self-hosted.tools

How to use ZITADEL for Authentication with Open WebUI

Tue, 25 Feb 2025 00:00:00 +0000

If you’re considering implementing Single Sign-On (SSO) for Open WebUI I’ve got you covered. Integrating it with ZITADEL is a great solution.
This guide will take you step-by-step through setting up SSO and managing roles, helping to boost both security and user experience.
Let’s get started on making your (and your users) experience as seamless as possible!

This guide will not cover on how to setup and configure ZITADEL or Open WebUI, I will focus on the oidc part.

Steps in ZITADEL

Create a new Project:

I would advise setting those three settings (you dont need to set the last two, but it gives you more control over what users can try to log in): Dont forget to click Save!

Create a new Application and select “WEB” as type:

Select Code as the authentication method:

Add https://ai.example.com/oauth/oidc/callback as the callback URL (change ai.example.com to your deployment URL):

Control overview and click “Create”:

Copy your ClientId and ClientSecret and store them somewhere temporary:

Switch to Token Settings, check both options, and click Save:

Switch back to your Project and click on “Roles”.
Create an admin and user role:

Open WebUI expects the roles claim to be flat and won’t work with the standard ZITADEL Roles Claim. We will fix that with a custom action that adds the roles of a user flat to the token. Switch to the “Actions” Tab and create a new action:

Name: flatRolesClaim (The name of the action and the name of the function in the javascript have to be the same)

Add the following content (adjusted from here):

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34


/**
 * Adds an additional claim in the token with roles in flat format.
 *
 * The role claims of the token look like the following:
 *
 * // added by the code below
 * "flatRolesClaim": ["test", "role2", ...],
 * // added automatically
 * "urn:zitadel:iam:org:project:roles": {
 * "test": {
 * "201982826478953724": "zitadel.localhost"
 * }
 * }
 *
 * Flow: Complement token, Triggers: Pre Userinfo creation, Pre access token creation
 *
 * @param ctx
 * @param api
 */

function flatRolesClaim(ctx, api) {
 if (ctx.v1.user.grants == undefined || ctx.v1.user.grants.count == 0) {
 return;
 }

 let grants = [];
 ctx.v1.user.grants.grants.forEach(claim => {
 claim.roles.forEach(role => {
 grants.push(role);
 })
 })

 api.v1.claims.setClaim('flatRolesClaim', grants);
}

Add the following flow:

Last thing to do in Zitadel is to give a user access. Go to your project and give a user the needed authorizations:

Open WebUI

Add the following to your Open WebUI env variables:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13


OAUTH_CLIENT_ID: "308724015575405835" # copied before
OAUTH_CLIENT_SECRET: "your-secret" # copied before
ENABLE_OAUTH_SIGNUP: "true"
# if your user has the same email in ZITADEL and existing open webui install, the users will be merged
OAUTH_MERGE_ACCOUNTS_BY_EMAIL: "true"
# change to your zitadel url
OPENID_PROVIDER_URL: "https://sso.example.com/.well-known/openid-configuration"
OAUTH_PROVIDER_NAME: "ZITADEL"
OAUTH_SCOPES: "openid email profiles"
ENABLE_OAUTH_ROLE_MANAGEMENT: "true"
OAUTH_ROLES_CLAIM: "flatRolesClaim"
OAUTH_ALLOWED_ROLES: "openwebui_user"
OAUTH_ADMIN_ROLES: "admin"

You can still have signups disabled for normal users; ZITADEL users can still log in (even if they have never logged in before).
If you have your default user role set to “pending”, ZITADEL users with the role “openwebui_user” or “admin” assigned will have their respective role inside Open WebUI and won’t be set to “pending”. If you did not set “Check authorization on Authentication” and a ZITADEL user without one of your roles logs in, the account will be in a pending state.

I hope this tutorial helped you set up SSO in Open WebUI.
If you do not already have central authentication in your homelab, just try it - it’s worth it 😉

Cover Photo by Matt Artz on Unsplash

Recovering VMs from a Broken QubesOS Install

Sun, 20 Oct 2024 00:00:00 +0000

Is your QubesOS installation no longer booting, and you need to recover a qube (VM)? You’re in the right place.
Recently, my Qubes test install encountered issues after the machine crashed during a dom0 update. While it still booted, the system was unresponsive and most Qubes command line tools didn’t function properly. There was limited information online, so I had to dig through old forum threads and unrelated blog posts.
Here’s the solution I came up with (spoiler: it worked perfectly).

Install Qubes on a New Disk

The first step is to install Qubes on a new disk. Do NOT install it on the same disk as your failed Qubes installation!
You can download qubes here, and don’t forget to verify the downloaded file.
The fingerprint of the master signing key is: 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494.

Mounting the Broken Install

First, create a new disposable qube on your fresh Qubes installation and try to attach the failed disk via the GUI. If that doesn’t work, you can identify the disk with lsblk and manually attach it to your new disposable VM using the following command.
sudo qvm-block attach dispXXX sys-usb:sdX

You can then either mount it using the Thunar file manager (GUI) or via the command line:

1
2


mkdir /mnt/old_install # create a mount point for the old disk
sudo cryptsetup luksOpen /dev/<disk> old_install # decrypt disk

I tried attaching it directly to dom0 but had no success. While that would have saved a step, I encountered strange errors that I couldn’t resolve. However, using a fresh VM made it easy.

Recover the old VM Disks

When recovering an AppVM, you only need to copy the “private” volume. The root volume is provided by the template.
Ensure that the same version of Fedora/Debian is installed as template in your new installation, matching the one from your old setup.

To transfer the disk images, use the following commands to dump the volumes of the mounted disk into a new image files.

To recover the private volume, use the following command:
sudo dd if=/dev/qubes_dom0/vm-xxx-private of=xxx_restore_private.img bs=4M
If it’s not an AppVM, you will also need to save the root volume:
sudo dd if=/dev/qubes_dom0/vm-xxx-root of=xxx_restore_root.img bs=4M

You can recover the templates the same way if you had installed extra programs there, but I recommend simply installing them again in a fresh template.

Transfer to dom0

If your files exceed the available space in dom0 , you’ll need to resize it:

1
2
3


sudo lvresize -L +30G /dev/qubes_dom0/root
sudo resize2fs /dev/qubes_dom0/root
df -h

You must transfer the saved images to dom0 to make them functional again. You can do this using the following command (executed in dom0 ):
qvm-run --pass-io <src_domain> 'cat /path/to/file_in_src_domain' > /path/to/file_name_in_dom0
for example:
qvm-run --pass-io disp4321 'cat /home/user/restore/xxx_restore_private.img' > ORIG_VM-private.img

Recreate and Recover VMs

Create a qube in the GUI with the same disk size as the original qube.
Next, overwrite the new “private” image with the old one, and the “root” image as well (if it’s not an AppVM).

