Category: Tech

Shifting Towards Convenient Computing

Being in tech for a while, you jump a lot of ships either due to being bored or out of curiosity. My curiosity in computing devices started some 6-7 years ago .

At the time I had a HP laptop with 8 Gigs of RAM and 2 TB of hard drive. That thing I used throughout my college and I still have it alive and was using it actively (after adding 8 more Gigs of RAM and a much needed SSD) till few days ago. There is not a time in past 7 year, when this thing didn’t gave me a headache – being multiple battery failures, hinge issues, long boot time and finally only running when connected to power supply. There was also a small period when this thing become so slow(before ssd upgrade), that I just used it to remote login into my Hetzner box where I used Webtop docker image as my main PC/Server to do my daily stuff and internship work.

But to it I owe all my learning and explorations . Either it be exploring linux for the first time or being strictly aware of privacy and security aspect of tech.Underlying all of it was the hardware whose components were failing from first year of use.I am also somewhat to blame as my machine always remained in active state 18+ hrs a day on regular basis.

Having started with Linux in 2019, particularly Ubuntu 18.04 as my main OS, I never missed windows and had it completely wiped off from hard drive . My computer always had Virtualbox then, where there was multiple different flavors of linux for different purposes. I had Parrot for my security learning(I switched to manjaro later,and god it was painful: the pentesting packages experience on an arch based distro), Whonix/Tails for the privacy focused part and many other flavors.

There were some initial driver issues like wifi, bluetooth which I solved , but there were some which remained always broken on that hardware(microphone). The best part was that the machine was so usable with linux in it and that’s what it should have from beginning. I explored lot of things which would have been pain on windows and just like that I was windows free.

Then few years down the line I got to use Thinkpads(work pc) as my daily driver , which I combined with Manjaro and used it for around 1 year. This machine was flawless . A 14 inch portable beauty with awesome battery life(7-8+ hrs on average development tasks) and an AMD cpu which I can’t complain about.I certainly miss that machine. To me it was more beautiful than the HP or Dells I had seen/used.

After that I needed another machine as I didn’t had any functional computer and I bought ~ 1000$ MSI with good specs(RTX GPU with H series Intel). I had windows on it and after 4 years of not using it I wanted to give it a try just to save my PC from having 2 OSes as I had planned on some gaming . The experience was okay at first due to WSL, but degraded very fast when I learnt about memory leaks in docker + WSL system. I installed linux in dual boot and it worked like charm. Not a single driver issue.But then Hardware failed, hinge broke and I was without that pc for a month.

This was the first time I thought I SHOULD JUST HAVE BOUGHT A MAC. Inspite of my disdain towards Apple and it’s closed walled garden, they have quality and powerful hardware , which just don’t fail in 3 months.

For the next 1 year I again used my old HP with Pop OS for my work, it was slow when doing multiple parallel tasks,but still it worked out. I never again tried to install Linux on my MSI as I used that for my increased interest in gaming as I had very less storage there .In all these times I really missed the portability and battery life of Thinkpads.

So , I eventually purchased my first ever Macbook Air to replace my aging Linux HP.While I still don’t like Apple, the quality of the hardware mixed with battery life have impressed me a lot.I am still getting used to MacOs and as of today I still prefer linux, but hardware wise I can’t be more happy in this form factor.

So for this year , I plan to use my mac extensively for all tasks bar Gaming. I will always be on lookout for an Intel/AMD/ARM hardware with powerful iGPU(i love 780M) and with power efficiency of mac level. I will always be eager to come back to using Linux as my daily driver as I believe it is far more superior(I just need to find the best hardware for me).

This post came out of my boredom and I am tired now. I will soon be writing about my latest read Kurt Vonnnegut’s Player Piano . GoodBye for now.

Setup publicly accessible services in cloud securely with reverse proxy and SSL certificate

Before we proceed with how to setup cloud/self hosted services securely, let’s go over some of the things that would be needed for this tutorial.Also the installations command is given keeping Debian like systems in mind, but can easily be found for other systems with a simple web search.

  • Docker : Install docker and docker-compose
    • sudo apt install docker.io
    • sudo apt install docker-compose-plugin
    • sudo usermod -aG docker $USER
    • newgrp docker
  • In firewall configurations, open port 443 to internet, can be done either of given ways:
    • sudo ufw allow https (for homeserver)
    • Open port 443 in cloud firewall/network (for cloud setup)
  • Also open port 80 in cloud firewall/network if using http for domain validation.
  • Either buy a domain through domain providers or visit Duckdns to get free dynamic dns.

Setting up SWAG container

SWAG sets up an Nginx webserver and reverse proxy with php support and a built-in certbot client that automates free SSL server certificate generation and renewal processes (Let’s Encrypt and ZeroSSL). It also contains fail2ban for intrusion prevention.

Here, I will be giving two swag.yml docker-compose files, which can be used alternatively depending upon whether you use some domain providers or duckdns.

