My Blog, built with Norgolith
blog.ladas552.me
@document.meta
title: My "Secure" Setup
description: Horrible practices or Guide to exploiting my OS if you ever want to
authors: [
 ladas552
]
categories: [
 Linux
]
created: 2025-11-10
layout: post
version: 1.1.1
@end

* My Secure Setup, or How to Give a CS Prof a Heart Attack
** Gobble Gobble
 ___
 Writing guide posts and hardware reviews takes a ton of mental energy and time, so I am writing this lighthearted post while I am in the mood.

 Below I'll list my horrible security-through-obscurity practices, the ones that give people chills whenever I mention them. If you want, you can hack me or something with this knowledge, *idc*.

** My declarative systems
 ___
*** Config
 ___
 It runs NixOS, so my only attack surface is nixpkgs and whatever modules I import into the {https://github.com/Ladas552/Flake-Ocean}[NixOS config].

 Pretty cool, if you don't consider that my secrets are out in public. Well, not *100%* open, they are encrypted, but it's just a matter of time until some quantum computer gets the passwords to my self-hosted accounts.

 Most of my services run through a VPN, but the URLs the services run on are public. So theoretically, if you get access to my VPN (the auth key for it is also in the config), you can just steal all my cat pictures!

 But that doesn't sound too bad tbh, considering the tailnet has an option to accept connections manually, even if an auth key is present.

 *But the further we go, the worse it gets.*
*** ZFS
 ___
 ZFS is a robust file system that I use via NixOS options with minimal maintenance. With it I can be assured I'll never lose data unless my SSD literally gets snapped in half.

 It also supports native filesystem *encryption* with either a passphrase or a key file, which I don't use because I find it inconvenient and not really beneficial in my case.

 Hear me out, I live in a fucking steppe. So far, I have only encountered 4 Linux users from my country, or like 7 people who can somewhat operate a Linux system. If you find a person who can snatch my drive from a laptop, connect it to their PC, realize that it's a ZFS file system and that they need a special kernel module that isn't in the default kernel to read from my drive, and then fucking go out of their way to compile a custom Linux kernel with the ZFS module just to read my university essays or some crap, I will get them a medal and the CVV for my debit card right away. They deserve it for the effort.

 And in my opinion, every kind of encryption would fail the wrench test:
 +html.alt Actual actual reality: nobody cares about his secrets. (Also, I would be hard-pressed to find that wrench for $5.)
 +html.class center
 .image https://imgs.xkcd.com/comics/security.png

 But you get my point. Yes, encryption would make my life *more secure*, but in my circumstances, ZFS encryption would just make me enter an additional password every boot, so that'd be annoying. Not like I enter my password on boot anyway...
*** Lockscreen
 ___
 I use *autologin on my laptop*. Yes, the same laptop I take to uni. The same one that contains all my SSH keys, my KeePass database, all my social media logged in, and so on. It boots straight through greetd into a niri session, *no password* required, full access, etc. etc.
 @code md
 > Why?
 > I'm just lazy yk
 > No, like, why are you admitting to doing crimes against humanity?
 @end

 One of the more controversial decisions I make every passing day of my life. Yes, any person who presses the power button can use my accounts, play games, and even `rm -rf ~/*` if they want to.

 But the difference between me and any other person in my country is that I know how to use keybinds, and only I know them. Yes, you, probably a Linux junkie, know all the common keybinds for opening a terminal; in my case it's `Super+T`. But remember, there are no (host & single) Linux junkies in my area.

 So they end up with just a wallpaper and a mouse cursor. No, I don't have a bar or any autostarted frontend apps. It just looks like this when I boot up:

 +html.alt my desktop, which is just a wallpaper without any bars or windows. It's an artwork of a big cloud over a green field with some sunflowers
 +html.class center
 .image ../../assets/desktop/screenshot.avif

 {https://wallhaven.cc/w/rr2yow}[Here's a link to the wallpaper]
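 For contrast, here is what the autologin described above looks like in greetd's NixOS module, next to the version that actually asks for a password before niri starts. This is an added example, not the author's Flake-Ocean config; it assumes the user name from the post, that niri ships a `niri-session` launcher, and uses tuigreet as the greeter.

```nix
# Added example, not from the author's config. It assumes the user "ladas552"
# from the post and that niri provides a `niri-session` launcher on PATH.
{ pkgs, ... }:
let
  greeter = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --remember --cmd niri-session";

  # The setup from the post: greetd's initial_session runs once at boot as the
  # named user without authenticating, so a power-button press yields a full
  # desktop with every SSH key and the KeePass database already unlocked.
  autologin = {
    initial_session = { command = "niri-session"; user = "ladas552"; };
    default_session = { command = greeter; user = "greeter"; };
  };

  # Same compositor, but no initial_session: greetd always starts the greeter,
  # which authenticates the user through PAM before niri is launched.
  askForPassword = {
    default_session = { command = greeter; user = "greeter"; };
  };
in
{
  services.greetd = {
    enable = true;
    settings = askForPassword; # swap in `autologin` to reproduce the post's setup
  };
}
```

 The only difference between the two attribute sets is the presence of `initial_session`; the greeter command and the session command are identical.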
*** SSH keys
 ___
 But those are all in-person problems; if I don't have anyone near me, then I am safe, right? Well, let me tell you how I use SSH keys for remote connections and committing to git.

 I only have 1 private SSH key, yet I own like 5 machines I can commit from. How is that? Because *idk* how SSH keys work, or *gpg* for that matter. Even my sops secrets are just decrypted with the same private key. So basically, if you get your hands on it, my whole digital life is over.

 So don't do that, pretty please *:D*
** Android and cloud
 ___
 Now to the worst part of all: systems outside the totalitarian control of my iron fist. My phone and some cloud solutions I use. This is where the real horror begins!

 Just to clarify, I am not that upset about the privacy side of things; if I were, you wouldn't be reading all this. But I gotta acknowledge, from a security standpoint, that you can't trust software; it inherently can't be trusted. Yes, you can make it more secure, but it will always have flaws anyway if it's something outside of your direct control.

 Anyways, let's continue with our *Circus of Horrors*.
*** I don't trust google
 ___
 As I said before, I have my SSH key all over the place, and I also have a KeePass database as my password manager. So I sync them with my phone, and they are stored directly on my Android too.

 It's Android 13, a Chinese phone with Google tools as system apps, you know how it goes. So all my resources could be compromised just by Google leaking the Google Drive they back up my files to, or by someone holding my phone hostage through remote access.

 Not to mention my tailnet account is also tied to Google and my phone, so all my self-hosted services are already compromised that way.
*** I don't trust telegram
 ___
 I also have my keys and some government documents on Telegram. Yes, the "e2e" chat platform full of scammers and such, where you need a government-registered phone number to get an account.

 Yes, the same platform that leaks data, sells owned accounts, and so on. Why? It's convenient. I can just send a file to myself and forget about it; it will be there as long as they don't start deleting my older messages. Not to mention it's easily shareable with other people.
** What a Shitfest
 ___
 I know, right? Crazy to think about. And to think that most people are doing a lot worse lol. Using outdated proprietary software. No password managers, no 2FA. *Nightmare!*

 Well, for you, a cybersecurity-savvy person, yes, absolutely. For me, I just don't care that much, and most people care even less. It's bad. Hopefully more people will understand that security matters, and some day I will get there too. But for now I can only say:
 > I have sinned in the past, and I will sin again. Don't repeat after me. Or we will end up in the same kettle.