1
2


sudo dd if=/home/user/QubesIncoming/disposable-vm-name/ORIG_VM-private.img of=/dev/qubes_dom0/vm-RESTORE_VM-private bs=4M
sudo dd if=/home/user/QubesIncoming/disposable-vm-name/ORIG_VM-root.img of=/dev/qubes_dom0/vm-RESTORE_VM-root bs=4M

This process may take some time, but once it’s complete, you’ll be able to start the qube and use it as usual.
You may need to scan for programs and services to add them to the start menu. This can be done through the GUI in the qube’s settings.

Cleanup

I recommend making a backup of all restored qubes and performing a fresh install, where you can restore the recovered qubes from that backup.
Otherwise, your dom0 disk size might remain incorrect, and you could end up with unnecessary data lingering in dom0.

I hope this guide helped you successfully recover your Qubes installation.

Create Custom Noreply Email for Github

Wed, 01 May 2024 00:00:00 +0000

Today, I will show you how and why you should set up a custom noreply address for git commits on GitHub and other git hosting providers with Cloudflare mail routing. Git displays the author’s email address on every commit.
As a result, many of those emails are harvested by spammers.

Platform provided Noreply Address:

GitHub and other git hosting providers give you the ability to use a noreply email address from them for commits. For example, GitHub provides something like this: “id+username@users.noreply.github.com”. All emails sent to that address will bounce, as they should for a noreply address.
Learn more about private emails from Github and Gitlab

Why use a Custom Noreply Address?

Portability: With a custom noreply address, you’re not tied to any specific platform, making it easier to transition between git hosting providers or collaborate with teams using different platforms.
Verification Challenges: You can’t use your GitHub noreply address on other platforms because you can’t verify it. Almost all providers require you to verify an author email address to display the commit on your profile.
Commit signing: If you sign your commits with GPG, do you want an email as a UID over which you don’t have control?
It is also easier to verify your signature because you can set up WKD, allowing anyone to import your key with gpg --locate-key EMAIL.
Consistency: A custom noreply address allows you to maintain consistency, especially if you use multiple git hosting providers.

How to set it up?

If you own a domain and use Cloudflare as your DNS provider, it’s a matter of a few clicks and it is free, so let’s dive in:
First, go to your Cloudflare dashboard and select the domain you want to use. Then click on “Email” -> “Email Routing” -> “Get Started.”
You can find the documentation about Cloudflare email routing here.
If you don’t plan on using your apex domain (your domain name without a subdomain) for email, you can set up noreply@example.com (or anything you want) on the next screen:

If you plan to use your apex domain with another mail provider, you can click on “Skip getting started” and proceed to “Settings” on the next screen.
Select “Add Subdomain” and input the subdomain you want to use.

You can use any subdomain you prefer. Click on “Add records and enable,” and you are nearly good to go.
For my personal domain, I chose “git.example.com” because I prefer noreply@git.example.com and because I have a few use cases for the noreply subdomain already in mind. Using the git subdomain could potentially avoid confusion if I decide to use the noreply subdomain in the future.

Click on “Destination Address” and add a real email that will be used to receive the confirmation email.

After that, go to “Routing Rules” and create a custom email address, set the action to “Send to an email” and select your verified mail that you added in the previous step.

Now you are ready to add the new email on your git hosting provider like Github as an additional mail address.

If you are using Github, keep “Keep my email addresses private” checked, but uncheck “Block command line pushes that expose my email”:

Now set your new email in your local git config:

1

git config --global user.email "git@noreply.yourdomain.com"

Your locally created commits will now have “git@noreply.yourdomain.com” as the author name. However, commits, merges, and other changes made through the GitHub web interface will have your “id+username@users.noreply.github.com” email as the commit author, otherwise you would expose your primary email address.

After you have verified the mail on your git provider, you can change the action for the custom address in Cloudflare from “send to an email” to “Drop”.
If you need to verify the email on a new git provider, simply route the mails to your normal inbox, verify them, and then set the action again to “Drop”

Send a custom reject message with Cloudflare Workers

Optionally, you can use a worker to send a custom reject message when someone sends an email to your git noreply address.
Cloudflare offers a generous free tier for up to 100,000 worker requests per day.

If you exceed 100000 worker requests per day and don’t use a paid plan, the requests to the worker will fail, but it appears you won’t be charged, see here and here (Please do your own research before activation!).
If you use a paid plan, you will be charged according to your plan.

To set this up:

Click on “Email Routing” -> “Email Workers” -> “Create.”
You can change the name or leave the autogenerated one.
Select “Create my own” and then click “Create.”

Insert the following code into the next page and click “Save and deploy”.
Change “My rejection notice” to something you would like to send when someone sends an email to your git noreply address.

1
2
3
4
5


 export default {
 async email(message, env, ctx) {
 message.setReject("My rejection notice");
 }
 }

I set mine to:

Your email has been rejected because the address you sent it to does not accept emails. This is likely because you obtained the address through automated scripts or internet scraping. Please refrain from contacting me using this address.

To activate it go back to “Routing rules” and edit the one you created before.
Change it from Action “Drop” to “Send to a worker” and select the worker you just created.

Cloudlfare also automatically created a URL where the worker is accessible, go back to the Tab “Email Workers”, click on the three dots and select “Manage Worker”.
Navigate to Tab “Settings” and select “Triggers”. Under Routes is a workers.dev URL where your worker gets triggered but shows only an error because nothing is configured for a webrequest.
Click on the three dots and select “Disable Route”.
The Email Trigger will still be active.

Now you can test it; you will get an email from the mailer daemon of your provider from which you sent it.
Your custom notice will be in the diagnostic code:

Photo by Roman Synkevych on Unsplash

Get Interface IP from OPNsense API

Mon, 18 Mar 2024 00:00:00 +0000

Hey everyone! I’m really excited about today’s topic: getting the IP address of an interface from the OPNsense API. To be honest, I’ve been on a bit of a hunt for reliable and current information on this, but it’s been a bit elusive.
So, I’ve decided to put together this guide in the hopes that it’ll be useful not just for me, but for others who might be in the same boat.

Create user and group

First, you should create a new user and group to grant it only the authorizations it needs.
Access your OPNsense firewall and navigate to System -> Access -> Groups.

Add a new group and name it something like “ApiUsers”. Do not add a member yet, as we are going to create a new one. Save the group and click on “Edit”. Then, open “Assigned Privileges” and select the following:

Assigned Privileges

Create a new User, named “api_user”. Set a strong password or select “Generate a scrambled password to prevent local database logins for this user”. Set the Login shell to /usr/sbin/nologin.
Under Group Memberships, select your new ApiUsers Group and assign it to the user. Save the user and click on “Edit”. Now you will see the option “API keys” for the user - generate a new one.
You will receive a txt file with the following content:

1
2


key=xxx
secret=xxx

Call the API

First, you need to find the interface you want the IP for, which is most likely your WAN interface.
Navigate to Interfaces -> Overview to see all your interfaces. Search for your desired interface and note the “Device”.
You will need that for the API call.

