I worte a guide last year on how I do network bound encryption - that is the disk will automatically decrypt at boot if it's connected to my home network, but not if the disk or machine is removed from my house. The advantage over the dropbear method is that you can set unattended upgrades to auto reboot your server whenever it installs security updates, and it'll come back up with no manual intervention from you.
iMeddles
joined 2 years ago
I don't at the moment, because I don't have a need for it, but I did for a while run a PoC with Step CA, and that seems like the easiest way to get up and running, even if its features are overkill for a home lab.
if you go down the luks route, an option to look at is Clevis/Tang for automatic unlocking on a trusted network. I have a tang server running in the cloud, firewalled to my home IP, so if my server reboots in my house, it auto unlocks, but if you steal it and try to turn it on anywhere else, it won't be able to auto unlock, and will require a password.
I should write that config up somewhere as a guide.
Thinkst have also published opencanary which you can run yourself and contains a decent subset of what their hardware canaries run, including SSH and cifs.
Every machine is named after what it does (although I do 1337-ify the names, because I'm still a late 90s IRC teen at heart). If you've ever been onboarded into a sysadmin role where all the machines are named with whatever whimsical naming scheme each department chose, you'll fast develop a visceral hatred for non-descriptive naming schemes. The fifth time you get a ticket saying something like 'Hedwig is down' and you have to go crawling through three layers of linked files on SharePoint to find what and where 'Hedwig' is, you'll be ready to beat the person who named it to death, and that attitude tends to persist to your home naming scheme :p
The ultimate bad bot blocker (https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker) does the heavy lifting for me, it updates multiple times per day to add and remove IP addreses and bot referers. It does need some monitoring though, some of the rules wildcard a bit hard and will catch mastadon servers with unusual names for example.