Derek Siver's shell script for tech independence(sive.rs)
sive.rs
Derek Siver's shell script for tech independence
https://sive.rs/ti.sh
39 comments
Related discussion from yesterday: https://news.ycombinator.com/item?id=37546255
Thanks! Macroexpanded:
Tech Independence - https://news.ycombinator.com/item?id=37546255 - Sept 2023 (66 comments)
Tech Independence - https://news.ycombinator.com/item?id=37546255 - Sept 2023 (66 comments)
Fascinating that the instructions buck the trend of curl'ing and piping to bash, but rather ftp's and then executes separately.
> Type ftp https://sive.rs/ti.sh
> Type sh ti.sh
> Type ftp https://sive.rs/ti.sh
> Type sh ti.sh
7 if [[ $(id -u) -ne 0 || $(uname) != "OpenBSD" ]]; then
8 echo "must be run as root on OpenBSD"
9 exit 1
10 fiSomeone should redo this, but with Guix or NixOS
It's very rough, and I haven't found much time to work on it recently, but I've started something with https://github.com/RyanGibb/eilean-nix
This is great (although I haven't tried it yet). And it would in theory be more deterministic and less brittle than Derek Sivers' instructions.
IDK, I think an important part of the process is the act of doing. You more deeply understand what is going on.
This actually has a similar purpose to an idea I had for basically creating a "your own backoffice" distribution of software (a little more turnkey, but with the same idea of tying it to a particular low-cost cloud provider). I love the concept and love seeing this kind of thing. I believe in the mission. I think being opinionated about first steps is an important part of it.
What bogged me down were "day 2" concerns around troubleshooting and maintainability. I had a somewhat more ambitious plan that would involve monitoring and rollouts and so forth as well, so it's not really something you do in a shell script and forget about. And I was focusing on the use case of a small group of people rather than a single, disconnected person, because that's so much of what (I think) we use our devices for. And I wanted to focus on using tools in a standard way so that you could actually learn how your system worked by looking at its standard configurations, written in a standard way (not "pkg_add" and "opaque ad-hoc config template") and being aware of how to change them over time as you learned more.
I still think this is great but I'm not sure it's the kind of thing you can just run and then be okay. Hell, I'm a "tech professional" for whatever that's worth and it's hard enough for me to keep homeassistant updated and free from rot. A single server that's not backed up--and even if it were, without features for restoring--or updated (even recommending never updating it--I love OpenBSD and its stability is great but there are reasons to update) just isn't something to tell someone to start relying on for their digital life.
What bogged me down were "day 2" concerns around troubleshooting and maintainability. I had a somewhat more ambitious plan that would involve monitoring and rollouts and so forth as well, so it's not really something you do in a shell script and forget about. And I was focusing on the use case of a small group of people rather than a single, disconnected person, because that's so much of what (I think) we use our devices for. And I wanted to focus on using tools in a standard way so that you could actually learn how your system worked by looking at its standard configurations, written in a standard way (not "pkg_add" and "opaque ad-hoc config template") and being aware of how to change them over time as you learned more.
I still think this is great but I'm not sure it's the kind of thing you can just run and then be okay. Hell, I'm a "tech professional" for whatever that's worth and it's hard enough for me to keep homeassistant updated and free from rot. A single server that's not backed up--and even if it were, without features for restoring--or updated (even recommending never updating it--I love OpenBSD and its stability is great but there are reasons to update) just isn't something to tell someone to start relying on for their digital life.
This bash script is the real Proof of Work.
I don’t understand the tech independence claim? The script is replacing a unified service like Google or Apple iCloud with a lot of other services. Vultr and mailgun for example.
There is something to be said about the larger centralized services. I’d be hesitant to put any sensitive files on my own server. The larger firms have security departments ready to respond to CVE’s and 0days.
There is something to be said about the larger centralized services. I’d be hesitant to put any sensitive files on my own server. The larger firms have security departments ready to respond to CVE’s and 0days.
I work at one of these "larger firms".
You might be surprised at how much even basic things like security response or considerations are valued at "larger firms", or inconsistently applied (in part because of their size), or don't accord with the users' interests.
It's typical for "larger firms" for example to have a vulnerability evaluation process that pretty much boils down to "can we avoid responding to this vulnerability at all?" and if there's any way to avoid it, they do--because even patching will cost money. Across a big service with a variety of components? Potentially even "real" money. And the mistakes these companies make, when they make them, are often huge (like Sony storing plaintext passwords), even when they're elementary mistakes.
Put something on encrypted storage and served by a reasonably-configured OpenBSD server? That's probably quite a bit safer from compromise, when considering all threats, than Flickr or Google Drive or whatever. What it's not safer from, probably, are corruptions and loss (like from bad hardware, mistaken deletion, key loss, and so forth).