Here’s a simple bash script to call the API and retrieve the IP of the interface. It utilizes jq, a lightweight and flexible command-line JSON processor.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19


#!/bin/bash

# Enter your Opnsense IP or URL
OPNSENSE="http://192.168.1.1"

# Replace key and secret with the values from the downloaded API txt file
KEY="your-key-here"
SECRET="your-secret-here"

# Specify the value from "Device" for your Interface, see GUI or API output
DEVICE="device-name-from-interface"

# Make GET request with curl
interface_info=$(curl -k -u "$KEY":"$SECRET" $OPNSENSE/api/interfaces/overview/getInterface/$DEVICE)

# Extract Interface IP with jq
ip=$(echo "$interface_info" | jq -r '.message.ipv4.value[0].ipaddr | split("/")[0]')

echo "$ip"

You can save this as a file and make it executable with chmod +x filename.sh.

You could also use the script above as a one-liner:

1

curl -k -u "<your-key>":"<your-secret>" <OPNsense-url>/api/interfaces/overview/getInterface/<device> | jq -r '.message.ipv4.value[0].ipaddr | split("/")[0]'

There are plenty of use cases. For example, you could avoid calling an external service to get your public IP and update a DNS record if it changed.
However, if you’ve ended up here, you likely already have a specific use case in mind 😉

Photo by Gabriel Heinzer on Unsplash

Why I Switched from Ghost to Hugo

Wed, 27 Sep 2023 00:00:00 +0000

I recently made the switch from a Self-Hosted Ghost instance to Hugo, an open-source static site generator.
In this article, I’ll explain my motivation for this change and the outcomes.

I started this blog last year on Ghost. When I began blogging, my top contenders for the blogging platform were the usual suspects: WordPress, Ghost, or Hugo.
WordPress was quickly ruled out due to its high maintenance and frequent security vulnerabilities. I dismissed Hugo without a closer look because it appeared overly complicated and intimidating. Thus, the logical choice was to set up the blog with Ghost. It boasted excellent features such as Members, a user-friendly web editor, Newsletter integration, and many other appealing features and quirks.

Initially, it worked like a charm. However, all those enticing features became its downfall for my specific needs.
Initially, I believed I required a members-only space and a newsletter, among other things. Over time, I realized that I didn’t need all these features. With these features came a database and a backend, but all I was doing was publishing content on my blog, which didn’t necessitate a database.
What I needed was a robust, reliable, low-maintenance site that was fast, secure, and cost-effective to operate. So, what fulfills these requirements?

Static Sites

Pure HTML, CSS, and JS.
No backend.
No database.
No server-side language.

Manually managing static pages is a significant pain. The solution lies in static site generators like Gatsby, Jekyll, Next.js, and Hugo.

With these tools, you write your content primarily in Markdown, and they compile your code and content into a static site. There is no dynamic content. The static site is served by hosting solutions, often for free.
If you make changes, you push the updates, and the site is rebuilt from scratch in milliseconds.

Hugo

Hugo initially appeared intimidating, but after spending some time with it, I found it to be a joy to work with.
The local website reloads nearly instantly when you make changes, and I can write content in Markdown inside VS Code - that’s just plain fun.
After the initial setup, customization, and template creation, it requires very little maintenance and is easy to work with.

The site is blazingly fast, and the scores on web.dev are impressive, to say the least.

See for yourself:

The page currently achieves a perfect score in every category (on mobile).

I am still learning a lot about Hugo; there are many cool features, and the documentation is good.
You will definitely hear more about Hugo in the future on this blog.

Conclusion

If you are thinking about starting a blog, please don’t dismiss Hugo as an option just because it may seem too complicated (like I did).
It is a very powerful tool for bringing your blog into existence. Ghost and Hugo target different use cases; Ghost was overkill for me.
Hugo fits my needs perfectly, at least for now.

Hugo Logo from Steve Francia

Privacy: A Luxurious Relic of the Past or a Vital Necessity Today?

Sun, 09 Jul 2023 00:00:00 +0000

In a world that thrives on connectivity and digital advancements, the concept of privacy often finds itself in the crosshairs of a profound dilemma. Is privacy a vanishing relic of the past or an essential need in this day and age as our lives get more and more entwined with technology?

Diving into the depths of this question, the article explores why privacy matters and the implications of overlooking its significance. From safeguarding our personal lives to preserving individual autonomy, the case for privacy in the modern era demands our attention.
So let’s explore the subject of privacy, its value in a world that is becoming more and more digital, the misunderstandings that surround it, and its importance in free societies.

Privacy is not merely about hiding; it’s about protecting.

Let’s kick things off by breaking down what privacy actually entails. It’s a deceptively simple concept, but upon closer examination, it reveals itself as a profound cornerstone of our lives.
It’s the right to keep aspects of our lives hidden from public view, and it directly correlates with our sense of freedom.

Let’s briefly stray off course and define privacy as opposed to anonymity.
While privacy allows individuals to control the flow of personal information and thereby express themselves selectively, anonymity goes a step further by concealing identity altogether. Privacy is a broader concept that encompasses the selective sharing of information, while anonymity involves complete disassociation from personal identity.
While these concepts are closely related and often overlap, the main focus of this post will be on privacy.

Privacy: A Cornerstone of Free Societies

Freedom and privacy are two concepts that go hand in hand. Just as freedom is the power to act, think, or speak without hindrance, privacy provides the space for such actions. It’s a symbiotic relationship where one fuels the other.

People can make decisions freely and independently when they have control over their personal information and preferences. Giving individuals a secure space to freely express their ideas and opinions is strongly related to freedom of expression.

Every person has a unique set of beliefs, preferences, and experiences that shape their identity. This individuality is nurtured in a private setting, away from public scrutiny or pressure to conform, which results in a variety of viewpoints.
Without the right to privacy, society would be at risk of homogeneity - everyone thinking the same way due to constant monitoring and fear of reprisal for “different” thoughts.
In essence, privacy is an enabler of personal growth.

So yes, privacy is far from being an underestimated relic; it’s an essential pillar supporting free societies today - strengthening individual identities while fostering diversity in perspectives.
As we move on to debunking common misconceptions about privacy, let’s ensure these invaluable roles remain at the center of attention.

Debunking the ‘Nothing to Hide’ Argument

“I’ve got nothing to hide, so why should I care about privacy?”

This is one of the most commonly heard arguments when discussing privacy rights. But it’s a flawed one and here’s why.

Privacy isn’t Only About Hiding

The idea that privacy becomes significant solely when you have something to hide is an overly simplistic and inadequate representation.
It’s not about hiding; it’s about protecting.

Privacy preserves your freedom to be yourself without judgment or interference. It gives you control over your personal information, preventing others from using it in ways you don’t consent to.

