uses
Tools powering this site and the infrastructure behind it. Each entry includes a threat model justification.
1. Philosophy
- Own the hardware or you don't own the content.
- Zero tracking. No cookies. No analytics. No exceptions.
- Full rebuild from source on a fresh OS in under an hour.
- One tool per job. No dependencies that rot.
2. Software
| Technology | What I Use | Threat Model |
|---|---|---|
| Registrar | Cloudflare | WHOIS privacy, low cost, integrates cleanly if you use other Cloudflare products. |
| DNS | Cloudflare | Portable DNS, secure infrastructure, and acceptable privacy. |
| Security | Cloudflare + fail2ban | Automated auth-failure bans. Minimal Cloudflare functionality enabled. |
| Routing | UniFi | Local network segmentation. |
| Server | Self-hosted | Physical control. No hypervisor escape vector. No subpoena to a DC. |
| Operating System | Ubuntu + macOS | Ubuntu: telemetry off, LTS, stable. macOS: workstation only. |
| Web Server | Nginx + Tor | Static file serving. Tor layer for censored-network access. |
| SSL | Certbot | Free automated TLS. No commercial CA dependency. Ensures Cloudflare can't view unencrypted traffic. |
| Static Site Generator | Weblorg + build.py | Org-mode source compiles to plaintext HTML via native Lisp. |
| Terminal | iTerm2 | Functional. Inherited from macOS. |
| Shell | Zsh | Portable, POSIX-adjacent, available on every target OS. |
| Editor | Doom Emacs | Editor and markup are the same tool. No proprietary format. |
| Markup Language | org-mode | Plain text. Readable without any software. Version-control native. |
| Image Processing | WebP (CLI) | CLI-only. No GUI, no cloud, no account. |
| Browser(s) | Tor + LibreWolf | Tor for anonymity-critical use. LibreWolf for hardened daily use. |
| Version Control | Git (CLI) | Decentralized. The repo is the backup. |
| Git Host | SourceHut + GitHub | SourceHut is the primary and GitHub is the mirror. |
| CI/CD | build.py + builds.sr.ht | A Python script and SSH. builds.sr.ht for convenience but not required. |
| Email Host | Migadu | Straightforward usage-based provider from Switzerland. |
| Search Engine | SearXNG (self-hosted) | Queries route through my own instance. No third-party search profile. |
| Backups | N/A | Nothing to back up. No user data. Source mirrored via Git. |
| Monitoring | N/A | Monitoring creates logs. Logs are a liability. |
| Analytics | N/A | No interest in visitor data. Content finds its way via RSS. |
| Social Media | N/A | — |
| Newsletter | RSS Only | No subscriber list. No email vendor. No data relationship. |
3. Hardware
Custom rack-mounted server. Physical control, no hypervisor, no vendor lock-in. See: server build post.
| Component | Spec |
|---|---|
| Chassis | Rosewill RSV-R4100U 4U Rackmount |
| Motherboard | NZXT B550 |
| CPU | AMD Ryzen 7 5700G |
| RAM | 64GB DDR4 (2x32GB) |
| Boot Drive | 500GB WD M.2 NVMe SSD |
| Storage (HDD) | 6 x 8TB WD Red Plus |
| PSU | Corsair RM850 |
| Cooling | Noctua (1x120mm front, 2x80mm rear) |
Physical hardware under personal control eliminates the hypervisor escape vector and the cloud provider subpoena vector. Full recovery from a fresh OS install: under one hour.
Secondary: Raspberry Pi 4 for miscellaneous self-hosted services.