So I use both services and self-hosted things--but it's certainly the case for my "sensitive files" that they don't go within sniffing distance of a "larger firm" cloud service but are stored and backed up with my own encryption, using tools like OpenBSD and the utilities stemming from it.
As for whether it's "tech independence", perhaps it's more about being able to make the choice for yourself about where that line is drawn, rather than being forced to accept serfdom because you don't know any better. If someone takes this as a first step, moving cloud providers could be their second, or DNS registrars; or maybe revision 2 of the script (or someone else taking inspiration from it) can describe how to host your own nameservers and MTA. But there has to be some place to start, and an opinionated cookbook is not a bad one.
You might be surprised at how much even basic things like security response or considerations are valued at "larger firms", or inconsistently applied (in part because of their size), or don't accord with the users' interests.
It's typical for "larger firms" for example to have a vulnerability evaluation process that pretty much boils down to "can we avoid responding to this vulnerability at all?" and if there's any way to avoid it, they do--because even patching will cost money. Across a big service with a variety of components? Potentially even "real" money. And the mistakes these companies make, when they make them, are often huge (like Sony storing plaintext passwords), even when they're elementary mistakes.
Put something on encrypted storage and served by a reasonably-configured OpenBSD server? That's probably quite a bit safer from compromise, when considering all threats, than Flickr or Google Drive or whatever. What it's not safer from, probably, are corruptions and loss (like from bad hardware, mistaken deletion, key loss, and so forth).
So I use both services and self-hosted things--but it's certainly the case for my "sensitive files" that they don't go within sniffing distance of a "larger firm" cloud service but are stored and backed up with my own encryption, using tools like OpenBSD and the utilities stemming from it.
As for whether it's "tech independence", perhaps it's more about being able to make the choice for yourself about where that line is drawn, rather than being forced to accept serfdom because you don't know any better. If someone takes this as a first step, moving cloud providers could be their second, or DNS registrars; or maybe revision 2 of the script (or someone else taking inspiration from it) can describe how to host your own nameservers and MTA. But there has to be some place to start, and an opinionated cookbook is not a bad one.
> There is something to be said about the larger centralized services. I’d be hesitant to put any sensitive files on my own server. The larger firms have security departments ready to respond to CVE’s and 0days.
Some people change their own oil, mow their own lawns, fix their own dripping faucets, etc.
Running a secure server on the internet requires different, but not more knowledge and effort, and is less expensive, than changing your own oil.
There's no need to be in thrall to the "larger firms". They have different problems, which you might not be able to solve for them -- but you can often solve your own.
Some people change their own oil, mow their own lawns, fix their own dripping faucets, etc.
Running a secure server on the internet requires different, but not more knowledge and effort, and is less expensive, than changing your own oil.
There's no need to be in thrall to the "larger firms". They have different problems, which you might not be able to solve for them -- but you can often solve your own.
I think this is disingenuous. Example: configuring a linux firewall properly is not on the same competency level of changing your oil.
This script doesn’t harden sshd to the level I’d call safe. Disabling root login is minimum. I’d have port change, timeouts, fail2ban, otp via Pam all configured. Only allow specific IP ranges and users to ssh. I’d use ansible to properly configure instead of this script.
In the case of httpd. Id run it in docker or chroot. Again fail2ban, otp, I’d probably put it on a different port have it proxied via Cloudflare and have httpd only allow Cloudflare ips.
All this that are difficult to learn.
Source: I run my families infrastructure. Which spans multiple servers, routers, switches across 7 houses in 3 countries. I also change my own oil.
This script doesn’t harden sshd to the level I’d call safe. Disabling root login is minimum. I’d have port change, timeouts, fail2ban, otp via Pam all configured. Only allow specific IP ranges and users to ssh. I’d use ansible to properly configure instead of this script.
In the case of httpd. Id run it in docker or chroot. Again fail2ban, otp, I’d probably put it on a different port have it proxied via Cloudflare and have httpd only allow Cloudflare ips.
All this that are difficult to learn.
Source: I run my families infrastructure. Which spans multiple servers, routers, switches across 7 houses in 3 countries. I also change my own oil.
fail2bandaid is just a log cleaner. It doesn’t really provide security if you’re using keys correctly.
Great metaphor. Thank you.
>The larger firms have security departments ready to respond to CVE’s and 0days.
Nah, they do have large security departments, though.
I've met many CSOs that had never wrote a line of code in their lives. That kind of works ... until it doesn't and it fails embarrasingly bad.
Nah, they do have large security departments, though.
I've met many CSOs that had never wrote a line of code in their lives. That kind of works ... until it doesn't and it fails embarrasingly bad.
Cool background - Derek created CDBaby back in the day.
Cool dude. Check out his interview on the Tim Ferris podcast for context on why you might want the tech independence this script enables
Cool dude. Check out his interview on the Tim Ferris podcast for context on why you might want the tech independence this script enables
I've read for of his books, which he sold in a package deal for cheap last year.
