yak

Naomi Brockwell https://www.nbtv.media/episodes does a good job of blending accessible presentation of privacy issues with technically viable solutions. Recently she's been more on an advocacy tack, but there are some gems in the back catalogue that explain not just why you should care but the sorts of products/software you can use to address your concerns. She provides suggestions, but you should take those as just an idea and develop your own answers!

So, in between watching those videos find out all you can about how Debian (for servers) and OpenWRT (for routers) work from their websites, and use $preferred_search_engine to learn about why Proxmox, Unbound, Postfix, Dovecot, XMMS, WireGuard, Nextcloud can help improve your privacy.

Get that used Optiplex, install a Linux on it and begin experimenting! Don't worry about the perfect hardware config yet. You can source other parts if you feel you really need them later. Although more RAM is always good, but you knew that already.

Along the way you will want to learn enough to decide whether you prefer VMs or Containers, or a blend; which filesystem(s) you prefer; which distributions you are going to deploy; which backup system you are going to implement; whether Apache or Nginx; and whether you like systemd or want to simply blast off and nuke it from orbit. You may also want to take a look at Ansible now. And Git. Git has saved my server config bacon more times than I care to remember.

Not sure quite where to recommend you look for bang up to date introduction to Linux networking stuff these days. The Linux Networking Howto was hopelessly out of date ten years ago. The distribution howtos are pretty good on at least the basics. Wikipedia might be useful on more advanced topics. And then searching for specific problems or needs normally turns up some learned responses on stackexchange or equivalent.

And as one 90s kid to another, if you haven't read Permanent Record by Edward Snowden yet, consider getting a copy. He grew up at the same time and does a great job of explaining why this journey matters.

Time to blades a new trail.

Thanks for the tip! Will check them out.

Experimenting with VMs is the way forward.

Basic networking knowledge is vital. And being able to configure your own firewall(s) safely is an important skill. Check out something like Foomuuri, or Firewald. Shorewall is brilliant for documentation and description of issues (with diagrams!) but it does not use the newer Linux kernel nftables and is no longer actively developed.

Go for it with Nextcloud.

I would also recommend at least having a shot at setting up an email server, although I would recommend pushing through to a fully working system. It is possible, and is very satisfying to have in place. The process of setting one up touches so many different parts of internet function and culture that it is worth it even if you don't end up with a production system. The Workaround.org ISPMail stuff is a good starting point, and includes some helpful background information at every stage, enough so you can begin to understand what's going on in the background and why certain choices are being made - even if you disagree with the decisions.

Python is great for server admin, although most server config and startup shutdown snippets are written in BASH. You will no doubt have already begun picking that up as you interact with your VMs.

I came here to upvote the post that mentions haproxy, but I can't see it, so I'm resorting to writing one!

Haproxy is super fast, highly configurable, and if you don't have the config nailed down just right won't start so you know you've messed something up right away :-)

It will handle encryption too, so you don't need to bother changing the config on your internal server, just tweak your firewall rules to let whatever box you have haproxy running on (you have a DMZ, right?) see the server, and you are good to go.

Google and stackexchange are your friends for config snippets. And I find the actual documentation is good too.

Configure it with certificates from let's encrypt and you are off to the races.

Working here (UK).

People not so much leaving the country as switching their advertising tracker?

And will be cancelled in 18 months with 2 weeks notice.

They don't have Mozartists.

This approach sounds good.

I think the correct approach is both, if you have the option.

Most devices accept two name servers. Redundancy is always good, especially for DNS.

I've used this list generating package for years now with great results: https://github.com/opencoff/unbound-adblock/tree/master

It is designed to generate blocking lists that can be used with unbound, the DNS resolver. There are even instructions for how to configure unbound so if you are new to it all you can follow along.

I use the resulting lists in my two local DNS name servers, running unbound.

The way it works is that if a query for a blocked address comes in to one of thenlocal DNS servers it returns a domain not found result. If the address is not on the block list then it forwards the query on to an internet DNS resolver securely using DoT.

You can gain further control over your DNS results by choosing those upstream resolvers carefully. Quad9 and Cloudflare etc all offer DoT resolving, along with some further filtering (eg. for malware), or completely unfiltered DNS if that's what you want.

Services like cleanbrowsing.org offer more fine grained filtering, useful if you want a family-friendly set of DNS results, based off categorify.org. You can pay for really fine tuned results, or there is a free layer which provides still very useful basic categories.

Combining the two forms of filtering, local advert and tracking blocking, along with open internet content categorisation, seems to be very effective.

I get complaints about too many adverts when my kids are on WiFi away from home. I take it as a compliment.