From 29a570918721fd5d73bb140a9fb3bfa3e5647b9f Mon Sep 17 00:00:00 2001 From: aethrvmn Date: Sat, 30 Aug 2025 15:18:29 +0200 Subject: added content --- content/theses/self-sufficiency/_index.md | 5 + content/theses/self-sufficiency/books.md | 95 ++++++++++++++ content/theses/self-sufficiency/domain.md | 31 +++++ content/theses/self-sufficiency/email.md | 53 ++++++++ content/theses/self-sufficiency/gemini.md | 138 ++++++++++++++++++++ content/theses/self-sufficiency/git-forge.md | 170 +++++++++++++++++++++++++ content/theses/self-sufficiency/licenses.md | 64 ++++++++++ content/theses/self-sufficiency/media.md | 105 +++++++++++++++ content/theses/self-sufficiency/nixos-intro.md | 31 +++++ content/theses/self-sufficiency/photos.md | 122 ++++++++++++++++++ content/theses/self-sufficiency/web-server.md | 97 ++++++++++++++ 11 files changed, 911 insertions(+) create mode 100644 content/theses/self-sufficiency/_index.md create mode 100644 content/theses/self-sufficiency/books.md create mode 100644 content/theses/self-sufficiency/domain.md create mode 100644 content/theses/self-sufficiency/email.md create mode 100644 content/theses/self-sufficiency/gemini.md create mode 100644 content/theses/self-sufficiency/git-forge.md create mode 100644 content/theses/self-sufficiency/licenses.md create mode 100644 content/theses/self-sufficiency/media.md create mode 100644 content/theses/self-sufficiency/nixos-intro.md create mode 100644 content/theses/self-sufficiency/photos.md create mode 100644 content/theses/self-sufficiency/web-server.md (limited to 'content/theses/self-sufficiency') diff --git a/content/theses/self-sufficiency/_index.md b/content/theses/self-sufficiency/_index.md new file mode 100644 index 0000000..4090af6 --- /dev/null +++ b/content/theses/self-sufficiency/_index.md @@ -0,0 +1,5 @@ +--- +title: self-sufficiency +weight: 30 +bookCollapseSection: true +--- diff --git a/content/theses/self-sufficiency/books.md b/content/theses/self-sufficiency/books.md new file mode 100644 index 0000000..2bf583c --- /dev/null +++ b/content/theses/self-sufficiency/books.md @@ -0,0 +1,95 @@ +--- +title: books +weight: 30 +--- +Owning books (not reading them) is growing as a hobby in the digital age. I, as many others, still keep a collection of books that I occasionally read, mostly physical, but also digital. + +Unfortunately, some books are not easily accessible physically where I am, or I might want to read parts of a book to see if it is worth investing in buying an actual physical copy. + +For these reasons, among others, it is nice to have a nice, accessible web library to store your own books, and have access to them over the internet. For this reason, this guide shows you how to set up `calibre-web` as a self-hosted ebook library. + +## specs +When idling, `calibre-web` takes 132M of RAM on my system. + +## installation + +Create a `calibre` folder and a `default.nix` file inside it, at the place where you have the rest of your nixos configuration +```sh +$ mkdir calibre && touch calibre/default.nix +``` +(or use the file explorer of your choice) + +### nix declaration + +Open `calibre/default.nix` in any text editor, and copy the following +```nix + +{ config, pkgs, ... }: +{ + services = { + calibre-web = { + enable = true; + + listen = { + ip = "127.0.0.1"; + port = 3020; + }; + + options = { + calibreLibrary = "/var/lib/calibre-web/library"; + enableBookUploading = true; + }; + }; + + nginx = { + virtualHosts."library." = { + enableACME = true; + forceSSL = true; + + locations."/" = { + proxyPass = "http://127.0.0.1:3020"; + proxyWebsockets = true; + }; + }; + }; + }; + + systemd.services.calibre-web = { + preStart = '' + if [ ! -f "/var/lib/calibre-web/library/metadata.db" ]; then + mkdir -p "/var/lib/calibre-web/library" + ${pkgs.calibre}/bin/calibredb add --empty \ + --with-library "/var/lib/calibre-web/library" + fi + ''; + }; +} +``` + +Then to enable it, just include it in the server config file: +```nix + imports = [ + # ... other services + ./calibre + # ... other services + ]; +``` +and you're done. + +Let's break the config file down. + +### explanation +1) We declare the `calibre-web` service as enabled +2) We configure the port to 3020, and make it so it won't reach out to the web outside of the reverse proxy +3) We set the library directory (where `calibre-web` will store your books), and enable uploading books via the web interface +4) We set up the reverse proxy to allow you access through the web +5) We set up a systemd service that runs when the `calibre-web` service runs, to verify that the location you set as a library is indeed a `calibre` database folder. If not, it initialised a `.db` file. + +### further setup +Once the service is up and running, go to `localhost:3020`, or `library.`, or whatever domain you set it to. + +You should see a login screen. The default `username` is `admin` and the default `password` is `admin123`. +{{% hint danger %}} +If you serve this over the open internet ***CHANGE THE DEFAULT USERNAME AND PASSWORD IMMEDIATELY AFTER LOGGING IN***. +Otherwise *everyone* will have access to your library and data. +{{% /hint %}} diff --git a/content/theses/self-sufficiency/domain.md b/content/theses/self-sufficiency/domain.md new file mode 100644 index 0000000..6ae10c9 --- /dev/null +++ b/content/theses/self-sufficiency/domain.md @@ -0,0 +1,31 @@ +--- +title: renting a domain +weight: 2 +--- + +Everything that has to do with being self-sufficient in the modern world implies internet access[^1]. + +The most important thing one has to do if they are to expose their things into the internet is a domain name. + +A domain name is a human readable address that points to a server. For example, if a server has a public address of `74.125.142.100`, then you could link that address to your domain, so that people who use your domain in a browser could get to the server you own or rent. + +{{% hint info %}} +Intuitively most people know what a domain name is, but don't know that you can get one. +A common example to illustrate how domain names work is using `Google`. +`Google` uses a server with address `74.125.142.100`, and the domain name linked to that address is `google.com`. +Putting `74.125.142.100` takes you `Google`, just as `google.com` +{{% /hint %}} + +There are many domain name providers, like [`GoDaddy`](https://www.godaddy.com), [`PorkBun`](https://porkbun.com), or others. A good rule of thumb is to check multiple providers; typically providers from the country of origin are cheaper (for example, in Greece, a good option is [`Papaki`](https://papaki.gr)). + +{{% hint info %}} +In most cases the domain provider can help you stay anonymous by blocking `whois` (an authentication system for domains), and presenting themselves as the domain owner. +It is adviced for anonymity, to enable the service +{{% /hint %}} + +The process is extremely simple. You make an account, and look up a domain name you want, and rent it. + +{{% hint warning %}} +It might be difficult to find a good domain name. Most domain names that are legible are already rented. There is a way to make money off of domains called 'domain flipping', where you rent domains for cheap and then auction them, so people might grab 'good' domains for this purpose. +{{% /hint %}} +[^1]: If the goal is to drop the internet completely, then this page is useless. If everything is to be run *exclusively locally*, skip to the next page. If you want nothing to do with technology, close your browser and go outside. Otherwise check other pages on the site apart from `self-sufficiency`. This section of the site is about technological autonomy. diff --git a/content/theses/self-sufficiency/email.md b/content/theses/self-sufficiency/email.md new file mode 100644 index 0000000..edff450 --- /dev/null +++ b/content/theses/self-sufficiency/email.md @@ -0,0 +1,53 @@ +--- +title: email ownership +weight: 3 +--- + +Email is not safe. It never was and it never will be. This doesn't mean we have to give up. + +The important thing is not security (there are other ways to communicate securely, like [`Signal`](https://signal.org), [`Session`](https://getsession.org), and [`SimpleX`](https://simplex.chat) (even more alternatively, use [`XMPP`](https://xmpp.org), or [`matrix`](https://matrix.org))), but rather ownership. Most people use Google/Microsoft/Apple, which is the primary evil we are running away from. +{{% hint info %}} +Regarding why [check this video out](https://www.youtube.com/watch?v=iH626CXyNtE). +{{% /hint %}} + +Now that we understand that the main goal is claiming our data back from Big Tech, there are many small email providers that one can use; otherwise one can host their own email server. + +I have heard that running your own email server is a hassle, and that you need to do some extra things in order to actually host and secure it. Because of this, I use a third-party provider. + +The email provider I use is [`Fastmail`](https://fastmail.com), but in all earnest it doesn't really matter. I chose them because I have more than one domain, and fastmail supports importing as many domains as you own, and also allows you to create as many aliases as you want. +(For context, Proton allows 1 custom domain in their base plan, and infinite aliases, and Tuta offers three custom domains, but 15 aliases. Fastmail offers unlimited custom domains and unlimited aliases.) + +{{% hint danger %}} +The ***only*** reason I am comfortable using `Fastmail` is because I am ***not*** the citizen of a country in the +[Five/Six/Nine/Fourteen Eyes](https://en.wikipedia.org/wiki/Five_Eyes)--- international spying organizations that exchange information about their own citizens and/or citizens of hostile nations. +If you are a citizen of: +- the USA +- the UK +- New Zealand +- Australia +- Canada +- Denmark +- France +- the Netherlands +- Norway +- Belgium +- Germany +- Italy +- Spain +- Sweden + +If you are a citizen of one of the above countries, you are kindly encouraged to use `Proton` exclusively, assuming you care about privacy. +Do ***not*** use either `Fastmail` or `Tuta`. +{{% /hint %}} + +[`Proton`](https://proton.me) and [`Tuta`](https://tuta.com) try to be closer to a whole Cloud account (with services like Drive, Docs, etc), but in all earnest I just want an email, since I self-host my own cloud. + +The only caveat with all this is that you *do* have to pay for your email. In essence you give money for the convinience of not having to maintain your own server, as well as to not have to worry about your email getting flagged as spam by major providers. Plus, you pay so you dont become the product. +{{% hint info %}} +I might self-host an email server once I have the ability to control which ports I have open (so when I move out from my current house). If I do, I will update this. +{{% /hint %}} + +If you want to self-host an email server [check this out](https://github.com/LukeSmithxyz/emailwiz). In general check out [LandChad.net](https://landchad.net/#setup-an-email-server). Note that this guide assumes Debian/Ubuntu. +{{% hint warning %}} +The above guide by the LandChads doesn't work with [NixOS](https://nixos.org). If you choose to follow that guide, you might end up needing a dedicated server for emails. +{{% /hint %}} diff --git a/content/theses/self-sufficiency/gemini.md b/content/theses/self-sufficiency/gemini.md new file mode 100644 index 0000000..f43045d --- /dev/null +++ b/content/theses/self-sufficiency/gemini.md @@ -0,0 +1,138 @@ +--- +title: gemini:// +weight: 6 +--- + +Here I explain how to set up a `gemini://` server, which is known as a `capsule`. + +If you don't know what `gemini://` is, essentially it is a text-only `https://` alternative. + +It allows you to browse text only feeds, and is a welcome escape from ads and javascript and bloat. + +{{% hint info %}} +Gemini in general does not support anything except for pure text. There is no CSS, no JavaScript, nothing, except for text and sometimes images (but not in-line, you have to click them). +It is considered an alternative to the web, seen as "better/superior" because it forces minimalism, however it is a bad comparison. +The issue with modern web is the invasiveness, not the CSS or JS (although JS sucks); in this regard, I prefer my site being static and served over the web where I can use CSS, than gemini, where in the name of "minimalism" I have to give up