
MigratingtoLemmy

@MigratingtoLemmy@lemmy.world


Starting from zero

I'm interested in exploring the world of self hosting, but most of the information that I find is incredibly detailed and specific, such as what type of CPU performs better, etc. What I'm really looking for is an extremely basic square 1 guide. I know basically nothing about networking, I don't really know any coding, but it...

MigratingtoLemmy ,

Could you let me know about the problems you're facing? I'll try to help if I have ever heard of/used the service before

MigratingtoLemmy ,

At which point such a user might already be looking at TrueNAS/DIY setups TBH

MigratingtoLemmy OP ,

AFAIK bpg's provider has significantly better feature support than Telmate

MigratingtoLemmy OP ,

Very unfortunate. I'm considering OpenStack as an alternative for its support but TBH it's not what I want.

MigratingtoLemmy OP ,

It's just that when something breaks in Proxmox the remediation is completely manual and I hate that.

Thanks, I look forward to someone creating a provider which encompasses all of Proxmox.

MigratingtoLemmy OP ,

A lot of them do actually. Most mid-tier cloud providers (Linode, DigitalOcean, Vultr) and less expensive providers (IONOS, for example) do have official Terraform providers. Smaller providers like Racknerd don't, but that is somewhat understandable.

Incidentally, Porkbun is a known DNS provider which doesn't have Terraform support (which is why I'm evaluating Cloudflare in the first place for a domain).

XCP-ng has an official Terraform provider, whilst ESXi and Proxmox don't. The unfortunate part is that there isn't even a provider for KVM, which really sucks.

MigratingtoLemmy OP ,

Thanks, I'll take a look

MigratingtoLemmy OP ,

Thanks, it's very new and I'd like to give it some time to mature. With that said, I'm happy to see a SUSE developer take it on.

It also has some great capabilities and lets me handle my storage and hardware whilst providing me paradigms akin to the Cloud à la OpenStack (to an extent). It seems great, thanks for mentioning it.

MigratingtoLemmy OP ,

Could you tell me which cloud providers are using Incus?

It's a bit hard to search for info about it with that name. But it's a fantastic project

Is there a FOSS/privacy oriented IoT community?

Is there a community specific to FOSS or just general privacy oriented IoT? With plenty of hardware discussion along with software. Routers, piholes, Meshtastic, anything IoT but open source. If it touches a network but you want it to do something it doesn't. Flashing a doorbell camera with FOSS firmware. Hosting media servers...

MigratingtoLemmy ,

Probably homelab/self-hosted communities, but you'll have to preface that you're focusing on the security aspect rather than the usability of the application/device. With that said, I'd like for the kind of community you mention to be big and have a lot of engagement, but I think it's too niche even amongst niche communities like self-hosting.

With that said, the principles are largely the same. Netsec applies to everything that touches the network, FOSS or otherwise. If you're using Zigbee, you're going to have to read about RF and how to secure yourself (Zigbee uses symmetric encryption from what I've heard and I really don't like the idea). Funnily enough, when I had posed a question on RF privacy here I was ridiculed and downvoted, seemingly by a community that "cares" about privacy.

Yes, there's a lot of hypocrites here. Which is also another reason why you probably won't find much traction for the community you're thinking of. But I'll stop there.

Edit: I completely missed the HA, Node-RED and openHAB communities, but you'll probably find them in other forums; they're not particularly active here other than Home Assistant

MigratingtoLemmy ,

People like this usually hang around the microcontroller spaces since these people will almost always make a case with a 3D printer and order ESPs from Aliexpress and program their own device/install Tasmota or something. Some people maintain a happy medium with purchasing pre-built hardware and running FOSS on them, but IMO the real fun is when you do most of it yourself. Not discounting how good OEM hardware can be in terms of overall functionality, of course.

The downside to writing your own code is maintaining its security which is a pain though.

I don't think you'll find many people like the type you're looking for here outside of the few in the communities I mentioned previously. You'll have to look at other forums, unfortunately.

MigratingtoLemmy ,

Thank you for clarifying, and my apologies

MigratingtoLemmy ,

Could you tell me more about how secure the key exchange is?

MigratingtoLemmy ,

Thanks

How would I automate (VM/LXC)-agnostic templates in Proxmox without creating golden images?

For context: I want to automatically enable Intel SGX for every VM and LXC in Proxmox, but it doesn't seem like there's a way to do it using APIs AFAIK (so Terraform is out of the question unless I've missed something) other than editing the template for the individual LXC/VM....

MigratingtoLemmy OP ,

I will probably have to run cloud-init/ansible on the PVE host for this to work. I'd probably go with Ansible, but I would have liked for this to be possible directly through Terraform. I don't know if it's the developer of the provider who didn't include this.

With that said, we do have AppArmor support for VMs, which is a secure enclave too (if I understand correctly). Don't quite know if switching on and using both SGX and AppArmor would be a good choice - would you happen to know about this?

MigratingtoLemmy OP ,

I was under the impression that cloud-init could only really be used to run commands inside the guest? Well, I could technically use Ansible and edit the file every time I provision something - this was just an example of how, however much the community tries, there might be something missing in the provider because Proxmox doesn't take this on directly.

I should have worded that better. In using MAC, AppArmor effectively reduces access to files that would be essential for the VM to run. That is the sense in which I mentioned "security enclave" but I can see now that that isn't quite correct.

Either way, that is my philosophical reasoning for complaining this much. Ansible is pretty decent and has decent Proxmox integration, but Terraform is, in my opinion, superior when it comes to deploying infrastructure. That might be a bias from my side, of course. For now, I'm also going through the OpenStack documentation to see if the things I want to achieve can be done there, because they have an official Ansible project alongside their version of Cloudformation - Heat.

Thanks

MigratingtoLemmy OP ,

Can't cloud-init only really run scripts in the guest and not on the host?

MigratingtoLemmy OP ,

Intel SGX requires me to set a CPU flag in the .conf file. For now, it's a shell script and I can do it with Ansible, but I'd like to not have to take such half-baked measures

MigratingtoLemmy ,

TBH if it was Graphene doing it to improve my battery life and I could audit the ACLs set up so I can confirm that it doesn't leave the device, then I'd keep it switched on. Of course, I'd want the data to be deleted on a schedule with just the inferences maintained, and I'd want it locked down and encrypted as much as possible.

MigratingtoLemmy ,

I completely get you. Agreed

MigratingtoLemmy OP ,

Is that your firewall? I admit it's a great idea but do you use something else for routing?

MigratingtoLemmy OP ,

My apologies, I didn't realise the LTS version's source was free. I'll edit the post, thanks for pointing it out. Could you tell me more about your VyOS setup?

MigratingtoLemmy OP ,

AFAIK options 2 and 4 only. I can't trust a USB to ethernet adapter for stability either

MigratingtoLemmy OP ,

You have really piqued my interest. I have always thought about running my DIY Router + Firewall + switch but had never really spoken to anyone who had done it before (guides on the internet notwithstanding).

However, if I do something like this, it will likely be on OpenBSD. Now, I haven't delved deep enough into the BSDs to know if it's better than Debian since all distributions can be made as secure as we want. However, OpenBSD just has a better image in my mind in terms of security and some of their choices in the OS are to my liking.

MigratingtoLemmy OP ,

Most home setups will likely work fine with just one firewall, but I am planning for 2 at the very least for my network. Also, sometimes it might be better to run a separate router in a VM and have a distinct network behind it if you want to segment said network more thoroughly/want to emulate an enterprise environment etc. I personally see good use for running 2 or more routers (software/hardware) in a lab, but YMMV

MigratingtoLemmy OP ,

Thank you for documenting the process, it was a very interesting read.

Indeed, they have great documentation on this. Fantastic to have an official guide on something I'd like to do!

MigratingtoLemmy OP , (edited)

Thanks for explaining your rationale for the question. I'm in the US and whilst power isn't the least expensive in the world, it's not as bad as, say, Germany.

If you look at my history, in my previous post I was talking about hosting AD. Alongside that, I will also be hosting (sometime in the near future) an IoT controller, messaging, many IoT devices etc. Instead of just creating VLANs (which is certainly a valid approach), I'd like to create a separate network (and bind the VMs behind the router to only be able to pass traffic through that router, with ACLs and by defining it as the gateway).

I do not have a massive consumer base at home (the nod towards "12 laptops, bunch of PCs and a home datacenter" isn't really for me), but I will have a lot of service VMs, containers etc. Some of them, I'd like for them to stay contained and not have to write additional firewall rules/ACLs on my main router - I can write those in the config of the secondary router and have a clean separation between a testing network (which is the purpose for the secondary router as a VM, for me) and my actual gateway.

Now, in terms of hardware, I'd like to run 2 different firewalls too. Partly because I'm paranoid about Intel ME - the plan was to run an OpenWRT router which would be connected to the internet, with a second router on x86 (which is why I made this post and was looking forward to this discussion) behind it, whilst intentionally double-NATting myself. I will also be setting up ACLs on the OpenWRT router/firewall to attempt to prevent Intel ME from ever accessing the internet - I believe that even if ME can utilise the same MAC of the NIC to send packets, it cannot use the same IP address. I'm also in the phase of researching other parameters on which I can filter out such traffic and only allow traffic from my trusted node (i.e. router/firewall OS) to access the internet. This argument probably won't hold up very well against real-world scenarios and I might face hitches along the way, but I want to try it.

Also, I'll feel safer experimenting on my "main" firewall/router (the x86 box - like I mentioned to another commenter, I might run a DIY OpenBSD router on it) if I have a firewall/NAT setup in front of it to take care of my network.

Thanks for the question, and I'm sure my words don't make much sense (technically speaking), but this is simply what I cobbled together thinking about what I can realistically do.

MigratingtoLemmy OP ,

You're right, I should have thought a bit more before I answered. Thinking about it, double NAT doesn't achieve anything. With that said, the main way in which this is a problem is if one were to forward ports, in which case they'd need to forward ports from both firewalls.

Yes, I will be dealing with firewalls on both appliances.

I too will be investing more into Zigbee in the future, but having a central controller with MQTT can help. I haven't decided if I want to go completely without WiFi. There are certainly security considerations to going to Zigbee. Like you, I do not plan to utilise many proprietary IoT solutions and buy into massive appliances being controlled with outdated software. I'll stick to dumb appliances as much as I can.

I don't think it's particularly malicious either, but the problem I have is that it is essentially at ring 0. As such, my OS can't do anything about it, which means I'm going to have to find alternatives to deal with it. I would have loved to have every device have a FOSS bootloader but I suppose that's a long way away.

Thanks for your comment.

MigratingtoLemmy OP ,

I don't think Zigbee is proprietary, but I might have missed something. Like you, I also really like the ESP controllers that I can get and run my own code/mature projects on them (this is for both Zigbee and WiFi versions)

If you can replace your thermostat, that would make your heating reasonably smart. With that said, I'm now used to manually turning it down when I leave.

MigratingtoLemmy OP ,

Is it your main firewall?

Do you do in-place upgrades, and do you have HA for your firewall?

MigratingtoLemmy , (edited)

I will assume that you will expand your homelab with time.

I will also assume that you're not going to open ports from your home network to the internet. If you need to do that, come back here/research Cloudflare tunnels (I have an alternative to those but that will need some explaining).

Now, purchase a 4 port/6 port "Router Firewall" from Aliexpress. They'll cost you $200 + RAM + SSD, but with that you'll have an x86 router + switch (the Celeron/Pentium/i3s are plenty capable of switching without dedicated hardware). Get a TP-Link/Mikrotik WAP and install OpenWRT.

Now, to bring my previous point into focus: you will place this router/firewall behind your consumer router. This will effectively place you behind double NAT, but if you're using Comcast you shouldn't care anyway (and it doesn't matter unless you're planning to expose ports).

How many drives do you need for your NAS? Look at Lenovo P310s and replace the PSU with your own. RAM + storage will be your biggest expenses in a homelab.

Use your gaming PC as a server, and get a Dell/HP/Lenovo mini PC for HA with it. Don't even think about ESXi and jump straight into KVM/Xen. Bhyve if you're brave/want to try something new.

Use Terraform/Ansible when you can, and nothing will terrify you anymore since you can literally rebuild the entire lab inside 15 minutes of you doing nothing but waiting.

Have fun!

MigratingtoLemmy ,

Absolutely. Everyone should, in theory, be alarmed by the blatant push towards being the world's biggest MitM by Cloudflare, but if one doesn't care about that, then it's a very good service.

I would personally consider running my own VPS with encrypted storage and running WireGuard tunnels (with the VPS as the server and my devices/home router as the clients). If I connect to the same socket, I could essentially connect to my home network without opening any ports there. Tailscale operates on a similar concept at scale, but you'd be better off hosting headscale if you care about privacy.
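The hub layout described in the reply above, as an added example that is not from the thread or any project's own code: the VPS is the only side with a listening port, the home router and a laptop both dial out to it, and the laptop reaches the home LAN through the VPS. All keys, addresses and the endpoint hostname are constructed placeholders.

```shell
# Added example: render WireGuard configs for a VPS hub with the home router
# and a laptop as dial-out peers. Keys, addresses and the hostname below are
# constructed placeholders, not values from the thread.
VPS_PUB="${VPS_PUB:-VPS_PUBLIC_KEY_PLACEHOLDER}"
HOME_PUB="${HOME_PUB:-HOME_ROUTER_PUBLIC_KEY_PLACEHOLDER}"
LAPTOP_PUB="${LAPTOP_PUB:-LAPTOP_PUBLIC_KEY_PLACEHOLDER}"
VPS_ENDPOINT="${VPS_ENDPOINT:-vps.example.net:51820}"
HOME_LAN="${HOME_LAN:-192.168.1.0/24}"

# VPS: the only listener, and it forwards between peers. The home router's
# AllowedIPs must include the home LAN; in WireGuard that line is both the
# route into the tunnel and the allow-list of source addresses accepted from it.
render_vps_conf() {
  cat <<EOF
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = VPS_PRIVATE_KEY_PLACEHOLDER
PostUp = sysctl -w net.ipv4.ip_forward=1

[Peer]
# home router: packets for the LAN behind it are sent into this tunnel
PublicKey = $HOME_PUB
AllowedIPs = 10.8.0.2/32, $HOME_LAN

[Peer]
# laptop: only its own tunnel address is accepted from it
PublicKey = $LAPTOP_PUB
AllowedIPs = 10.8.0.3/32
EOF
}

# Client shape shared by the home router and the laptop: no ListenPort, so
# nothing is exposed behind the consumer router; the keepalive refreshes that
# router's NAT mapping so the VPS can always reach back in. Arguments are the
# tunnel address, the AllowedIPs list and the private key placeholder.
render_client_conf() {
  cat <<EOF
[Interface]
Address = $1
PrivateKey = $3

[Peer]
PublicKey = $VPS_PUB
Endpoint = $VPS_ENDPOINT
AllowedIPs = $2
PersistentKeepalive = 25
EOF
}

# Home router: only the tunnel subnet (it must also forward wg0 <-> LAN).
# Laptop: additionally routes the home LAN through the VPS.
home_router_conf() { render_client_conf 10.8.0.2/24 "10.8.0.0/24" HOME_ROUTER_PRIVATE_KEY_PLACEHOLDER; }
laptop_conf() { render_client_conf 10.8.0.3/24 "10.8.0.0/24, $HOME_LAN" LAPTOP_PRIVATE_KEY_PLACEHOLDER; }
```

Each function prints a wg-quick style file; on the home router, forwarding between wg0 and the LAN interface still has to be enabled and permitted by its firewall.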

MigratingtoLemmy ,

That would be correct. Typically people recommend reverse-proxies for this because of their routing capabilities, but unless you have complicated checks and other functionality you need to implement, simple NAT is the best way to go about this. nftables can do exactly what you need with excellent performance.

MigratingtoLemmy ,

Ideally, to preserve them in a file and run a command to load them at start-up. This is trivial to do in OpenRC or similar init systems, whilst systemd will require a service configured for it.
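The two replies above (plain DNAT instead of a reverse proxy, and keeping the rules in a file that is loaded at start-up) put together as an added example; this is not code from the thread or from any project. The script renders a small nftables ruleset, syntax-checks it with `nft -c` before anything is loaded, and installs it as the file the distribution's nftables service reads at boot. Interface names, addresses and ports are constructed placeholders.

```shell
#!/bin/sh
# Added example: render, check and persist an nftables ruleset that forwards
# one public port to an internal host with plain DNAT (no reverse proxy).
# All interface names, addresses and ports are constructed placeholders.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"
BACKEND="${BACKEND:-10.0.0.10}"
PUBLIC_PORT="${PUBLIC_PORT:-443}"
BACKEND_PORT="${BACKEND_PORT:-8443}"
RULESET="${RULESET:-/etc/nftables.conf}"

# Print the ruleset. The forward chain drops by default and only admits the
# DNAT'd flow plus established traffic, so the box does not become a general
# router for unsolicited inbound packets just because forwarding is on.
render_ruleset() {
  cat <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet fw {
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    iifname "$WAN_IF" tcp dport $PUBLIC_PORT dnat ip to $BACKEND:$BACKEND_PORT
  }
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    iifname "$WAN_IF" oifname "$LAN_IF" ip daddr $BACKEND tcp dport $BACKEND_PORT ct status dnat accept
    iifname "$LAN_IF" oifname "$WAN_IF" ip saddr $LAN_NET accept
  }
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    oifname "$WAN_IF" ip saddr $LAN_NET masquerade
  }
}
EOF
}

# Write the file, verify it parses (-c checks without loading), enable the
# distribution's loader and load it now. Runs as root on the firewall host.
install_ruleset() {
  render_ruleset > "$RULESET"
  nft -c -f "$RULESET" || { echo "ruleset rejected, not enabling" >&2; return 1; }
  sysctl -w net.ipv4.ip_forward=1
  # systemd: the nftables service reads /etc/nftables.conf at boot.
  # OpenRC equivalent: rc-update add nftables default
  systemctl enable nftables && nft -f "$RULESET"
}
```

`install_ruleset` is the only function that touches the system; `render_ruleset` can be run anywhere to review what would be loaded.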

MigratingtoLemmy ,

I would like to know the problems you're having with systemd, but since you wouldn't like to explain....

TBH with all the shit I give Poettering, systemd is a good system for the most part, it's just ideologically not for me, and it's also really complicated according to people who have worked on it.

With that said, I'd point you towards Alpine. I once ran a server in the cloud with it and had no issues, other than ones you might have if you were to use musl, but if you're using GNU I don't think you'll have such issues.

Why aren't you trying the BSDs? FreeBSD is quite stable and if you're going to run VMs anyway, run a couple to host your k8s infrastructure/podman nodes and off you go!

MigratingtoLemmy OP ,

I'll keep that in mind, I've been warned by quite a few people in the comments haha

MigratingtoLemmy OP ,

The main idea was to see if AD will bring any benefit to my homelab. The idea of running a domain controller is very intriguing, and it doesn't need to be AD specifically, although I'd like to get some hands-on time with it too.

MigratingtoLemmy OP ,

Wow, that's real enterprise software!

How do you like Sophos? Is it the free version? I came across another commenter who uses it in my previous post.

MigratingtoLemmy OP , (edited)

I am considering FreeIPA myself too! Thanks!

MigratingtoLemmy OP ,

Thanks!

MigratingtoLemmy OP ,

Thanks, great to know about Restore Mode.

MigratingtoLemmy OP ,

Thanks, you're the second person who has spoken about NethServer to me. I'll take a look.

I was planning to create a subdomain for it anyway, it's just that I was misled into thinking that if I didn't give it control over DNS for the network it wouldn't function properly. That doesn't seem to be the case (which I'm glad for).

I do not quite understand how the attack surface is increased other than running Windows on my network. I will have to look deeper into it myself.

Thanks

MigratingtoLemmy OP ,

Will do

MigratingtoLemmy OP ,

Hey, I'd like to ask you one more thing: is it possible to set up short-term credentials which can be provisioned and invalidated automatically with policies? I'm looking towards an idea of a self-hosted AWS STS without installing a secrets manager like Conjur and I think it should technically be possible with FreeIPA. Please let me know what you think.