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say."
— Edward Snowden¹

In general, individuals hold sensitive aspects of their lives that they strive to keep confidential and shielded from public view.
A straightforward way to illustrate this, is to ask people if they would let all their emails, texts, online searches, financial details, health records, and so forth, be made public. The number of individuals who’d be comfortable with such a proposition is zero.

Benefits and Value of Upholding Privacy

Measuring the value of privacy can be a difficult task since it depends on personal perspectives and cultural contexts, making it a subjective matter. Nevertheless, privacy holds significant value for everyone. Some highlights include:

Encouraging individualism and fostering variety in viewpoints
Establishing trust in personal relationships and professional settings to ensure confidentiality of sensitive information
Allowing free expression without fear of being monitored or judged
Protecting citizens against potential abuses by those in power
Maintaining social harmony by respecting boundaries and promoting healthy relationships built on trust, respect, and mutual understanding
Enabling open and honest political discourse. It allows individuals to voice their opinions and engage in debates
Encourages innovation and creativity by providing individuals with a safe space to explore new ideas
Protects individuals from potential harm, including identity theft, fraud, stalking, harassment, and other malicious activities

Potential Harms of Disregarding Privacy

Disregarding privacy can lead to a multitude of potential harms, essentially negating all the positive aspects mentioned earlier.

When private data falls into the wrong hands, it can result in identity theft, discrimination, or harassment. Even when held by seemingly benign entities (like corporations), the collected data can be used for manipulative advertising, creating echo chambers, and perpetuating biased algorithms.

As we delve further into the digital age, where personal data can spread faster and wider than ever before, defending the basic right to privacy becomes increasingly crucial.

While most law-abiding citizens might currently believe that they have “nothing to hide”, it is worth considering the drastic change in the situation if they were to live in a totalitarian state such as China or North Korea with widespread police surveillance. There exists a possibility that their residing state could move in a similar direction, making such a scenario not impossible. Widespread police surveillance is the very definition of a police state.
It is essential to recognize the potential consequences and safeguard privacy, even if it may not seem immediately relevant.

“Privacy is only for those with something to hide” - this belief belongs in the trash bin of debunked misconceptions.

Societal Implications of Digitalization

The digital advancements and software innovations in the 21st century, have had a profound impact on society.
Technological advancements have redefined the world in unimaginable ways. On one hand, they’ve made life more convenient - consider how easy it is to book a hotel or order something with just a few taps by a consumer! But on the flip side, they’re shaping new societal norms that are going to be harmful if left unchecked.

With this increasing digitization, the private lives are becoming public like never before. Personal data is the currency that fuels most digital platforms. Every click, swipe or like can be tracked, stored, and used in ways the user may not even realize. This constant surveillance culture raises serious privacy concerns.

Amidst this digital revolution, privacy holds an even greater value. It’s not just about hiding personal information anymore - it’s about preserving human dignity and individuality. It’s about maintaining control over personal data in a world where data is power.

As our society continues to embrace the digital revolution, understanding the societal implication becomes crucial. There’s no denying their benefits but simultaneously it must be ensured that the right to privacy isn’t compromised.

Why you should protect your privacy today

Today privacy protection is not just a concern, it’s a necessity. With every click, like, and share, there are left behind digital footprints that can be easily taken advantage of. Here’s why safeguarding privacy rights in the digital age is crucial:

Risk of Identity Theft
The more information available about you online, the higher the risk of identity theft. Cybercriminals can use this information to impersonate you, apply for credit in your name, or commit other online crimes.

Manipulation Through Ads
Ever noticed how ads seem to know exactly what you’ve been thinking about buying? That’s not coincidence but a result of advertisers using your personal data to tailor ads specifically to your preferences.

Mental Health
A constant invasion to privacy has a grave impact on your mental health.

“This leads to hypervigilance, doubts, constant fears, and paranoia in some cases.”
— Namrata Khetan²

Harassment and Personal Safety
Unwanted attention and access to your personal information can lead to harassment and pose serious threats to your personal safety. From cyberstalking to identity theft, such invasions can cause psychological distress and even lead to physical harm.

Data Aggregation and Filter Bubbles
When personal data is collected en mass, it becomes a powerful tool for manipulating perception. Information about our likes, dislikes, habits, and opinions are aggregated to create comprehensive profiles. These profiles are then used to tailor our digital experiences, pushing us towards specific products, ideas, or viewpoints - a phenomenon known as filter bubbles.

Let’s remember that privacy isn’t merely a matter of personal preference - it’s a fundamental right that safeguards our freedom.

By living in the EU, every citizen is protected by the General Data Protection Regulation (GDPR). It aims to safeguard individuals’ privacy and give them control over their personal data. The following rights are fundamental principles established by GDPR:

Right to Information: You have the right to know what data is being collected about you.
Right to Access: You can request a copy of your personal data.
Right to Rectification: If your data is inaccurate or incomplete, you can have it corrected.
Right to Erasure: Also known as ’the right to be forgotten’, you can request for your data to be deleted.
Right to Restrict Processing: You can request that your data is not used for processing.

While GDPR has brought significant improvements in data protection and privacy, it is essential not to be careless and assume that every company strictly adheres to the law.
In order to protect basic privacy rights, it’s a must to be constantly on guard and take proactive measures. Attention should be paid, if organizations ask for excessive or pointless amounts of personal information, don’t give clear privacy policies, or share sensitive information without the owners permission.

Keep in mind that the effectiveness of the GDPR depends, on both corporate compliance and public awareness. Society has to work together to improve privacy protection and guarantee that the goals of the GDPR are upheld by remaining informed, challenge data practices, and hold companies responsible.

What can be done?

The ideal approach for protecting data is to refrain from sharing it with third parties. But given the desire to engage in social media and other platforms, the following basic actions can help to strike a balance between privacy and convenience.

While these methods may not provide protection against nation-state surveillance or motivated threat actors, they serve as a good starting point to improve your general digital privacy.

Threat Modeling

A threat model is a compilation of the most likely risks to the personal privacy and security. Since it is impossible to protect against every potential attacker, it is important to focus on the most probable threats. By concentrating on the threats that are most relevant, attack surface can be narrowed down and the appropriate tools for the task at hand can be selected.
More can be found under the following link:
Threat Modeling: The First Step on Your Privacy Journey - Privacy Guides

Social media is a double-edged sword. It connects individuals within the digitalized world, but also exposes their lives to it. The following guidelines must always be sticked to:

Sharing of personal data should be limited: Don’t put out all your personal information and photos for everyone to see.
Privacy settings: Adjust privacy settings to be more restrictive.
Random username: Use a different random username for every platform.
Turn of location: Never forget to turn off location sharing.
Avoid third-party links: Do not click on links shared on social media. They will track you in most cases.

⚠️ Remember: What goes on the internet, stays on the internet.

Use privacy friendly alternatives

Privacy Guides has compiled an extensive and great list of recommendations for privacy friendly alternatives:
Best privacy alternatives by Privacy Guides

PrivacyTests has the most complete browser privacy checklist:
Which browsers are best for privacy?

