homefree/TODOS.md

TODOS
=====

* HA Authentication
  * Use local network authentication, then use Authentik proxy auth in front
  * LDAP auth is annoying, and presents a different auth page
  * Look into auto-initialization for HA: https://github.com/home-assistant/core/issues/16554
    * Using auth_manager API to create user, or edit .storage/auth directly / deploy it
* Authentik
  * Auto LDAP deploy
  * https://docs.goauthentik.io/docs/providers/ldap/generic_setup
* setup VLANs
  * https://wiki.nftables.org/wiki-nftables/index.php/Main_Page
  * https://serverfault.com/questions/858556/transparent-firewall-with-nftables-and-vlans
  * https://serverfault.com/questions/1057819/route-untagged-vlan-to-a-tagged-vlan-with-nftables
* setup ipv6
* Make a flake that sets up host machine for dev
* Figure out how to use host id_rsa.pub in build, rather than hard-coded key
  * maybe share ~/.ssh/ida_rsa.pub into machine? would cause problems if share failed
* Determine if there are any problems with disabling "wait for network" to get rid of error
* Look into microvm instead of qemu, which has been difficult to work with
  * https://github.com/astro/microvm.nix
* setup DNSSEC for dnsmasq, IPV6
  * https://blog.josefsson.org/2015/10/26/combining-dnsmasq-and-unbound/

### Solutions
* Firewall
  * https://www.jjpdev.com/posts/home-router-nixos/
* NAS
  * https://github.com/reckenrode/nixos-configs/tree/c556206df2611af2f9ea83954aae1b51461e44c5/hosts/x86_64-linux/meteion
  * https://www.reddit.com/r/NixOS/comments/yr21p1/offtheshelf_nas_supporting_nixos/
* reverse proxy
  * Traefik
  * HAProxy
  * nginx-proxy-manager
  * caddy
* ad block
  * Unbound
  * AdGuard
  * PiHole
* intrusion protection
  * https://www.redhat.com/sysadmin/security-intrusion-detection
  * fail2ban
  * Suricata
  * OSSEC-HIDS
  * Snort
  * Zeek
  * Tripwire
* certs
  * certbot
  * caddy
* SSO
  * https://github.com/greenpau/caddy-security
  * authentik
  * authelia
  * keycloak
* VPN
  * Tailscale/Headscale
    * https://tailscale.com/kb/1136/tailnet
    * https://github.com/tailscale/golink
    * https://github.com/tailscale-dev/tclip
  * wireguard
  * openvpn
* Backup
  * bacula
  * kopia
  * restic
* Hypervisor
  * https://vpsadminos.org/

### VyOS comparison

* Netfiter - does it use nftables? How does its config language map to Netfilter? Can it be extracted?
* FRR - high performance IP routing suite - any use for this in a home router?
* strongSwan - IPsec VPN. IPsec is slower than Wireguard but clients are built into OSes
* Acel-PPP - VPN/tunnel server for PPPoE, PPtP, L2TPv2, SSTP, IPoE
* FastNetMon - DDoS detection
* Squid - caching proxy
* PowerDNS - commercial grade DNS server

### DONE

* Setup host so default network virbr0 starts at boot
  * currently need to us "sudo virsh net-start --network default"
* Does hardware-configuration.nix root disk device need to be updated with each build?
* Get VM starting from command line
* Figure out way to setup SSH without needing to lookup IP in virt-manager
  * Use user network, map SSH to unused port
  * https://unix.stackexchange.com/questions/489891/qemu-access-guest-vm-from-the-host-machine
  * better though would be to add hostname, e.g. homefree-vm
* Share folder automatically setup by qemu xml?
  * https://www.debugpoint.com/share-folder-virt-manager/
Working self-hosted config rebuild 2023-11-26 14:39:58 -08:00			`TODOS`
			`=====`

authentik ldap working; home-assistant auth with LDAP working 2024-04-25 23:49:16 -07:00			`* HA Authentication`
			`* Use local network authentication, then use Authentik proxy auth in front`
			`* LDAP auth is annoying, and presents a different auth page`
			`* Look into auto-initialization for HA: https://github.com/home-assistant/core/issues/16554`
			`* Using auth_manager API to create user, or edit .storage/auth directly / deploy it`
			`* Authentik`
			`* Auto LDAP deploy`
			`* https://docs.goauthentik.io/docs/providers/ldap/generic_setup`
Disable DNS for dnsmasq, enabled for Unbound 2023-12-09 15:57:38 -08:00			`* setup VLANs`
			`* https://wiki.nftables.org/wiki-nftables/index.php/Main_Page`
			`* https://serverfault.com/questions/858556/transparent-firewall-with-nftables-and-vlans`
			`* https://serverfault.com/questions/1057819/route-untagged-vlan-to-a-tagged-vlan-with-nftables`
			`* setup ipv6`
			`* Make a flake that sets up host machine for dev`
			`* Figure out how to use host id_rsa.pub in build, rather than hard-coded key`
* Added virtual services through caddy * Added Radicale caldav server reverse proxied through caddy 2023-12-10 11:32:48 -08:00			`* maybe share ~/.ssh/ida_rsa.pub into machine? would cause problems if share failed`
Disable DNS for dnsmasq, enabled for Unbound 2023-12-09 15:57:38 -08:00			`* Determine if there are any problems with disabling "wait for network" to get rid of error`
fully self-hosted build 2023-11-27 23:53:54 -08:00			`* Look into microvm instead of qemu, which has been difficult to work with`
			`* https://github.com/astro/microvm.nix`
* Added virtual services through caddy * Added Radicale caldav server reverse proxied through caddy 2023-12-10 11:32:48 -08:00			`* setup DNSSEC for dnsmasq, IPV6`
Disable DNS for dnsmasq, enabled for Unbound 2023-12-09 15:57:38 -08:00			`* https://blog.josefsson.org/2015/10/26/combining-dnsmasq-and-unbound/`

