il/ilnmors-homelab
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a7365da43101b7abd734499cbe16c5e0b7b31ecb
ilnmors-homelab/docs/archives/2025-12/01_plans/01_02_milestone.md
il a7365da431 1.0.0 Release IaaS
2026-03-15 04:41:02 +09:00

4.7 KiB
Raw Blame History

Tags: #plan, #milestone, #common

Homelab Project

Plans

  • Build plans

Organize theory

  • Organize DNS
  • Organize DHCP
  • Organize PKI
  • Organize TLS
  • Organize SSO
  • Organize Email service

Organize configuration

  • Organize Debian installation
  • Organize Debian common configuration
  • Organize iptables
  • Organize podman
  • Organize CrowdSec
  • Organize BTRFS

Hypervisor

  • Install Debian13
  • Set common configuration
  • Set network interfaces
  • Set QEMU/KVM and Libvirt environment

opnsense vm

  • Generate opnsense template
  • Install opnsense
  • Set interface configuration
  • Set CrowdSec LAPI configuration (without TLS)
  • Set KEA DHCPv4 configuration

net vm

  • Generate net vm template
  • Install Debian13
  • Set common configuration
  • Set network interfaces
  • Set DDNS script
  • Set BIND container
  • Set AdGuard Home container
    • Fix DHCP and Static IP server's resolv.conf, and opnsense dns

auth vm

  • Generate auth vm template
  • Install Debian13
  • Set common configuration
  • Set Step-CA container

opnsense vm

  • Set ACME client in OPNsense
  • Set TLS on OPNsense with ACME client
  • Set TLS on CrowdSec LAPI with ACME client
  • Set ACME automation

net vm

  • Set TLS on AdGuard Home container with ACME client

dev vm

  • Generate dev vm template
  • Install Debian13
  • Set common configuration

app vm

  • Generate app vm template
  • Install Debian13
  • Set common configuration
  • Set BTRFS on $HOME/hdd

auth vm

  • Set Caddy - auth container (Main caddy)
    • Caddy TLS certificates
    • Caddy bouncer
    • Caddy log agent
  • Set crowdsec bouncer
    • Set collection in LAPI (parser + scenario)
    • Set collection in auth vm
    • Set acquis.d/caddy-auth.yaml
  • Set LLDAP container
  • Set Authelia container
    • Forward_Auth setting

dev vm

  • Set Postgresql container
    • Set TLS on Postgresql with ACME client
  • Set Caddy - dev container (sidecar caddy)
    • Verify TLS re-encryption
    • Veryfiy Forward_Auth from Caddy - auth
  • Set code-server container
    • Generate container file (with Git and Ansible)
    • Apply SSO with Authelia and Forward_Auth
    • SSH setting
    • Upload opnsense backup file via SFTP
    • Get all server's configuration file via from terminal

app vm

  • Gitea container
    • DB setting
    • OIDC apply with Authelia
    • Code and configuration file Git
  • Vaultwarden container (User secret management)
    • DB setting
    • OIDC apply with Authelia
    • TOTP setting (recovery code will be saved in .secret.yaml)

dev container

  • Set Diun container
  • Set Prometheus and grafana container
  • Set Loki and promtail container
  • Set Postfix
  • Set Dovecot
  • Set Fetchmail
  • Set Mariadb conatiner (when it needs)
    • Set TLS on Mariadb with ACME client

app vm

  • Set Caddy - app container (sidecar caddy)
  • Set app service containers
  • Set all server's Kopia and Gitea (with code-server)
    • Conduct backup verification
    • Git all code on Gitea

Following goals

  • Ansible

To manage and automate this project, the tool of automation is necessary. In modern architecture, Ansible is one of most powerful tools to automate configuration. After the project will be finished, Ansible will be adopted to manage server's configurations. It supports idempotency powerfully, so from the basic configuration the dev-ops system will be applied on this project. Idempotence is very important.

  • self inspection or mock audit

Every architecture has their own vulnerability. It is because always the administrator itself is the weakest chain in the security. So, it is necessary to inspect the system based on external criteria. There's the list of criteria below.

  • ISMS-P - Korean standard
  • ISO/IEC 27001 - International standard/Annex A
  • NIST SP 800-53 - NIST CSF
  • CIS Benchmark - checklist of Debian/OPNsense/RDBMS/etc
  • OWASP Top 10
  • documentation deeper

The system itself can't prove anything. When the document that everyone can understand what it is supports the system, then the system become the most powerful weapon.

  • The code and configuration files, and Ansible playbook based on Git (private Gitea)
  • Architecture Report based on bookstack (As-Is)
  • Policy and Norms Report based on bookstack (To-Be)
  • Audit Report based on bookstack (Proof of Compliance)
  • hacking simulation for public licence

Use podman network and podman volume, create kali and alpin container to train and study about hacking in dev server. These containers won't combined with systemd via Quadlet

Reference in New Issue View Git Blame Copy Permalink