Passwords and Two-Factor Authentication

Strong, unique passwords and 2FA protect accounts from unauthorized access.
The most recommended password manager by the privacy and security community is Bitwarden, for 2FA on Android it is Aegis and for iOS Raivo OTP is recommended.

Keep Your Devices Updated

Devices should be always running the latest software releases.
They often contain security enhancements that protect against new threats.

Cloud Storage

Cloud Storage options such as Proton Drive or self-hosted Nextcloud should be utilized.
Alternatively, all uploaded files should be encrypted to ensure that the data can’t be processed. Cryptomator is the best tool for this specific use-case.

Full-Disk Encryption

All disks in devices that hold personal data should be encrypted.
Activate Bitlocker in Windows, FileVault on macOS, LUKS on Linux.
Modern iOS and Android devices have full-disk encryption enabled by default.

Account Creation and Deletion

Before signing up and giving out sensitive data, the risks and benefits should be evaluated. If a user decides to sign up, email aliases can be used (Simplelogin is a well-suited tool for this task), temporary phone numbers (Textverified or other tools can be helpful), and a random username should be used to protect personal privacy.

Accounts that are not used anymore should be deleted.
JustDeleteMe is a great page to guide on how to delete unused accounts.

Other Methods

There are numerous other methods to enhance privacy, albeit requiring more effort. These include switching to a different operating system, utilizing Tor for anonymous browsing, self-hosting services, using Bitcoin with mixers for financial privacy, exploring alternative chat apps, and more. While these options may reduce convenience, if they fit the threat model they are worth it.

Conclusion: The Value of Privacy Today

In a world brimming with technological advancements, privacy stands as an irreplaceable cornerstone of modern society. Concealing information isn’t the only thing to consider.

Privacy is about guarding what means most to us.

The boundary of privacy gives individuals the freedom to be themselves, without the fear of judgment or manipulation.

It is crucial to reiterate the undeniable correlation between privacy and freedom. Freedom finds true expression when privacy is revered, enabling individuals to develop distinct identities and fostering diverse viewpoints in society.

In the current digital era, where personal data can easily become public, it can’t be stressed enough to remain vigilant and prioritize the preservation of privacy.

⚠️ Your information is your asset, don’t let it fall into the wrong hands.

Mindful steps must be taken towards protecting sensible personal information online. Strong, unique passwords are a must and individuals have to be cautious while sharing personal information on social media platforms or any online platform for that matter.

Privacy can not be dismissed as a relic of the past but it must be uphold as a vital necessity today.

Additional reads and resources

Here are some great additional reads and resources:

Photo by Muhammad Zaqy Al Fattah on Unsplash

“Just days left to kill mass surveillance under Section 215 of the Patriot Act. We are Edward Snowden and the ACLU’s Jameel Jaffer. AUA.” - reddit. Retrieved 2023-07-09. ↩︎
“What Is a Constant Lack of Digital Privacy Doing to Our Mental Health?” - The Swaddle. Retrieved 2023-07-09. ↩︎

Your Microsoft 365 Calendar on Your Phone - A Privacy-Friendly Approach

Thu, 15 Jun 2023 00:00:00 +0000

In today’s fast-paced world, it’s not uncommon for employers or schools to use the Microsoft 365 calendar solution as the primary method for scheduling appointments and managing events. Consequently, many individuals find themselves in a situation where having their schedule readily available on their phone becomes a necessity. However, the concern of installing apps like Outlook or other mail clients, which often request extensive permissions, raises valid privacy considerations.

How to sync the calendar privately

So, let’s dive into the easiest way to sync your Microsoft 365 calendar onto your phone while maintaining control over your privacy.

By following the steps outlined below, you can conveniently have your schedule at your fingertips, with the only trade-off being that the calendar will be read-only. For users like myself, who primarily use it to prevent scheduling conflicts between private and work appointments, this limitation is not an issue.

We will publish the calendar and sync it periodically with the open source app ICSx⁵ (website, source code). The published ICS link will have a unique hash, ensuring that only individuals to whom you have shared the link will have access (in most cases only you).

Steps in Microsoft 365

Access outlook.office.com with the Account, from which you want to import the calendar.
Click on the gear Icon in the upper right corner and select “Show all Outlook settings”
Switch to Calendar on the left and select Shared calendars.
Within the “Publish a calendar” section, select the specific calendar you wish to publish and determine the level of detail visible to others (in this case your phone) and publish it.
Copy the ICS link.

Steps on your Phone

Download ICSx⁵ from F-Droid, Google Play, or directly from Github and install it.
Click on the + to add a calendar and insert the link you copied before, give your calendar a name.
To set your preferred sync interval, simply click on the three dots located in the upper right corner.

Your work or school calendar is now visible within your calendar app on your phone and will be updated according to your set sync interval. Only changed resources will be updated in the calendar.

ICSx⁵ doesn’t collect, process or transmit any statistical data like app or server usage. There are no ads and there’s no tracking, you can have a look at their privacy policy here.

If you find ICSx⁵ useful, please consider supporting it by purchasing it from the Play Store or making a donation to the developer.

Photo by Omar Al-Ghosson on Unsplash

Embed Markdown From Github in Ghost

Tue, 13 Jun 2023 00:00:00 +0000

If you’ve ever wondered how to embed a Markdown file hosted on GitHub directly into a Ghost article, you might have encountered a lack of readily available resources online. While preparing for an upcoming article, I encountered this challenge of integrating Github Markdown files smoothly. I was searching for a solution that would avoid manual copy-pasting or complicated workarounds.

So, let’s dive in and explore this method that will incorporate GitHub-hosted Markdown files into your Ghost articles.

Create a raw HTML card and insert the following code:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31


<!DOCTYPE html>
<html>
<head>
 <title>Embedded Markdown from GitHub</title>
 <script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script>
</head>
<body>
 <div id="markdown-content"></div>

 <script>
 var markdownContent = document.getElementById('markdown-content');
 var repoUrl = 'https://api.github.com/repos/{owner}/{repo}/contents/{path}';

 var owner = 'your-github-username';
 var repo = 'your-repo-name';
 var path = 'path-to-your-markdown-file.md';

 var apiUrl = repoUrl.replace('{owner}', owner).replace('{repo}', repo).replace('{path}', path);

 fetch(apiUrl)
 .then(function(response) {
 return response.json();
 })
 .then(function(data) {
 var markdown = window.atob(data.content);
 var html = marked.parse(markdown);
 markdownContent.innerHTML = html;
 });
 </script>
</body>
</html>

You need to customize the variables “owner,” “repo,” and “path” according to your specific requirements.

How it works

The code provided will query the GitHub API on the client-side. It runs in the browser and uses JavaScript’s fetch function to make an HTTP request to the GitHub API endpoint.