* Added virtual services through caddy * Added Radicale caldav server reverse proxied through caddy 2023-12-10 11:32:48 -08:00			`### Solutions`
started sops config; got ddclient to work 2024-01-14 01:12:45 -08:00			`* Firewall`
			`* https://www.jjpdev.com/posts/home-router-nixos/`
			`* NAS`
			`* https://github.com/reckenrode/nixos-configs/tree/c556206df2611af2f9ea83954aae1b51461e44c5/hosts/x86_64-linux/meteion`
			`* https://www.reddit.com/r/NixOS/comments/yr21p1/offtheshelf_nas_supporting_nixos/`
* Added virtual services through caddy * Added Radicale caldav server reverse proxied through caddy 2023-12-10 11:32:48 -08:00			`* reverse proxy`
			`* Traefik`
			`* HAProxy`
			`* nginx-proxy-manager`
			`* caddy`
			`* ad block`
			`* Unbound`
			`* AdGuard`
			`* PiHole`
			`* intrusion protection`
			`* https://www.redhat.com/sysadmin/security-intrusion-detection`
			`* fail2ban`
			`* Suricata`
			`* OSSEC-HIDS`
			`* Snort`
			`* Zeek`
			`* Tripwire`
			`* certs`
			`* certbot`
			`* caddy`
			`* SSO`
minor tweaks 2023-12-25 00:15:21 -08:00			`* https://github.com/greenpau/caddy-security`
* Added virtual services through caddy * Added Radicale caldav server reverse proxied through caddy 2023-12-10 11:32:48 -08:00			`* authentik`
			`* authelia`
			`* keycloak`
minor tweaks 2023-12-25 00:15:21 -08:00			`* VPN`
			`* Tailscale/Headscale`
			`* https://tailscale.com/kb/1136/tailnet`
			`* https://github.com/tailscale/golink`
			`* https://github.com/tailscale-dev/tclip`
			`* wireguard`
			`* openvpn`
			`* Backup`
			`* bacula`
			`* kopia`
			`* restic`
started sops config; got ddclient to work 2024-01-14 01:12:45 -08:00			`* Hypervisor`
			`* https://vpsadminos.org/`
minor tweaks 2023-12-25 00:15:21 -08:00
			`### VyOS comparison`
* Added virtual services through caddy * Added Radicale caldav server reverse proxied through caddy 2023-12-10 11:32:48 -08:00
minor tweaks 2023-12-25 00:15:21 -08:00			`* Netfiter - does it use nftables? How does its config language map to Netfilter? Can it be extracted?`
			`* FRR - high performance IP routing suite - any use for this in a home router?`
			`* strongSwan - IPsec VPN. IPsec is slower than Wireguard but clients are built into OSes`
			`* Acel-PPP - VPN/tunnel server for PPPoE, PPtP, L2TPv2, SSTP, IPoE`
			`* FastNetMon - DDoS detection`
			`* Squid - caching proxy`
			`* PowerDNS - commercial grade DNS server`
* Added virtual services through caddy * Added Radicale caldav server reverse proxied through caddy 2023-12-10 11:32:48 -08:00
Disable DNS for dnsmasq, enabled for Unbound 2023-12-09 15:57:38 -08:00			`### DONE`

Working self-hosted config rebuild 2023-11-26 14:39:58 -08:00			`* Setup host so default network virbr0 starts at boot`
			`* currently need to us "sudo virsh net-start --network default"`
			`* Does hardware-configuration.nix root disk device need to be updated with each build?`
Disable DNS for dnsmasq, enabled for Unbound 2023-12-09 15:57:38 -08:00			`* Get VM starting from command line`
Working self-hosted config rebuild 2023-11-26 14:39:58 -08:00			`* Figure out way to setup SSH without needing to lookup IP in virt-manager`
updated todos 2023-11-26 14:54:40 -08:00			`* Use user network, map SSH to unused port`
			`* https://unix.stackexchange.com/questions/489891/qemu-access-guest-vm-from-the-host-machine`
			`* better though would be to add hostname, e.g. homefree-vm`
			`* Share folder automatically setup by qemu xml?`
			`* https://www.debugpoint.com/share-folder-virt-manager/`