Going Selfhosted: Breaking the prison of Surveillance Capitalism

Wait, what is surveillance captialism

  • Coined by Shoshana Zuboff
  • Capitalism: An economic and political system in which a country's trade and industry are controlled by private owners for profit
  • Surveillance Capitalism: When the said system's profit is made by monetizing the data obtained by surveilling the customers

Not really sure how this will effect you ?

Well, Google, Amazon and Facebook are exploiting you

Google spys on you 24/7

New York Times published an article about how a criminal was caught using phone's location data

Google spys on you 24/7

Google actively coordinates with Law Enforcement, these dots are you. They know where you were at what time

Google spys on you 24/7

And this is a representation of the route you traveled in a given time-frame

Their devices are designed to snoop

Their devices are designed to snoop

They just don't have a limit

How low can you stoop

Ok, I'm a bit worried, but does it actually pose any danger ?

  • China is already doing it (not surveillance capitalism, but more of a mass surveillance program)
  • All public places are covered by CCTVs
  • Footage is scanned real-time for people with criminal records ranging from drug dealers to jaywalkers
  • On their way to introduce a social credit system
  • Facial recognition and cell phone pinging were used in the recent Hong Kong protests to identify the protestors
  • Governments are already making deals, Oregon police and Amazon have teamed up to use facial recognition technology

Umm, but I do not do any illegal things

Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.

- Edward Snowden

Umm, but I do not do any illegal things

When you say, ‘I have nothing to hide,’ you’re saying, ‘I don’t care about this right.’

 

You’re saying, ‘I don’t have this right, because I’ve got to the point where I have to justify it.’

 

The way rights work is, the government has to justify its intrusion into your rights

- Daniel J. Solove

Fine, I don't want to live in an Orwellian future. What can I do ?

Go Selfhosted

What all can be selfhosted ?

Git

Analytics

File storage

Calendar

Contacts

Blog

and much more ...

Software I used/replaced

Cloud Storage (GDrive/Dropbox) Nextcloud/Seafile
Google Analytics Fathom/Matomo
Google Docs Onlyoffice/LibreOffice Online
Evernote, OneNote, GKeep Standard Notes
Media (Movies + Music) Emby
Calendar + Contacts Nextcloud
Google Photos Piwigo/Photoprism
Git Gitea

How a self-hosted setup looks
[Demo Time]

How to setup your own ecosystem

Ansible role example for Portainer

 

- name: Run portainer container
  docker_container:
    name: portainer
    image: portainer/portainer
    restart_policy: always
    labels:
      traefik.frontend.rule: "Host:{{ portainer_domain }}"
      traefik.port: "{{ portainer_port }}"
      traefik.backend: portainer
      traefik.docker.network: "{{ traefik_proxy_network }}"
    networks:
      - name: "{{ traefik_proxy_network }}"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
    ports:
      - "{{ portainer_port }}:9980"
    state: started

Ansible role example for Nextcloud

 

- name: Setup nextcloud
  file:
    path: "{{ nextcloud_dir }}"
    state: directory
    mode: 0755

- name: Copy docker-compose
  template:
    src: templates/docker-compose.yml.j2
    dest: "{{ nextcloud_dir }}/docker-compose.yml"

- name: Start nextcloud and mariadb
  shell: "docker-compose up -d"
  args:
    chdir: "{{ nextcloud_dir }}"

Docker-compose for Nextcloud (Database)

 

version: '3.5'

volumes:
  nextcloud:
  db:

services:
  db:
    image: mariadb
    restart: always
    volumes:
      - db:/var/lib/mysql
    environment:
      MYSQL_DATABASE: {{ nextcloud_mysql_database }}
      MYSQL_USER: {{ nextcloud_mysql_user }}
      MYSQL_PASSWORD: {{ nextcloud_mysql_password }}
      MYSQL_ROOT_PASSWORD: {{ nextcloud_mysql_password }}
    labels:
      traefik.enable: false
    networks:
      - nextcloud

Docker-compose for Nextcloud (Server)