When the code is executed in a web browser, the client (user’s device) sends the request directly to the GitHub API. The API responds with the file content, which is then processed and rendered in the browser.

It uses marked, a markdown parser and compiler, served over jsdeliver.net.

Limitations

It’s important to note that making API requests from the client-side has some limitations. The GitHub API has rate limits for unauthenticated requests, and if you’re making a large number of requests or fetching a lot of data, you may hit these limits. If you only retrieve one markdown file from the GitHub API, there won’t be any issues. However, if you encounter rate limits, you might need to switch to a server-side method for fetching the content instead of relying on the client-side approach.

Photo by Richy Great on Unsplash

Encrypted Proxmox Server on Hetzner

Mon, 12 Sep 2022 00:00:00 +0000

Goal:

The goal is to setup a encrypted hypervisor on a dedicated Hetzner Server without the need of a KVM.
It needs to be remotely unlockable, but safe and convenient.
You will have one IP for the proxmox host, and one IP for Opnsense/Pfsense and behind that your VMs.

Why encrypt it?

For my use case its not a must to have it encrypted, because everything that is sensitive I host at home and only external exposed stuff is hosted on this server (for now).
But it is always nice if the data is encrypted (at rest), because what if a hard drive fails? Hetzner will replace it and I have no control about what happens with the old drive.
I think Hetzner is responsible enough to destroy the disks, but you can never be sure.

Why at Hetzner?

I decided to get a Server from Hetzner and not host it at home, because the Hardware would cost me (used) ~800€ and the electricity to run this thing arround 35€ per month.
At Hetzner I pay arround 47€ per month, but that includes the server, power, a second static IP and defective Hardware is changed for free.
For that price I got a server with 2x 2 TB Enterprise HDD, 2x 480 GB Datacenter SSD, 64 GB ECC Ram, a Xeon E3-1275v5 and two IPs (one bought separately).
I used them before for a storage box to save my NAS Backups that I make with restic, never had any problems.
I think I will set it up at home, when the electricity is on a sane level again. At the moment I pay around 0,49€ per kw/h.

Installation of Debian

I will install Debian first for the mdadm setup and then proxmox on top of if.
After you buy your Server, you will get an email with instructions on how to connect to your server.
I would advise you to generate a key for ssh, rather than use a password.
You can find a good tutorial here.

Fist connect to your server (in rescue system):
ssh root@[your-IP]
Check if the host key is the same, as you got in your email.

Upon connection you will see some infos to your server:Here is the basic Info on the disks of mine:
Disk /dev/sda: 480 GB
Disk /dev/sdc: 480 GB
Disk /dev/sdb: 2000 GB
Disk /dev/sdd: 2000 GB

I will work with four disks, if you only have two, just ignore the hdds.
The 480 GB ones are SSDs and the 2 TB ones are HDDs. The SSDs will be used for proxmox and the VMs, the HDDs for storage.
For example the Proxmox Backup Server will store there my Homelab Backups and the Backups from the VMs on this server, a rest server will store my restic backups and there will be some music for streaming.

We will use a script to setup dropbear and busybox for remote unlock, so we have to create some files with inputs for the script:
touch /tmp/authorized_keys
Copy your SSH key to this created file. It will be used for the remote unlock and for accessing your server. You can later change that. Use the key that you want for remote unlock and not for access (if you want to use two keys). More on that later.

You can use one of those commands (on your PC) to copy your key to the file:

1

gpg --export-ssh-key [fingerprint] | ssh root@[your-IP-adress] "cat >> /tmp/authorized_keys"

1

ssh-copy-id -i ~/.ssh/mykey root@[your-IP]

Lets create another file on the server:
nano /tmp/setup.conf
Insert this in you setup.conf file (change CRYPTPASSWORD, Hostname, drive names and if you want the size of the partitions). I have four disks but used only two for the setup with the rescue system, because the other two will use zfs and that must be configured later.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20


CRYPTPASSWORD [your-encryption-password]

DRIVE1 /dev/sda
DRIVE2 /dev/sdc

SWRAID 1
SWRAIDLEVEL 1

BOOTLOADER grub
HOSTNAME [your-hostname]

PART /boot ext4 1G
PART lvm pve all crypt

LV pve root / ext4 100G
LV pve swap swap swap 10G

IMAGE /root/images/Debian-1101-bullseye-amd64-base.tar.gz

SSHKEYS_URL /tmp/authorized_keys

Now lets add the post-install script:
nano /tmp/post-install.sh
and insert:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46


#!/bin/bash


add_rfc3442_hook() {
 cat << EOF > /etc/initramfs-tools/hooks/add-rfc3442-dhclient-hook
#!/bin/sh

PREREQ=""

prereqs()
{
 echo "\$PREREQ"
}

case \$1 in
prereqs)
 prereqs
 exit 0
 ;;
esac

if [ ! -x /sbin/dhclient ]; then
 exit 0
fi

. /usr/share/initramfs-tools/scripts/functions
. /usr/share/initramfs-tools/hook-functions

mkdir -p \$DESTDIR/etc/dhcp/dhclient-exit-hooks.d/
cp -a /etc/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes \$DESTDIR/etc/dhcp/dhclient-exit-hooks.d/
EOF

 chmod +x /etc/initramfs-tools/hooks/add-rfc3442-dhclient-hook
}


# Install hook
add_rfc3442_hook

# Copy SSH keys for dropbear
mkdir -p /etc/dropbear-initramfs
cp -a /root/.ssh/authorized_keys /etc/dropbear-initramfs/authorized_keys

# Update system
apt-get update >/dev/null
apt-get -y install cryptsetup-initramfs dropbear-initramfs

make it executable:
chmod +x /tmp/post-install.sh

Finally start the Debian installation with those parameters:
installimage -a -c /tmp/setup.conf -x /tmp/post-install.sh

Should look like this:

install screen

After some minutes the post-install scrip has finished and you can see more logs with
cat debug.txt.
Some Errors are normal.
You can copy the new host keys to a text file for the verification of the ssh connection later.

Make a reboot to leave the rescue system (reboot)

Ping your server to see when its online again, this will take a couple of minutes:
ping [your-IP]
When you get a response, you can ssh into it.
ssh root@[your-IP]
You will get the following error because the installation changed your hostkey:

On your Linux PC (change the path to your username, if you use windows or mac, it should also tell you the path in the error):
nano /home/user/.ssh/known_hosts
Comment the old entry from your server (add a # before the entry)Now ssh into your server again
ssh root@[your-ip]
Accept the new key, you should have seen the new keys before when the post-install script did its thing.

You are now in the BusyBox for remote unlocking, enter
cryptroot-unlock
and insert your password (that you choose in the setup.conf file).
If the password is correct the boot will continue and you will automatically be disconnected from the temporary SSH session.

unlock and disconnection from BusyBox

Wait 30 sec and use ssh again to access your server.
You will get the same error as before, because you connect now to the debian install and not to the BusyBox. Edit the known_hosts file again.
Now comment the key from BusyBox, save it, connect again and accept the new key.
Now edit the file again and uncomment (remove the #) from the BusyBox key so that both keys are active. You wont get the error on remote unlock or on a normal ssh connection again.