Using Domain Providers

version: "2.1"
services:
  swag:
    image: lscr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000 # your user and group ids
      - PGID=1000 # get it with typing `id` in terminal
      - TZ=Asia/Kolkata # Docker available time zone regions
      - URL=your-domain.com  # the domain name that you bought
      - SUBDOMAINS=www,jellyfin,code-server # the subdomains which serves the specific services
      - VALIDATION=http
    volumes:
      - ./swag:/config
    ports:
      - 443:443
      - 80:80
    restart: unless-stopped

We will be using http validation to validate domain ownership. Visit your domain providers console’s manage dns section and follow the given steps to configure it correctly:

  • configure A records, add:
    • www . your-domain.com
    • your-domain.com
  • configure CNAME for each service you want to run, for each CNAME we need to configure hostname and value as:
    • CNAME (for service 1 : let’s say code-server)
      • Hostname : code-server.your-domain.com
      • Value : www . your-domain.com
    • CNAME (for service 2 : let’s say jellyfin)
      • Hostname : jellyfin.your-domain.com
      • Value : www . your-domain.com
    • In similar way, we can add as many as CNAMEs as number of services.

Using Dynamic DNS(DuckDns)

---                                                 
version: "2.1"                                      
services:                                           
  swag:                                             
    image: lscr.io/linuxserver/swag                 
    container_name: swag                            
    cap_add:                                        
      - NET_ADMIN                                   
    environment:                                    
      - PUID=1000                                   
      - PGID=1000                                   
      - TZ=Asia/Kolkata                             
      - URL=your-domain.duckdns.org                 
      - SUBDOMAINS=wildcard                         
      - VALIDATION=duckdns                          
      - DUCKDNSTOKEN=97654867496t4657382648659765854
    volumes:                                        
      - ./swag:/config                              
    ports:                                          
      - 443:443                                     
      - 80:80                                       
    restart: unless-stopped

Here, we won’t need to do anything if we are following default container names, so visit following subdomain after setup for:

  • code-server : code-server.your-domain.duckdns.org
  • jellyfin : jellyfin.your-domain.duckdns.org

Now, following either one of the way from above , we are ready to fire up our swag container, we can do so by running:

docker compose -f swag.yml up -d

Only if the domain name configurations are done properly the nginx server on swag container will start.

Check docker logs swag -f to verify if swag is successfully running without errors, it should have printed `server ready` otherwise reconfigure swag yaml file and domain name and recreate the swag container.

Before moving ahead, we need to create a user defined network and add swag container to that network, also we would add all subsequent docker containers to this network for inter-network connectivity. To do this:

docker network create -d bridge my_network
docker network connect my_network containerId

Setting up Individual Apps

  1. Setting up Jellyfin media server along with transmission torrent(transmission won’t be open to internet in this example), create a jellyfin.yml file with following content:
---                                                      
version: "2.1"                                           
services:                                                
  transmission:                                          
    image: lscr.io/linuxserver/transmission:latest       
    container_name: transmission                         
    environment:                                         
      - PUID=1000                                        
      - PGID=1000                                        
      - TZ=Asia/Kolkata                                  
      - TRANSMISSION_WEB_HOME= #optional                 
      - USER=admin #optional                             
      - PASS=password #optional                          
      - PEERPORT=51413                                   
    volumes:                                             
      - ./transmission/data:/config                      
      - ./shared/downloads:/downloads                    
    ports:                                               
      - 9091:9091                                        
      - 51413:51413                                      
      - 51413:51413/udp                                  
    restart: unless-stopped                              
  jellyfin:                                              
    image: lscr.io/linuxserver/jellyfin:latest           
    container_name: jellyfin                             
    environment:                                         
      - PUID=1000                                        
      - PGID=1000                                        
      - TZ=Asia/Kolkata                                  
      - JELLYFIN_PublishedServerUrl=192.168.0.5 #optional
    volumes:                                             
      - ./jellyfin/config:/config                        
      - ./shared/downloads:/data/to_watch                
    ports:                                               
      - 8096:8096                                        
      - 8920:8920 #optional                              
      - 7359:7359/udp #optional                          
      - 1900:1900/udp #optional                          
    restart: unless-stopped

now enter inside swag container using command ,

docker exec -it swag_container_id bash

and do following mentioned things:

  • cd /config/nginx/proxy-confs/
  • mv jellyfin.subdomain.conf.sample jellyfin.subdomain.conf
  • restart the swag container

Also add this container to user defined bridge network:

docker network connect my_network jellyfin_containerId

2. Setting up code-server with password authentication, create a code-server.yml with below content:

---
version: "2.1"
services:
  code-server:
    image: lscr.io/linuxserver/code-server:latest
    container_name: code-server
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Asia/Kolkata
      - PASSWORD=password1
      - SUDO_PASSWORD=password2
      - DEFAULT_WORKSPACE=/config/workspace #optional
    volumes:
      - ./code-server/config:/config
    ports:
      - 8443:8443
    restart: unless-stopped

Do again same as above as entering in swag container and moving files and restarting it along with adding code-server container to the user defined bridge network.

Now, we are done, we can access our containers now and they will look something like this:

Jellyfin: visit https://jellyfin.your-domain.com

Code Server: visit https://code-server.your-domain.com

In similar ways, we can host numerous services securely with very minimal attack surface available to exploit by malicious entities.

IMPORTANT – As you keep on adding more services, keep in mind to append them to swag container’s SUBDOMAINS environment variable and recreate the swag container.

Please refer linuxserver.io for even more awesome services and more detailed explanation for swag .

Happy hacking !

Design a site like this with WordPress.com
Get started