expressive liberty. +Be that as it may, it's nice to have options, plus the minimalism might appeal to some, or might enable a "rehab" sentiment. +{{% /hint %}} + +## setup +The nixos configuration is a bit more difficult because of how simple `gemini` servers are. This simplicity means that we need to set up our own user, open the port (since `nginx` is a ***web*** server, it can't work with `gemini://`), and set up autosync so we don't need to sync files manually with git. + +### specs +There are many servers to host; the `gemini://` protocol is extremely simple, and so servers can take ~200-500 lines of code, and are *extremely* lightweight. + +This guide sets up `agate` since it's a service in `nixos`. + +We start by making a folder `gemini` and `gemini/default.nix` +```sh +$ mkdir gemini && touch gemini/default.nix +``` +(or use the file explorer of your choice) + +### nix declaration +Open `gemini/default.nix` in any text editor, and copy the following + +```nix +{ config, pkgs, lib, ... }: +{ + services.agate = { + enable = true; + + hostnames = [ "" ]; + addresses = [ "0.0.0.0:1965" ]; + language = "en"; + contentDir = "/srv/gemini"; + }; + + networking.firewall.allowedTCPPorts = [ 1965 ]; + + users = { + groups.agate = { }; + users = { + agate = { + isSystemUser = true; + description = "gemini user"; + group = "agate"; + home = "/srv/gemini"; + createHome = true; + shell = "${pkgs.git}/bin/git-shell"; + }; + }; + }; + + systemd = { + # set service + services."gemini" = { + description = "Update Gemini site from repo"; + + script = '' + if [ -d /srv/gemini/.git ]; then + ${pkgs.git}/bin/git -C /srv/gemini pull + else + ${pkgs.git}/bin/git clone https:// /srv/gemini + fi + ''; + + serviceConfig = { + Type = "oneshot"; + User = "agate"; + }; + }; + + timers."gemini" = { + description = "Hourly Gemini-site update"; + wantedBy = [ "timers.target" ]; + + timerConfig = { + OnCalendar = "hourly"; + Persistent = true; + }; + }; + }; +} +``` +Then to enable it, just include it in the server config file: +```nix + imports = [ + # ... other services + ./gemini + # ... other services + ]; +``` +and you're done. +{{% hint warning %}} +Make sure to replace `` with your actual gemini repo above +{{% /hint %}} + +Let's break the config file down. + +### explanation +1) We declare the `agate` service as enabled. +2) We define the hostname for the `gemini://` network, set the address(es) to serve from, and declare the language we will be writing in. Finally we declare the content directory +3) We open port 1965 to the internet +4) We declare a group `agate` +5) We declare a user `agate`, in group `agate`, with the home folder being at `srv/gemini`, having access only to the git shell, for security. +6) We declare a `systemd` service, `gemini`, that checks if `/srv/gemini` is a git repo; if it isn't it `git clone` at a specified repository, if it is, it runs `git pull`. This service is set to run once (not continuously), and to be run by user `agate` +7) We declare a timer that runs the `gemini` service we just declared, once per hour. This automates the setup + + +### adding content +In order to add content to your new capsule, simply go to the `content/` folder and start writing. + +By default `gemini://` serves the `index.gmi` at `/`, so make that file first. + +{{% hint info %}} +`.gmi` is the markup flavour that gemini reads/serves. +It is a stripped down version of markdown (`.md` files). +[You can find out more about it here](https://geminiprotocol.net/docs/gemtext.gmi) +{{% /hint %}} + +Since servers simply serve `.gmi` files, you don't need to do any update/reload or anything. It happens automatically. + +Personally, I use `git` to keep files synced (as in, the content folder is a git repo). + +## client +In order to browse `gemini://` you need a dedicated client. + +Use [`Lagrange`](https://gmi.skyjake.fi/lagrange/). diff --git a/content/theses/self-sufficiency/git-forge.md b/content/theses/self-sufficiency/git-forge.md new file mode 100644 index 0000000..644c893 --- /dev/null +++ b/content/theses/self-sufficiency/git-forge.md @@ -0,0 +1,170 @@ +--- +title: git-forge +weight: 10 +--- +For all of the work one might do regarding self-sufficiency (or other personal projects), be that modifications to code, documents, images, or literally any modifiable process on a computer system, it is wise to use a version control system to keep track. + +Version contol systems, like `git`, or `fossil`, allow for the set-up of trackers and managers that are able to present a history of changes, as they are logged. + +This means that after a modification is made, it can be "commited" to the version control system, and stored. Effectively, you commit to the change. + +Although it is relatively simple to set up a `git` server for self-hosting (via [`cgit`](https://git.zx2c4.com/cgit/about/) perhaps), on its own it lacks an intuitive, easy to use way to interact with, apart from a command line interface. For this reason I personally use a [`Forgejo`](https://forgejo.org) instance, which is the same software running in [`Codeberg`](https://codeberg.org) + +## specs +`Forgejo` is extremely lightweight, and on it barely registers any resource usage. As a nix service, it consumes around 139M of RAM on my system. + +## installation + +Create a `forgejo` folder and a `default.nix` file inside it, at the place where you have the rest of your nixos configuration +```sh +$ mkdir forgejo && touch forgejo/default.nix +``` +(or use the file explorer of your choice) + +### nix declaration + +Open `forgejo/default.nix` in any text editor, and copy the following + +```nix +{ + services = { + forgejo = { + enable = true; + + dump.enable = true; + + useWizard = true; + + settings = { + DEFAULT = { + APP_NAME = ""; # Like "yourname's Forge" + RUN_MODE = "prod"; + APP_SLOGAN = ""; # Try "Fuck Microsoft" + RUN_USER = "forgejo"; + }; + + server = { + HTTP_ADDR = "127.0.0.1"; + HTTP_PORT = 3040; + DOMAIN = "forge."; + }; + + service = { + DISABLE_REGISTRATION = false; + DEFAULT_KEEP_EMAIL_PRIVATE = true; + }; + + lfs = { + enable = true; + }; + }; + }; + + nginx = { + virtualHosts."code." = { + enableACME = true; + forceSSL = true; + + locations."