3.6 KiB
3.6 KiB
TODOS
- Make a flake that sets up host machine for dev
- hosts file changes (networking.extraHosts) networking.extraHosts = '' 127.0.0.1 homefree.lan 127.0.0.1 radicale.homefree.lan 127.0.0.1 auth.homefree.lan 127.0.0.1 authentik.homefree.lan 127.0.0.1 vaultwarden.homefree.lan 127.0.0.1 homeassistant.homefree.lan 127.0.0.1 ha.homefree.lan '';
- qemu
- OVMF.fd
- virtiofsd
- HA Authentication
- Use local network authentication, then use Authentik proxy auth in front
- LDAP auth is annoying, and presents a different auth page
- Look into auto-initialization for HA: https://github.com/home-assistant/core/issues/16554
- Using auth_manager API to create user, or edit .storage/auth directly / deploy it
- Authentik
- Auto LDAP deploy
- https://docs.goauthentik.io/docs/providers/ldap/generic_setup
- Security
- Wazuh
- setup VLANs
- setup ipv6
- Figure out how to use host id_rsa.pub in build, rather than hard-coded key
- maybe share ~/.ssh/ida_rsa.pub into machine? would cause problems if share failed
- Determine if there are any problems with disabling "wait for network" to get rid of error
- Look into microvm instead of qemu, which has been difficult to work with
- setup DNSSEC for dnsmasq, IPV6
Solutions
- Firewall
- NAS
- reverse proxy
- Traefik
- HAProxy
- nginx-proxy-manager
- caddy
- ad block
- Unbound
- AdGuard
- PiHole
- intrusion protection
- https://www.redhat.com/sysadmin/security-intrusion-detection
- fail2ban
- Suricata
- OSSEC-HIDS
- Snort
- Zeek
- Tripwire
- certs
- certbot
- caddy
- SSO
- https://github.com/greenpau/caddy-security
- authentik
- authelia
- keycloak
- VPN
- Tailscale/Headscale
- wireguard
- openvpn
- Backup
- bacula
- kopia
- restic
- Hypervisor
VyOS comparison
- Netfiter - does it use nftables? How does its config language map to Netfilter? Can it be extracted?
- FRR - high performance IP routing suite - any use for this in a home router?
- strongSwan - IPsec VPN. IPsec is slower than Wireguard but clients are built into OSes
- Acel-PPP - VPN/tunnel server for PPPoE, PPtP, L2TPv2, SSTP, IPoE
- FastNetMon - DDoS detection
- Squid - caching proxy
- PowerDNS - commercial grade DNS server
DONE
- Setup host so default network virbr0 starts at boot
- currently need to us "sudo virsh net-start --network default"
- Does hardware-configuration.nix root disk device need to be updated with each build?
- Get VM starting from command line
- Figure out way to setup SSH without needing to lookup IP in virt-manager
- Use user network, map SSH to unused port
- https://unix.stackexchange.com/questions/489891/qemu-access-guest-vm-from-the-host-machine
- better though would be to add hostname, e.g. homefree-vm
- Share folder automatically setup by qemu xml?