And he's working on a new one: https://sive.rs/u
And he's working on a new one: https://sive.rs/u
Starts at 24 minutes here: https://www.youtube.com/watch?v=0BaDQCjqUHU
To format a YouTube URL that is indexed to a particular time, just add the minutes/seconds after it like so:
https://www.youtube.com/watch?v=0BaDQCjqUHU#t=24m
(or NNs for seconds, or MMmNNs etc.)
https://www.youtube.com/watch?v=0BaDQCjqUHU#t=24m
(or NNs for seconds, or MMmNNs etc.)
I note that format doesn't work with Invidious, it only handles the older(?) format using & instead of # : https://www.youtube.com/watch?v=0BaDQCjqUHU&t=24m
Ah. I get around those issues by paying for YouTube, because as a Gen X’er I believe in paying for good services. :P (And its recommendations are excellent, now that Google knows me so well. LOL)
Now I check, Youtube still generates timestamped URLs with it in the query string. I wonder where the # alternative comes from.
I hand-made the URL. I could have used a querystring as well, but the pound symbol usually indexes down to a particular part of a page, so it makes sense that they would also make it index to a particular part of a video
[deleted]
Immediately disables IPv6. Amazing.
I may be out of the loop, but what's wrong with IPv6?
I presume he does it to reduce possible issues and mid configurations.
If you have IPv4 addresses IPv6 isn’t necessary, and it can result in strange “almost works sometimes” cases.
Worth learning, of course, but it’s a whole different thing.
If you have IPv4 addresses IPv6 isn’t necessary, and it can result in strange “almost works sometimes” cases.
Worth learning, of course, but it’s a whole different thing.
It's ksh not bash.
It's only for OpenBSD 7.3 on Vultr.com
It should only be run in the context of the steps at https://sive.rs/ti
I was trying to help non-technical people experience the empowering joy of having their own server, so instead of the usual "you could do this or that, here or there", this is a single-track "just do this".
It's only for OpenBSD 7.3 on Vultr.com
It should only be run in the context of the steps at https://sive.rs/ti
I was trying to help non-technical people experience the empowering joy of having their own server, so instead of the usual "you could do this or that, here or there", this is a single-track "just do this".
Ok, I've bashed that part out of the title above. Thanks!
Random question regarding OpenBSD:
I'm curious why you suggested OpenBSD vs Linux? I read through your linked "OpenBSD : why and how" [1] article - as well as the secondary linked article from that page [2] - and couldn't help but notice how many of the reasons listed were reasons why not to use OpenBSD. More than that, the limitations (while I do understand the value of doing simple things well) of the system seem highly constraining.
Do you use OpenBSD for all your devices, all the time? Or is it more of a thing where OpenBSD serves your needs perfectly for some smaller subset of what a "computer" is, and for everything else you have a separate device to fill those needs? (An ipad/macbook for media consumption, a home server for handling media related tasks, etc.)
Love the general sentiment behind the article, btw. The OpenBSD thing just really stood out to me as I read through it.
[1] - https://sive.rs/openbsd [2] - https://dataswamp.org/~solene/2022-06-22-openbsd-selling-arg...
I'm curious why you suggested OpenBSD vs Linux? I read through your linked "OpenBSD : why and how" [1] article - as well as the secondary linked article from that page [2] - and couldn't help but notice how many of the reasons listed were reasons why not to use OpenBSD. More than that, the limitations (while I do understand the value of doing simple things well) of the system seem highly constraining.
Do you use OpenBSD for all your devices, all the time? Or is it more of a thing where OpenBSD serves your needs perfectly for some smaller subset of what a "computer" is, and for everything else you have a separate device to fill those needs? (An ipad/macbook for media consumption, a home server for handling media related tasks, etc.)
Love the general sentiment behind the article, btw. The OpenBSD thing just really stood out to me as I read through it.
[1] - https://sive.rs/openbsd [2] - https://dataswamp.org/~solene/2022-06-22-openbsd-selling-arg...
I use OpenBSD for basically everything: laptop, desktop, server. It's been my server OS since 1999. I play with other OSs and come back to the solid simplicity of OpenBSD.
I chose OpenBSD for https://sive.rs/ti because of its simplicity and security, and that it has the mailserver and webserver built-in.
I chose OpenBSD for https://sive.rs/ti because of its simplicity and security, and that it has the mailserver and webserver built-in.
If you ran your own github clone (self-hosted Gitlab, Gitea etc.), we could fork that script and improve upon it, potentially
[deleted]
* sets up your server
* secure SSH and firewall
* private encrypted storage
* web server
* file server
* secure TLS certificate
* maintenance scripts to keep it secure
* calendar server
* contacts server
* email server with IMAP
* free email sending via Mailjet
* SPF + DKIM DNS to secure email[deleted]