2023-05-11: thinkpadding

today, while cleaning house, i discovered my old thinkpad from many years ago. it's certainly not powerful by today's standards, but to my surprise, it still works. this was a blessing for me, considering i could repurpose this long-forgotten machine as proper isolation of my identity. no more messing around with ssh key isolation and networking, i can properly configure a machine to fit my needs.

my favorite desktop os is fedora, so that's what i ended up going with. i've elected to pick a setup as minimal as possible - i've only installed a vpn, a text editor, and a password manager. there was a web browser (firefox) preinstalled, and i'm used to gnome and wayland. i've only copied over my passwords, totp codes, ssh keys, gpg keys, and vpn keys.

i made two custom passphrases for the partition encryption key and my account's password. no point in writing those down in a password manager when they'd be locked behind the password, so i've kept them on paper like for the backup password. i chose a string of words instead of random characters in hopes it would be easier to remember (it did take quite some restraint to not use the password correct horse battery staple).

of course, this now opens up the problem that all my traffic coming from this machine is associated with my home internet. to solve this, i've set up networking to not initialize until my session starts, and then a script to immediately connect to a vpn after login. it randomly picks between a few options - my server, branded vpns, proxies that i trust. i also configured my home network's firewall to not allow local traffic on this machine.

it feels a lot more responsive to edit things now, considering i'm not writing over a very laggy ssh connection. i found a tool called mosh that's supposed to help this issue, but it didn't have any visible improvements for me. not that it matters anymore, though.

i'm pretty privacy focused, but this configuration definitely empowers the feeling of security. everything is isolated, encrypted, and routed in such a way that it feels truly anonymous. it's a truly clean system - there's absolutely nothing on this machine that shows who i really am. the closest you'll get is location services (disabled) and ssid name (purposefully ambiguous). i've taped over the camera and disabled the microphone in software - haven't rebooted yet to check if i can disable it in the bios.

since i'm now writing my website on my laptop, i've set up a script to send it over to my server. sending the entire directory with scp was abysmally slow, so i opted to turn it into a tar archive first and then extract it serverside.
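The tar-then-extract transfer described above, as an added example (not the author's own script). It assumes GNU tar on both ends; the host alias `web.example`, the `/srv/www` root, the `releases/` plus `current` symlink layout and the function names are placeholders. Beyond speed, it strips the local account name from the archive metadata and skips `.git`, so the upload says nothing about the machine it came from.

```bash
#!/bin/sh
# Added example: stream a site directory as one tar archive and unpack it remotely.
# Assumptions (not from the post): GNU tar, host alias, remote paths, function names.
set -e

REMOTE_SH=${REMOTE_SH:-"ssh web.example"}   # placeholder transport: ssh to a host alias
REMOTE_ROOT=${REMOTE_ROOT:-/srv/www}        # placeholder web root on the server

# Write a gzip'd tar of directory $1 to stdout.
pack_site() {
    # --owner/--group/--numeric-owner: record uid/gid 0 and no user/group names,
    #   so the local login name never ends up in the archive headers.
    # --exclude=.git: VCS history (author name, e-mail) stays off the server.
    tar -C "$1" --owner=0 --group=0 --numeric-owner --exclude=.git -czf - .
}

# Send directory $1 in a single stream, unpack into a fresh release directory,
# then switch the "current" symlink with a rename so visitors never see a
# half-extracted tree.
deploy_site() {
    new="$REMOTE_ROOT/releases/$(date -u +%Y%m%dT%H%M%SZ)"
    # Paths are embedded in single quotes, so they must not contain a quote.
    # If the stream is cut short, the remote tar fails and "set -e" stops
    # the script before the symlink is touched.
    pack_site "$1" | $REMOTE_SH "set -e
        mkdir -p '$new'
        tar -xzf - -C '$new' --no-same-owner --no-same-permissions
        ln -sfn '$new' '$REMOTE_ROOT/current.new'
        mv -T '$REMOTE_ROOT/current.new' '$REMOTE_ROOT/current'"
}

# Usage: deploy_site ./site
# Check what an archive reveals before sending it: pack_site ./site | tar -tvzf -
```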

~ lily