When you run lsblk it should look something like this:

lsblk output

Install Proxmox on top of Debian

1

echo "deb [arch=amd64] http://download.proxmox.com/debian/pve bullseye pve-no-subscription" > /etc/apt/sources.list.d/pve-install-repo.list

1

wget https://enterprise.proxmox.com/debian/proxmox-release-bullseye.gpg -O /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg

Now we have to check if the key was not tampered with, run:
sha512sum /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg
You should get this output:

1

7fb03ec8a1675723d2853b84aa4fdb49a46a3bb72b9951361488bfd19b29aab0a789a4f8c7406e71a69aabbc727c936d3549731c4659ffa1a08f44db8fdcebfa /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg

Update and upgrade your packages:
apt update && apt full-upgrade
Install the needed packages:
apt install proxmox-ve postfix open-iscsi

Postfix will ask you, how you want to configure it:

I choose Local only, hostname like it was, but I am not sure thats the best option.
It can send me emails through a account so should be good.
More on that config later.

reboot your server
systemctl reboot
ping your server, to check when its online again and ssh then into your server
ping [your-ip]``ssh root@[your-ip]
SSH should connect without warning, if you have deleted the # from the BusyBox entry
cryptroot-unlock
Enter your password, if correct, you will be disconnected.

Wait ~ 30 sec and connect to your server: ssh root@[your-ip]

remove no longer needed packages from the Debian install:
apt remove os-prober linux-image-amd64 'linux-image-5.10*'
Change / set your root password: passwd

If you want you can now connect to the proxmox web interface for the first time:https://[your-IP]:8006Use root as username, use the password you just set and select pam authentication.
Back to the command line:change the Proxmox repo if you don’t have a subscription key:
nano /etc/apt/sources.list
Put a # before the subscritpion repo and add

1
2
3


# PVE pve-no-subscription repository provided by proxmox.com,
# NOT recommended for production use
deb http://download.proxmox.com/debian/pve bullseye pve-no-subscription

Now put a # before the subscription repo and save & exit the file.

Add lvm thin pool

Now we will crate a new lvm thin pool for the vm disks
lvcreate -l +99%FREE vm pve``lvconvert --type thin-pool pve/vm

Now reboot your server and then access the server with ssh like before.

Lets add the new storage pool to the proxmox gui:
nano /etc/pve/storage.cfg
and add:

1
2
3
4


vm-disk #name that should be shown in gui
thinpool vm
vgname pve
content rootdir,images

how it looks in the web gui of proxmox

Install fail2ban

fail2ban is a very simple, but effective tool to block IPs with malicious behavior.
apt install fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local

In the [sshd] tab, enable must be set to true and if you changed the SSH port, it must be specified.
This is part of my config:

1
2
3
4


enabled = true
maxretry = 3
bantime = 45m
findtime = 45m

add to this file:

1
2
3
4
5
6
7
8


[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
logpath = /var/log/daemon.log
maxretry = 3
# 1 hour
bantime = 3600

Now we need to create a custom filter file:
nano /etc/fail2ban/filter.d/proxmox.conf
and add:

1
2
3


[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =

Restart fail2ban to load the new config:
systemctl restart fail2ban

Check the status of fail2ban:
service fail2ban status
fail2ban-client status sshd
Now go to the web interface and make a wrong login attempt to check if it picks it up.
You should see the wrong login with that command:
fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf

ZFS

You only need this, if you want to use your extra drives with zfs. If you dont have extra drives, skip the entire zfs section.
The root drives are not possible to use with zfs and encryption because you cant unlock zfs on root remotely.

error: zfsutils-linux not installed (500)

So we have to install the needed packages to use this feature.
apt install pve-headers
apt install zfsutils-linux zfs-dkms zfs-zed

If you get the error that it does not build correctly for your kernel, you can try the following.
The information provided here, can change quickly, so check before you try it.
With Backports it builds correctly for the 5.15.39-1-pve kernel.
In the stable repos is zfs-dkms 2.0.3-9, in backports 2.1.5-1.2.0.3-9 is only with the following kernels compatible: 3.10 – 5.10.

If you run into this problem, you have to enable Backports to fix it. If you did not get an error, skip this:
nano /etc/apt/sources.list
and add:
deb [http://deb.debian.org/debian](http://deb.debian.org/debian) bullseye-backports main contrib non-free
then you can install the newer version of zfs-dkms:
apt install -t bullseye-backports zfs-dkms

Then reboot and connect with ssh again.

Create a ZFS Pool

Click on your host on the web interface, and under disks select ZFS. On the top you have to select “Create: ZFS”.

I selected my two additional drives, selected mirror for the Raid level and gave it the name “HDD_Data”. Everything else I left at the defaults.

If you want to encrypt it you have to create a encrypted pool inside the one you created on the web interface:
zfs create -o encryption=on -o keyformat=passphrase HDD_Data/encrypted_data
It will ask you for a password, use a strong one.
Add the ZFS pool:
pvesm add zfspool encrypted_zfs -pool HDD_Data/encrypted_data
And finally you can mount it:
zfs mount -l HDD_Data/encrypted_data
You have to insert your password to mount it.

My final disk config looks like this:

ZFS

LVM-Thin

Improvement settings

You have to set vm swappiness really low, because mdadm is not officially supported and if the host swaps a vm that can lead to problems.
sysctl -w vm.swappiness=1
or edit
nano /etc/sysctl.conf
and add:
vm.swappiness = 1
With 1 it swaps only before crashing, so it should never swap, unless you allocate to much resources :)

Add a new pam user

This user will be used to access the proxmox server with ssh so that we can disable root login over ssh.
adduser [username]
usermod -aG sudo [username]
sudo -u [username] mkdir /home/[username]/.ssh/
sudo -u [username] touch /home/[username]/.ssh/authorized_keys

Now add the ssh key to the authorized keys file from the new user (run this on your PC).
You can add here a different key then the one for unlocking your server.
gpg --export-ssh-key [fingerprint]| ssh [username]@[your-IP]"cat >> ~/.ssh/authorized_keys"
you can also use
ssh-copy-id
or
scp
(I use the one above, because my key is on a nitrokey).

Check if (on the server) the key is present:
cat /home/[username]/.ssh/authorized_keys
Check if you can log in with the new user:
ssh [username]@[your-IP]

Now we have to add the user on the web interface to be able to use it for login there:
Go to Datacenter -> Groups and add a new one. I called mine “Admin”

Create Admin Group

Then go to Users and click on add, insert the name of the user you created with the command line before.
Select “Linux PAM standard authentication” and select the Admin group.
If you want, you can add an email, name, comment…

If you are already here in the Datacenter view, set up 2FA now.
Go to “Two Factor” and add TOTP and Recovery Keys for root and your new user.
For WebAuthn you need a FQDM and a valid certificate.

