Just wanted to share my setup and see if anyone has suggestions or feedback. Also share yours.

Phone : GrapheneOS(pixel 7a)

  1. No google play service on my main profile. Rethink DNS (NextDNS DoH) blocks ads, trackers, and all Google & Facebook DNS (except WhatsApp).

  2. Some FOSS apps like Aurora Store & NewPipe need Google servers, so I have excluded them in rethink dns.

  3. Work Profile (with Island) with GrapheneOS’ sandboxed Play Services, but I use it maybe once or twice a month only for apps that absolutely need it. It stays turned off most of the time. If an app works on main profile without any issues, will use it. If not, will try to use it in firefox (as lack of play services doesn’t matter). If only app is available (and not web version) and it doesn’t work on main profile, will use it in work profile.

  4. Hardened Firefox fork(Ironfox) for private browsing. Main Firefox for a few services where I have to stay logged in and don’t have apps or want to use their apps.

  5. Network & Sensor Restrictions: If an app works offline, I block its internet access. Also, disabled sensors for apps that don’t need them.

  6. Mostly use foss apps from f-droid(droidify).

  7. Email: moved from gmail to protonmail

PC/laptop: Arch linux kde on pc and fedora kde on laptop.

  1. Not much to say. Most used apps are firefox and Zed. I allow data collection on kde as I want them to improve it.

Home Server: Raspberry Pi 4B

  1. SSH hardening: Non standard ssh port(yes, I opened the port externally because I depend on my home server and need to access it remotely). SSH keys or password+totp, Fail2Ban, ufw.
  2. Services running: Arr setup(jellyfin, prowlarr, radarr,sonarr, qbittorrent), pihole, Immich, Authelia(for now). All data sensitive services behind authelia with totp.
  3. Nginx Geo-blocking: Only allows access from my country IPs
  4. Weekly backups because data loss sucks.

Network & Router: OpenWRT (TP-Link)

  1. Not much to say: Running default firewall rules with network-wide ad/tracker blocking via pihole and some ports opened.
  • potemkinhr@lemmy.ml
    5·
    3 days ago

    Various stuff, some not best practice per se but here it is (more focused on digital sovereignity than anything else these days):

    • Degoogled my android phone to the greatest degree without breaking essential stuff. Noticed better battery life so a unintended win
    • moved off from Outlook to paid hosted email in my country. Cheap, reliable and have full control over it. Also in case of any issues way easier to get support
    • Cancelled M365 subscription as I don’t use office and was using it purely for cheap OneDrive backup for family
    • Moved all my files for me and my family off of OneDrive to my Synology NAS. Ended up using more of its functionality, happy with the purchase. Doing the occasional backup to the external drive just in case
    • Ditched proprietary authentication apps in favor of Keepassxc. TOTP codes on any synced device so if I lose my mobile phone I don’t get locked out of anything. Local only was mandatory
    • For work stuff I use ente auth, separating work and private MFA
    • Replaced windows on all my machines with linux. Its become more user friendly in recent years and does not get in my way.
    • Replaced all US service providers with EU ones where possible, if any service gets cut off for EU I won’t lose access to anything important, never know with Trump these days…