The UK PM has just announced an under-16 social media ban.

This is the ‘Trojan Horse’ in action. You cannot enforce a ban without an Age Verification layer, and you can’t have Age Verification without a National Digital ID or biometric database. They are using the ‘child safety’ card to build a mandatory surveillance gate for the entire internet.

Between the new taxes and the constant bans, it’s clear this government has zero respect for personal agency or digital sovereignty. If you aren’t already moving your data off the cloud and into your own home lab, start now. The gap between our current society and a total surveillance state just got a whole lot smaller.

Those are solid resources but I built mine specifically for the folks who don’t want to pipe a remote bash script into their shell during a malware outbreak. My goal was simple, a private way to audit the list without needing to clone a repo or install Python dependencies.

Use the forensics scripts if you’re a power user, but if you just want a quick, client-side check that doesn’t touch your filesystem, that’s what the tool is there for.

Dedicated PC on LAN talks directly to VPS via Wireguard. The local machine acts as an exit node so when I add a local IP and port to my reverse proxy the whole thing acts like a local network.

I wrote about my setup last month; https://the.unknown-universe.co.uk/home-lab/wireguard-vpn-two-vps/

You’re right, I missed that.

I personally use a reverse proxy and Wireguard setup to access remotely.

I have a dedicated VPS with reverse proxy connected to my network via Wireguard. It acts as the front door to my network so I don’t have to port forward or rely on Cloudflare etc. I used to use Tailscale as the go between but switched to WG recently. Both work fine for streaming content whilst self-hosting all other services including my website.

My bad, GOG is absolutely the gold standard for DRM-free ownership. Personally, I buy on Steam for the convenience and the Proton support but I still collect every free titles on GOG

It’s why I treat everything cloud-based as a rental now. If I can’t install it locally and back up the data myself, I don’t really own it.

The home server is an old, low-powered mini PC running Debian. It acts as the bridge between the WireGuard tunnel and my local LAN.

I’ve just finished migrating one of my AdGuard Home instances onto it today. Its role is now twofold:

Routing: It has ip_forward enabled and a bit of NAT (iptables/nftables) so that traffic arriving from the VPN can actually “hop” onto the local network to reach my other VMs and containers.

DNS: It provides ad-blocking for the tunnel. VPN clients point to this node’s internal WireGuard IP for DNS queries.

Technically, it’s just another WireGuard peer, but with AllowedIPs configured to advertise my 192.168.x.x subnet back to the hub (VPS2). This is what allows  VPS1 and my mobile devices to resolve and reach home services without a single open port on my router.

You’re right, and for a lot of people, one VPS is the sensible choice. I actually addressed this in the post:

"VPS1 is my web-facing server. It handles the public side of things. VPS2 is the VPN hub. At first glance, that probably looks unnecessary. Strictly speaking, it is unnecessary. I could have crammed WireGuard onto VPS1 and called it done. But splitting the roles makes the whole thing cleaner.

One machine serves public traffic. The other handles VPN duties. That means fewer networking compromises, fewer chances of Docker or firewall rules becoming annoying, and a clearer separation between the public-facing stack and the private tunnel. It also means I can change one side without poking the other with a stick and hoping nothing catches fire."

It’s not that I didn’t like it, I just wanted to back to basics! A simple config file on each machine, job done

Exactly that, VPS2 handles the WireGuard port and has no domain pointing to it, so it’s basically hiding in plain sight. VPS1 holds the domain and handles the web traffic.

I keep SSH open on both, but locked down (key-based auth + restricted to my IPs).

Your idea of using the provider firewall (Ionos in my case) as a “mechanical” lock is a good one, block it at the edge and only open it when needed. I’ve thought about doing that, but I’m generally happy relying on a hardened SSH config and the provider’s KVM if everything goes sideways.

Thank you for the heads up, turns out it was the custom html code in the code blocks causing the issue. Fixed now.

No, apt isn’t just a rename. apt upgrade largely replaces apt-get upgrade, but it’s a bit more aggressive: it may install new packages if required as dependencies (it still won’t remove packages). If an upgrade needs to remove packages to resolve dependencies, use apt full-upgrade (same as apt-get dist-upgrade).

dist-upgrade and full-upgrade are essentially the same command but yeah, I won’t be using apt upgrade again in the future! Like I said in my post, the joys of being self taught is that you learn by my making mistakes and that’s part of the “fun” 🤣

Glad you found it useful. I’m the same, I can’t stand those long posts that make you read a life story before getting to the commands, even worse when a page is riddled by ads or behind a paywall!

I figured if I’d missed it, a few other people probably had too.

I’ve not come across this with my non Debian based systems. Only use Debian for servers because it’s so stable, Arch and Fedora everywhere else!

Why?

I self host so the data in the cloud is stored on my own equipment, yes it is still technically online but it saves a copy locally so you only need an active connection to sync new items.

I regularly use multiple devices and having that sync is vital. Even at work, I cannot install software but I can install browser extensions. This means I can use my instance for both personal and work. I have also set up most of my family with access, all for free!

Which phone and message app are you using? I also don’t see a way to view photos or files and which camera app?

Obviously GrapheneOS is the best way to go for privacy but if you do stick to OEM Android then make sure you’re using apps like the Fossify suite. I use their apps with all contacts and calendar synced via davx and self hosted on Nextcloud.

What about KeePass, where is that data backed up?

I recently wrote about why the year of Linux might actually be a trap. Most users want control handed to them even if it means giving up their privacy. If Linux goes mainstream, it could lose what makes it special.

https://the.unknown-universe.co.uk/privacy-security/year-of-linux-trap/