/" = { + proxyPass = "http://127.0.0.1:${config.services.forgejo.settings.server.HTTP_PORT}"; + proxyWebsockets = true; + }; + }; + }; + }; +} +``` + +Then to enable it, just include it in the server config file: +```nix + imports = [ + # ... other services + ./forgejo + # ... other services + ]; +``` +and you're done. + +Let's break the config file down. + +### explanation + +1) First of all we declare the `forgejo` service as enabled. +2) `dump.enable` enables backups, to be performed daily at 04:31 (4:31AM), and stored at `/var/lib/forgejo/dump` +3) `useWizard` enables the `Initial Configuration` page on first launch. It allows for some non-nixo-style configuration, just in case. +4) The `settings` define the configuration of forgejo itself: + 1) `DEFAULT` are the base options, such as the name, slogan, and type (production or development) of the instance + 2) `server` are server configuration options, which are options that will be written in the `app.ini` (the forgejo config file at run-time), under the [service] tag. You can find all of them [here](https://forgejo.org/docs/latest/admin/config-cheat-sheet/#server-server) + - We set the DOMAIN to be `forge.` so that it apperas on `git clone` commands, + - We set the HTTP_PORT to `3010` because it's a non-standard port (the default of `3000` might clash with other services) + - We set the HTTP_ADDR to `127.0.0.1` so that the service is not accessible to anyone outside of the machine, *except* via reverse proxy through [`nginx`](/notes/self-sufficiency/web-server) + 3) `service` deals with some of the more middleware things; here we have it set to allow registrations, so that we might make our own admin account. After that is done, it should be + `DISABLE_REGISTRATION = false;` + 4) We enable git LFS (Large File Storage) just in case. + +5) Finally, we declare an [`nginx`](/notes/self-sufficiency/web-server) virtual host to set up a reverse proxy to point `forge.` to HTTP_PORT 3040, so that you can access `forgejo` via the web. +{{% hint warning %}} +If you change the `HTTP_PORT`, remember to change it also in the `nginx` block. +{{% /hint %}} +{{% hint info %}} +In general the `settings` block works as follows: +Each of `name = {}` that starts a block within settings declares the equivalent `[name]` block in the non-default `app.ini`. Then, in that, it adds the items you define in the config. +For example, assume we have this: + +```nixos +{ + services = { + forgejo ={ + settings = { + server = { + HTTP_PORT = 3000; + }; + }; + }; + }; +} +``` +this then translates inside of the `app.ini` file to +```ini +[server] +HTTP_PORT = 3000 +``` +once the setup is set up. +{{% /hint %}} + +{{% hint info %}} +More information can be found at the [wiki](https://wiki.nixos.org/wiki/forgejo), but it can be opaque. +More options can be found [here](https://mynixos.com/nixpkgs/options/services.forgejo). +For example, if you plan to use this instance with more that ~4-5 people, it might be good to change the backend database from SQLite3 to PostgreSQL. +I leave the process of doing that as an exercise to the reader (Hint: It's a single line inside of `services.forgejo.database`). +{{% /hint %}} + +Make sure to update the parts inside of `<>`. +It should now appear in `localhost:3010`. If you are hosting this in a public server (like a VPS), it can be found in `http://forge.`. + +### further setup +Once the service is up and running, go to `localhost:3010`, or `forge.`, or whatever domain you set it to. + +You will see a setup page `Initial Configuration`. + +You must set up an administrator account. This can either be a completely seperate account to your own, or it could be your own account. + +You can also set up an email server using the [SMTP address of the email provider](/notes/self-sufficiency/email), as well as check out other small configuration stuff you can do. Configuring things like this however beats the purpose of using `NixOS`. You can always copy `app.ini` and translate it into `NixOS` later anyway though. + +{{% hint danger %}} +If you do translate `app.ini` ---> `nix`, make sure to not include any secrets (JWT/INTERNAL_TOKEN/etc). +{{% /hint %}} + +{{% hint danger %}} +If you don't want to have registration open for everyone, remember to set +`DISABLE_REGISTRATION = false;` +{{% /hint %}} + +## backups +### code backups +In general it is a good idea to have your code in multiple repositories. This allows you to not worry about your server going down, your code getting deleted, etc. + +I use [`codeberg`](https://codeberg.org) as a backup mirror for my personal work, and [`github`](https://github.com) for my work at [αpothēke](https://apotheke.earth). Although I don't like github, it is the best place for others to discover and contribute. + +### service backups +Because we have `service.forgejo.dump.enabled = true;`, we can simply copy `/var/lib/forgejo/dump` to another computer. If you want to keep any updates and configurtions after running, and made outside of nix, you can simply make a copy of the entire `/var/lib/forgejo` folder at regular intervals. diff --git a/content/theses/self-sufficiency/licenses.md b/content/theses/self-sufficiency/licenses.md new file mode 100644 index 0000000..487816e --- /dev/null +++ b/content/theses/self-sufficiency/licenses.md @@ -0,0 +1,64 @@ +--- +title: licensing +weight: 1 +--- + +It is well understood that free and open source software (*libre* software) stands for freedom as in "free speech", not as in "free beer". More specifically, free software is defined as any software that guarantees these four freedoms + +- The freedom to use the program for any purpose. +- The freedom to study how the program works, and change it to make it do what you wish. +- The freedom to redistribute and make copies so you can help your neighbor. +- The freedom to improve the program, and release your improvements (and modified versions in general) to the public, so that the whole community benefits. + +These four freedoms guarantee that the *user* can make a fully informed choice; given they, or someone else, has knowledge of programming, they may study the code, and obtain full knowledge of how the software