Getting Started with Matrix on Cloudron

Matrix is an open-source protocol for decentralized chat. Because it is only a protocol, it needs a server (we will use Synapse) and a client (we will use Element) to work the way you expect a chat program like Slack to work.

Matrix is designed with decentralization in mind, meaning it is designed to function as a network of servers, of which your installation is just one node. This is great for a lot of purposes but can be confusing for people who are less tech-savvy, and it’s not designed with the same ideas in mind as corporate-focused Slack replacements like Rocket Chat and Mattermost. Matrix is an excellent option for activists and non-profit organizations that want a secure, collaborative, easy-to-use alternative to Slack.

This guide will explain everything you need to know to get Matrix installed and configured with Cloudron. It’s going to heavily mirror the official Cloudron documentation, so if something seems wrong or out of date please compare with their docs or head to the Cloudron forums. To get started, install Matrix Synapse from the Cloudron app store. I strongly recommend using matrix.yourdomain.com as the location. This isn’t required but it makes later steps easier and many guides online (including this one) will assume this.

Before installing, a quick detour into why this choice matters and a little more detail on how Matrix works.

Meeting Morpheus (What is Matrix?)

As mentioned earlier, Matrix is a protocol. A protocol is not a computer program; it’s like a written specification that tells computers how to talk to each other. To turn a protocol into something we can use to chat with, we need a server and a client.

The server is the main component you will install with this guide; it is what Matrix clients (for example, the Element Android app) talk to. There are multiple servers and clients that implement the Matrix protocol. We’re going to install Synapse, the most popular server implementation. (Matrix calls the server a homeserver, and we will use that word going forward to refer to what we install.)

A server/client model may sound familiar – nearly all apps use this model to communicate. But Matrix adds an additional feature uncommon for chat apps like Slack or Hangouts – servers can also talk to other servers (imagine email, but better). This means you can message someone on a totally different homeserver than you seamlessly as long as your servers are connected (in Matrix terms – federated).

Let’s look at a quick example with two DSA chapters, Springfield and Riverdale. Each chapter has its own Synapse installation, and each member can only talk with other members of their own chapter. One day, they decide to federate their servers, which allows members of both chapters to join a Room and chat with each other. Rooms (called Channels or Groups by some other chat apps) let members from both chapters chat without either chapter giving up control of, or access to, the other’s server. Users on the Springfield server can chat with Riverdale users only in shared Rooms, and the admins of each server can only see the messages the other server’s users send in those shared Rooms.

Your name in Matrix reflects this federated nature: your user ID includes your homeserver. For example, if mine is @joe:socialism.tools and I chat with @joe:neoliberalism.fail in a shared room, we can still tell each other apart.

Let’s compare this with Slack. Slack does offer a limited form of federation (shared channels between workspaces), but only on paid plans. What activist orgs usually do instead is spin up a new Slack workspace and invite members from any related Slacks to make a new account and join. This is cumbersome and obscures where members came from (Rooms for introductions are used to help people identify each other, but again, this is cumbersome). The process has to be repeated for each new working group, action, etc. that needs to be spun up. As some of you may know, that’s a lot of Slack workspaces! Matrix makes it easier to collaborate securely across many different organizations and Matrix servers.

Enter the Matrix (Installation)

Ensure you’ve installed Synapse from the Cloudron app store at matrix.yourdomain.com. You now have a homeserver! But we need to perform a few additional steps to make it available for federation. We’ll set up the well-known URI first. This is a small file at a standard URL on your main domain (https://example.com/.well-known/matrix/server) that tells other homeservers where yours actually runs, so that your user IDs can be @name:example.com even though the server lives at matrix.example.com. Click the gear (config) icon that appears when you hover over the Matrix app in Cloudron, then Console, then Terminal. Copy the following two lines of script into Notepad or another app where you can edit them.

mkdir -p /home/yellowtent/boxdata/well-known/example.com/matrix
echo '{ "m.server": "matrix-homeserver.example.com:443" }' > /home/yellowtent/boxdata/well-known/example.com/matrix/server

Replace example.com with your regular domain name, for example springfield-dsa.org, and put your Matrix server location (matrix.springfield-dsa.org) in the matrix-homeserver.example.com section. Then copy both lines, paste them into the web terminal and press enter. Keep the Terminal tab open and go back to your Cloudron tab. Click the Location menu item and click Save without changing anything else; this re-save is what gets the new file served. Wait until it’s done processing, then go back to your Terminal tab and wait a few moments.

Type curl followed by your well-known URL (https://springfield-dsa.org/.well-known/matrix/server in the example) and press enter. The response should be exactly the one-line JSON document you wrote. Here’s what happens when I print mine (I pressed enter after the word “server” and the line with curly braces was returned)

You should get something very similar to the above. If not, check the Cloudron docs to see if you missed a step. You should also type your domain name (without matrix.) into the Federation Tester to confirm everything is working as expected; it checks the well-known record, DNS, and the TLS certificate that matrix.yourdomain.com presents, and other homeservers will refuse to federate with you if that certificate is invalid. There’s just one step left: make yourself an admin!
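The well-known step above as one script with checks, added here as an example; it is not from the page or from Cloudron’s docs, and the function names are mine. It assumes Cloudron’s well-known root (/home/yellowtent/boxdata/well-known), where ROOT/<domain>/matrix/server is served as https://<domain>/.well-known/matrix/server, and it validates the host and port before writing, then re-reads the file so a typo is caught now rather than by the federation tester.

```shell
#!/bin/sh
# Added example: the well-known delegation step as a script with checks.
# Not from the page or from Cloudron; function names are mine. Assumes
# Cloudron's well-known root, where ROOT/<domain>/matrix/server is served
# as https://<domain>/.well-known/matrix/server
set -eu

WELL_KNOWN_ROOT=${WELL_KNOWN_ROOT:-/home/yellowtent/boxdata/well-known}

# valid_host NAME: accept only a plain DNS name (letters, digits, hyphens, dots).
valid_host() {
    printf '%s' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# well_known_json DELEGATED_HOST [PORT]: print the m.server document.
# The port is written explicitly (443 here) so other homeservers do not
# fall back to the default federation port 8448.
well_known_json() {
    host=$1
    port=${2:-443}
    valid_host "$host" || { echo "bad delegated host: $host" >&2; return 1; }
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
    printf '{ "m.server": "%s:%s" }\n' "$host" "$port"
}

# write_well_known ROOT ORG_DOMAIN DELEGATED_HOST [PORT]: create the file,
# then re-read it so a typo is caught now rather than by the federation tester.
write_well_known() {
    root=$1
    domain=$2
    host=$3
    port=${4:-443}
    valid_host "$domain" || { echo "bad domain: $domain" >&2; return 1; }
    dir="$root/$domain/matrix"
    mkdir -p "$dir"
    well_known_json "$host" "$port" > "$dir/server"
    grep -q "\"m.server\": \"$host:$port\"" "$dir/server"
}

# check_delegation FILE EXPECTED_HOST: succeed only if FILE delegates to
# EXPECTED_HOST (with or without a port). Run it on the file, or on what
# curl returns, to confirm nothing stale is telling the world where your
# homeserver lives.
check_delegation() {
    file=$1
    expected=$2
    server=$(sed -n 's/.*"m.server"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$file")
    [ -n "$server" ] || { echo "no m.server key in $file" >&2; return 1; }
    case $server in
        "$expected"|"$expected":*) return 0 ;;
        *) echo "delegates to $server, expected $expected" >&2; return 1 ;;
    esac
}

# Usage in the Synapse app's web terminal on Cloudron (domains are examples):
#   write_well_known "$WELL_KNOWN_ROOT" springfield-dsa.org matrix.springfield-dsa.org
#   check_delegation "$WELL_KNOWN_ROOT/springfield-dsa.org/matrix/server" matrix.springfield-dsa.org
```

After writing the file, the re-save of the app’s Location in Cloudron is still needed as described above; the script only produces the file and checks its contents.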

Again, copy the following line and edit @user:example.com to match your information. Your Matrix user ID is @<Cloudron username>:<domain>, where the domain part is the one your homeserver uses in user IDs (in this page’s examples that is the main domain, as in @joe:socialism.tools, not matrix.socialism.tools); if unsure, log into Element first and read your full ID from its settings. If you don’t know your Cloudron username, go back to the Cloudron dashboard and look in the top right corner. Run the line in the same Terminal tab:

PGPASSWORD=${CLOUDRON_POSTGRESQL_PASSWORD} psql -h ${CLOUDRON_POSTGRESQL_HOST} -p ${CLOUDRON_POSTGRESQL_PORT} -U ${CLOUDRON_POSTGRESQL_USERNAME} -d ${CLOUDRON_POSTGRESQL_DATABASE} -c "UPDATE users SET admin=1 WHERE name='@user:example.com'"

psql should answer with:

UPDATE 1

If it answers UPDATE 0, no row matched and nothing changed: most likely the user ID (including the domain part) is wrong, or that user has never logged into Synapse yet. Note that the admin flag unlocks Synapse’s admin API for that account, so protect it with a strong, unique password.

Congratulations, Neo – you are now fully plugged into the Matrix! You can now connect with a Matrix client – Element, for example. Test that you can connect, and then come back for some additional configuration features you can use.

Change your Matrix (Configuration)

Matrix has a ton of configuration options and plugins, but we’ll go over just a few important tweaks here you may need. First, if a user types your Matrix URL into their browser, they get the default Matrix page:

Boring! Let’s add some pop. I copied the file that’s there (you can open it via the Terminal and select all > copy) and then added my own little touches:

While you’ll need to know HTML to create a fancy landing page, you can work with the building blocks that are there to add links (for example to element.yourdomain.com, so people can open the web client).

The other file you can edit to make Synapse fit your needs is the config file at /app/data/configs/homeserver.yaml. With the Terminal open, type nano followed by that path to edit it. The file describes most settings in comments next to them. A pound/hash/octothorpe (#) at the start of a line means the line is commented out and will be ignored by Synapse.

For example, if you run on a very resource-constrained server, you may want to enable the limit_remote_rooms setting, which blocks users from joining very large remote rooms (joining one pulls that room’s entire state onto your server). Be careful when editing the config file: it is YAML, so the indentation matters, and saving a file that is not formatted correctly will stop Synapse from starting. You will also need to restart the Synapse app from Cloudron after any settings change, and check the app’s logs if it does not come back up.
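An added example, not text from the page or from the Cloudron package, of what that setting looks like in homeserver.yaml, with the default (off) next to the restricted form. The option names are Synapse’s own; the error message is a placeholder you can change.

```yaml
# homeserver.yaml excerpt (on Cloudron: /app/data/configs/homeserver.yaml)

# Default: the block is absent or disabled, so users can join any remote room,
# however large, and your server has to store all of its state.
#limit_remote_rooms:
#  enabled: false

# Restricted: refuse joins to remote rooms whose "complexity" (Synapse's
# estimate of how much state it would have to hold) exceeds the threshold.
# Indentation is two spaces; a tab or a missing space breaks the file.
limit_remote_rooms:
  enabled: true
  complexity: 1.0
  complexity_error: "This room is too large for this homeserver. Ask an admin if you need it."
  admins_can_join: false
```

After saving, restart the Synapse app in Cloudron and watch its logs: a YAML mistake shows up there as a config parse error before Synapse listens for connections.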

Taking control of your chapter’s digital tools: Part 2 – A closer look at email, calendar, contacts, files

If you followed Part 1, you have a Cloudron server set up with all the new tools you’ll use to work with your team. But how can you make these tools work more effectively for your organization, and be easier for people to use? This guide goes a little more in-depth on what you can do with Cloudron, focusing on features you are likely to need that haven’t been covered yet and on quick ways to make your server easier to use.

Email

Autodiscovery

If you set up an email client (like Apple Mail or Thunderbird) already, you may have found out that there are a lot of settings to configure! Most mail clients can fetch a small XML file from your domain that tells them which server names, ports, and encryption settings to use (Thunderbird and K-9 Mail use Mozilla’s autoconfig format, config-v1.1.xml; Outlook uses its own, incompatible autodiscover format). Cloudron has instructions for creating this file but doesn’t serve it automatically. I recommend editing the XML file on your computer. I use Notepad++ on Windows to edit plain text files like this, and it will highlight syntax for you (after saving the file as XML; you need to change that from TXT using the dropdown when saving).

As an example, here’s my configuration file:

If you need some help, check out the Mozilla documentation on the autoconfig file.

If you’re comfortable SSHing into your server to create the file as the documentation describes, do that. If you don’t know what that means or are lazy (like me), go to your Cloudron App Store and install Surfer. Enter the subdomain the Cloudron docs specify (I used autodiscover; for example, mine is autodiscover.socialism.tools). Note that Thunderbird-style autoconfig clients look for the file at autoconfig.<yourdomain>/mail/config-v1.1.xml, so a different subdomain will not be found by clients that rely on that lookup. Log in (you will need to click Surfer and add /_admin at the end of the URL to access the admin panel) with your Cloudron credentials. Then create a folder called mail:

Open it and upload your file, making sure it’s named config-v1.1.xml.

Now it’s much easier for you and your users to set up their email accounts: they just need their email address and their Cloudron password to log in.

Note: For whatever reason, the curl test command listed in the Cloudron documentation failed for me, but the autodiscover still worked in Windows Mail and K-9 Mail. Additionally, autodiscover will not work with some other email clients, like Microsoft Outlook.

It’s still recommended that you have the manual connection details (server names, ports, and encryption type) available somewhere for users who need them. You can host them on your WordPress blog as a Page, or start a new Surfer app called “files” or something similar and use the HTML template from Part 1’s Matrix instructions to display a web page with the information.

Mailbox Management

When on your Cloudron management page, click your username in the top right and select Email to view your email settings. For each domain on your Cloudron server, you can select the paper plane icon to send a test message to your Cloudron email, or the pencil icon to make changes. Click the pencil icon on your main domain.

If it’s not turned on already, ensure Incoming Email is on. Cloudron should do all the configuration changes for you, but if not, review the docs or ask for help.

You already know how to get your email, but there’s more you can do with Cloudron’s mail, like sharing inboxes or creating distribution lists.

Shared Inboxes

Important: If you installed Cloudron before version 6 (Around Dec. 2020 or earlier) you will need to perform a manual step to enable mailbox sharing.

Shared Inboxes allow a single mailbox to be shared with multiple people. Only some applications support this feature; SOGo and Roundcube both do. In Roundcube, sharing is configured on a per-folder basis: find your folder in Settings > Folders to configure sharing. I recommend sharing folders only with individuals and giving them the fewest possible permissions they need to work effectively for your organization.

Filters

You can also configure filters (known in Outlook as Rules) for your email. Filters are stored on the mail server (as Sieve scripts) rather than in the client, so a filter created in Roundcube still applies for users who read their mail in SOGo or a desktop client. To create a filter in Roundcube, go to Settings > Filters. Filters are helpful for routing large amounts of mail to the right people when combined with shared folders.

Canned Responses

Roundcube also offers canned responses, which make replying to many emails with the same response easier. You can find them under Settings > Responses.

There’s even more features available in Roundcube, we’ll move on for now.

Calendar

There are two apps that can be your calendar server in Cloudron: Radicale and Nextcloud. I recommend Nextcloud as it’s easier, and you can also add an appointment scheduling feature.

To get started with calendaring in Nextcloud, make sure the Calendar app is active: if you don’t see it in the app bar in Nextcloud, click your profile menu (top-right of the page), click Apps, then find and install/enable Nextcloud Calendar.

a screenshot of the Nextcloud calendar app

Nextcloud Calendar makes it easy to collaborate on calendaring with other Nextcloud users, but it becomes much more difficult when trying to collaborate with Google’s, Microsoft’s, or Apple’s calendaring systems. Sending out invitations works just fine, however. This is what invitees will see:

screenshot of a Nextcloud calendar invite

Nextcloud Calendar works on mobile, too. You can use the Nextcloud app (Android) (iOS), but you don’t have to. You can also sync your calendar to the built-in Calendar app on iOS over CalDAV (and your contacts over CardDAV). Doing this on Android unfortunately requires a third-party CalDAV sync app.

Contacts

As with Calendar, the Contacts Nextcloud app should have everything you need. If you use Google Contacts, you can click export on contacts.google.com to get a file you can then upload into Nextcloud to move all your contacts.

Files

I’m going to cover just file management here, not editors like Word or Google Docs, because they need their own section. That said, Nextcloud’s support for file syncing is surprisingly great. It has everything you expect to find, with the exception of so-called “selective sync” or “on-demand” syncing, where files are only downloaded when you try to open them. It was announced in 2019 but appears not to have been integrated into the stable desktop client on Windows yet as of April 2021. Development appears to have been delayed at some point and then restarted in mid-2020.

You can also use end-to-end encryption to protect files or folders so that even your server administrator cannot read them. This is a little more involved to use, and if the encryption key (the mnemonic Nextcloud shows when you enable it) is lost, those files cannot be recovered by anyone, so keep it somewhere safe. There’s a start guide here.

Checking in

At this point in the guide, we’ve built on the server and communication structure from Part 1 by making email easier, setting up calendaring, and learning how to use Nextcloud as a file and contacts server. There are two major things that we have yet to cover in detail that orgs need: a way to create and edit documents, spreadsheets, and presentations; and a website. In (the soon-to-come) Part 3, I’ll consolidate the WordPress guidance here into a walkthrough to take you from WordPress newbie to expert, and Part 4 will finally approach the hardest question of all: how can we replace Google Docs or Office?

The top 3 digital security tips for activists

Keeping your online accounts safe is critical, especially if you are an activist. There are countless organizations that will try to access your accounts for profit, or for material to smear you or your organization with. This page is not a comprehensive guide on how to stay safe online, but it is designed to make you much safer than you were before in a very small amount of time.

1. Enable Two-Factor Authentication

What is two-factor authentication?

Two-factor authentication (2FA) means using a second factor when logging into an account; you’re probably using a password as your first factor for most of your accounts. If you’ve ever entered your username and password into a site and then got a text message with a code, that’s two-factor authentication. Two-factor authentication protects you from attacks where hackers already have your password (we all reuse passwords, and passwords leak).

There are three main methods used as “second factors”. The first is text message codes; these are the most common but also the weakest, because someone who takes over your phone number (a SIM swap) receives your codes. The second is to use an app to generate codes. This is more secure than text codes, and works when you’re offline. I strongly recommend Authy, which is free and can back up your codes.

The most secure method of two-factor authentication is to use a security key. A security key protects you against nearly all attacks, including phishing, and is strongly recommended, but it costs money. If you are interested in purchasing a security key, click here for a short quiz that will help you select the best option for you.

Where should I enable 2FA first?

While you should set 2FA up on all accounts you have, these accounts are critical to your security and you should enable 2FA immediately if you don’t have it on already:

  • Email or file storage services – Gmail, Google Drive, Outlook, Microsoft OneDrive
  • Chat or social media services – Facebook, Twitter, Instagram, Slack, Discord, Messenger, WeChat, dating/hookup apps, etc
  • Banking or financial services – your bank, Venmo, Cashapp, credit card apps, etc

Where can I get more help?

For most sites, you should go to your account settings and then “security” or “login” to view their 2FA options. For detailed instructions, search your provider’s name on twofactorauth.org.

If you want to read more about 2FA or need help, check out the resources from ragtag.org.


2. Keep your devices safe

It’s critical to keep your physical devices – your phone, your laptop – safe. These tips will help you ensure that even if they fall into the wrong hands, your data is safe.

2.1 Set a screen unlock method, preferably a code

Do not leave your phone unlocked. If your device has no lock, it is absolutely critical that you add one: face recognition, a fingerprint, a pattern, or a PIN code. A PIN or password is preferred: courts in the US have often treated a memorized passcode as protected testimony while allowing compelled face or fingerprint unlocks, though rulings vary. Both major phone platforms also let you temporarily disable biometric unlock if you expect your device to be taken (on iOS, hold the side button and a volume button until the power-off slider appears; on Android 9 and later, the Lockdown option in the power menu, which may need to be enabled in lock screen settings). Don’t forget to lock your laptops, desktops, gaming consoles (if available), smart devices, and other things as well.

2.2 Keep your devices up to date

Ensure all of your devices are up-to-date. Keep auto-update on for your devices and apps. Yes, it’s annoying, but it’s important.

2.3 Ensure encryption is enabled

Encryption refers to storing data on your device in a way that can’t be read without a special key. With encryption, someone can steal your laptop, take out the hard drive, plug it in, and not be able to see a thing. Without encryption, they could see all your files.

Luckily, all Mac computers and iPhones sold in the last few years have encryption enabled by default (when a passcode is used). Nearly all newer Android phones also have encryption enabled (again, when a passcode is used). Windows devices are very hit or miss, so here are instructions for Windows users on how to encrypt their device.

3. Learn to spot bad actors


This tip isn’t a tech tool – it’s a quiz. An extremely common way to break into accounts is via phishing – the practice of a malicious actor tricking a user into giving them login credentials. Phishing is extremely common and one of the biggest cybersecurity threats due to how simple of an attack it is to execute and how little technical knowledge it requires from the attacker.

For example, John Podesta clicked a fake Gmail link in 2016 and typed his Google credentials into a hacker’s web page, giving them full access to his account. A security key would have stopped this, but other 2FA methods would not: a security key’s response is bound to the real site’s domain, so a look-alike phishing page cannot use it, whereas a code from a text message or app can simply be typed into the fake page and relayed.

To learn how to protect yourself from phishing, start with the first link below, which covers the most common phishing scams. If you have time, take the other quizzes as well to get a thorough test of your phish-spotting skills.

  • https://phishingquiz.withgoogle.com/
  • https://www.phishingbox.com/phishing-test
  • https://helpdesk.ragtag.org/hc/en-us/articles/360016148492-How-to-Spot-a-Phishing-Email

In short, look for the following red flags:

  • Check the domain name your browser highlights in the address bar, and read it from the right: the name just before the ending plus the ending itself (paypal.com) is what matters, not familiar words that appear earlier in the address. paypal.paypalpayments.com is fake, payments.paypal.com is not.
  • Email buttons and links can say they’re going to one URL while actually going to another. Long-press or hover over the link in your email to see the real URL before you tap it.
  • Make sure emails are coming from the sender’s proper domain and not a look-alike. If you don’t fully trust an email, don’t click anything in it; go to the site directly by typing its address.
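The first red flag above as a small check you can run on a suspicious link, added here as an example; it is not from the page, and the function names are mine. It reduces a URL to its registered domain the way the bullet describes, and it also strips the user@ trick (https://paypal.com@evil.example/) that phishers use to put a trusted name at the front of the address. The two-label rule is a simplification: it does not know multi-part suffixes like co.uk, for which the public suffix list is needed.

```shell
#!/bin/sh
# Added example (not from the original page): pull the hostname out of a link
# and reduce it to the part an attacker cannot fake, the registered domain.
set -u

# url_host URL: print the hostname of an http(s) URL, lowercased, with the
# scheme, any user@ prefix, the port, and the path/query/fragment removed.
url_host() {
    printf '%s\n' "$1" \
        | sed -E 's|^[A-Za-z][A-Za-z0-9+.-]*://||; s|^[^/@]*@||; s|[/?#].*$||; s|:[0-9]+$||' \
        | tr 'A-Z' 'a-z'
}

# registrable_domain HOST: the last two labels (paypal.com). This ignores the
# public suffix list, so names under co.uk, com.au, etc. need the real list.
registrable_domain() {
    printf '%s\n' "$1" | awk -F. 'NF >= 2 { print $(NF-1) "." $NF; next } { print }'
}

# same_site URL EXPECTED_DOMAIN: succeed only if the link really belongs to
# EXPECTED_DOMAIN, whatever the subdomains or user@ prefix in front of it say.
same_site() {
    host=$(url_host "$1")
    [ "$(registrable_domain "$host")" = "$2" ]
}

# Usage:
#   same_site 'https://payments.paypal.com/login' paypal.com          # succeeds
#   same_site 'https://paypal.paypalpayments.com/login' paypal.com    # fails
#   same_site 'https://paypal.com@paypal.paypalpayments.com/' paypal.com  # fails
```

The third usage line is the case the browser address bar also protects against: everything before the @ is ignored when connecting, so the real host is paypal.paypalpayments.com.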

But phishing isn’t always required to harm an organization. Project Veritas, a right-wing disinformation outfit, regularly uses hidden microphones and cameras, outright bribery, paid plants, and more to attack progressive or leftist institutions.

When communicating in public, or even privately over any electronic medium, be aware of what you’re saying and how what you say could be taken out of context. Be wary of media invites from unknown sources, or suspicious invites from known sources. It also wouldn’t hurt to read up more on their past attacks.

FAQ

Why does this exist? Aren’t there a lot of other security guides?

Most other security guides tend to be one of three things:

1) Written by a company with a vested interest in selling something, or in generating fear to create demand for it

2) Written by tech folks but too long or too complex to read and complete quickly

3) Written for a non-activist audience, and so missing things that matter to activists but may be less important for others

My hope for this guide is that it is fast, easy to read, and full of just enough relevant information for activists to get them the most protection with the least investment of time.

What about antivirus?

You do not need to pay for antivirus. If you are on Windows, uninstall any third-party antivirus you have and make sure Windows Defender is on. On Android, do not sideload APKs; only install apps from the Google Play Store. On Mac, get your apps from the Mac App Store. In short: do not run or install software from sources you do not trust, and you’ll be OK. Third-party antivirus programs can create more problems than they solve. The best antivirus is knowledge, vigilance, and your other security measures like 2FA.

What about password managers?

Password managers are fantastic, I use one and love it, and strongly recommend them. But they require a non-trivial time commitment to set up, and can be too complex or overwhelming for some users. My hope is that 2FA will help protect against reused password attacks.

What about VPNs?

VPNs can be useful in very specific circumstances, such as when you’re traveling and forced to use open wifi networks, but generally aren’t worth the pain for day to day use. If you fall under that use case, or are very concerned about protecting your privacy from your ISP, try Mullvad.


Taking control of your chapter’s digital tools: Part 1 – Setup

Who this page is for

Are you a new DSA chapter? Are you an existing chapter using mostly Slack and Google Docs? Do you want to take control of your chapter’s data, preserve your privacy, and perhaps get new functionality you didn’t have before?

After much research, I believe I’ve found the easiest, cheapest, and most secure Google alternative. While you may not be able to move off Docs entirely, I can give you a good start.

Your chapter can make the switch from closed-source programs that harvest your data and restrict features for non-paying users to useful, free, open-source software – with minimal effort and cost. As a fun bonus, you’ll also be avoiding some of the country’s worst tech offenders and abusers of power. But you may be asking – why bother doing all this in the first place?

Why use open-source software?

I understand that closed-source tools like Slack, Google Docs, and more just work for many people. People use these tools already at their jobs, at school, and even at home. Many people have a busy schedule as-is, and so we’re grateful they choose to spend their precious free time building socialism. Why would we make them learn something new or download a new app? Why risk de-incentivising people from contributing?

If you imagine a utopian socialist future, does it include Google, Microsoft, Facebook, and Amazon acting as middlemen to everything you do online? Probably not. I’ve spent a lot of time trying to make the process of using free software as easy as possible for everyone involved – from the admins, to leadership, to your users.

This guide will walk you through each and every step, from starting with nothing but a credit card to finishing with your own website, blog, chat program, file storage solution, and an email/calendar/contacts server – a total package that has a non-Google alternative for nearly all of their services. Best of all, you can likely complete setup of all of these services in a few hours.

What it means to really own your tech stack

Before going through this process, remember that your entire chapter will be making this change with you. Before starting, ensure your chapter’s leadership is on board with using any software you plan to deploy, and have a plan to pay for expenses (~$50/month). Even if leadership and many of your members are on board, you should still communicate early and often with all the comrades in your chapter to ensure they are heard and their concerns are taken into consideration as this transition is made.

Remember: be democratic. Over-communication is less likely than under-communication, so communicate early, often, and in plain language.

Also, keep in mind that anything you do will need to be passed on to someone else at some point in the future. I strongly recommend taking copious notes as you transition and storing these notes for any other admins who have access to the software in the future. You cannot predict when you will lose access to the admin dashboard, so always have a safe plan for how someone else can take control of your chapter’s digital presence without you being there. We’ll cover this more later, but keep it in mind. Now let’s cover exactly what you’ll need to get started!

What you need, and how much it costs

You need three main things:

  1. A domain name is the name of your chapter or something catchy like socialism.tools. This is that thing you type into the address bar in your browser.
  2. A Virtual Private Server, or VPS, is a computer that lives in the cloud. It’s called a Virtual private server because it’s not really a black box sitting somewhere – it’s a part of a very powerful server, running many people’s virtual servers at the same time but separated from each other (private).
    • If you are extremely cost-constrained you can use a computer you already own – but be aware this is more difficult to set up, more risky, and less performant.
  3. A piece of software called Cloudron. It will run on your VPS. Cloudron mainly acts as an application controller. Cloudron can install apps for you with one click, set them up for you, and keep them updated. Cloudron also keeps itself updated, and provides user management and email services to all your apps. That’s very useful! Installing, configuring, and updating apps can be confusing or time-consuming, and Cloudron does it for you for a price that is far, far lower than other (business-focused) options. Cloudron is run by a small company in Germany.

There is no way around the fact that this solution – as with any open-source solution – is going to cost money. Big Tech companies can subsidize free usage of things like Google Docs, OneDrive, Zoom, or Slack by charging their business customers a lot of money. But despite the cost of running free software, I think this is worth it to take control of your chapter – why become socialist if you don’t want to take big bets, eh? 😉

The cost breakdown will look something like this:

This adds up to $440 per year (less than $10 a week), or more if you pay for Cloudron monthly. This is the cheapest possible configuration I could find that could reasonably support a chapter.

If your chapter has a very tech-savvy Linux expert on hand, you could probably get away with not paying for Cloudron (and maybe it’s you), but remember what I said earlier – someday, someone else will need to inherit this technology stack. You might be unavailable when something breaks, and things like chat and email can be critical to people’s safety. Cloudron makes it easy to give multiple people access both to the platform itself and all the apps therein, and that simplicity and peace of mind is a huge part of why Cloudron is worth the money.

Disclosure: The two links above for a VPS and Cloudron are referral links; if you purchase services after clicking on them, I get a discount on the VPS and license key used to run socialism.tools.

Getting started

Let’s buy a domain!

Buying your domain name is like buying your digital identity. As a reminder, the domain name of this site is socialism.tools.

To begin, go to cloudflare.com and make an account if you don’t have one already. After signup, you should now have the option to purchase a domain name:

In June of 2020, the button to buy a domain looks like this.

You can type in your domain name, including your top-level domain. This is .com, .biz, .org, .tools, and so on. There are tons of top-level domains, and if you aren’t sure which one you want, leave it out and see what Cloudflare suggests. For fun, let’s say we’re helping Albuquerque DSA set up their site. I like the .group TLD, so I chose that. This is what Cloudflare will show me:

Select “purchase” and complete the purchase process. You will be asked for your address and contact information – this information is not public. Cloudflare has something called WHOIS privacy on by default, so if someone tries to look up who owns a domain, it will not show them anything. Cloudflare is required to keep this information for legal purposes, so keep that in mind. Once you’re done, it should appear in your Cloudflare Dashboard like so:

My Cloudflare dashboard

We need to do one more thing with Cloudflare. Open a Notepad document; we need to save a special string of text. Here’s what to do:

Click your user icon in the top-right corner of the page and select My Profile.

Click “API Tokens” and then the blue “Create token” button:

Choose Edit Zone DNS

Note: this exact process may change over time. If something seems wrong, please view the Cloudron documentation.

Under Permissions, add the following two entries:
Zone > Zone > Read
Zone > DNS > Edit

It should look like this

Press “Continue to summary” and then “Save”. Now, copy the token that appears on the screen somewhere safe. You can copy and paste it into Notepad and save it as a file, or use Sticky Notes.
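The token above is the credential Cloudron will use to change your DNS, so it is worth confirming it carries only the two permissions the guide asks for, scoped to a single zone rather than your whole Cloudflare account. The script below is an added example, not part of the original guide and not Cloudron’s or Cloudflare’s code. It audits a token description for least privilege. Assumptions, labelled in the code: the sample JSON is constructed by hand to mirror the shape of a token description (a list of policies, each with an effect, resources and permission groups), the permission-group names "Zone Read" and "DNS Write" are taken to be the API-side names of the two UI entries, and the resource-key prefixes are the zone and account formats as I understand them.

```python
"""Least-privilege audit for the Cloudflare API token created in the guide.

Added example; not code from the original post, Cloudron or Cloudflare.
"""
import json

# Permission groups the guide's token needs. These names are assumed to be the
# API-side names of the UI entries "Zone > Zone > Read" and "Zone > DNS > Edit".
REQUIRED_PERMISSIONS = {"Zone Read", "DNS Write"}

# Resource keys in a token policy (assumed formats): a zone-scoped key looks
# like "com.cloudflare.api.account.zone.<zone id>", an account-wide key like
# "com.cloudflare.api.account.<account id>".
ZONE_PREFIX = "com.cloudflare.api.account.zone."
ACCOUNT_PREFIX = "com.cloudflare.api.account."


def audit_token_policies(policies):
    """Return a list of findings; an empty list means the token matches the guide."""
    findings = []
    granted = set()
    for policy in policies:
        if policy.get("effect") != "allow":
            continue  # a deny policy never widens access
        granted |= {g["name"] for g in policy.get("permission_groups", [])}
        for resource in policy.get("resources", {}):
            if resource.startswith(ACCOUNT_PREFIX) and not resource.startswith(ZONE_PREFIX):
                findings.append(f"account-wide scope on {resource}")
            elif not resource.startswith(ZONE_PREFIX):
                findings.append(f"unexpected resource {resource}")
    for name in sorted(granted - REQUIRED_PERMISSIONS):
        findings.append(f"extra permission: {name}")
    for name in sorted(REQUIRED_PERMISSIONS - granted):
        findings.append(f"missing permission: {name}")
    return findings


def audit_token_json(text):
    """Same check, starting from the JSON text of a token description."""
    doc = json.loads(text)
    if doc.get("status") not in (None, "active"):
        return [f"token status is {doc['status']}"]
    return audit_token_policies(doc.get("policies", []))


# Constructed sample: the token the guide asks for, limited to one zone.
GOOD_TOKEN = json.dumps({
    "id": "example-token-id",
    "status": "active",
    "policies": [{
        "effect": "allow",
        "resources": {ZONE_PREFIX + "0123456789abcdef0123456789abcdef": "*"},
        "permission_groups": [{"name": "Zone Read"}, {"name": "DNS Write"}],
    }],
})

# Constructed sample: a token that was given more than the guide asked for,
# both an extra permission group and account-wide scope.
BAD_TOKEN = json.dumps({
    "id": "example-token-id",
    "status": "active",
    "policies": [{
        "effect": "allow",
        "resources": {ACCOUNT_PREFIX + "0123456789abcdef0123456789abcdef": "*"},
        "permission_groups": [
            {"name": "Zone Read"}, {"name": "DNS Write"}, {"name": "Zone Write"},
        ],
    }],
})

if __name__ == "__main__":
    for label, token in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN)):
        print(label, audit_token_json(token) or ["ok"])
```

Run it as-is to see the two constructed samples judged; to audit your own token, replace the sample with the token description you export from Cloudflare and act on any "extra permission" or "account-wide scope" finding by recreating the token with just the two entries above.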

Let’s build your VPS!

Now we need somewhere to point that fancy new domain name! There are many options to choose from when selecting a company to provide you a VPS. Cloudron recommends four options that offer one-click easy installation. Amazon is a popular option, but fuck Jeff Bezos.

Digital Ocean is what I use, and is the next most popular option that offers one-click install. It also has one of the best user interfaces available, to make managing your resources and sharing them with others easier.

You can click here to set up a new Digital Ocean account with $100 in credit. Once you have an account, you can create a Droplet. A Droplet is Digital Ocean’s cute term for VPS.

Click Create > Droplets

Click “Marketplace” and search for and select “Cloudron”.
Leave “Basic” selected and choose the size of your Droplet. The absolute bare minimum is the $10/mo droplet and I wouldn’t recommend this unless you really, really don’t have any money. If you plan on installing more than two or three apps, especially if you want to use WordPress, I would strongly recommend going up to the $15 plan that includes 3GB of RAM as the bare minimum. If you plan on having a lot of users (say, over 100) and you can afford it, the $40 a month plan should let you sleep easy knowing you always have enough power and RAM.

I recommend the $20/mo droplet to start as it provides a good balance that should work for most small to medium chapters (you can always easily make your droplet bigger).

Screenshot of the Digital Ocean Droplet creation screen

Next, you’ll choose a data region. If you’re trying to avoid surveillance by the government by selecting a different country, I have bad news – it will likely not help. For performance reasons, choose a data center as close to your members as possible.

“Hey wait, you said this guide would help us avoid surveillance!”
I did, because it will protect you from bulk collection activities. Bulk collection activities are like Google mining your search history for ad data or the FBI issuing a wide search warrant for anyone who searched “communism is cool” in Facebook Messenger. The EFF has more information on this topic.

But this is not a guide on how to hide from the feds – doing so would so drastically increase the cost and complexity to this project so much it could not exist.

If sufficiently experienced hackers, such as the NSA, GRU, or others, want to get your data, they will. Do not transmit or store anything you think could be used against you on a computer. A Signal call or, better still, an in-person conversation is the right choice when dealing with sensitive information.

Anyway, back to setup:

Leave Default VPC blank. Select the checkboxes for IPv6 and Monitoring. IPv6 is a newer web technology and monitoring will let you see pretty graphs in the Digital Ocean web interface.

Additional Droplet options

Now select Password and create this password – and safely store it in your password manager. Anyone who has this password can access all the data you store online. Keep it safe!

Droplet authentication setup

Leave everything else as-is.

Congratulations! In a few moments, your VPS will be built and have Cloudron ready to go! Wait for the installation process to complete before moving on to the next step – configuring your new Cloudron install.