 

  app:  
    image: nextcloud
    ports:
      - {{ nextcloud_port }}:80
    depends_on:
      - db
    volumes:
      - nextcloud:/var/www/html
    restart: always
    environment:
      NEXTCLOUD_TRUSTED_DOMAINS: "{{ nextcloud_domain }}"
      NEXTCLOUD_ADMIN_USER: {{ nextcloud_admin_user }}
      NEXTCLOUD_ADMIN_PASSWORD: {{ nextcloud_admin_password }}
      MYSQL_HOST: db
      MYSQL_DATABASE: {{ nextcloud_mysql_database }}
      MYSQL_USER: {{ nextcloud_mysql_user }}
      MYSQL_PASSWORD: {{ nextcloud_mysql_password }}
    labels:
      traefik.frontend.rule: "Host:{{ nextcloud_domain }}"
      traefik.port: 80
      traefik.backend: nextcloud
      traefik.docker.network: "{{ traefik_proxy_network }}"

    networks:
      - {{ traefik_proxy_network }}
      - nextcloud

Docker-compose for Nextcloud (Document Server)

 

  documentserver:
    image: onlyoffice/documentserver
    restart: always
    networks:
      - {{ traefik_proxy_network }}
      - nextcloud
    environment:
      - "TZ=UTC"
    labels:
      - "traefik.enable=true"
      - "traefik.port=80"
      - "traefik.backend=documentserver"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.rule=Host:{{ onlyoffice_domain}}"

networks:
  {{ traefik_proxy_network }}:
    external: true
  nextcloud:
    name: nextcloud

Traefik's Labels

 

  • traefik.enable=true (Enable/Disable the container in Traefik)
  • traefik.port=80 (Registers this port. Useful when the container exposes multiples ports)
  • traefik.backend=documentserver (Name Traefik uses to identify the backend)
  • traefik.docker.network=traefik_proxy (the docker network to use for connections to the container)
  • traefik.frontend.rule=Host:{{ onlyoffice_domain}} (Add host header for domain)

Running containers

 

DNS and Networking configuration

Ansible role example for Traefik

 

- name: Create traefik proxy network
  docker_network:
    name: "{{ traefik_proxy_network }}"

- name: Run docker container
  docker_container:
    name: traefik
    image: traefik
    command:
      - --docker
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "{{ traefik_dir }}/traefik.toml:/traefik.toml"
      - "{{ traefik_dir }}/acme.json:/acme.json"
    networks:
      - name: "{{ traefik_proxy_network }}"
    restart_policy: always
    labels:
      traefik.frontend.rule: "Host:{{ traefik_monitor_domain }}"
      traefik.port: "8080"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    state: started

How traefik helps

 

  • Traefik listens to your service registry/orchestrator API and instantly generates the routes so your microservices are connected to the outside world -- without further intervention from your part.
  • In this case, to use traefik, you just need to add labels to your docker container
  • Provides a UI Dashboard out of box

DNS Config

 

  • We now need a way to access those services from the internet
  • It is advisable to use a domain
  • The host header defined in Traefik should match the subdomain
  • You can use terraform or the cloud provider's API as well
  • I chose terraform because it was the fastest way to get the desired results

DNS Config in DigitalOcean

 

DNS Config using Terraform

 

provider "digitalocean" {
  token = "${var.do_token}"
}

resource "digitalocean_record" "cloud" {
  domain = "${var.domain}"
  type   = "A"
  name   = "cloud"
  value  = "${var.target_ip}"
}

resource "digitalocean_record" "portainer" {
  domain = "${var.domain}"
  type   = "A"
  name   = "portainer"
  value  = "${var.target_ip}"
}

resource "digitalocean_record" "onlyoffice" {
  domain = "${var.domain}"
  type   = "A"
  name   = "onlyoffice"
  value  = "${var.target_ip}"
}

resource "digitalocean_record" "traefik" {
  domain = "${var.domain}"
  type   = "A"
  name   = "traefik"
  value  = "${var.target_ip}"
}

Checklist

  • Have an automated backup and restore mechanism
  • Everything should be as code
  • Destroying and creating a new self-hosted cloud should be a one-step command
  • Don't have a single point of failure

Managed vs Self Hosting

Managed Self
Software Depends upon the provider You are in full control
Reliability More reliable Depends on how you manage it
Privacy Data is stored on their servers Data is stored on your servers
Robustness More robust as they have business targets Depends on the software you are using
Convenient Yes No

The future of self-hosted apps

Thank You

Made with Slides.com