Going Selfhosted: Breaking the prison of Surveillance Capitalism
Wait, what is surveillance captialism
- Coined by Shoshana Zuboff
- Capitalism: An economic and political system in which a country's trade and industry are controlled by private owners for profit
- Surveillance Capitalism: When the said system's profit is made by monetizing the data obtained by surveilling the customers
Not really sure how this will effect you ?
Well, Google, Amazon and Facebook are exploiting you
Google spys on you 24/7
New York Times published an article about how a criminal was caught using phone's location data
Google spys on you 24/7
Google actively coordinates with Law Enforcement, these dots are you. They know where you were at what time
Google spys on you 24/7
And this is a representation of the route you traveled in a given time-frame
Their devices are designed to snoop
Their devices are designed to snoop
They just don't have a limit
How low can you stoop
Ok, I'm a bit worried, but does it actually pose any danger ?
- China is already doing it (not surveillance capitalism, but more of a mass surveillance program)
- All public places are covered by CCTVs
- Footage is scanned real-time for people with criminal records ranging from drug dealers to jaywalkers
- On their way to introduce a social credit system
- Facial recognition and cell phone pinging were used in the recent Hong Kong protests to identify the protestors
- Governments are already making deals, Oregon police and Amazon have teamed up to use facial recognition technology
Umm, but I do not do any illegal things
Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.
- Edward Snowden
Umm, but I do not do any illegal things
When you say, ‘I have nothing to hide,’ you’re saying, ‘I don’t care about this right.’
You’re saying, ‘I don’t have this right, because I’ve got to the point where I have to justify it.’
The way rights work is, the government has to justify its intrusion into your rights
- Daniel J. Solove
Fine, I don't want to live in an Orwellian future. What can I do ?
Go Selfhosted
What all can be selfhosted ?
Git
Analytics
File storage
Calendar
Contacts
Blog
and much more ...
Software I used/replaced
| Cloud Storage (GDrive/Dropbox) | Nextcloud/Seafile |
| Google Analytics | Fathom/Matomo |
| Google Docs | Onlyoffice/LibreOffice Online |
| Evernote, OneNote, GKeep | Standard Notes |
| Media (Movies + Music) | Emby |
| Calendar + Contacts | Nextcloud |
| Google Photos | Piwigo/Photoprism |
| Git | Gitea |
How a self-hosted setup looks
[Demo Time]
How to setup your own ecosystem
Ansible role example for Portainer
- name: Run portainer container
docker_container:
name: portainer
image: portainer/portainer
restart_policy: always
labels:
traefik.frontend.rule: "Host:{{ portainer_domain }}"
traefik.port: "{{ portainer_port }}"
traefik.backend: portainer
traefik.docker.network: "{{ traefik_proxy_network }}"
networks:
- name: "{{ traefik_proxy_network }}"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
ports:
- "{{ portainer_port }}:9980"
state: started
Ansible role example for Nextcloud
- name: Setup nextcloud
file:
path: "{{ nextcloud_dir }}"
state: directory
mode: 0755
- name: Copy docker-compose
template:
src: templates/docker-compose.yml.j2
dest: "{{ nextcloud_dir }}/docker-compose.yml"
- name: Start nextcloud and mariadb
shell: "docker-compose up -d"
args:
chdir: "{{ nextcloud_dir }}"Docker-compose for Nextcloud (Database)
version: '3.5'
volumes:
nextcloud:
db:
services:
db:
image: mariadb
restart: always
volumes:
- db:/var/lib/mysql
environment:
MYSQL_DATABASE: {{ nextcloud_mysql_database }}
MYSQL_USER: {{ nextcloud_mysql_user }}
MYSQL_PASSWORD: {{ nextcloud_mysql_password }}
MYSQL_ROOT_PASSWORD: {{ nextcloud_mysql_password }}
labels:
traefik.enable: false
networks:
- nextcloudDocker-compose for Nextcloud (Server)
app:
image: nextcloud
ports:
- {{ nextcloud_port }}:80
depends_on:
- db
volumes:
