plateee

it’s not security, just obscurity

IIRC for my setup it’s a bit of both. My DNS API key is scoped to only handle the specific subdomain updates instead of my entire DNS account.

I still use a wildcard for that subdomain for non-kubernetes systems, but the cert plugins for kubes is excellent at handling a LE cert per lan fqdn.

You don’t need to register a local CA

This was my biggest reason to move to Let’s Encrypt. I have a Hashicorp Vault instance in my homelab for secrets and I tried using it for an internal CA (like how the lab at work is set up), but trying to get on every device and add the full Vault chain to each individual system’s trust store was massive pain in the ass.

I do DNS challenges with let’s encrypt for either host fqnds (for my kubes cluster) or wildcard for the few other services.

The trick is to do a subdomain off of a domain that you own (e.g. thing.lan.mydomain.com) this way, you can scope the DNS to only *.lan.mydomain.com if you’re conscious about scoped api security.

Using let’s encrypt is nice because you can have a valid ssl chain that android, iOS, windows, and Linux all trust with their default trusts without having to do something with a custom CA (ask me how awful that process can be).

Yeah, in that case, I’d probably split my DNS duties. I started with internal resolution by having Pihole do hard coded DNS entries for internal systems, but my current setup seems to be much more resilient.

I have two PowerDNS servers (main and replica) with recursors to Open DNS internet servers and resolvers for my lab network. It plays very nicely with Terraform or (crucially lately) Kubernetes.

Could you do a subdomain for internal? Using Nginx host base routing to get to the same port would let you have a valid cert for both service.lan.your.fqdn and service.your.fqdn.

Let’s Encrypt wildcard certs for the *.lan.your.fqdn would simplify things.

Your DNA server could then resolve the lan fqdns to your internal network and the non-lan to your Internet exposed?

Yup, shared storage is a requirement. I’m using a combination of Ceph and NFS at the moment, but I wouldn’t recommend Ceph unless you’ve got a 10gb connection between nodes.

Here’s a guide to set up high availability with Proxmox: https://kiwicloud.ninja/2024/02/improved-high-availability-ha-for-vms-on-proxmox-ve-pve/

For me, I have three proxmox nodes that are configured to restart VMs and LXC containers if a host goes offline. There’s a Palo Alto pa-440 for my fw/router and a brocade switch (they were something work gave me for practicing for a network exam).

The nodes, Palo, brocade, and AT&T modem are all on two UPS 1500va systems along with my wifi ap. Run time in case of power loss is around an hour.

I’m this close to getting a comprehensive shutdown script working from a raspberry pi that is triggered if there’s power loss (most UPS systems have some capability to trigger scripts on a host that’s connected to the UPS’s console port).

If I can get that script working, the battery backup will run a PI for several days.

Back on the redundancy side, I host two PowerDNS systems in the proxmox cluster along with a 3 node/LXC container Vault.

I tried terraform for my three node proxmox cluster and all the providers were shit (and one was written by a for-profit prison company).

I ended up just deploying manually, but I do heavily use ansible for things like let’s encrypt wild card cert renewal/installation and patch management.

I love terraform when the providers are good - my #dayjob is predominantly spinning up hybrid cloud/global AWS environments and we could not do what we do without tools like Cruft, Terraform, and Ansible.

My homelab runs off three Lenovo M920q systems - they have an optional PCIe riser in which I’ve installed a 10Gbe fibre card to handle storage. I grabbed them from an electronics recycling/reseller company - EpcGlobal.

If you’re in the States, I highly recommend them, although their stock changes frequently - https://epcglobal.shop/

Maybe a controversial take, but I like pihole for blocking only - I have a pair of powerDNS servers set up for my internal name resolution. They recurse to Pihole, but can fall back to internet DNS servers if Pihole isn’t responsive.

I tried pihole for local resolution and found it to be a fairly large pain to automate. Plus kubes has PDNS hooks for auto-updating DNS entries.

I have dyndns. I don’t recommend them, unless a coworker just gave you their lifetime pro account for free.

Thanks Roody, wherever you are!

Unifi Protect is what runs on the CloudKey/NVR physical device - you don’t need to have it go through to the Internet.

Remember, for better or worse Ubiquiti is positioning themselves as SMB Enterprise security - some companies won’t want their footage to be accessible outside their network.

This is maybe controversial, but I love the Ubiquiti security stuff. Cameras (interior and exterior) doorbells, etc, it’s all great. Pricey, but you get what you pay for.

And the data can stay local or be accessible via their services.

I chose to go local only, grabbed their UNVR and populated it with 4x 2TB drives and it has enough space to handle 7 cameras HD history for about a month.