Harden SSH

Now that we have a second user, time to setup ssh securely:
sudo nano /etc/ssh/sshd_config
You can add, or change the following:

1
2
3
4
5
6
7


PermitRootLogin no
ClientAliveInterval 300
ClientAliveCountMax 1
AllowUsers [username]
LoginGraceTime 1m
MaxAuthTries 2
PasswordAuthentication no

Save the file and check for errors:
sudo sshd -t
if there are no errors detected, restart the ssh service:
sudo systemctl restart sshd
I didn’t change the ssh port, because I limit access with the hetzner firewall to that port from my ip. A changed ssh port is only good to reduce logs, it is not a security measure.
If you limit the access to your IP, you will not get any annoying logs from bots.
Same goes for the web interface. I will share my Hetzner firewall rules later in the tutorial.

Disable IPV6 if not used

For now I will disable ipv6 because I don’t know enough about it to set it up (securely), so I disabled it.
This is optional, please let me know if you got it working with ipv6 and opnsense.
sudo touch /etc/sysctl.d/disable-ipv6.conf
nano /etc/sysctl.d/disable-ipv6.conf
insert those two lines:

1
2


net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

Comment (add a # before) everything ipv6 related in
nano /etc/sysctl.d/99-hetzner.conf

Now reload all variables with
sysctl -system``ip -6 addr
and
ip -6 route
should show nothing.

PBS restore client

If you plan to use the proxmox backup server and want to restore from it you have to install:
sudo apt install proxmox-backup-restore-image

Networking for opnsense / pfsense

I bought a second IP for this, it should be possible with only one but then you have a big problem if something doesn’t work on your firewall vm.
t is not that expensive so I would get one, its a lot more convenient.
After you have bought your second IP, you need to get a virtual mac from your hetzner robot web interface.

We need the mac from the physical interface (change enp0s31f6 to your interface name),you can see the mac in the output of
ip link show
or
cat /sys/class/net/enp0s31f6/address

Enable ip forwarding,
sudo nano /etc/sysctl.conf
and uncomment (delete the #) before net.ipv4.ip_forward=1

With sudo sysctl -p you should see:
net.ipv4.ip_forward = 1
vm.swappiness = 1

Make a copy of your old interface config:
cd /etc/network``sudo cp interfaces interfaces.old

Edit the file with sudo nano interfaces

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39


auto lo
iface lo inet loopback

iface enp0s31f6 inet manual

auto vmbr0
iface vmbr0 inet static
 address [Main-IP/XX]
 gateway [Gateway-IP]
 bridge-ports enp0s31f6
 bridge-stp off
 bridge-fd 1
 hwaddress [mac from hardware you got above with format xx:xx:...]
 pointopoint [Gateway-IP]
#Main_public_IP

auto vmbr1
iface vmbr1 inet static
 address 10.0.0.1/24
 bridge-ports none
 bridge-stp off
 bridge-fd 0
#mgmt

auto vmbr2
iface vmbr2 inet static
 address 10.0.10.1/24
 bridge-ports none
 bridge-stp off
 bridge-fd 0
#internal

auto vmbr3
iface vmbr3 inet static
 address 10.0.20.1/24
 bridge-ports none
 bridge-stp off
 bridge-fd 0
#external

I created 3 bridged networks for the VM, change it how you need it.
Before i made a reboot I made a cronjob to revert the config if the network config doesn’t work. Otherwise you have to use the rescue system or ask for a KVM Console to revert the config.

sudo crontab -e (select 1), go to crontab.guru and select a time where you want to revert the config to the old working one (30 min from now or so)
0 22 * * * cp /etc/network/interfaces.old /etc/network/interfaces
If the server doesn’t comes online after some minutes, just reboot it after the selected time from the hetzner robot web interface.

Reboot the serversudo reboot
Use ssh root@[your-IP] to unlock it and ssh [username]@[your-IP] to access it.
You can find the complete start sequence on the the next section of this post.

Now you can add / change local networks (on the host, behind opnsense) from the web interface or the config file.

my networks

After you have done that, I would make management vm from where you access later the opnsense gui in the browser. I made a dedicated management bridge to which the opnsense web interface binds to.
So if the opnsense FW stops working, i can access the mgmt VM from the Proxmox gui and access from the mgmt VM the Opnsense webinterface.

Reboot / start sequence

ssh root@[your-IP]
cryptroot-unlock
SSD-decryption Password
Session ends, wait 15 sec

ssh [username]@[your-IP]
sudo zfs mount -l HDD_Data/encrypted_dataHDD
decryption password

Opnsense / pfsense

I will not document the whole install, just some key points you should look out for on the installation. Basically it is a normal install, like you can find it in the opnsense docs (or pfsense docs).
Maybe I will write a detailed tutorial for that, I will link it here, if I do.

Access the Proxmox web interface and create a new VM.
Under the Network Tab select the mgmt lan and disable the Firewall, otherwise create the VM as usual.
Now click on the new VM and go to the Hardware Tab and add a Network Device for the Wan interface. Here you must enter your virtual mac you got for your second IP from the Robot web interface.

Add Network Device to opnsense VM

Now you can start the VM and configure it like described here and here.Be sure to map the wan and lan interface correctly (assign them manually), otherwise you will use the wrong mac on the wan interface and you will get an abuse mail from Hetzner.

I created a Site 2 Site VPN between my Homelab and my Hetzner server, so I can access the VMs with ssh like they are on my local network without opening a port in my opnsense firewall.
If the opnsense vm goes down, I can access it with my mgmt vm that I access with spice.

Hetzner Firewall

I use the Hetzner Firewall to protect the Proxmox Host IP. It’s nice because you don’t get any logs from bots, can change it easily on the robot web interface, are DDOS protected and so on.
I limit access from my home IP to the port 22 (ssh), 8006 (proxmox web interface), icmp (ping) and port 3128 (spice). Everything else is blocked.
To my second IP, I let all traffic through, that traffic handles the opnsense firewall vm.

Final thoughts

Thanks for sticking around until here, that was a long one.
I feel really confident with that setup and it works great (for the last two months). I hope this helped you to setup your own server.
If you encountered an error, have feedback, or you have a question, please send me an email to mail@self-hosted.tools.
Thanks for reading 😊

Resources that helped me

https://community.hetzner.com/tutorials/install-and-configure-proxmox_ve
https://community.hetzner.com/tutorials/install-ubuntu-2004-with-full-disk-encryption
https://github.com/TheReal1604/disk-encryption-hetzner
https://www.cyberciti.biz/security/how-to-unlock-luks-using-dropbear-ssh-keys-remotely-in-linux/
https://pve.proxmox.com/pve-docs/pve-admin-guide.html
Many Reddit and Proxmox forum posts i cant find anymore.

Photo by Kelvin Ang on Unsplash