works. + +This, however, means that the code itself must be accessible, which comes with the implicit consequence that somebody well versed in programming might get the code, and use the software as they may, *without* paying. In this sense a consequence of free (*libre*)[^1] software (or rights-preserving software) is also *gratis* software (or zero-cost software). + +For the above reason, *libre* software has been massively adopted by programming communities; not only does it liberate the user by ensuring that they may make a choice based on full information, it also provides extra securities; rather than needing to place trust on the developer(s), you can trust the product itself. Security bugs and issues are found more easily, because more people are looking over the code, and the project is, in theory, constantly being audited; the project may organically grow because people take a natural interest in it, and become a communal effort rather than a personal one. + +It also is seen as a collectivising movement. Since the implication is that *libre* software has to provide access to the full source code for the four freedoms to be upheld, the implication of the capacity of others to use said code *without providing any financial compensation* means that businesses are typically disincentivised from using or creating *libre* software. Governments and other bad faith actors also typically prefer to make or use proprietary software, since making and using *libre* software would leave their misdeeds exposed. + +For this reason a more "lenient" software movement rose to prominence, that of *open source* software, which is also called *permissive*, because it permits the developer more freedoms, at the expense of the freedoms of the user[^2]. Open source software, although it does provide the user some freedoms, mostly cares for the developer experience, and the end-user is secondary[^3]. + +This in turn allowed corporations to see open-source software in a more friendly light, and reinforced the idea that there is an ideological and political distinction between *open-source* vs *libre* software; open-source is typically seen as corporate-friendly and capitalistic, whilst *libre* software is considered the collectivist/communist/anarchist option. If we look at this from a classical liberal viewpoint however, we might see a different story, and realise that *libre* software is the foundation of a free market of software. + +## legal plunder and lawful defence +In 1850, French economist Frederic Bastiat[^4] wrote a book called The Law[^5], in which he tries to argue that the rule of the Law is to guarantee and preserve the rights of the majority. In his argument, he says that since the government is comprised of people, then the government itself has no more rights than those that people individually have; the rights to life, to liberty, and to property.[^6] + +> *"Life, liberty, and property do not exist because men have made laws. On the contrary, it was the fact that life, liberty, and property existed beforehand that caused men to make laws in the first place. What, then, is law? As I have said elsewhere, it is the collective organization of the individual right to lawful defense."* + +In this regard, the role of government is exclusively to protect these very rights; anything that the government does that goes beyond the simple task of protecting the rights of the people is a degeneration of the law. + +> *"The law has placed the collective force at the disposal of the unscrupulous who wish, without risk, to exploit the person, liberty, and property of others. It has converted plunder into a right, in order to protect plunder. And it has converted lawful defense into a crime, in order to punish lawful defense."* + +We see in the above quote the root of the matter; lawful defence, insofar as it is defence that does not remove from the rights of others, is being subverted, in favour of plunder, so that others may exploit the individual, as well as the property of the individual, and in doing so reduce the capacities of the individual to exercise their liberty. In this sense, legal plunder, as Bastiat calls it, is nothing more than the erosion of the rights of the individual for the benefit of another, and because the law ends up perverted by the very people who seek to erode the liberties of others, lawful defence is seen as a detriment, and oftentimes opposing plunder is made illegal. + +## copyleft +It is on this that *libre* software takes a stand, where the open-source movement doesn't; *libre* software acts as an extension of good law; it protects and reinforces the rights of the user. Meanwhile *non-libre* software aims to plunder the user; it deducts from the user's rights. + +The way the rights are preserved is through a type of license called *copyleft*, called so because it forces not only the developer to provide the entirety of the project in a way that respects user freedom, but also any other developer who might build upon it and make their own modifications and distributions of the software. In essence it forces, in a viral way, all derived software to be as respectful of the user's rights as the original version. It promotes user freedom at the detriment of the developer. + +> *"[...] +>5. Conveying Modified Source Versions. +>You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions: +>[...] +>c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it. +>[...]"