Adventures in Code

Ditch DNS Go Multicloud

Ditch Cloudflare

Cloudflare doesn’t have good content moderation policies and refuses to remove a hate speech site. So I must move my hosting and money from them.

Context:

https://www.dropkiwifarms.net/

#DropKiwifarms works to end the relationship between far-right hate forum Kiwi Farms and the digital service providers that keep Kiwi Farms active online. We started this campaign after members on the website published private information on Clara Sorrenti, including sexually explicit photos and videos, phone numbers, addresses, her deadname and the private information of her friends and family. Publishing that information led to threats on her life, both implicit and explicit, as well as attempts to end her life through false reports to the police about imminent violence – a practice that has ended the lives of other people.

Plan

  1. export the DNS records from Cloudflare to a zone file
  2. create the zone in Google Cloud DNS and import the existing records
  3. point the name servers at Google via the registrar (Metaname)
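The three steps above as an added example script. It is not the blog's own code; it assumes `gcloud` is installed and authenticated against the right project, that the Cloudflare export is a one-record-per-line BIND zone file (which is what Cloudflare produces), and it uses placeholder names (`example.com.`, zone name `blog-zone`). Cloud DNS creates its own SOA and apex NS records, so the Cloudflare copies are stripped before import; `check_record` compares answers from the old and new name servers so the delegation is only changed once the new zone answers identically.

```shell
#!/bin/sh
# Added example script for the Cloudflare -> Google Cloud DNS migration above.
# Assumptions: gcloud is installed and authenticated; the export is a one-record-per-line
# BIND zone file as Cloudflare produces; names below (example.com., blog-zone) are placeholders.
set -eu

# Drop comments, the SOA record and the apex NS records from a BIND export on stdin.
# Cloud DNS manages SOA and apex NS itself; importing Cloudflare's copies conflicts with them.
# Delegations for subdomains (NS records on other names) are kept.
strip_apex_soa_ns() {
  apex="$1"
  awk -v apex="$apex" '
    /^[ \t]*;/ { next }
    $0 ~ /[ \t]IN[ \t]+SOA[ \t]/ { next }
    ($1 == apex || $1 == "@") && $0 ~ /[ \t]IN[ \t]+NS[ \t]/ { next }
    NF { print }
  '
}

# Step 2: create the zone and import the cleaned export. The trailing dot on the
# domain is required by Cloud DNS and must match the names in the export.
import_zone() {
  zone_name="$1"; domain="$2"; export_file="$3"
  cleaned=$(mktemp)
  strip_apex_soa_ns "$domain" < "$export_file" > "$cleaned"
  gcloud dns managed-zones create "$zone_name" \
    --dns-name="$domain" --description="migrated from Cloudflare"
  gcloud dns record-sets import "$cleaned" --zone="$zone_name" --zone-file-format
  rm -f "$cleaned"
  # These are the name servers to enter at the registrar in step 3.
  gcloud dns managed-zones describe "$zone_name" --format='value(nameServers)'
}

# Pre-cutover check: the new zone must answer exactly like the old one for a record.
# Returns non-zero (and prints both answers) when they differ.
check_record() {
  name="$1"; type="$2"; old_ns="$3"; new_ns="$4"
  old=$(dig +short @"$old_ns" "$name" "$type" | sort)
  new=$(dig +short @"$new_ns" "$name" "$type" | sort)
  [ "$old" = "$new" ] || {
    printf 'MISMATCH %s %s\nold: %s\nnew: %s\n' "$name" "$type" "$old" "$new"
    return 1
  }
}

# Usage (nothing runs when the script is sourced or invoked without arguments):
#   ./migrate.sh import blog-zone example.com. cloudflare-export.txt
#   ./migrate.sh check www.example.com. A ns1.cloudflare.com ns-cloud-a1.googledomains.com
case "${1:-}" in
  import) import_zone "$2" "$3" "$4" ;;
  check)  check_record "$2" "$3" "$4" "$5" ;;
esac
```

One thing to keep in mind when reading the export: for records that were proxied through Cloudflare it contains the real origin addresses, and once the delegation moves those hosts are reachable directly. That is why the second list below replaces the proxy with a VPS in front of the homelab.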

at this point the blog is migrated 😄

For the remaining things I used Cloudflare for (reverse proxy and automated TLS):

  1. start a VPS with decent bandwidth
  2. connect the VPS to the Tailscale network
  3. configure Caddy as a reverse proxy with automatic TLS certificates
  4. replicate the app hostname configuration with Caddy + Tailscale
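Steps 3 and 4 together, as an added example Caddyfile (not the blog's own configuration). The hostnames, the contact address and the homelab host's tailnet address `100.101.102.103` are placeholders.

```caddyfile
{
    # ACME contact for certificate issuance and expiry notices (placeholder address)
    email admin@example.com
}

# Each hostname that Cloudflare used to proxy becomes one site block.
# Caddy obtains and renews the certificate itself; ports 80 and 443 on the VPS
# are the only ones that need to be reachable from the internet.
blog.example.com {
    encode gzip
    # The upstream is reached over the tailnet. 100.101.102.103 is an assumed
    # Tailscale address of the homelab host, so the plaintext HTTP hop still
    # travels inside WireGuard rather than over the public internet.
    reverse_proxy 100.101.102.103:8080
}

git.example.com {
    encode gzip
    reverse_proxy 100.101.102.103:3000
}
```

Because Tailscale connects outbound from both machines, the application ports stay closed in the VPS firewall and nothing on the homelab side needs port forwarding; the Tailscale address is also the only address the upstream ever listens on for these apps.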

Terraform Infra

So I was wrong

To clear the public-bucket alert I have updated my blog infrastructure, reusing code I had intended for static publishing from a CMS tool: https://github.com/Mossman1215/mountainmoss-tf. It puts a CloudFront distribution in front of the bucket to control access, and the S3 bucket policy only allows the CloudFront origin access identity to fetch objects, so the bucket itself is no longer public.

I’m running Hugo locally, but it would be possible to hook up a CMS server in EC2 to upload content to the bucket instead. A separate subdomain for API or form endpoints would then allow dynamic content to be included in the site. This module is intended for that use:

https://github.com/Mossman1215/tf-static-site
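The access pattern described above, as an added Terraform example. This is not the contents of either repository linked here; the bucket name and resource labels are placeholders, and it shows only the pieces that keep the bucket private.

```hcl
# Added example; resource labels and the bucket name are placeholders, not the
# repository's own code. The bucket stays private: public access is blocked at
# the bucket, and only the CloudFront origin access identity may read objects.

resource "aws_cloudfront_origin_access_identity" "site" {
  comment = "static site reader"
}

resource "aws_s3_bucket" "site" {
  bucket = "example-static-site-bucket"
}

resource "aws_s3_bucket_public_access_block" "site" {
  bucket                  = aws_s3_bucket.site.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Grant s3:GetObject to the OAI's IAM ARN and to nothing else. An OAI is a
# specific principal, so this policy is not "public" and the block above allows it.
data "aws_iam_policy_document" "site_read" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.site.arn}/*"]
    principals {
      type        = "AWS"
      identifiers = [aws_cloudfront_origin_access_identity.site.iam_arn]
    }
  }
}

resource "aws_s3_bucket_policy" "site_read" {
  bucket = aws_s3_bucket.site.id
  policy = data.aws_iam_policy_document.site_read.json
}

# The distribution signs its origin requests with the same identity.
resource "aws_cloudfront_distribution" "site" {
  enabled             = true
  default_root_object = "index.html"

  origin {
    domain_name = aws_s3_bucket.site.bucket_regional_domain_name
    origin_id   = "s3-site"
    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.site.cloudfront_access_identity_path
    }
  }

  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = "s3-site"
    viewer_protocol_policy = "redirect-to-https"
    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
```

Two caveats: the default CloudFront certificate only covers the distribution's own `*.cloudfront.net` name, so serving the blog's domain needs an ACM certificate in us-east-1 plus `aliases`; and AWS now recommends origin access control (OAC) over OAI for new distributions, in which case the bucket policy grants `cloudfront.amazonaws.com` read access conditioned on the distribution's ARN instead of naming an OAI.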

I thought that rewriting index.html with Lambda code was required, based on this article: https://danmc.net/posts/aws-cloudfront-default-index/

The underlying problem is that with an S3 origin CloudFront applies the default root object only at the top level, so a request for /posts/foo/ is not mapped to /posts/foo/index.html.

But instead it is easier to turn on ugly URLs in Hugo, which writes /posts/foo.html instead of /posts/foo/index.html, so nothing needs rewriting (no code is the best code!):

https://gohugo.io/content-management/urls/#ugly-urls

Bypassing NAT issues with Cloudflare Argo

Bypassing NAT issues with Cloudflare Argo Tunneling

My homelab environment is my way of cost-effectively trialling different types of tools and running them like a production service. Getting a home environment to reach the wider internet nicely, when ISPs expect you only to consume content, makes this quite difficult. I have had trouble getting port forwarding working with my new ISP, who use CGNAT and provide router hardware that I can’t configure, so all my attempts were failing even though I’ve been doing DDNS with this script for a while.

Enter: Argo Tunnel

Researching reverse proxy setups and TLS configuration was getting tedious, so I thought I’d try the Cloudflare system called Argo Tunnel. Basically, you point it at something serving HTTP/HTTPS and it forwards that traffic to Cloudflare over a connection the tunnel software opens outbound, which bypasses NAT (nothing has to be port-forwarded in) and removes the need to set up TLS on your server: the tunnel software handles secure transmission to Cloudflare, and Cloudflare terminates TLS for visitors. The trade-off is that Cloudflare sees the plaintext of every request, and the last hop from the tunnel software to your service is plain HTTP unless you point it at an HTTPS listener.
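An added example of the tunnel configuration for a named tunnel run by `cloudflared` (not the post's own file; the tunnel UUID, hostnames, addresses and ports are placeholders). Each `hostname` is a DNS name in the Cloudflare zone pointed at the tunnel; the matching `service` is where `cloudflared` delivers that traffic on the homelab side.

```yaml
# /etc/cloudflared/blog.yml  (added example; UUID, hostnames, addresses and ports are placeholders)
tunnel: 6ff42ae2-765d-4adf-8112-31c55c1551ef
credentials-file: /etc/cloudflared/6ff42ae2-765d-4adf-8112-31c55c1551ef.json

# Requests arrive from Cloudflare over the tunnel's outbound connection, so no
# inbound port forwarding through CGNAT is needed. The hop from cloudflared to
# each service below is plain HTTP on the LAN; keep it on localhost or a
# segment you trust.
ingress:
  - hostname: blog.example.com
    service: http://localhost:8080
  - hostname: git.example.com
    service: http://192.168.1.20:3000
  # SSH is exposed the same way (the SSH section below covers the client side);
  # unlike HTTP, the SSH session stays end-to-end encrypted through the tunnel.
  - hostname: ssh.example.com
    service: ssh://localhost:22
  # Anything not matched above gets a 404 instead of reaching an internal service.
  - service: http_status:404
```

The tunnel and its credentials file come from `cloudflared tunnel create <name>`, and `cloudflared tunnel route dns <name> blog.example.com` creates the CNAME that points each hostname at the tunnel. Put an Access policy in front of any hostname that is not meant for the whole internet; without one, every tunnelled service is as public as Cloudflare's edge.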

Systemd Templated Services

For multiple services you need multiple config files and systemd units. Systemd template units let a single unit file (named with a trailing `@`) define any number of instances under one umbrella service, with the instance name substituted for `%i` inside the unit. I found this helpful tip on the GitHub issues page and used it to define as many services as I needed, each driven by its own config file.
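An added example of such a template unit (not the one from the GitHub issue the post mentions): `cloudflared@.service`, where `systemctl enable --now cloudflared@blog` runs the tunnel described by `/etc/cloudflared/blog.yml`. The binary path and the service user are assumptions.

```ini
# /etc/systemd/system/cloudflared@.service  (added example; paths and user are assumptions)
[Unit]
Description=cloudflared tunnel %i
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# Dedicated unprivileged user; it only needs to read /etc/cloudflared/%i.yml
# and the credentials file that config names.
User=cloudflared
Group=cloudflared
# %i is the instance name: cloudflared@blog.service reads /etc/cloudflared/blog.yml
ExecStart=/usr/local/bin/cloudflared --no-autoupdate --config /etc/cloudflared/%i.yml tunnel run
Restart=on-failure
RestartSec=5s
# Keep the tunnel process from touching anything it has no business with.
NoNewPrivileges=true
ProtectSystem=full
ProtectHome=true
PrivateTmp=true

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload`, each config file becomes a service: `systemctl enable --now cloudflared@blog cloudflared@git`. Restrict the credentials files to the service user (`chmod 600`, owned by `cloudflared`), since anyone who can read them can run the tunnel and receive its traffic.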

SSH

You can also do the same process for SSH!

This is a very easy guideline for SSH via Access
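The client side, as an added example (placeholder hostname and user; not taken from the guide): an `ssh_config` entry that sends the SSH session through the tunnel with `cloudflared`'s `access ssh` proxy mode, so port 22 is never exposed to the internet.

```sshconfig
# ~/.ssh/config on the client (added example; hostname and user are placeholders)
Host ssh.example.com
    # cloudflared logs in to Cloudflare Access (a browser window on first use)
    # and then relays the SSH bytes. The SSH protocol itself stays end-to-end
    # encrypted between this client and the homelab sshd, so Cloudflare only
    # gates who may connect and never sees the session contents.
    ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
    User homelab
```

Access authenticates the person at the edge; sshd still authenticates the key, so keep password logins disabled and treat the Access policy as an additional layer rather than a replacement.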