Who do you trust with your most intimate secrets? Google? Facebook? Apple? Microsoft? Storing pictures, music, and documents in the cloud is the default for millions of people across the world who want to keep their digital life safe, and connect to it from anywhere there’s a convenient terminal, as well as share it with other people – and it’s no wonder. Tech giants have been pushing cloud storage for years. Google’s Chromebooks typically come with only 16 or 32 GB of onboard storage, but with one year’s free access to 100 GB cloud storage. Likewise, Android phones push hard for users to upload their snapshots through the Google Photos app.
And it’s just so easy. Google’s Cloud Platform includes unlimited photo storage, messaging solutions, search, email, and a truly stellar collaborative office suite.
It can be a mistake to trust the web giants to keep your information safe. Cloud storage is convenient, but just another way of saying that your pictures, calendars, communications, and documents are on someone else’s computer. The hosting companies do with them what they want. Google sells access to your private emails, and automatically scans your work and personal documents. And this former Yahoo employee who illegally accessed around 6,000 email accounts in search of dirty pictures? He didn’t so much “hack” as use Yahoo tools, from inside Yahoo, while a Yahoo employee. We’re not even going to mention Facebook, except to say – wow.
The only computer holding your sensitive photos and intimate thoughts should be your own, and the only person with access to it should be you.
But that doesn’t mean you need to take an Amish approach to technology. We’re going to show you the best way to use cheap, off-the-shelf hardware, and free open source software to take control of your digital life.
This is not a tutorial. This is a guide, combined with our own recommendations.
The Shopping List
At the cyberPunks.com UK office, we’re running a shoestring budget, and want the most bang for our buck/pound. Here’s what you need to ensure your privacy and security at the lowest possible cost:
We chose the Raspberry Pi 4B (2GB) version. Single board computers have been around in various forms since the 1970s, but only really dropped into the public consciousness with the launch of the Pi in 2012. There are faster and more powerful SBCs out there, but the Pi has all of the advantages which come with a user base of over 25 million, including support forums, beginner-oriented tutorials, and a wealth of resources and projects already in existence.
The 1 GB quad core model 3 can be purchased from Amazon for £36, but it is well worth paying the extra (£2 in our case) for the vastly superior Pi 4 Model B. Unfortunately the 4GB variant has issues with the USB ports, while the 1 GB version doesn’t have quite enough resources for our purposes.
Pretty nice. Pretty cheap, too
The Pi 4 Model B has very specific demands with regards to power. The plug is also sold separately. This means you’re going to have to source a supply capable of consistently delivering 5 Volts and 3 Amps. Most of the supplies in your local Walmart will deliver a maximum of 2.1 Amps through one port. Obtaining a suitable power supply is complicated by a design error meaning that the Pi will misidentify itself to e-marked smart chargers. Older USB-C chargers, the official Pi charger, or the Canakit alternative will work just fine.
You’re setting up a headless cloud server (and reading this article on the internet), so you probably have a PC anyway. We’re using Xubuntu on an ancient Macbook, but anything which supports SSH through a terminal will do. It’s even possible to set up and administer your Pi-based server through a terminal app on your mobile phone. But we wouldn’t advise it.
A Static IP
If you’re accessing your server from out and about, you need some way of calling home. Most ISPs provide dynamic IP addresses, which change periodically, and make it difficult to locate your Pi on the internet. We simply contacted our provider (Vodafone), and asked them to provide a static IP address. They did so at no cost within 24 hours.
Your operating system, database, and all your files live on the SD card, so bigger is better. Yes, you can store your non-OS files on an external hard drive, but there may be power issues, and we wouldn’t recommend it. Memory is getting cheap nowadays, and small. Pick yours up today.
A Domain Name
This is what you’ll type into your browser to access your server, and will direct to your shiny new static IP address. There are very good reasons why you want to use a domain name rather than simply typing in the numerical IP address. We recommend namecheap and GoDaddy for ease of use. If you’re really on a budget, freenom allows you to use their .tk, .ml, .gq, .ga, and .cf domain names at no cost.
This Is Where We Tell You To Use Google Search
Google it. Or DuckDuckGo it. There are hundreds of tutorials out there for each individual piece of software, and many expert guides. We’ll tell you about any special issues you need to be aware of, but really, you’re a grown-up, and we don’t have the word count. We advise starting your search with “Raspberry Pi Headless Setup.”
This Is Where We Recommend Staying Away From
Google Drive / Google Photos / Dropbox
This is the big one, and probably the most important to you personally. The reassurance of knowing our photos and files are instantly and securely backed-up, and available to view from any machine is what cloud storage is all about. With its photos and drive apps, Google does this flawlessly, and it’s one of the reasons we’ve stayed shackled to the big G ecosystem for so long. Unfortunately, Google also looks at your photos and examines your files, so no.
For similarity of function, ease of use, and ease of installation, our choice is Nextcloud, which is, according to their website, “the most deployed on-premises file share and collaboration platform.”
Once installed, Nextcloud offers a drag and drop web interface, gallery app for photos, music player with Ampache and Subsonic compatibility, MP4 playback, and rich text editing. If you install nothing else on your Pi server, Nextcloud will do most of what you need, allows you to customise its appearance, and add apps which enhance functionality.
It does, however, need tweaking in ways which aren’t available from the web interface. Image previews in the gallery are rendered on the fly, at a far higher resolution than you would ever need. And not just the thumbnails. Can you imagine a situation where you would need to open a 21 megapixel photo in your web browser at full resolution? Neither can we, especially when idly flicking through the gallery while waiting at the bus stop. It’s a massive drain on resources, and makes the photo viewing experience a miserable one. Instructions on how to pre-render previews at a more sensible size can be found here.
Play Music and Other Music Streaming Services
Accessing your own music from anywhere is important. Sure you can subscribe to Spotify, Deezer, or YouTube Premium, but it’s not your music. You don’t own it, and Spotify in particular takes great pleasure in showing off the depth of its user analytics.
If, like us, you have a vast music collection, lovingly curated over the years, you want to be able to access it from any connected device. There are a number of options available to you.
If you’ve successfully deployed Nextcloud, there are two built-in players, with varying degrees of functionality. Not everything works perfectly all the time, and the functional limit is around 50,000 tracks. In addition the Ampache and subsonic integration is patchy, and will only work with a limited range of clients.
If you don’t fancy the web-based Nextcloud players, Subsonic can be deployed easily and rapidly, and allows you access to your music files using a range of clients and any browser. But while Subsonic used to be free and open source, that changed with the release of version 6 in 2016, and the server software is now closed source, requiring a subscription in order to access all of its features. If you don’t pay the subscription, Subsonic will nag.
Airsonic is the open source continuation of Subsonic. It’s fully featured, doesn’t nag, and doesn’t request that you buy a subscription. Unfortunately, we found it a nightmare to set up.
Google Docs / Office 365
Office collaboration is important, especially if, like us, you work on the other side of the world from your clients. Google Docs is truly fantastic, and the only open source competitors which even come close, Collabora Online, and OwnOffice, are not compatible with the Raspberry Pi’s Arm based architecture.
Cryptpad is free, open source and nearly as fully featured as a full-on office suite. It can be deployed in minutes and allows anonymous collaborative creation and editing of documents, spreadsheets, presentations, and polls – all running on your own Pi based server in your own house. All documents are encrypted, and cannot be accessed or read by anyone without authorisation.
Some Cryptpad features require an account to use, and using any of its features will result in intrusions nagging users to create accounts. These intrusions can be turned off through configuring some server settings with a text editor, but if you do intend to limit access using accounts, the credentials are stored on and authenticated by Cryptpad servers, rather than your own. You don’t have full control, and if the Cryptpad servers go offline for any reason, you’ve lost access to everything.
Etherpad is the bedrock on which Google Docs was built, and in their magnanimity Google has left the software open source under an Apache License. It was later forked as Etherpad lite. Etherpad lite is basic, but supports images, links and rich text. Access to pad creation and editing is controlled through APIs, and it is super easy to use and share.
Alternatively, you can simply stick with the text app in Nextcloud. It’s basic, and there are issues affecting sharing documents with images, but it’s what we’re using at the moment.
Google is the king of search – there’s no competition. And nothing else will ever be as good. Not DuckDuckGo, not Yahoo!, and certainly not Bing. Google search is what we miss most in our conscious uncoupling from the tech giant.
But there is a way that you can still have access to the best search engine in the world (sort of), without exposing yourself to surveillance or tracking.
Searx describes itself as a privacy-respecting, hackable, metasearch engine. It will run easily on your pi, and is accessible through a browser. It works by taking your query, and asking all of the major search engines on your behalf. It leaves no trace, and there are even options to automatically wipe your own server logs. Setup instructions can be found here.
Does it work? Kind of. Searx means that any filter bubble you may be used to is destroyed, so results may not be what you’re used to. Spam results are higher up, and you will learn on the first page of results, just how true rule 34 really is. But that’s not a problem – the big problem is that Google has got wise to metasearch engines, and a simple Captcha check is enough to stop your Searx instance from accessing Google results. You’ll still get results from Bing, Yandex, and others. But damn, Google search is good.
Twitter is toxic and Facebook is for fools. Alliteration aside, if you use any social media, your tweets, posts, likes, and shares belong to the service rather than you. Your drunken tweets are stored forever on their servers, and that you’re allowed to access them at all is entirely down to the service owners’ discretion.
Mastodon is an open-source self-hosted social networking service. No, you can’t host an entire social network on your Pi, but you can host a node of the Mastodon network. From your node, you can access other servers, nodes and users. You can toot, rather than tweet, and control the privacy settings on every aspect of everything you publish.
As it’s your own server, you can choose whether or not to let others access it, set your own code of conduct, terms of service, and moderation policies. And if you want to, you can delete everything. It’s yours.
What Else You Need to Know
The internet is a dangerous place. And setting up a server in your own home is exposing yourself to its dangers in a way you’ve never before imagined. Accessing your server logs will reveal dozens of incoming connections from IP addresses in Hong Kong, both Koreas, Amsterdam, and of course, the actual Kremlin.
You’ll see the ports and pages they’ve tried to access, and usernames and passwords that they’ve tried. Most of this is malicious garbage. Some of it isn’t.
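As an added example (not part of the original article), this is one way to sort the noise from the entries worth a second look in an SSH auth log: it groups failed logins by source address and flags any accepted login that came from outside the home network. The log lines are constructed, and the `192.168.1.0/24` home range and the threshold of three failures are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in OpenSSH's syslog format; the outside addresses come
# from the RFC 5737 documentation ranges, not from real scanners.
SAMPLE_AUTH_LOG = """\
Jan 12 03:14:07 pi sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Jan 12 03:14:09 pi sshd[811]: Failed password for invalid user oracle from 203.0.113.7 port 40130 ssh2
Jan 12 03:14:12 pi sshd[815]: Failed password for root from 203.0.113.7 port 40144 ssh2
Jan 12 03:20:45 pi sshd[902]: Failed password for pi from 198.51.100.23 port 51514 ssh2
Jan 12 03:21:02 pi sshd[902]: Accepted password for pi from 198.51.100.23 port 51520 ssh2
Jan 12 08:02:31 pi sshd[1201]: Accepted password for pi from 192.168.1.20 port 50022 ssh2
Jan 12 09:41:00 pi sshd[1333]: Failed password for invalid user test from 203.0.113.7 port 40931 ssh2
"""

LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home network range


def review(log_text, threshold=3):
    """Return (noisy sources, logins accepted from outside the LAN)."""
    failed = defaultdict(list)   # source IP -> usernames it tried
    outside_logins = []          # (user, ip) accepted from outside HOME_LAN
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue             # not an sshd login result line
        ip = m["ip"]
        if m["result"] == "Failed":
            failed[ip].append(m["user"])
        elif ipaddress.ip_address(ip) not in HOME_LAN:
            outside_logins.append((m["user"], ip))
    noisy = {ip: sorted(set(users)) for ip, users in failed.items()
             if len(users) >= threshold}
    return noisy, outside_logins


if __name__ == "__main__":
    noisy, outside = review(SAMPLE_AUTH_LOG)
    for ip, users in noisy.items():
        print(f"{ip}: repeated failures, usernames tried: {', '.join(users)}")
    for user, ip in outside:
        print(f"CHECK: {user} logged in from {ip}, outside {HOME_LAN}")
```

The repeated failures are the background scanning; an accepted login from an address you don't recognise is the line that deserves attention.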
Masscan is an Internet-scale port scanning utility. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second, from a single machine. It’s looking for open ports, and if you’re running a server from your Pi, congratulations, anyone who runs Masscan now knows you have open ports. You’re a target.
This is where a domain name comes in useful. Software on your server can be configured to only allow login access from certain addresses. For instance, configuring Nextcloud to allow your internal IP and xyz.com as trusted domains will allow you to access the login page from your internal IP and xyz.com. Attempting to access it from your external IP will result in you seeing this page.
Without a domain name, you will be limited to accessing your server from inside your own network, or through a port which is open to the entire world. And there are a lot of bad people out there.
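The trusted-domains behaviour described above, as an added example that is not Nextcloud's own code: a simplified model of a check on the host name a request was addressed to (its `Host` header), which is why a scanner connecting to the bare external IP is turned away while `xyz.com` works. The addresses `192.168.1.50` (internal) and `203.0.113.10` (external) are constructed, and the function names are hypothetical.

```python
# Constructed values: 192.168.1.50 stands in for the Pi's internal IP and
# 203.0.113.10 for its external one; xyz.com is the article's example name.
TRUSTED_DOMAINS = ["192.168.1.50", "xyz.com"]


def host_from_header(header):
    """Lower-case a Host header value and drop any :port suffix."""
    host = header.strip().lower()
    if host.startswith("["):          # bracketed IPv6 literal, e.g. [::1]:443
        return host[1:host.find("]")] if "]" in host else ""
    return host.rsplit(":", 1)[0] if ":" in host else host


def is_trusted(header, trusted=TRUSTED_DOMAINS):
    """True only when the requested host exactly equals a trusted entry."""
    host = host_from_header(header)
    if not host or any(c in host for c in "/\\@ "):
        return False                  # malformed Host values never match
    # Whole-name comparison: a substring or suffix match would also accept
    # look-alike names that merely contain "xyz.com".
    return host in {entry.lower() for entry in trusted}


if __name__ == "__main__":
    for header in ["xyz.com", "XYZ.com:443", "192.168.1.50",
                   "203.0.113.10", "xyz.com.example.net", "notxyz.com"]:
        verdict = "login page" if is_trusted(header) else "refused"
        print(f"Host: {header:22} -> {verdict}")
```

The check looks at the name in the request, not at who sent it, so anyone who knows the domain still reaches the login page; it filters address-based scanning and does not replace strong credentials.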
This is not an exhaustive list of all of the open source alternatives you can run on your Pi. If you have any recommendations, please let us know.
Obviously, not everyone uses Gmail, and some mail providers are more ethical than others – We like GMX. If you want to host your very own mail server on your very own Raspberry Pi, it’s do-able, but it’s not easy. Unlike everything else in this article, we haven’t tried it. This is the most authoritative thread we could find, and it comes with the caveat: WARNING : It might just happen that the email server you’ve just configured, doesn’t work!
We fully intend to try it out in the new year, and will update the article accordingly.