Since I use Fastmail, I have the possibility to generate masked email addresses. This means that I typically don't expose my actual email address for services I don't trust. Furthermore, I typically try to keep unique email addresses per service. So if one address starts receiving spam, I just remove that address.

This is not as inconvenient as it may sound, since Bitwarden supports auto-generating these masked email addresses through Fastmail's API.

When signing up for a service without access to generating masked email addresses, I typically sign up with an email address like This way I'm still able to filter spam, unless the service recognizes the + pattern and removes it.

Aside from these "throwaway" addresses, I have a private address that I keep for personal emails & a public address where I'm available for strangers / new contacts.

Social platforms

I am very private or anonymous on most social platforms, but there are a few exceptions where I have a public persona:



My family and I use Bitwarden. We have a Yubikey each, enrolled in an n^2 fashion. We can't look inside each other's vaults, but we can recover them upon request.

In Bitwarden, I store all kinds of secrets. But mostly passwords and usernames.

2FA for services

Wherever it is supported I use Yubikeys and a randomly generated password from Bitwarden. Where Yubikeys aren't supported, I use TOTP stored in Bitwarden.

For most services, an attacker thus has to:

  1. compromise my 2FA
  2. compromise my master password or a target service's password.

Home lab

Under construction! For now, have a look at my NixOS config.

All computers that I own (excluding my phone) run either NixOS or macOS with Nix-Darwin. This means that I'm able to configure them all with one repository to get a smooth and consistent experience.


I've built my own router on top of NixOS, letting me customize my network exactly as I want it. You can read more about that here. Getting it exactly as I want it is a process though :)


My principal use case for WireGuard is to be able to access my local network from anywhere. To accomplish this, my router allows its WireGuard peers to also access hosts on its local network.




  • describe reasoning behind datasets
  • describe settings


Currently investigating whether I should build a second NAS for remote backups or if I should use an S3-like solution.

Photo management


I use Syncthing (receive-only) to retrieve photos taken from my phone to my NAS.


I use my own script for renaming photos by date and sorting them into sensible folders. This script moves the photos from the Syncthing folder to my actual ZFS dataset for photos.

This script runs as a Systemd service.
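A date-based sorter of the kind described above, added here as an example and not the author's own script. It assumes the file modification time stands in for the capture time, a `YYYY/MM` folder layout, and paths passed on the command line; it leaves Syncthing's in-progress `.syncthing.*.tmp` files and marker folders alone, skips symlinks, and never overwrites an existing photo.

```python
import shutil
import sys
from datetime import datetime, timezone
from pathlib import Path

PHOTO_EXTS = {".jpg", ".jpeg", ".png", ".heic", ".dng", ".mp4", ".mov"}


def target_for(src: Path, library: Path) -> Path:
    """Build a collision-free destination such as 2023/11/2023-11-14_221320.jpg."""
    # Assumption: mtime approximates capture time (a real script may prefer EXIF).
    taken = datetime.fromtimestamp(src.stat().st_mtime, tz=timezone.utc)
    folder = library / f"{taken:%Y}" / f"{taken:%m}"
    stem, ext = f"{taken:%Y-%m-%d_%H%M%S}", src.suffix.lower()
    candidate, n = folder / f"{stem}{ext}", 1
    while candidate.exists():  # burst shots share a second: add a counter
        candidate = folder / f"{stem}_{n}{ext}"
        n += 1
    return candidate


def sort_photos(inbox: Path, library: Path) -> list:
    """Move finished photos from the Syncthing inbox into the photo library."""
    moved = []
    for src in sorted(inbox.rglob("*")):
        rel = src.relative_to(inbox)
        # Dot-prefixed entries cover Syncthing's partial downloads
        # (.syncthing.<name>.tmp) and its .stfolder/.stversions state.
        if any(part.startswith(".") for part in rel.parts):
            continue
        # Check symlinks first: is_file() follows them, and a synced link
        # could point outside the inbox.
        if src.is_symlink() or not src.is_file():
            continue
        if src.suffix.lower() not in PHOTO_EXTS:
            continue
        dst = target_for(src, library)
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(src), str(dst))  # copy+delete across filesystems
        moved.append(dst)
    return moved


if __name__ == "__main__":
    # Usage (hypothetical paths): sorter.py /srv/syncthing/phone /tank/photos
    for path in sort_photos(Path(sys.argv[1]), Path(sys.argv[2])):
        print(path)
```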


For accessing & interacting with my photos, I self-host Photoprism. It works great when using MySQL (SQLite got very slow with lots of photos).


These aren't all the costs that I've accumulated over the years, but they're the costs that might be relevant for people other than myself to learn from.

Fixed costs

Fractal Design Node 304 | $84
4x Ironwolf ST8000VN004 8TB 256MB | $999
Reused AMD 3 1200 AM4 | $0
Reused XFX Radeon RX 460 | $0
ASRock Fatal1ty B450 Gaming-ITX/ac | $152
Crucial DDR4 2x8GB DIMM | $57
WD Green M2 SSD 240GB | $29
2x Yubikeys (free from work) | $0

Recurring costs

What? | Monthly cost
Fastmail Standard | $5
Bitwarden Family | $3.33
Namecheap domain | $0.93