Smolnet with smol hardware: the more I own, the better
Since I started my personal Gemini site, or “Ávalos’ Indie Gemsite”, it has been hosted on AWS EC2, and therefore owned by Amazon, the same megacorp that exploits its workers and lobbies against privacy. Their services are extremely powerful and reliable, though, and relatively cheap for small projects. But do I really need them? I do, but a lot less than I thought.
The problem is, I don’t own any of the servers or infrastructure where I run my Internet stuff! Everything I call my own is actually owned by Amazon, subject to Amazon’s terms and policies. Besides, they’re too much for a lot of things that I could perfectly well run at home, with hardware that I own and control, and that no one can take away from me if I stop paying. Like, my good ol’ Orange Pi One. <3
However, my home Internet service is behind a restrictive NAT that won’t accept incoming connections, not even with port forwarding enabled, apparently. The only solution is to tunnel connections through a cloud server. That way, if I use my EC2 instance exclusively as a reverse proxy, I can easily replace it if Amazon ever pulls it. It should be enough to point my domain at the new VPS. Vendor lock-out!
And I have done this several times. I ran a Fossil SCM server for a school project back in mid-2020, and a few weeks ago I made an MPD + IceCast setup (I wrote a post about it!) where I frequently stream music for me and the public. Since yesterday, my Gemsite is also running at home! My 2021 goal is to move as much stuff as possible to my own hardware. I might even consider buying a couple more SBCs (single-board computers) for different things, as well as more reliable storage (SSDs or HDDs); but right now I’m poor.
On the AWS side, I use a WireGuard VPN to share a network with the board, NGINX as the HTTP reverse proxy and iptables as a non-HTTP (plain TCP/UDP) reverse proxy. This is the NGINX config that I use to reverse-proxy my IceCast stream (192.168.2.6 is the IP address I assigned to the board in the VPN):
server {
    ...
    server_name avalos.me www.avalos.me;
    ...
    location /stream/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 90;
        proxy_redirect http://192.168.2.6:8000 $scheme://avalos.me/stream;
        proxy_pass http://192.168.2.6:8000/;
    }
    ...
}
And these are the iptables commands I used to reverse-proxy all Gemini traffic to my board:
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1965 -j DNAT --to-destination 192.168.2.6:1965
    iptables -t nat -A POSTROUTING -j MASQUERADE
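As an added example (not part of the original post, and not the author's own setup), here is a small POSIX shell script that emits the same DNAT-based forwarding as the two commands above, but with the rules scoped more tightly: the POSTROUTING masquerade only applies to traffic leaving through the WireGuard interface towards the board on the forwarded port, and explicit FORWARD rules accept only that flow plus its return traffic. The interface names (eth0, wg0), the peer address 192.168.2.6 and the port 1965 are assumptions taken from the post; the script only prints the rules unless you pipe its output into a root shell yourself.

```shell
#!/bin/sh
# Added example: generate a scoped iptables rule set that forwards one TCP port
# from the VPS's public interface to a WireGuard peer (e.g. a board at home).
# Assumed values (constructed for this example): public iface eth0,
# WireGuard iface wg0, peer 192.168.2.6, Gemini port 1965.
set -eu

# Print the rules for forwarding $port on $pub_if to $peer reachable over $wg_if.
# Unlike a bare "-j MASQUERADE", the POSTROUTING rule is limited to this one
# flow, so other traffic crossing the VPS keeps its original source address.
gemini_forward_rules() {
    pub_if="$1"; wg_if="$2"; peer="$3"; port="$4"
    cat <<EOF
iptables -t nat -A PREROUTING -i $pub_if -p tcp --dport $port -j DNAT --to-destination $peer:$port
iptables -A FORWARD -i $pub_if -o $wg_if -p tcp -d $peer --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wg_if -o $pub_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wg_if -d $peer -p tcp --dport $port -j MASQUERADE
EOF
}

# Number of rules the generator emits for a given argument set.
rule_count() {
    gemini_forward_rules "$@" | wc -l | tr -d ' '
}

# DNAT alone does nothing unless the kernel forwards IPv4; report the current
# state (1, 0, or "unknown" when /proc is not readable, e.g. on non-Linux).
ip_forward_state() {
    f=/proc/sys/net/ipv4/ip_forward
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Dry run: print what would be applied. To apply on the VPS (as root):
#   sysctl -w net.ipv4.ip_forward=1
#   ./this_script.sh | sh
echo "# ip_forward is currently: $(ip_forward_state)"
gemini_forward_rules eth0 wg0 192.168.2.6 1965
```

Two caveats worth knowing before relying on this. First, any MASQUERADE (scoped or not) rewrites the client's source address to the VPS's tunnel address, so the Gemini daemon on the board will log every connection as coming from the VPS; the NGINX setup above does not have this problem because it passes the real address in X-Real-IP, but plain TCP forwarding has no equivalent header. Dropping the masquerade is only possible if the board routes its replies back through wg0 (for instance with a policy route for traffic sourced from port 1965), otherwise the replies leave via the home ISP and the connection breaks. Second, these rules are not persistent; they must be re-applied after a reboot (iptables-save/iptables-restore or the distribution's persistence package).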
Finally, here’s a photo of my smol server: