This post will self-destruct in 72 hours because this thread is SHIT, and everyone who responded should feel bad for their derailing meta-posting.
>>4850
>Write your own
>Host your own
Eh. This is a shitpost, which I'm very much not enthralled to see on Kissu of all places... Regardless, kind of, yeah. If you're concerned about privacy, hosting your own is the way to go. Writing your own is overkill. The only thing about hosting your own is that it's kind of a nightmare dealing with all the background security stuff you need to set up.
This is my setup for example:
¥DNS: PiHole + Unbound - Blocks malicious, tracking, and ad domains from resolving, while also providing custom DNS records for intranet URL resolution. Your router should provide a setting to prevent DoH, unsigned DNSSEC, etc., but you can also do this within PiHole as well. Unbound then provides an on-premise DNS lookup by going straight to the DNS root servers instead of an upstream DNS (e.g. 8.8.8.8, 1.1.1.1, 9.9.9.9, etc.). In theory, this provides better privacy because you're not wantonly giving away your internet browsing behavior to third parties. I'm pretty sure ICANN can be trusted...
¥Certificate Authority: Smallstep CA (ACME) - Automated certificate renewal via DNS challenge. Does not rely on a third-party CA for the chain of trust, like Let's Encrypt. You control the chain of trust. Combined with a YubiKey, it should more or less be impossible to forge certificates, but if you're paranoid you can set certificate expiry to be very short (e.g. a day) so that misconfiguration or compromise is quickly noticed.
¥Reverse Proxy: Caddy - Provides automated certificate renewal via DNS challenge to an ACME server of your choosing (on-premise Smallstep CA, in my case). Forwards traffic between a client and destination without needing to expose the destination server to your whole VLAN.
¥VLANs/Networking: [Do your own research for options] - VLANs allow you to segment your backend services into their own separate networks with their own routing behavior. A common setting, for example, is to have client isolation so that even devices you have on the same subnet cannot see each other. This means that if service A is compromised, it can't even passively snoop traffic, nor can it see service B to use as an attack vector. This pairs very well with Caddy because it means that your segmented traffic can only communicate through the reverse proxy, because the router will prevent cross-VLAN, cross-subnet routing unless you have rules in place to allow this. Any non-consumer router from within the last 20 years will support VLANs.
¥Seedbox: [Do your own research for options] - It's best to segment off your swashbuckling network traffic so it's not tied to your IP. Implement a secure file share and then download the completed files.
¥VPN: WireGuard + [Do your own research for options] - For maximal privacy with regards to accessing your intranet, you ideally want to implement a hub-and-spoke design where you have a hub VPN server (this is your VPS), and then a client gateway on your intranet. To an outside observer, your traffic is simply going to the VPS. I won't try to claim that WireGuard makes this easy, but it certainly makes it possible. In many cases, your VPN can live on your Seedbox, but I would only recommend this for outbound traffic, NOT intranet-bound traffic. If you're a super networking genius you can implement split-horizon routing so outbound traffic goes through the Seedbox, and intranet traffic routes through a separate VPS back to the intranet. Weigh your options with regards to latency and privacy.
¥Search: SearXNG + Google Search Appliance - SearXNG is a meta search engine which collates results from various other search engines. It has a privacy focus with a no-logs, no-URL-query design. Quite frankly, it's better to use a hosted instance than self-hosting your own. This is because, regardless of its own privacy focus, the search requests would still be coming from your home IP, so that information can be added to your advertising profile very easily. Google Search Appliance, on the other hand, is specifically designed for crawling and indexing your intranet to make it searchable. I should note, the GSA uses the actual Google Search page ranking algorithm used on google.com before it went to shit. That said... there's nothing actually preventing you from using the GSA to crawl the clearnet if you want a fully offline solution. You can even run multiple and cluster them to speed up crawling. The only downside is that the internet is big. Like really big. Unfathomably big. So, if you actually want to index the clearnet, it's probably best to set rules to only index certain domains you're interested in; otherwise you'll need A LOT of storage and a lot of bandwidth. That being said... because SearXNG is a meta search engine, if you want, you can pipe in the GSA's search results (accessible via XML) so you get a unified intranet + internet search experience.
¥Account Management (LDAP): [Do your own research for options] - Most enterprises use Microsoft Active Directory, but if you want something FOSS, there are plenty of alternatives. The whole point of this is so you have a single sign-on that persists between services. With how many services you're likely running on the backend to keep everything working, it's best to look into LDAP instead of individually managing passwords per service (or heaven forbid: reusing the same account credentials on each one).
¥Password Management: KeePassXC / Vaultwarden - For local storage, I would recommend KeePassXC. If you want web integration, I would recommend looking at Vaultwarden, which is a re-implementation of Bitwarden that unlocks its paid features.
Sidenote: Email is tricky. You can, and I would even recommend, self-hosting an SMTP server on your intranet, if only for receiving periodic status emails from your various services --- but for anything beyond that, it's frankly not worth it. You will never be accepted as a trustworthy email host by any major email provider, nor will account signups permit your completely unheard-of domain, out of caution that you're some bot farm. An internet-facing email server is thus only worthwhile for monitoring the status of your intranet. So... use whichever trusted email host you like best for general usage.
Once you reach this point, everything is simply a matter of following security best practices. You can do more to tweak around the edges locally, but you'll never be free from the broader tracking and advertising security apparatus that resides on the internet.
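The hub-and-spoke WireGuard design described in the VPN item above, written out as three wg-quick configs, as an added example that is not part of the original post and not the poster's own configuration. Everything in it is assumed for illustration: the tunnel network 10.8.0.0/24, the home intranet 192.168.10.0/24 with PiHole at 192.168.10.53, the hub hostname vps.example.net, the LAN interface name eth0, and the key placeholders in angle brackets (generate real ones with `wg genkey | tee private | wg pubkey`). Only the hub listens on a port; the home gateway dials out, so nothing at home is exposed, and the roaming client is split-horizon: only intranet destinations enter the tunnel.

```ini
# ----- 1. VPS hub: /etc/wireguard/wg0.conf (assumed addressing, placeholder keys) -----
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <hub-private-key>
# The hub only relays between peers; it never NATs intranet traffic to the internet.
PostUp   = sysctl -w net.ipv4.ip_forward=1
PostUp   = iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o wg0 -j ACCEPT

# Home gateway. AllowedIPs doubles as the hub's routing table AND as cryptokey
# routing: packets for 192.168.10.0/24 go to this peer, and packets arriving
# from this peer with any other source address are dropped.
[Peer]
PublicKey = <gateway-public-key>
AllowedIPs = 10.8.0.2/32, 192.168.10.0/24

# Roaming client (laptop/phone). It may only source 10.8.0.3; it cannot
# impersonate the gateway or the intranet prefix.
[Peer]
PublicKey = <laptop-public-key>
AllowedIPs = 10.8.0.3/32

# ----- 2. Home gateway: /etc/wireguard/wg0.conf -----
[Interface]
Address = 10.8.0.2/24
PrivateKey = <gateway-private-key>
PostUp   = sysctl -w net.ipv4.ip_forward=1
# Masquerade tunnel traffic onto the LAN so intranet hosts answer the gateway
# without a 10.8.0.0/24 route on the router (eth0 is the assumed LAN NIC).
PostUp   = iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# Tunnel -> LAN is allowed; LAN -> tunnel only for replies, so a compromised
# intranet host cannot reach out to roaming clients on its own.
PostUp   = iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT
PostUp   = iptables -A FORWARD -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -o eth0 -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

[Peer]
PublicKey = <hub-public-key>
Endpoint = vps.example.net:51820
# Only tunnel-network traffic is sent up to the hub; the gateway's own
# internet traffic is untouched. An outside observer sees UDP to the VPS only.
AllowedIPs = 10.8.0.0/24
# Keeps the NAT mapping alive so the hub can reach the gateway at any time.
PersistentKeepalive = 25

# ----- 3. Roaming client: wg0.conf on the laptop -----
[Interface]
Address = 10.8.0.3/24
PrivateKey = <laptop-private-key>
# Resolve intranet names through PiHole while the tunnel is up.
DNS = 192.168.10.53

[Peer]
PublicKey = <hub-public-key>
Endpoint = vps.example.net:51820
# Split horizon: only the tunnel and the home intranet are routed via the hub.
# Everything else leaves through the normal default route (or the seedbox VPN).
# Use 0.0.0.0/0 here instead if you want ALL traffic to exit via the VPS.
AllowedIPs = 10.8.0.0/24, 192.168.10.0/24
PersistentKeepalive = 25
```

Bring each side up with `wg-quick up wg0` and check `wg show` for a recent handshake on every peer. One caveat worth keeping in mind: in this topology the VPS terminates both tunnels, so it decrypts client traffic before re-encrypting it toward the gateway. The hub therefore sees intranet traffic in the clear unless the services themselves use TLS (which the on-premise CA plus Caddy setup above provides), and a compromised VPS is a full man-in-the-middle for the intranet. If that is unacceptable, have the laptop peer with the gateway directly, at the cost of exposing a port at home.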