Tech Independence
Contents:
- What?
- Register a domain
- Create storage
- Create an SSH key
- Create your server
- Attach storage
- Point your domain here
- SSH into root
- Customize the instructions!
- Create your username
- Another user?
- Secure your login
- Format storage
- Use your storage
- More storage?
- Phones
- Web server
- Simple website
- File sharing in /pub/
- Contacts and Calendar
- Email basics
- Email tips
- Email from anywhere
- Email verification
- More indie tips
- Upkeep
- Trouble? Start over
- Questions? Additions?
What?
Tech independence is not depending on any particular company or software.
The only tools you need are the common open source basics built into any Linux or BSD operating system: free, open-source tools that no single company controls, and that run on any computer.
Learn a few of these basic tools, and you can run your own private server on any computer forever, for the rest of your life. Host your own website and email. Keep your own contacts and calendars synced with your phone. Back up and sync your photos, movies, and music to your own private storage. No more subscriptions needed.
You can ignore all the companies offering “solutions”, even if they are free, because they take away self-reliance. The point is to know how to do it yourself, not to have somebody do it for you. It’s worth a little up-front work, like learning how to drive.
Below are simple step-by-step instructions that work. Instead of drowning you in options, they use an operating system called OpenBSD and a hosting company called Vultr, because I’ve used them for years and know them to be good and trustworthy. But you could do this same setup with any free Linux or BSD operating system, with any hosting company that gives you “root” access to your own private server. You could even do it on an old laptop in your closet.
So if a company turns evil or goes out of business, no problem! You can set up a new server anywhere else in an hour, point your domain name to the new IP address, and it’s done. That’s tech independence — never dependent on any particular provider or software. It’s very empowering. The instructions below will show you how.
Register a domain
- Go to Porkbun.com.
- Search for a domain name you like until you find one that’s available.
- Click the red + (plus) sign, then the [checkout] button.
- Click the blue [Continue] button in the bottom-right corner.
- Create a new account, and pay.
- Congratulations. You’ll use this domain name in many of the steps below.
Create storage
- Go to Vultr.com.
- Create an account and give it your credit card.
- Click “Products” in the left menu, then “Storage - Block/Object” in the horizontal middle of the screen, then the blue (+) on the right, to go to the “Add Block Storage” page.
- Click “Block Storage (HDD)”, which says “Globally Available”
- Below that, a list of 28 countries appears. Click the one closest to you.
- Below that, a slider lets you choose how much storage you need. If not sure, just leave it as $1 for 40 GB.
- Below that, in a subtle box that says “label”, type the word encrypted.
- Below that, click the “Add Block Storage” button.
Create an SSH key
- Open a terminal.
  - Windows? Start → Windows PowerShell → Windows PowerShell
  - Mac? Applications → Utilities → Terminal
- Type ssh-keygen -t ed25519 and hit [enter] or [return].
- When it says “Enter file in which to save the key (/Users/yourname/.ssh/id_ed25519):”, hit [enter] or [return].
- When it says “Enter passphrase (empty for no passphrase):”, hit [enter] or [return]. (This leaves the key without a passphrase, so guard the file id_ed25519: anyone who copies it can log in as you.)
- When it says “Enter same passphrase again:”, hit [enter] or [return].
- See the line that starts “Your public key has been saved in” and ends in “id_ed25519.pub”? That’s the file you need for the next step.
- In a text editor, open “id_ed25519.pub”:
  - Windows? Type notepad .ssh/id_ed25519.pub
  - Mac? Type open -e .ssh/id_ed25519.pub
- It should be a single line like this:
ssh-ed25519 AAAAC3Nz5AAAAIPIXO5icj4LUpqa2baqYQRmCZ1+NV4sBDr you@computer
- You’ll use this in the next step: “Create your server”.
Create your server
- In your Vultr.com account:
- Click “Products” in the left menu, then the blue (+) on the right, to go to the “Deploy New Instance” page.
- Click “Cloud Compute” (NOT “Optimized Cloud Compute”)
- Below that, click “Intel Regular Performance”
- Below that, IMPORTANT: click the same city you chose for your encrypted storage in the previous step.
- Below that, click “OpenBSD” (the yellow blowfish) then inside its box, click “7.3 x64”
- Below that, under Server Size, click “25 GB SSD $5/month”
- A blue pop-up appears underneath, up-selling “For only $1.00 more you can...”. Click “No thanks”.
- Scroll down to “SSH Keys”, click “Add New”, then under “Name” type mykey.
- From the previous section, copy (⌘-C or Ctrl-C) the contents of “id_ed25519.pub” and paste it into this box called “SSH Key”. It should be a single line like this:
ssh-ed25519 AAAAC3NzaC1XO5iclCcrHbGRPoj4LUpqa2baqYQRmCZ1+NV4sBDr you@computer
- After pasting it into the box, click [Add SSH Key].
- Under SSH Keys, click the box with the picture of the key called “mykey” to give it a tick mark in the top-right corner.
- Scroll up to “Enable Auto Backups”, click the “on” toggle button to turn it OFF.
- A scary pop-up says “Are you sure....”. Tick the box next to “I understand the risks”, then click the red button “Disable Auto Backups”.
- Under “Additional Features”, un-tick the box next to “Enable IPv6”, to disable it.
- Under “Server Hostname & Label”, type your domain name (the new one you registered at Porkbun). Your domain name should appear in both “server hostname” and “server label”.
- At the bottom, click the big blue button [“Deploy Now”].
- Stretch your legs for a minute while waiting for your server status to change from “Installing” to “Running”, then click its name.
- Copy and save into a separate text file two very important things on screen: the IP Address, and root Password.
Attach storage
- In your Vultr.com account, click “Products” on the left, then “Storage - Block / Object” up top.
- Under Block Storage, click the name of your storage, (should be called “encrypted”).
- Underneath its location, see where it says “Attach to:” and a pull-down menu that says “Instance”? From that menu, choose the only option, which should show OpenBSD 7.3 and your domain name.
- To “Attach Volume? Are you sure you want to attach this volume?” Click [Attach Volume]. (What you did here was the equivalent of plugging in a USB stick into a computer. You’ll keep this storage separate and encrypted.)
Point your domain here
- In your Vultr.com account, click “Products” on the left, then click the name of your server in the middle of the page.
- Click “Settings” in the top menu.
- Click under “Reverse DNS” in the center-right, where it says something like 123.45.67.89.vultrusercontent.com.
- Erase everything in that form field, and replace it with your domain name, then click the check-mark.
- You should see your domain name under “Reverse DNS” now.
- Copy your IP Address from this page, or from the last step of Create Your Server.
- Go back to your Porkbun.com account in another browser tab.
- Under your domain name, click the little word “DNS”.
- Scroll to the bottom of this page, under “Current Records”, and click the little trash can under “OPTIONS” for each entry.
- Each will ask, “Are you sure you want to delete this DNS record?”. Click the blue [OK].
- Scrolling up, under “Here you can configure custom DNS records for your domain.”, set Type to A - Address record.
- Leave “Host” blank.
- Under “Answer”, paste your IP address.
- Click the blue [Add] button, bottom-right.
- Repeat that step again, with Type as “A - Address record”, but this time type * (asterisk) under “Host”, then again under “Answer” paste your IP address.
- Click the blue [Add] button, bottom-right.
- Click the little x in the top-right corner of this pop-up window.
- Now your domain name points to your new server, with or without “www.”.
SSH into root
- Copy (⌘-C or Ctrl-C) the IP Address from the last step of Create Your Server.
- Open your terminal from the Create an SSH key section.
- Whenever I say to type something into the terminal, hit your [return] or [enter] key afterwards.
- Type into the terminal: ssh root@YOUR-IP-ADDRESS. So for example: ssh root@123.45.67.89
- It should say something like:
The authenticity of host '123.45.67.89 (123.45.67.89)' can’t be established. ED25519 key fingerprint is SHA256:OyiqVsjRX8U2f0UTUY4D0erdl6855YNRXyQk2D. This key is not known by any other names Are you sure you want to continue connecting (yes/no/[fingerprint])?
- Type yes
- It should say something like:
Warning: Permanently added '123.45.67.89' (ED25519) to the list of known hosts. OpenBSD 7.3 (GENERIC.MP) #1125: Sat Mar 25 10:36:29 MDT 2023 Welcome to OpenBSD: The proactively secure Unix-like operating system.
- Congratulations! You’re inside a remote computer!
- Type syspatch to apply security updates.
- Type reboot. It should say something like: Connection to 123.45.67.89 closed by remote host. Connection to 123.45.67.89 closed.
- Wait a minute for it to reboot, then repeat the ssh step above. Type into the terminal: ssh root@YOUR-IP-ADDRESS
- Once again it should say “Welcome to OpenBSD”, and more. Stay logged in, and go to the next section.
Customize the instructions!
Wherever the instructions below say yourdomain.name or yourusername, substitute your own domain name and the username you create in the next section. Type each command exactly as shown, hitting [return] or [enter] afterwards.
Create your username
- You should be in your terminal, logged in to your server as root, from the previous section.
- Type adduser
- “Enter your default shell: csh ksh nologin sh [ksh]:”, hit [return] or [enter]
- “Default login class: authpf bgpd … vmd xenodm [default]”, hit [return] or [enter]
- “Enter your default HOME partition: [/home]:”, hit [return] or [enter]
- “Copy dotfiles from: /etc/skel no [/etc/skel]:”, hit [return] or [enter]
- “Send welcome message?: /path/file default no [no]”, hit [return] or [enter]
- “Prompt for passwords by default (y/n) [y]:”, hit [return] or [enter]
- “Default encryption method for passwords: auto blowfish [auto]:”, hit [return] or [enter]
- “Enter username []:”, create your one-word lower-case name, usually your first/given name, the one that will be the part before the @ in your new email address (yourusername@yourdomain.name). You are the only user on this system, so basically every name is free.
- “Enter full name []:”, type your full name.
- “Enter shell: csh ksh nologin sh [ksh]:”, hit [return] or [enter]
- “Uid [1000]:”, hit [return] or [enter]
- “Login group yourusername [yourusername]:”, hit [return] or [enter]
- “Invite yourusername into other groups: guest no [no]:”, type wheel
- “Login class authpf ... xenodm [default]:”, hit [return] or [enter]
- “Enter password:”, type a new password only you will know. It won’t appear on the screen as you type.
- “Enter password again:”, type that password again to verify. It still won’t appear on the screen, so type carefully.
- It will show you your info, then when it says “OK? (y/n) [y]:”, hit [return] or [enter]
- “Add another user? (y/n) [y]:”, type n
- Type echo 'permit nopass yourusername' >> /etc/doas.conf (“nopass” means doas will never ask this user for a password. The shortcut scripts later on depend on that, but it also means anyone who gets hold of your SSH key has root on this server.)
- Open a new terminal window on your computer, so that this first window stays logged in as root.
- In the new terminal window, type: ssh yourusername@yourdomain.name
- It should say something like:
The authenticity of host 'yourdomain.name (123.45.67.89)' can’t be established. ED25519 key fingerprint is SHA256:qVsjRX8U2f0UTUY4D0erdl6855YNRXyQk2Dgv4. This host key is known by the following other names/addresses: ~/.ssh/known_hosts:1: 123.45.67.89 Are you sure you want to continue connecting (yes/no/[fingerprint])
- Type yes
- After a “Warning: Permanently added …”, and “yourusername@yourdomain.name’s password:”, type your new password.
- If it says “Welcome to OpenBSD” (among other things), congratulations, you did all the above steps correctly! If not, go back to the first terminal window that is still logged in as root, and try to repeat those steps. But assuming it worked, continue:
- Type exit to log out (it should say “Connection to yourdomain.name closed.”)
- Copy your SSH public key to the server:
  - Windows? Type Get-Content $env:USERPROFILE\.ssh\id_ed25519.pub | ssh yourusername@yourdomain.name "mkdir -p .ssh && cat >> .ssh/authorized_keys"
  - Mac? Type ssh-copy-id yourusername@yourdomain.name
- Type your new password when it asks.
- Type ssh yourusername@yourdomain.name
- If it says “Welcome to OpenBSD” (among other things), without asking for a password, congratulations! This is how you will log in from now on, and it’s using your key instead of your password.
Another user?
Want someone else to also have access to this server, or receive their own email at theirname@yourdomain.name?
- Ask that person to create an SSH key on their own computer, as described in “Create an SSH key”.
- Change “Customize the instructions” to the new username you are about to create.
- Repeat the “Create your username” section for that new username, but…
- … notice that adduser now skips the first-time default questions (from “Enter your default shell” through “Default encryption method for passwords”).
- … and that person should do the login and key-upload steps (from “Open a new terminal window” to the end of the section) on their own computer, uploading their own SSH key.
Do this for as many users as you would like. There is practically no limit. Do it before you lock things tightly in the next section.
Secure your login
This is an optional but highly recommended step to secure your server so nobody can log in without your uniquely-generated SSH key.
- As described in the last few steps of the previous section, log in to your server (ssh yourusername@yourdomain.name)
- Type doas su
- Type sed -i 's/RootLogin yes/RootLogin no/g' /etc/ssh/sshd_config
- Type echo 'PasswordAuthentication no' >> /etc/ssh/sshd_config
- Type rcctl restart sshd
- Type exit and exit again until it says “Connection to yourdomain.name closed.” (If you want a safety net, open a second terminal window for the next step instead, and only close this one once the new login works; existing sessions survive an sshd restart.)
- Type ssh yourusername@yourdomain.name
- If it says “Welcome to OpenBSD”, congratulations! Your server now accepts only key-based SSH logins, and no root logins at all. Go back up your SSH keys: the two files you created in “Create an SSH key”, named “id_ed25519” and “id_ed25519.pub”. You can even copy these two files to another computer to be able to log in from there. Treat id_ed25519 like a password, because from now on it is your password.
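The two sshd edits above work on a stock OpenBSD sshd_config, but they are fragile: sshd honours only the first value it finds for a directive, so an appended PasswordAuthentication no is silently ignored if an uncommented PasswordAuthentication yes already appears earlier in the file, and on OpenBSD the keyboard-interactive method (KbdInteractiveAuthentication, on by default) can still accept a password even with PasswordAuthentication off. The script below is an added example for this section, not part of the original page. It rewrites each directive in place whether it is present, commented out, or missing, then checks the effective values the way sshd reads them, and only touches the real file (run as root, after doas su) once sshd -t has accepted it. It assumes the file has no Match blocks, which is true of the default.

```shell
#!/bin/sh
# Added example (not from the original page): idempotent sshd_config hardening
# plus a check that reads the file the way sshd does (first value wins).
# Assumes no Match blocks, as in the stock OpenBSD file. Run as root for the real file.
set -eu

# set_sshd_option FILE KEY VALUE
# Replace every existing line for KEY, commented out or not, with one
# "KEY VALUE" line at the position of the first; append if KEY is absent.
set_sshd_option() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        awk -v k="$key" -v v="$value" '
            $0 ~ "^[ \t]*#?[ \t]*" k "([ \t]|$)" {
                if (!seen) { print k " " v; seen = 1 }   # keep only one copy
                next
            }
            { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# effective_sshd_option FILE KEY
# Print the value sshd will actually use: the first uncommented occurrence.
# A line appended after an earlier uncommented one is ignored by sshd.
effective_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden [FILE]: disable root login and every password-based method, verify,
# and (only for the real file) let sshd parse it before restarting.
harden() {
    cfg=${1:-/etc/ssh/sshd_config}
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" PasswordAuthentication no
    # On OpenBSD, keyboard-interactive (bsdauth) also accepts passwords unless disabled.
    set_sshd_option "$cfg" KbdInteractiveAuthentication no
    for k in PermitRootLogin PasswordAuthentication KbdInteractiveAuthentication; do
        if [ "$(effective_sshd_option "$cfg" "$k")" != no ]; then
            echo "$k is not effectively 'no' in $cfg" >&2
            return 1
        fi
    done
    if [ "$cfg" = /etc/ssh/sshd_config ]; then
        if sshd -t; then
            rcctl restart sshd   # keep your current session open until a new key login works
        else
            echo "sshd -t rejected the config; sshd was not restarted" >&2
            return 1
        fi
    fi
    return 0
}

# usage: sh harden-sshd.sh harden            (real file, as root)
#        sh harden-sshd.sh harden ./test.conf (dry run on a copy)
case "${1:-}" in harden) harden "${2:-}" ;; esac
```

Running it against a copy of /etc/ssh/sshd_config first shows exactly which lines it would change, and the effective_sshd_option check is the one to reach for whenever a login behaves differently from what the file seems to say.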
Format storage
- Log in to your server (ssh yourusername@yourdomain.name)
- Type doas su
- Type disklabel -E sd1
- It will say “Label editor (enter '?' for help at any prompt)”
- Type a a (“a”, then space, then “a”)
- “offset: [0]”, hit [return] or [enter]
- “size: [83886080]”, hit [return] or [enter]
- “FS type: [4.2BSD]”, type RAID
- “sd1*>”, type w
- “sd1>” again, type q
- It will say “No label changes.”
- Type bioctl -c C -l sd1a softraid0
- “New passphrase:”, type a new passphrase only you will know. It won’t appear on the screen. (This passphrase is the only thing protecting the data on this disk, and it is never stored on the server, so make it long and keep it somewhere safe.)
- “Re-type passphrase:”, type that passphrase again to verify.
- It will say “softraid0: CRYPTO volume attached as sd2”
- Type disklabel -E sd2
- It will say “Label editor (enter '?' for help at any prompt)”
- Type a a (“a”, then space, then “a”)
- “offset: [0]”, hit [return] or [enter]
- “size: [83885552]”, hit [return] or [enter]
- “FS type: [4.2BSD]”, hit [return] or [enter]
- “sd2*>”, type w
- “sd2>” again, type q
- It will say “No label changes.”
- Type newfs sd2a
- It will say something like “/dev/rsd2a: 40959.7MB in 83885536 sectors of 512 bytes” then many lines of numbers. Congratulations, you now have encrypted storage. Let’s make it easy to mount and unmount.
- Type pkg_add rsync--iconv
- Type exit
- Type mkdir bin
- Type cd bin
- Type or copy-paste this next line, all on one line:
echo '#!/bin/sh\ndoas bioctl -c C -l sd1a softraid0\ndoas mount /dev/sd2a /mnt\nls -l /mnt' > m
- Type or copy-paste this next line, all on one line:
echo '#!/bin/sh\ndoas umount /mnt\ndoas bioctl -d sd2\necho "unmounted"' > m-x
- Type chmod 700 m*
- Type m-x and it should say “unmounted”
- Type m
- When it says “Passphrase:”, give it the storage passphrase you created above.
- Type doas chown $USER:wheel /mnt
- Type doas chmod 770 /mnt
- Now detach it by typing m-x. Attach it again by typing m. Practice a few times. These are your shortcut commands to attach (m) and detach (m-x) your private encrypted storage. Like plugging in and removing a USB stick. While it is attached, the decrypted files are readable by anyone with root on this server (the hosting company included, through the hypervisor); detaching is what keeps them encrypted at rest, so detach when you are done.
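The m and m-x one-liners above do no checking: m-x keeps going and detaches the volume even when umount fails because a shell is still sitting in /mnt, which is how the filesystem ends up needing fsck, and m tries to attach a chunk that is already in use. The script below is an added example, not the page’s own code. It assumes the same names the section uses (chunk sd1a, volume /dev/sd2a, mountpoint /mnt) and the mount(8) output format of OpenBSD. It refuses to detach while your shell is inside /mnt, reports an already-attached volume instead of erroring, and detaches the volume again if the mount fails so the key is not left in memory.

```shell
#!/bin/sh
# Added example (not from the original page): safer attach/detach helpers in the
# spirit of m and m-x. Assumed names, matching the Format storage section:
# crypto chunk sd1a, decrypted volume /dev/sd2a, mountpoint /mnt.
set -u

CHUNK=sd1a
VOL=/dev/sd2a
MNT=/mnt

# mounted_device LISTING MOUNTPOINT
# Given the output of mount(8) ("/dev/sd2a on /mnt type ffs (local, ...)"),
# print the device mounted on MOUNTPOINT, or nothing if it is not mounted.
mounted_device() {
    printf '%s\n' "$1" | awk -v mnt="$2" '$2 == "on" && $3 == mnt { print $1; exit }'
}

# disk_of DEVICE: /dev/sd2a -> sd2, the argument bioctl -d expects
disk_of() {
    d=${1#/dev/}
    printf '%s\n' "${d%?}"
}

attach() {
    dev=$(mounted_device "$(mount)" "$MNT")
    if [ -n "$dev" ]; then
        echo "already attached: $dev on $MNT"      # the "chunk already in use" case
        return 0
    fi
    doas bioctl -c C -l "$CHUNK" softraid0 || return 1   # prompts for the passphrase
    if ! doas mount "$VOL" "$MNT"; then
        echo "mount failed: run 'doas fsck_ffs -y $VOL' and try again" >&2
        doas bioctl -d "$(disk_of "$VOL")"                 # do not leave the key in memory
        return 1
    fi
    ls -l "$MNT"
}

detach() {
    case "$(pwd)/" in
        "$MNT"/*) echo "your shell is inside $MNT; cd elsewhere first" >&2; return 1 ;;
    esac
    dev=$(mounted_device "$(mount)" "$MNT")
    if [ -z "$dev" ]; then
        echo "not attached"
        return 0
    fi
    doas umount "$MNT" || { echo "busy: another session still has $MNT open" >&2; return 1; }
    doas bioctl -d "$(disk_of "$dev")" && echo unmounted
}

# usage: save as ~/bin/m2, chmod 700 m2, then "m2 attach" or "m2 detach"
case "${1:-}" in
    attach) attach ;;
    detach) detach ;;
esac
```

The check on the current directory is the one that matters most: a busy /mnt is the usual reason umount fails, and refusing early is what avoids the fsck described in the next section.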
Use your storage
- Log in to your server, if you are not already (ssh yourusername@yourdomain.name)
- Attach your private encrypted storage by typing m
- When it says “Passphrase:”, give it the passphrase you created in the previous section.
- If it says “softraid0: chunk sd1a already in use, mount_ffs: /dev/sd2a on /mnt: Device busy”, that’s fine. It just means it was already attached.
- If it says “mount_ffs: /dev/sd2a on /mnt: filesystem must be mounted read-only; you may need to run fsck”, just type doas fsck_ffs -y /dev/sd2a to fix it. It means at some point you unmounted the encrypted /mnt partition while one of your terminal user sessions was still in it. It’s the equivalent of closing a shop at night while a customer is still inside. When it says “you may need to run fsck” it’s like saying “you need to check the inventory before we open”, to make sure nothing is missing.
- Type exit
- On an Apple Mac? Type rsync -avz Documents yourusername@yourdomain.name:/mnt/ and you will see it uploading your Documents folder to your private encrypted storage. Use this same format to upload any other folders, replacing “Documents” in the command. If you are happy synchronizing on the command line like this, you can skip over the next FreeFileSync section, or try it to see if you prefer it.
FreeFileSync
Everyone using Windows, and Mac people that prefer a point-and-click program, should use FreeFileSync. Here’s how:
- Download FreeFileSync and please give an optional donation there if you can afford to. Donating also unlocks more features. Thanks to Jon Lis for the recommendation.
- Install and open FreeFileSync.
- Top-center: click the grey [Browse] button and find the folder with the stuff you want to upload.
- Top-far-right: click the white cloud icon then SFTP at the top.
- Server name or IP address: yourdomain.name
- Left side: click (*) Key File
- Username: yourusername
- Browse to find your private key, called id_ed25519, from the “Create an SSH key” section. (Not the file that ends in “.pub”, but the one next to it.) NOTE: Because the /Users/yourusername/.ssh directory is “hidden” by Windows and Mac by default, I find it easier to just type the path directly, like this (the username in this path is your username on your home computer, not on your remote server):
  - Windows? Type C:\Users\yourusername\.ssh\id_ed25519
  - Mac? Type /Users/yourusername/.ssh/id_ed25519
- Directory on server: /mnt
- Click OK to go back to the main screen.
- Top-right: click the green gear wheel.
- Left button: click “MIRROR →”
- Click OK to go back to the main screen.
- Top-center: click “COMPARE”, and make sure your files are there.
- Top-right: click “SYNCHRONIZE Mirror →” then [Start]
Verify and unmount
- When it’s done uploading, log in to your server again, from your terminal.
- Type find /mnt
- You should see a long list of the files you uploaded.
- Type m-x to detach your encrypted storage.
- Type find /mnt again, and now you should see nothing there! Congratulations! You now see how this will work in the future:
- Log in and type m to attach your encrypted storage.
- Upload your files with rsync or FreeFileSync.
- Log in and type m-x to detach the storage, for security.
If you need hundreds of gigabytes, or even terabytes of storage, I recommend Hetzner’s “Storage Box”. It’s the best storage value I’ve found. Also consider Backblaze Personal Backup.
I personally use Vultr’s storage (as described above) for sensitive information I definitely want completely encrypted. Then I use Hetzner’s Storage Box for all my photos, videos, music, and other big files that don’t absolutely need to be encrypted.
Phones
Sometimes people email me, after setting up everything here, to ask, “So how do I sync all my photos and videos from my phone to this storage?” Well, bad news.
Because phones are quite locked-down by Google and Apple, they’re not (yet) general-purpose computers. So copy everything to your computer, back it up from your computer, then erase it from your phone. Until your stuff is off your phone it’s not fully in your control.
If this changes, and you know of a way to sync all of your photos and videos directly from your phone to a remote SFTP server, please let me know and I will update these instructions.
Web server
- Log in to your server, if you are not already.
- Type doas su
- Type cd /etc
- Type ftp https://sive.rs/file/httpd.conf
- Type ftp https://sive.rs/file/relayd.conf
- Type ftp https://sive.rs/file/acme-client.conf
- Read through those three files before going on. They will run as root, and a configuration file downloaded from anyone’s website deserves a look before it is installed.
- Type sed -i s/example.com/yourdomain.name/g httpd.conf relayd.conf acme-client.conf
- Type rcctl enable httpd
- Type rcctl start httpd
- It should say “httpd(ok)”.
- Type acme-client -v yourdomain.name
- Watch it work for 10-20 seconds until it ends with the word “created”.
- Type rcctl enable relayd
- Type rcctl start relayd
- It should say “relayd(ok)”.
- Type echo '<h1>It worked!</h1>' > /var/www/htdocs/index.html
- Type rm -r /var/www/htdocs/bgplg
- Type mkdir /var/www/htdocs/pub
- Type chown -R yourusername:yourusername /var/www/htdocs
- In your browser, go to https://yourdomain.name/ and you should see a big “It worked!”. Congratulations! You now have your own secure web server. Now we need to make sure it stays secure by having it automatically renew its certificate, which expires every few months.
- Back in your terminal, type: crontab -e
- You will see a page full of text, starting with SHELL=/bin/sh. This is your first time editing a file. Don’t be scared. Here we go:
- Type 15G (that’s a capital G) without hitting [return] or [enter] and you’ll see your cursor now at the start of the line that ends in “weekly”.
- Type yyp without hitting [return] or [enter] to copy+paste that line.
- Type f/ without hitting [return] or [enter] to move your cursor to the first /.
- Type a capital C without hitting [return] or [enter] and you’ll see the last character became a $.
- Type acme-client yourdomain.name && rcctl reload relayd
- Hit your [esc] key in the very top-left corner of your keyboard. Nothing will change on the screen, yet.
- Type :wq (the “:” at the beginning is important) then [enter] or [return].
- That should bring you back to your command line, where it says “crontab: installing new crontab”.
- Type crontab -l (that’s a lowercase “L”), and you should see the file you edited, with the line you added. If so, congratulations! You just used the legendary vi editor!
- Type exit to get out of “root” mode and back into your usual username.
Simple website
- On your home computer, in your main home directory, make a directory/folder called “htdocs”
- Download this file called “template.html” and save it in your “htdocs” directory.
- Download this file called “style.css” and also save it in your “htdocs” directory.
- Make a copy of the “template.html” file, and name the copy “index.html”. This will be your home page.
- Edit the index.html file in a text editor (NotePad or TextEdit) and change my default text to whatever you want.
- When you need to add a new page, just copy the template again, call it “about.html” or whatever, and make a link to it from the home page. The header of each page will link back to index.html : your home page.
- If you want to change the look of your site, just edit the style.css file. Search the web for “CSS tutorial” if needed.
- To upload it to your public server, do one of the next two steps:
- Apple Mac? Open a new terminal window on your computer, type rsync -avz htdocs yourusername@yourdomain.name:/var/www/
- Windows? FreeFileSync again, but now change the “Directory on server” to /var/www/ (you can find it by clicking [browse] or typing it directly) then upload this htdocs directory there.
- Go to https://yourdomain.name in your web browser, refresh the page, and you should see your updated website.
- Any trouble, just know that the goal is to get that index.html file into this location on your server: /var/www/htdocs/index.html because that’s where the web server is expecting it to be. That’s where we put the original “It worked!” file, so your new index.html file should replace that one.
- If you want short URLs, without the .html, you can (for everything except index.html) because I set the default type to be HTML. Just remove the “.html” from your HTML filenames, update your links, and voilà!
File sharing in /pub/
Your website is configured to list all files in the /pub/ directory of your website. So basically anything in /var/www/htdocs/pub/ is public. Let me show you by example, by putting some files in it.
- Log in to your server, if you are not already.
- Type cd /var/www/htdocs
- Type mkdir -p pub
- Type cd pub
- Type ftp https://sive.rs/file/hello.txt
- Type ftp https://sive.rs/file/hello.pdf
- Type ftp https://sive.rs/file/derek.jpg
- Type ftp https://sive.rs/file/guitar.mp3
- Type ftp https://sive.rs/file/ymap.mp4
- Type exit when done.
- Go to https://yourdomain.name/pub/ in your web browser, and you should see the files. Click on each to test.
- Right-click or [Ctrl]-click on any filename in the list, then from the pop-up menu choose “Copy link address” or “Copy Link”.
- Go paste that URL (https://yourdomain.name/pub/guitar.mp3) into an email or text to your phone. Then click that link from your phone. See?
If the files you want to share are already on your computer, then just make a pub/ directory inside htdocs/ (so, htdocs/pub/), put your files in there, then use FreeFileSync or rsync to upload them as you did in the previous section called “Simple website”. Consider them part of your website.
Or if you have a URL from somewhere else online that you want to download to your server, just do it as we did in the numbered steps above. Then use FreeFileSync or rsync to download from your server to your computer first, before your next upload sync.
Contacts and Calendar
Your phone currently keeps its contacts and calendars with Google or Apple. Host them yourself using Radicale. Here’s how.
- Log in to your server, if you are not already.
- Type doas su
- Type pkg_add radicale
- Type sed -i 's/#type = none/type = htpasswd/g' /etc/radicale/config
- Type htpasswd /etc/radicale/users yourusername
- “Password:”, make a new password that’s easy to type on your phone. (It is sent over HTTPS, but anyone who guesses it can read and change all your contacts and calendars, so “easy to type” should not mean short.)
- “Retype Password:”, type that password again to verify.
- Type chown _radicale /etc/radicale/users
- Type rcctl enable radicale
- Type rcctl start radicale
- Type exit
- In your browser, go to https://dav.yourdomain.name/
- You should see a Login page. Give it the Username and Password you created in this section. It should work, and bring you to a page called “Collections”.
- Click “Create new addressbook or calendar”
- Title: yourdomain.name, leave Description empty, and change Type to addressbook. Then click [Create].
- You should now see it listed with a long URL. Again, click “Create new addressbook or calendar”
- Title: yourdomain.name, leave Description empty, and change Type to just calendar. Then click [Create].
- You should now see both listed with a long URL. Let’s connect your phone.
Android phone
You need an app called “DAVx⁵”, so install it first. Then…
- Open the DAVx⁵ app
- Click the orange (+) in the bottom-right
- Click (·) “Login with URL and user name”
- Base URL: https://dav.yourdomain.name/
- User name: yourusername
- Password: the “easy to type on your phone” password you made in the “Contacts and Calendar” section
- Click “LOGIN” in the bottom-right corner.
- It should work and bring you to the “Create account” page, where “Account name” will be yourusername. Leave everything as-is and click “CREATE ACCOUNT” in the bottom-right corner.
- It brings you to the “CARDDAV” header. Tick the toggle to turn on next to your domain name.
- Click the ♻ arrows in the bottom-right corner to synchronize your contacts.
- Click the “CALDAV” header up top. Tick the toggle to turn on next to your domain name.
- Click the ♻ arrows in the bottom-right corner to synchronize your calendar.
- Go to your Contacts app, and in the bottom-right corner, click “Fix & manage”.
- Click “Settings”
- Near the bottom, click “Default account for new contacts”, and change it to the DAVx⁵ Address book with your domain name.
- Click “< Settings” in the top-left corner.
- In the top-right corner, click the round icon there. (Might be your face or a letter.) Then change it to the DAVx⁵ Address book with your domain name. Then click X in the top-left corner.
- Click “Contacts” in the bottom-left corner. It should say “No contacts in this account”.
- Click + in the bottom-right corner to Create contact. Top of the next page should say “Save to” then your domain name.
- Add a New Contact with First name: Xxxxx, Last name: Xxxxx. Then click “Save” in the top-right corner.
- Go to your Calendar app, and in the top-right corner, click the round icon there. (Might be your face or a letter.) Then change it to the one with yourusername. After changing it, click the X in the top-left corner.
- To add a new Event, Click [+] in the bottom-right corner, and choose “Event” from the popup menu.
- There might be a warning, “Switch to a Google Account to take advantage blah blah…”. Click “dismiss”.
- Title this event Zzzzzz, and notice it should be saving to the calendar with your domain name and username. Click (Save) in the top-right corner.
- Now skip over to the next step that says “Test that it worked”.
Apple iPhone
- Settings → Contacts → Accounts → Add Account → Other → (under “CONTACTS”:) Add CardDAV Account
- Server: dav.yourdomain.name
- User Name: yourusername
- Password: the “easy to type on your phone” password you made in the “Contacts and Calendar” section
- Click “next” in the top right corner, and it should bring you to your “Accounts” page, where you see it listed, saying “Contacts” underneath.
- Click Add Account → Other → (under “CALENDARS”:) Add CalDAV Account
- Server: dav.yourdomain.name
- User Name: yourusername
- Password: the “easy to type on your phone” password you made in the “Contacts and Calendar” section
- Click “next” in the top right corner, and it should bring you to a “CalDAV” page, showing Calendars and Reminders. Un-tick Reminders.
- Click “save” in the top right corner, and it should bring you to your “Accounts” page, where you see it listed, saying “Calendars” underneath.
- Click “< Contacts” in the top-left corner, to go back to settings for your Contacts app.
- At the bottom change Default Account to the one with yourdomain.name.
- Click “< Contacts” then “< Settings”, both in the top-left corner, then scroll down to Calendar settings and click it.
- In Calendar settings, 2nd from the bottom should say “Default Calendar”. Tap to change it to the one with yourdomain.name.
- Go to your Contacts app and click the + in the top-right corner.
- Add a New Contact with First name: Xxxxx, Last name: Xxxxx. Then click “Done” in the top-right corner.
- Go to your Calendar app and click the + in the top-right corner.
- Add a New Event with Title: Zzzzz. Then click “Add” in the top-right corner.
Test that it worked
- Log in to your server, if you are not already.
- Type doas grep -R xxx /var/db/radicale
- You should see a line with “Xxxxx Xxxxx” at the end.
- Type doas grep -R zzz /var/db/radicale
- You should see a line with “Zzzzz” at the end.
- Congratulations! This shows that your phone is successfully saving contacts and calendars to your server!
If you didn’t see them, check your account sync settings on your phone to make sure it’s syncing, or manually do a sync for now.
You can delete the “Xxxx” person and “Zzzz” event now. It was only for that purpose of finding it on your server.
How to copy over all your contacts and calendars? Just use whatever device you’re using. iPhone, Android, Mac, Windows, Outlook, Thunderbird, whatever it is: just use that. You don’t need to load things into Radicale. Just load them into your existing Contacts and Calendars app, and Radicale is the invisible back-end you’ll almost never need to touch.
OK, last step: let’s make sure your contacts and calendars are backed up nightly, so if you accidentally delete something, you can find it in the backup location on your server.
Backups
- Log in to your server, if you are not already.
- Type cd ~/bin
- Type or copy-paste, all on one line: echo '#!/bin/sh\ndoas cp -r /var/db/radicale $HOME/\ndoas chown -R $USER $HOME' > radbak
- Type chmod 700 radbak
- Type crontab -e
- On the blank page, type i with no [enter] or [return] after.
- In this next step, make sure you leave a space after every 3 and * (asterisk).
- Type 3 3 * * * /home/yourusername/bin/radbak
- Hit your [esc] key in the very top-left corner of your keyboard. Nothing will change on the screen, yet.
- Type :wq (the “:” at the beginning is important) then [enter] or [return].
- That should bring you back to your command line, where it says, “crontab: creating new crontab for yourusername” and “installing new crontab”.
Now it will automatically back up your contacts and calendars to your home directory every night at 3:03am.
If you want to get into the habit of moving them over to your encrypted storage when you “m” to mount it, that’s up to you. ☺
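As an added example (not the page’s own radbak script), here is a variant of that nightly backup that keeps a dated snapshot per run and prunes old ones, so a contact you deleted a few days ago is still in an older copy. The source and destination directories default to the ones used above but are parameters, so you can try it on a scratch directory first; the cp/chmod lines stand in for the page’s doas cp and chown.

```shell
#!/bin/sh
# Added example, not the page's radbak. Same job as the cron line above,
# but every run lands in DEST/radicale-YYYYMMDD-HHMMSS.XXXXXX and only the
# KEEP newest snapshots are kept.

# snapshot_radicale [SRC] [DEST] [KEEP]
#   Copies SRC into a fresh dated directory under DEST, prunes all but the
#   KEEP newest snapshots, and prints the path of the new snapshot.
#   Defaults are the page's paths; override them to test on scratch dirs.
snapshot_radicale() {
    src=${1:-/var/db/radicale}
    dest=${2:-$HOME/radicale-backups}
    keep=${3:-14}
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest" || return 1
    # mktemp -d guarantees a unique directory even if two runs share a second.
    snap=$(mktemp -d "$dest/radicale-$stamp.XXXXXX") || return 1
    # On the real server this is the "doas cp -r" step from the page
    # (-p keeps timestamps); the chmod stands in for the chown back to you.
    cp -Rp "$src"/. "$snap" || return 1
    chmod -R u+rwX,go-rwx "$snap"
    # Prune: newest first (names sort by timestamp), delete beyond KEEP.
    ls -1d "$dest"/radicale-* 2>/dev/null | sort -r \
        | awk -v keep="$keep" 'NR > keep' \
        | while IFS= read -r old; do rm -rf "$old"; done
    printf '%s\n' "$snap"
}

# count_snapshots [DEST] -> how many snapshots are currently kept
count_snapshots() {
    ls -1d "${1:-$HOME/radicale-backups}"/radicale-* 2>/dev/null | wc -l | tr -d ' '
}
```

Put the new script in ~/bin in place of radbak and the same crontab line runs it at 3:03am; the retention count is the third argument.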
Email basics
- Go to your Vultr account and ask them to unblock port 25 so you can run a personal mail server.
- Go to your Porkbun.com account.
- Under your domain name, click the little word “DNS”.
- Change “Type:” to “MX - Mail exchange record”
- Leave “Host:” blank.
- In “Answer:” type your domain name.
- Leave “TTL:” as 600.
- In “Priority:” type 0 (that’s the number zero)
- Click the blue [Add] button, bottom-right.
- Click the little x in the top-right corner of this pop-up window.
- Go do the “Secure web server” section if you haven’t already.
- Log in to your server, if you are not already.
- Type cd ; mkdir -p Maildir/{cur,new,tmp} ; chmod -R 700 Maildir
- Type ftp https://sive.rs/file/.muttrc
- Type ftp https://sive.rs/file/.mailcap
- Type sed -i s/USER/$USER/g .muttrc
- (If you created more than one user, in the “Another user?” section, repeat these last four steps for each user.)
- Type doas su
- Type pkg_add links
- Type pkg_add mutt--sasl
- Type cd /etc/mail
- Type ftp https://sive.rs/file/smtpd.conf
- Type sed -i s/example.com/yourdomain.name/g smtpd.conf
- Type rcctl restart smtpd
- It should say “smtpd(ok)”. Type exit
- OK. You should have a working mail server installed now. Go send an email to yourusername@yourdomain.name from your existing email accounts (Gmail, Hotmail, Outlook, Yahoo, etc.). If you only have one email account, send two separate emails to help you test the next part.
- Back in your server, type mutt
- You should see the subject headers from the emails you sent, with the first email highlighted. Type j and k a few times to go down and up the list of emails.
- To read an email, hit [enter] or [return] when it is highlighted.
- To go back to the list, type i (for “index”)
- To reply, hit r then:
- It shows “To:” so you can edit or add recipients. Hit [enter] or [return] to leave it.
- It shows “Subject:” so you can edit the subject. Hit [enter] or [return] to leave it.
- It asks “Include message in reply? ([yes]/no/?):”. Hit [enter] or [return] for the usual norm of echoing someone’s email back at them below your reply. Or n for not.
- Now you are inside the vi text editor which is not self-explanatory, so I’ll walk you through a simple reply:
- Hit i (no [return] or [enter]) to go into “insert mode” and type your message. You’ll notice it’s on the same line as some other text, so you might want to start by hitting [return] or [enter] a few times, then up-arrow to go back to the first line again.
- When done typing your message, hit your [esc] key in the very top-left corner of your keyboard. Nothing will change on the screen, yet.
- Type :wq (the “:” at the beginning is important) then [enter] or [return].
- Then you’ll see the “Compose Menu” which I think of as the “last chance before sending” screen. Hit y to send it.
- To send a new email, hit m then repeat those steps like you did for a reply, except now the “To:” and “Subject:” are blank and waiting for you to create. (For “To:”, type the email address of the person you’re emailing.)
- To quit, hit q
Mutt is a great program for reading and sending email on the command line. It’s been my email client for 20 years. Read its manual here if you want to go deeper. It does everything.
The vi text editor is a useful tool to edit text on a server. It takes a few minutes to learn, but it’s worth learning because it’s installed by default on every Linux/BSD server.
Email tips
If you are using a new domain name, then it’s likely that your outgoing emails will be marked as spam for a while. This is because spammers would register a new domain, send out a ton of spam from it, then once it’s widely reported as spam, shut it down and register a new one. So the big email providers are now prejudiced against new domains. My advice is to set up this account now, then slowly ease into using it.
Ideally keep it as a private email account that you only give to those few people who you really want to hear from. Then your old gmail/yahoo/outlook/etc address can be just low-priority junk. And your new private email account won’t need spam protection.
Email from anywhere
To do email from your phone, computer, or anywhere else, you need an IMAP server, so we’ll set up one called Dovecot.
- Log in to your server, if you are not already.
- Type doas su
- Type pkg_add dovecot
- Type cd /etc/dovecot
- Type rm -rf *
- Type ftp https://sive.rs/file/dovecot.conf
- Type sed -i s/example.com/yourdomain.name/g dovecot.conf
- Type rcctl enable dovecot
- Type rcctl start dovecot
- It should say “dovecot(ok)”
- Type exit
IMAP account settings:
Now on any device, you can add a new IMAP Mail account, with these settings:
- Account type: IMAP
- Email address: yourusername@yourdomain.name
- Username: yourusername
- Password: your password from the “Create your username” section, step 17.
- Incoming mail server: yourdomain.name
- Outgoing mail server: yourdomain.name
- Connection security: SSL
- Authentication type: Basic authentication
Email verification
To show you are not a spammer, update your DNS settings and sign your outgoing emails. Thank you to Harel Williams for these instructions.
DNS: SPF
- Go to your porkbun.com account.
- Under your domain name, click the little word “DNS”.
- Change “Type:” to “TXT - Text record”.
- Leave “Host:” blank.
- In “Answer:” type v=spf1 mx -all
- Click the blue [Add] button, bottom-right.
- Click the little x in the top-right corner of this pop-up window.
- Test that the SPF record is configured properly at mxtoolbox.com
DNS: DMARC
- Go to your porkbun.com account.
- Under your domain name, click the little word “DNS”.
- Change “Type:” to “TXT - Text record”.
- In “Host:” type _dmarc
- In “Answer:” type v=DMARC1; p=quarantine; rua=mailto:email@example.com replacing email@example.com with your old email address where you get mostly spam, because you will often receive reports here.
- Click the blue [Add] button, bottom-right.
- Click the little x in the top-right corner of this pop-up window.
- Test that DMARC is configured properly at mxtoolbox.com. Note that the selector is mail as the tool asks you for it.
DKIM
- Log in to your server, if you are not already.
- Type doas su
- Type pkg_add opensmtpd-filter-dkimsign
- Type cd /etc/mail
- Type openssl genrsa -out /etc/mail/dkim/yourdomain.name.key 2048
- Type openssl rsa -in /etc/mail/dkim/yourdomain.name.key -pubout -out /etc/mail/dkim/yourdomain.name.pub
- Type chown -R _smtpd dkim
- Type chmod -R 700 dkim
- Type vi /etc/mail/smtpd.conf
- Type /listen
- Hit the letter O (Capital letter “O” as in Ohio) to add the next line:
- Type filter "dkimsign" proc-exec "filter-dkimsign -d yourdomain.name -s mail -k /etc/mail/dkim/yourdomain.name.key -c relaxed/relaxed"
- Hit your [esc] key in the very top-left corner of your keyboard. Nothing will change on the screen.
- Type /listen
- Type A to add to the end of the line, then space bar to add a space before this next step:
- Type filter "dkimsign"
- Hit your [esc] key. Now we will do those last three steps two more times:
- Type /listen
- Type A to add to the end of the line, then space bar to add a space before this next step:
- Type filter "dkimsign"
- Hit your [esc] key. Now we will do those last three steps one more time:
- Type /listen
- Type A to add to the end of the line, then space bar to add a space before this next step:
- Type filter "dkimsign"
- Hit your [esc] key. Now every line that starts with listen should end with filter "dkimsign"
- Type :wq (the “:” at the beginning is important) then [enter] or [return].
- Type rcctl restart smtpd
- Type sed '1d;$d' /etc/mail/dkim/yourdomain.name.pub | tr -d "\n" | echo "v=DKIM1;k=rsa;p=$(cat)" > /var/www/htdocs/pub/dkim.txt
- In your browser, go to https://yourdomain.name/pub/dkim.txt and you should see a few lines of random characters. This is only a convenience to make it easy for you to copy and paste into the step below. You don’t need this “dkim.txt” file after that.
- In a new browser tab, go to your porkbun.com account.
- Under your domain name, click the little word “DNS”.
- Change “Type:” to “TXT - Text record”.
- In “Host:” type mail._domainkey
- Go back to https://yourdomain.name/pub/dkim.txt and copy (⌘-C or Ctrl-C) those few lines of random characters. Every letter counts!
- Go back to Porkbun. Put your cursor in “Answer:” and paste (⌘-V or Ctrl-V) those few lines of random characters.
- Click the blue [Add] button, bottom-right.
- Click the little x in the top-right corner of this pop-up window.
- Test that DKIM is configured properly in DNS at mxtoolbox.com. Note that the selector is mail.
- Test that DKIM signing is configured properly on your server at dkimvalidator.com.
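As an added example (not the page’s one-liner and not part of filter-dkimsign), here is the same public-key-to-TXT conversion as a shell function, plus a check that what DNS actually serves for the mail selector matches the key file in /etc/mail/dkim. The dig command in the closing comment and the key path are assumptions; a DNS TXT string holds at most 255 bytes, so a 2048-bit key’s record comes back from DNS as several quoted strings, which the check joins before comparing.

```shell
#!/bin/sh
# Added example, not from the page. Builds the same "v=DKIM1;k=rsa;p=..."
# value as the sed/tr/echo step above and compares it with the live record.

# dkim_txt_from_pem FILE -> the TXT record value for that PEM public key
dkim_txt_from_pem() {
    # drop the BEGIN/END lines, join the base64 body into one string
    p=$(sed '1d;$d' "$1" | tr -d '\n\r ')
    printf 'v=DKIM1;k=rsa;p=%s\n' "$p"
}

# dkim_txt_chunks FILE -> the same value as quoted 255-byte strings,
# the form a resolver returns (and some DNS panels want) for long records.
dkim_txt_chunks() {
    dkim_txt_from_pem "$1" | fold -w 255 | sed 's/.*/"&"/' | tr '\n' ' '
    echo
}

# dkim_check FILE "TXT-FROM-DNS" -> exit 0 if DNS matches FILE, 1 if not.
# Quotes, spaces, tabs and newlines are stripped so chunked answers compare.
dkim_check() {
    local_txt=$(dkim_txt_from_pem "$1")
    dns_txt=$(printf '%s' "$2" | tr -d '" \t\n')
    [ "$local_txt" = "$dns_txt" ]
}

# On the server, after the Porkbun record has propagated (assumed usage):
#   dkim_check /etc/mail/dkim/yourdomain.name.pub \
#       "$(dig +short TXT mail._domainkey.yourdomain.name)" && echo DKIM DNS ok
```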
More indie tips
- Use Firefox.
- Install uBlock Origin in Firefox and Chrome.
- In Firefox settings, under “Privacy and Security”, choose “[X] Delete cookies and site data when Firefox is closed”, then close Firefox often to erase all your cookies and logins. Browse the web anonymously, not logged-in.
- Replace Google Authenticator with Aegis on Android or Raivo on iPhone.
- If you use Windows, replace it with Ubuntu Linux. (Use both at first, then slowly transition.)
- If you don’t want to run your own email server, use Mailbox.org or Fastmail but only by using your own domain name. Be yourusername@yourdomain.name from now on. Don’t depend on anyone else’s domain for your email or you’ll be stuck with them.
Upkeep
You honestly don’t have to do anything to maintain your server. It will just work as-is for decades! But if you like to keep it up-to-date, it only takes a minute, so run these next steps any time.
- Log in to your server, if you are not already.
- Type doas su
- Type syspatch
- Type fw_update
- Type pkg_add -u
- Type sysupgrade
- Type exit; exit to log out.
If that last “sysupgrade” step did not give an “Error retrieving … 404 Not Found” error, that means your OpenBSD operating system is upgrading itself. They release an upgrade every 6 months. In that case, go to this OpenBSD page and follow the link at the top that says “Upgrading to (7.4, etc)” to see if there’s anything else you should know.
If the “sysupgrade” step updated your operating system and your server rebooted, then there is just one more step:
- Log in to your server, if you are not already.
- Type doas su
- Type sysmerge
- Follow any instructions. Don’t worry about messing up because you can always start over, as described below.
- Re-do the syspatch ; fw_update ; pkg_add -u steps, above.
- Type exit; exit to log out.
Trouble? Start over
I’ve tested the steps above very carefully and repeatedly. They work. So if you hit a major problem, something not happening like it says it should, please do this:
- Type “cd ; m-x ; exit” in any terminals you still have open, until they are all closed.
- Go to your Vultr account.
- See your server instance? See to the far right, a subtle ···? Click that.
- From its pop-up menu, click the last option: “Server Destroy”.
- Tick the box next to “[X] Yes, destroy this server.”
- Click the big red [Destroy Server] button.
- This will not destroy your encrypted storage. That’s another reason we kept it separate from the start. So if you already uploaded a bunch of your files and want to save them, then when re-doing the instructions, skip the “Format storage” section from step 3 through step 26 where it says, “Congratulations you now have encrypted storage.” and start at step 27.
- On your own computer, in the terminal, type: rm .ssh/known_hosts
- Go back to the section called “Create your server” and try again.
You will see it goes much faster the second time, so you have only lost a few minutes. (I have started over at least twenty times to make this tutorial, to make sure all these steps work from scratch.)
Questions? Additions?
To learn more about all these steps above, just log in to your server and type: help
It will teach you the basics. Then for each command or file you want to know more about, type man followed by the command or filename. So for example, log in and type…
Hit your [space] bar to scroll the page, then q to quit.
It’s one of the most wonderful things about OpenBSD: everything you need to know is in those man pages!
No need for YouTube, Google, ChatGPT, or any other advertising-driven sources of information.
I will constantly improve this page, so get on my private email list for updates.
Until then, ask any questions. If something went wrong, please give me a very specific description of exactly what went wrong at what step, what it was supposed to do, and what exactly it actually did. Click here to email me.
Requests for what to add? Again, just email me.