* + +## example of non-copyleft abuse +In order to see why *copyleft* is so important to the preservance of user freedom, and how *libre* software acts as an extension of the righteous purpose of the law, as per classical liberalism, and why *open-source* and proprietary software permits legal plunder, I need to quote a very strong historical example. + +> MINIX is an operating system first released in 1987 by Andrew S. Tanenbaum, as an open-source clone of the Unix operating system, specifically targeted at low-power devices. Because it was licensed with an open-source license without a *copyleft* provision, a company, namely Intel, copied the code (ie *forked* in the proper terminology) and developed their own derivative operating system. Due to the lack of any *copyleft* clause that would force Intel to respect user freedom, by allowing the users to study and/or modify their derivative work, nobody, apart from the engineers that maintain it, know exactly what it does and how it works. The issue arises from the fact that this custom version of the MINIX operating system is run on the *Intel ME*, which is a small chip that exists in *every* Intel CPU for the past twenty years, and this operating system has *full* access to everything that happens inside of a computer that includes it. This includes the capability to control the computer; even if the computer is turned off, as long as it is connected to a power source (e.g. an outlet or a battery), it may even turn the computer on *without* user knowledge or consent. This control over the user system, alongside the inability of the user to study the MINIX operating system running inside of Intel ME, is enough of a reason to call it *malware* or *spyware*. It is a piece of code that is running without the user being able to give explicit and informed consent, and most of the time without even the user's knowledge. It is legal plunder.[^7] + +It is exactly this form of plunder that *copyleft* in *libre* software prevents, and in doing so creates a unique and interesting dynamic. + +## the free market of software +Exactly because it allows the user the maximal freedom, i.e. the ability to make fully informed consensual decisions concerning the software they wish to use, it forms the foundation of a free market of software; the voluntary exchange of goods and services. In classical liberalism, the term *market* is not restricted to use only in the exchange of goods for currency, but also includes any voluntary exchange of ideas and services, in a non-interventionist, fully decentralized manner. Besides, the concept of a free market does not axiomatically carry a preferred method of transaction; monetary exchanges, cryptocurrencies, barter, donations, everything is appropriate, with the only prerequisite being that an exchange is conducted on a voluntary premise for all participants, which necessitates transparency and full knowledge of the good or service provided; a free market of software *requires copyleft* in order to exist, and *copyleft* cannot function outside of a free market. + +[^1]: *free* software is an extemely poor choice of wording in my opinion, because it confuses the notion of freedom, with the notion of zero monetary costs. The distinction is why *libre* software has historically been used to denote free software as in freedom, and why *freeware* has been associated with zero-monetary cost. +[^2]: Because of this, I tend to call "permissive" licenses "restrictive". They restrict the user's freedoms. +[^3]: The difference is mainly ethical/moral, however there is open-source software that is *not* libre. +[^4]: 1801-1850 +[^5]: You can find a free copy [here](https://cdn.mises.org/thelaw.pdf) +[^6]: I am slowly compiling my own notes on the subject matter; you can find part of my viewpoint [here](https://notes.aethrvmn.gr/metaphysical/interpersonal/abilities) +[^7]: This specific example is the most egregious one *that we know of*, and has given rise to the term [*cuck license*](https://lukesmith.xyz/articles/why-i-use-the-gpl-and-not-cuck-licenses/) for non *copyleft*, open-source licenses. diff --git a/content/theses/self-sufficiency/media.md b/content/theses/self-sufficiency/media.md new file mode 100644 index 0000000..a55fa00 --- /dev/null +++ b/content/theses/self-sufficiency/media.md @@ -0,0 +1,105 @@ +--- +title: media +weight: 20 +--- + +Movies, shows, and music tend to fall under the broad category of "media". This means that there exist solutions to self-host an entire suite for all "media", so there is no need to pay seperate subscriptions to services such as Netflix and/or Spotify. + +{{% hint info %}} +Self-hosted means BYOM (Bring Your Own Media). +This will not buy you movies/tv shows/music. +On a discussion on the subject, [read this article](https://wiki.futo.org/index.php/Introduction_to_a_Self_Managed_Life:_a_13_hour_%26_28_minute_presentation_by_FUTO_software#%E2%80%9CPiracy%E2%80%9D) +I am not taking any ethical stance on piracy; I am taking an ethical stance on ownership. +{{% /hint %}} + +We will be using Jellyfin, which is a free and open-source software for serving media libraries, effectively replacing Netflix (albeit with a clankier UI) and spotify, with dedicated third-party clients. + +## specs +Whilst serving videos, the server needs to parse the bits; the higher the resolution, the higher the useage. + +When idling, jellyfin takes 273M of RAM on my system. + +## installation + +Create a `jellyfin` folder and a `default.nix` file inside it, at the place where you have the rest of your nixos configuration +```sh +$ mkdir jellyfin && touch jellyfin/default.nix +``` +(or use the file explorer of your choice) + +### nix declaration + +Open `jellyfin/default.nix` in any text editor, and copy the following + +```nix +{ config, pkgs, lib, ...}: +{ + environment.systemPackages = with pkgs; [ + jellyfin + jellyfin-web + jellyfin-ffmpeg + logrotate + ]; + + services = { + jellyfin = { + enable = true; + }; + + logrotate.enable = true; + + nginx = { + virtualHosts."media.`, so that jellyfin is only acessible via the reverse proxy. + +{{% hint info %}} +The nix service of Jellyfin doesn't allow us to customize the port, so the default one (`8096`) has to be used. +{{% /hint %}} + +{{% hint info %}} +More information can be found at the [wiki](https://wiki.nixos.org/wiki/jellyfin), but it can be opaque. Specifically it has info concerning mounting external drives (from a NAS potentially), which is not covered here. +More options can be found [here](https://mynixos.com/nixpkgs/options/services.jellyfin). +{{% /hint %}} +### further setup +Once the service is up and running, go to `localhost:8096`, or `media.