A few entities I liked recently announced the Digital Independence Day (DI.DAY) which is a good motivation to regain ownership of my data.
Technically, DI.DAY is tomorrow, but I don’t feel like computering on a Sunday, so here we go.
I have been working on regaining data for a couple of months already, but it’s been on and off, so the initiative is a good reminder.
Here’s what I’ve done in the past:
- Installed TrueNAS Community on my UGREEN NASync DXP4800 and DXP2800
- Set up ZFS replication for my important data between the two NAS
- Moved my TimeMachine Backups from removable SSDs to the NAS
- Migrated all my photos from Google Photos to Immich
- Moved all important documents from Google Drive to paperless-ngx
- Replaced my Amazon Echo devices with Apple HomePods (because I trust Apple a tiny bit more and like the convenience of a voice assistant)
Before I move more stuff over to my systems, I wanted to make sure they have a good environment to run on. Most of the SaaS solutions we often rely on aren’t necessarily better than the open source solutions, but we keep telling ourselves that they are more secure against hackers or data loss.
Therefore, on this first DI.DAY, I want to:
- Ensure my systems feel uniform
- Ensure my systems are up to date
- Ensure my systems have basic security measures set up
- Set up a central OIDC auth server
- Move from tailscale to headscale
Ansible
I use Ansible a lot at work, but somehow I’ve never bothered to set it up for my private systems and also never really cared about uniformity between them. This changes today.
I’ve created an Ansible playbook to achieve the following tasks:
- Install packages I want to be present on every system
- Configure unattended-upgrades on all servers
- Create synced users, configure shells and configs, configure sudo
- Hardened sshd-config and deployed my SSH keys to all systems
- Additional security measures I don’t want to outline here
Right now, all Ansible code still requires me to run it manually; in the future I might consider using AWX or a CI/CD pipeline of my choosing, but that’s for another day.
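As an added illustration (not the author’s playbook), here is a minimal playbook covering the tasks listed above. It assumes Debian/Ubuntu targets in an inventory group `servers`, an admin user `ops` whose public key lives in `files/ops.pub` beside the playbook, and the `ansible.posix` collection being installed. The key is deployed before password authentication is switched off, and both the sudoers drop-in and sshd_config are syntax-checked before they are written, so a typo cannot lock you out.

```yaml
# Added example, not the author's playbook. Assumes Debian/Ubuntu hosts in group
# "servers", admin user "ops" with key in files/ops.pub, and ansible.posix installed.
- name: Baseline for every host
  hosts: servers
  become: true
  vars:
    admin_user: ops
    baseline_packages: [zsh, git, vim, htop]   # illustrative set, pick your own
  tasks:
    - name: Install baseline packages plus unattended-upgrades
      ansible.builtin.apt:
        name: "{{ baseline_packages + ['unattended-upgrades'] }}"
        state: present
        update_cache: true
    - name: Enable periodic unattended upgrades
      ansible.builtin.copy:
        dest: /etc/apt/apt.conf.d/20auto-upgrades
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";
    - name: Create the synced admin user with zsh as login shell
      ansible.builtin.user:
        name: "{{ admin_user }}"
        shell: /usr/bin/zsh
        groups: sudo
        append: true
    - name: Deploy SSH public key before password auth is disabled below
      ansible.posix.authorized_key:
        user: "{{ admin_user }}"
        key: "{{ lookup('file', 'files/ops.pub') }}"
    - name: Grant sudo via a visudo-validated drop-in
      ansible.builtin.copy:
        dest: "/etc/sudoers.d/{{ admin_user }}"
        mode: "0440"
        content: "{{ admin_user }} ALL=(ALL) NOPASSWD: ALL\n"
        validate: /usr/sbin/visudo -cf %s
    - name: Harden sshd, syntax-checked before the file is replaced
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?{{ item.key }}\s'
        line: "{{ item.key }} {{ item.value }}"
        validate: /usr/sbin/sshd -t -f %s
      loop:
        - { key: PermitRootLogin, value: "no" }
        - { key: PasswordAuthentication, value: "no" }
        - { key: AllowUsers, value: "{{ admin_user }}" }
      notify: Restart sshd
  handlers:
    - name: Restart sshd
      ansible.builtin.service: { name: ssh, state: restarted }
```

Run it with `ansible-playbook -i inventory.ini baseline.yml --check --diff` first to see what would change on each host before applying it for real.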
ZSH
I’ve been using Oh my ZSH for ages, but I never set it up for the root user out of laziness.
After installing it, I noticed I had a hard time distinguishing between my usual user and root, so I made a small change to the afowler-theme which I’ve been using for years, changing the hostname to red if the user is root:
# ~/.oh-my-zsh/themes/afowler-root.zsh-theme
# %(!.X.Y) expands to X when the shell is privileged (root) and to Y otherwise,
# so the hostname (%m) and the » marker turn red only in a root shell.
PROMPT='%B%(!.%F{red}.)%m%f%b %B%F{blue}:: %b%F{green}%3~ $(hg_prompt_info)$(git_prompt_info)%B%(!.%F{red}.%F{blue})»%f%b '
# rest remains unchanged
[...]
Updates
The systems themselves receive security updates via unattended-upgrades; however, I run most of my services in docker compose deployments, which will also require occasional updates.
I’ve deployed What’s up Docker on all Docker hosts to get a bit of oversight over the deployed containers. There’s no automatic update happening yet, as I haven’t yet figured out the best way to achieve this.
I will add WUD to my Prometheus once I set it up.
Central OIDC Server
At EdgeOps we use Authentik for most of our OIDC needs, and I have nothing to complain about there. On the contrary, I’ve really enjoyed having SSO for all services, so I will definitely add it to more services in the next couple of DI.DAYs. Setting up Authentik was a breeze using Docker containers, I used traefik as a reverse proxy that also handles Let’s Encrypt for me.
I rely on YubiKeys as a 2nd factor, so I configured Authentik to enforce MFA using WebAuthn.
Headscale
To be honest, I really love tailscale. I’ve used it a bunch in my professional life, and it never let me down. If it were left to my gut, I’d probably stick with it forever.
However, my tailnet is using my Google Workspace (or whatever it is called today) as authentication provider, and switching it to OIDC isn’t really easy; reading the docs didn’t inspire much confidence that this is a primary focus of the developers.
So I bit the bullet, purchased a new VM to run as a headscale server, and configured it according to the docs. I used Authentik as OIDC provider. The documentation is spot on, so setting everything up was a breeze.
Headscale worked as a great drop-in replacement for the official tailscale binaries/apps, so a simple tailscale login --login-server <url> did the trick.
On the TrueNAS app this can be achieved by passing --login-server <url> in the Extra Arguments section.
Next Steps
Before we can move more stuff to self-hosted, I mainly need monitoring and backups to feel comfortable, but that’s for another DI.DAY.
Conclusion
DI.DAY #1 was a success for me. My infrastructure feels more uniform and I have a solid foundation I can use going forward. So far, everything went pretty smoothly and I’m really questioning why I didn’t do a bunch of this a lot sooner.
A special thanks goes out to the initiators of DI.DAY! And now it’s up to you, go out there and regain control of your data!