- nextcloud:/var/www/html
restart: always
environment:
NEXTCLOUD_TRUSTED_DOMAINS: "{{ nextcloud_domain }}"
NEXTCLOUD_ADMIN_USER: {{ nextcloud_admin_user }}
NEXTCLOUD_ADMIN_PASSWORD: {{ nextcloud_admin_password }}
MYSQL_HOST: db
MYSQL_DATABASE: {{ nextcloud_mysql_database }}
MYSQL_USER: {{ nextcloud_mysql_user }}
MYSQL_PASSWORD: {{ nextcloud_mysql_password }}
labels:
traefik.frontend.rule: "Host:{{ nextcloud_domain }}"
traefik.port: 80
traefik.backend: nextcloud
traefik.docker.network: "{{ traefik_proxy_network }}"
networks:
- {{ traefik_proxy_network }}
- nextcloudDocker-compose for Nextcloud (Document Server)
documentserver:
image: onlyoffice/documentserver
restart: always
networks:
- {{ traefik_proxy_network }}
- nextcloud
environment:
- "TZ=UTC"
labels:
- "traefik.enable=true"
- "traefik.port=80"
- "traefik.backend=documentserver"
- "traefik.docker.network=traefik_proxy"
- "traefik.frontend.rule=Host:{{ onlyoffice_domain}}"
networks:
{{ traefik_proxy_network }}:
external: true
nextcloud:
name: nextcloudTraefik's Labels
-
traefik.enable=true (Enable/Disable the container in Traefik) -
traefik.port=80 (Registers this port. Useful when the container exposes multiples ports) -
traefik.backend=documentserver (Name Traefik uses to identify the backend) -
traefik.docker.network=traefik_proxy (the docker network to use for connections to the container) -
traefik.frontend.rule=Host:{{ onlyoffice_domain}} (Add host header for domain)
Running containers
DNS and Networking configuration
Ansible role example for Traefik
- name: Create traefik proxy network
docker_network:
name: "{{ traefik_proxy_network }}"
- name: Run docker container
docker_container:
name: traefik
image: traefik
command:
- --docker
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
- "{{ traefik_dir }}/traefik.toml:/traefik.toml"
- "{{ traefik_dir }}/acme.json:/acme.json"
networks:
- name: "{{ traefik_proxy_network }}"
restart_policy: always
labels:
traefik.frontend.rule: "Host:{{ traefik_monitor_domain }}"
traefik.port: "8080"
ports:
- "80:80"
- "443:443"
- "8080:8080"
state: startedHow traefik helps
- Traefik listens to your service registry/orchestrator API and instantly generates the routes so your microservices are connected to the outside world -- without further intervention from your part.
- In this case, to use traefik, you just need to add labels to your docker container
- Provides a UI Dashboard out of box
DNS Config
- We now need a way to access those services from the internet
- It is advisable to use a domain
- The host header defined in Traefik should match the subdomain
- You can use terraform or the cloud provider's API as well
- I chose terraform because it was the fastest way to get the desired results
DNS Config in DigitalOcean
DNS Config using Terraform
provider "digitalocean" {
token = "${var.do_token}"
}
resource "digitalocean_record" "cloud" {
domain = "${var.domain}"
type = "A"
name = "cloud"
value = "${var.target_ip}"
}
resource "digitalocean_record" "portainer" {
domain = "${var.domain}"
type = "A"
name = "portainer"
value = "${var.target_ip}"
}
resource "digitalocean_record" "onlyoffice" {
domain = "${var.domain}"
type = "A"
name = "onlyoffice"
value = "${var.target_ip}"
}
resource "digitalocean_record" "traefik" {
domain = "${var.domain}"
type = "A"
name = "traefik"
value = "${var.target_ip}"
}
Checklist
- Have an automated backup and restore mechanism
- Everything should be as code
- Destroying and creating a new self-hosted cloud should be a one-step command
- Don't have a single point of failure
Managed vs Self Hosting
| Managed | Self | |
|---|---|---|
| Software | Depends upon the provider | You are in full control |
| Reliability | More reliable | Depends on how you manage it |
| Privacy | Data is stored on their servers | Data is stored on your servers |
| Robustness | More robust as they have business targets | Depends on the software you are using |
| Convenient | Yes | No |