`, or whatever domain you set it to. + +You must set up an administrator account. This can either be a completely seperate account to your own, or it could be your own account. + +You must also point and set up the different libraries (and types of libraries) you want to host, like Movies/TV Shows/Music, etc. You can have multiple of each type. I have three for Music, two for TV Shows, and one for Movies, because I share this instance with other family members. + +{{% hint info %}} +Playlists are public in each library. You might want to make a Music library per user. +{{% /hint %}} + + +## service backups +Jellyfin simply serves media files, and fetches and displays metadata from within the media folders you provide. Just keep a backup of those folders. To keep a copy of the exact jellyfin setup and configuration you may do on top of the nix service, just keep a copy of `/var/lib/jellyfin`. diff --git a/content/theses/self-sufficiency/nixos-intro.md b/content/theses/self-sufficiency/nixos-intro.md new file mode 100644 index 0000000..0a5c056 --- /dev/null +++ b/content/theses/self-sufficiency/nixos-intro.md @@ -0,0 +1,31 @@ +--- +title: intro to nixos +weight: 4 +--- + +There are many other places to showcase how to pursue technological autonomy and self sufficiency in the current era, but usually their guides try to be independent from each other, meaning that if you want to run multiple services, it still requires manual configuration, and therefore there is a notion of "less" or "more" advanced setups, on top of following the guide line by line. + +In order to close this gap, and offer guides that work "as is" either in a vacuum, or as part of a larger setup, I have written this section, and propose the use of [NixOS](https://nixos.org) as the base OS for setting up everything. + +{{% hint info %}} +If you don't want to use [NixOS](https://nixos.org), there are two excellent resources: + +- [LandChad](https://landchad.net) (started by [Luke Smith](https://lukesmith.xyz) and added to by other people) +- [FUTO Wiki](https://wiki.futo.org) (written by [Louis Rossmann](https://rossman) for FUTO; Louis is also the founder of the fulu foundation, and of the [Consumer Action Taskforce (CAT)](https://consumerrights.wiki)) + +Everyone involved in either is smarter than me and a great inspiration. +{{% /hint %}} + +The benefits of [NixOS](https://nixos.org) cannot be understated: +- The fact that it all packages/services/programs are isolated, and therefore solving dependency issues means that none of the services you run has any possibility of clashing with any other. +- The declerative configuration of the entire OS means that once you have set up a complete solution, you can simply use [git](https://git-scm.com) to maintain the configuration of your system. This means that should you want to migrate your system (except your actual data), you simply grab your configuration files, and have a ready made clone of your previous system, within ***minutes***. + +For the above you need only to tolerate the following: +- Because each process is isolated, each package/service/program needs it's own copy, making the system a bit more demanding in terms of storage. This is not a significant issue however; Linux in general is extremely lightweight, and this adds a couple of GiBs at most. Once installed, NixOS is as fast as moth other distros. +- Due to it's unique configuration setup and novel language, there is a steeper learning curve in order to implement a "clean" system configuration, this however comes as a byproduct of a clean configuration being possible in the first place, which is not a thing in other operating systems. +- The documentation ***sucks***. I cannot overstate how annoying it is to find official information on most issues. Thankfully searching online yields good enough results most of the time. You can use [the official forums](https://discourse.nixos.org). You can also use any LLM, since they appear to be capable of parsing the code/misc documentation, and be able to handle the boilerplate language parts well enough. + +Especially at the early stages of using [NixOS](https://nixos.org), there needs to be a certain amount of trust to others holding your hand and telling you what to do. This is the case for the rest of this guide; In the following sections I will give verbatim nix configuration files, which abstract implementing by hand the services shown. I will not however show you how to use NixOS, as this is not the point of this guide. +{{%hint warning %}} +- To learn more about [NixOS](https://nixos.org), see [this online guide](https://nixos-and-flakes.thiscute.world/preface). It might look daunting, but if you are familiar with programing, it's quite simple. If you are unfamiliar with programming, it's still of value, although it might make more sense to just "trust me on this" and follow the rest of this guide, as it tries to hold your hand in terms of configuration. +{{% /hint %}} diff --git a/content/theses/self-sufficiency/photos.md b/content/theses/self-sufficiency/photos.md new file mode 100644 index 0000000..ca3dfe6 --- /dev/null +++ b/content/theses/self-sufficiency/photos.md @@ -0,0 +1,122 @@ +--- +title: photos +weight: 15 +--- + +One main purpose for using cloud services is keeping photos and videos, and other such media backed up in a server that is searchable, and that allows you to create albums to share with friends. + +For this purpose, in order to replace Google Photos/iCloud Photos, and to retain our ownership of said photos (both those services have restrictive ToS which gives them rights over *your* photos), we will use [`immich`](https://immich.app), which is a self-hosted free and open-source software photo and video management solution, with many features like duplicate detection and contextual search using machine learning, running locally. + +{{% hint danger %}} +As of writing this, immich is still in early/active development. There may be breaking changes between versions, so be wary and ***always keep a backup***, like an old drive, and store a copy of your photos there, just in case. +{{% /hint %}} + +## specs +The machine learning models run locally, which might make it more difficult to run on small or old hardware, but you can disable it. + +When the machine learning stack is not running, immich takes 285M of RAM on my system. + +## installation + +Create a `immich` folder and a `default.nix` file inside it, at the place where you have the rest of your nixos configuration +```sh +$ mkdir immich && touch immich/default.nix +``` +(or use the file explorer of your choice) + +### nix declaration + +Open `immich/default.nix` in any text editor, and copy the following + +```nix +{ config, lib, ... }: +{ + services = { + # Immich setup + immich = { + enable = true; + + host = "127.0.0.1"; + port = 3010; + machine-learning.enable = true; + }; + + nginx = { + virtualHosts."photos." = { + enableACME = true; + forceSSL = true; + + locations."/" = { + proxyPass = "http://127.0.0.1:3010"; + proxyWebsockets = true; + }; + }; + }; + }; + + hardware.graphics.enable = lib.mkForce true; + + users.users.immich = { + extraGroups = [ "video" "render" ]; + }; +} +``` +Then to enable it, just include it in the server config file: + +```nix + imports = [ + # ... other services + ./immich + # ... other services + ]; +``` +and you're done. Download the app for your phone, and connect through `https://photos.` + +Let's break the config file down. + +### explanation +1) First of all we declare the `immich` service as enabled. +2) We define the host and port, so that the service only speaks to the outside world via a reverse proxy (via `nginx`) +3) We explcitly enable machine learning functionality, like face and object detection. +4) We set up nginx to serve a reverse proxy at `photos.` pointing at the immich service. +5) We explicitly force the use of graphics drivers +6) Finally, we declare some information for the user that will run the `immich` service, `immich`. (we add `immich` to the `video` and `render` groups.) + +{{% hint info %}} +To disable any machine-learning functionality, simply set `machine-learning.enable = false;` +{{% /hint %}} + +{{% hint info %}} +More information can be found at the [wiki](https://wiki.nixos.org/wiki/immich), but it can be opaque. +More options can be found [here](https://mynixos.com/nixpkgs/options/services.immich). +{{% /hint %}} + +{{% hint info %}} +If you want to declare more settings and/or environment variables for `immich`, you can declare them: +```nix +services = { + immich = { + settings = { + # ... + }; + environment = { + # ... + }; + }; +}; +``` +- `services.immich.settings`, declares [settings found here](https://immich.app/docs/install/config-file/) and expects JSON syntax +You can find these settings and change them from the admin panel in your running instance of `immich` + +- `services.immich.environment`, declares [envarionment variables found here](https://immich.app/docs/install/environment-variables), and expects +`ENV_VAR_NAME = ENV_VAR_VALUE;` +Only for env vars tagged `server`, `api`, or `microservices`. +{{% /hint %}} +### further setup +Once the service is up and running, go to `localhost:3010`, or `photos.`, or whatever domain you set it to. + +You must set up an administrator account. This can either be a completely seperate account to your own, or it could be your own account. + +## service backups +By default, all media will be stored somewhere in `/var/lib/immich`. Automatic database backups are being kept inside `/var/lib/immich/backups` as `###.sql.gz` files, so you can store these alongside your media. +If you want you can simply make a copy of the entire `/var/lib/immich` folder at regular intervals. diff --git a/content/theses/self-sufficiency/web-server.md b/content/theses/self-sufficiency/web-server.md new file mode 100644 index 0000000..9ce5cfa --- /dev/null +++ b/content/theses/self-sufficiency/web-server.md @@ -0,0 +1,97 @@ +--- +title: web-server +weight: 7 +--- +In order to host anything online nowdays, everybody needs a couple of things. The first is a [domain](/notes/self-sufficiency/domain.md), and the second is a web server to handle the different domains/subdomains and the HTTP(S) requests, and deal with the SSL certificates. + +Here we will use [`nginx`](https://nginx.org); [`caddy`](https://caddyserver.com) is also an option (so is `apache`, etc) that automates SSL, but before moving to `NixOS` I was using `nginx`, so I am more familiar with the syntax + +We will put the following at the root of our own `modules/server/` folder, since it is the aggregation point for all the following services. + +## nix decleration + +Make a default.nix at `/modules/server` +```sh +$ touch /modules/server/default.nix +``` +(or use the file explorer of your choice) + +### configuration + +Open `default.nix` in any text editor, and copy the following + +```nix +{ + imports = [ + # ... all the services will go here + ]; + + services = { + nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + }; + + sshguard.enable = true; + + openssh = { + enable = true; + settings = { + PermitRootLogin = false; + PasswordAuthentication = false; + AllowTcpForwarding = false; + X11Forwarding = false; + }; + }; + + }; + + networking = { + firewall.allowedTCPPorts = [ 80 443 ]; + }; + + security.acme = { + acceptTerms = true; + defaults.email = ""; + } +} +``` +and you're done. + +Let's break the config file down. + +### explanation +1) We declare `nginx` as enabled, and set it to use the recommended options. +2) We enable `sshguard`, which protects hosts from brute-force attacks, among other things. +3) We enable `openssh`, so that we can access the server via SSH, but configure it so that nobody can use a password to log in, and root login is disabled. +4) We open ports `80 (HTTP)` and `443(HTTPS)` to the internet. +5) We set up the `acme` service which fetches SSL certificates from LetsEncrypt. Certificates require to accept the terms and an email for communication, so we accept the terms and provide an email. + +{{% hint warning %}} +Before you enable the openssh config as is, make sure you have an `authorizedKey` on your user, otherwise you can be locked out of your machine. +To set an SSH authorized key add this tou your `user` config +```nix +users = { + users = { + = { + # ... + openssh.authorizedKeys.keys = [ + + + # ... + ] + # ... + } + } +} +``` +{{% /hint %}} + +{{% hint info %}} +By default nixos sets a daily interval to renew the Let'sEncrypt SSL certificates, so we don't need to worry. +{{% /hint %}} + +Now we can start adding services. -- cgit v1.2.3