‘If you wish to make an apple pie from scratch, you must first invent the universe’
– Carl Sagan
Since my last post, I’ve completed a major overhaul of my home network and server infrastructure. Fundamentally this began with:
- Purchasing a new single-rack-unit QNAP, a 2.5G switch and 2.5G NICs for my hypervisors;
- Purchasing another HP microserver (for a grand total of 3 hypervisors, and 1 off site server);
- Configuring the QNAP as an NFS server;
- Configuring networking for the QNAP and servers, including VLANs and IPv6 (via SLAAC);
- Migrating all my systems from Linux Containers to VMs, using the QNAP as the storage backend.
All of which has given me much needed flexibility – I can now live-migrate VMs between hosts. In the process I’ve also mapped out all new IP ranges and VLANs for my infrastructure. This is managed by phpIPAM integrated into PowerDNS. The hypervisors are configured with separate bridges for the guest OSes and their subnets. My EdgeRouter handles DHCP and IPv6 prefix delegation to the VLANs/subnets. Having done all of this, I now feel as though I’ve really unleashed the full power of my infrastructure.
With the above complete, I then finally removed my Windows Server VMs, and now use Samba as an AD server which is federated into Keycloak (more on that below). I had wanted to move away from AD, but the alternative, a pure OpenLDAP or Apache Directory system, was going to be more of a learning curve and provide less out-of-the-box functionality and less Windows desktop integration than I needed. That said, I’m very happy to have moved to an entirely open-source setup at home.
With the basics now in place, I was able to configure some new apps and systems including:
- A new Samba file server for my wife and me to store files from our Windows desktops. The system is joined to the domain controller above and I created share drives with NTFS permissions. I’ve transferred all the old files to the new directories. Access is controlled by AD security groups.
- A WireGuard VPN server – using PiVPN. This worked great on my phone/tablet, however I did need to fix the client configuration on my Kubuntu laptop. Fundamentally resolvconf isn’t compatible with the way WireGuard does things. This was fixed with the below in the WireGuard client configuration:
```ini
# Commented out: wg-quick hands a DNS= line to resolvconf, which this laptop does not use.
# DNS = IP_of_DNS_Server1, IP_of_DNS_Server2
# Instead, register the resolvers with systemd-resolved once the tunnel is up.
# %i expands to the tunnel interface name; "~." routes all lookups through it.
PostUp = resolvectl dns %i IP_of_DNS_Server1 IP_of_DNS_Server2; resolvectl domain %i warbel.net ~.
```
- I’m also happy to note that WireGuard works with IPv6 – all clients report the IPv6 address of the VPN server when I poll https://icanhazip.com. PiVPN is a great solution for a small number of clients but does lack any LDAP/AD SSO integration.
- Keycloak: I’ve been keen to learn how SSO works and was introduced to the Keycloak project by a former colleague. I’ve since learned a great deal, and have set up SSO functionality across all my web applications; this includes Nextcloud, this blog, Gitea, my IPAM and DNS solutions, MediaWiki, and unintelligent applications that sit behind the Apache reverse proxy. Keycloak is also federated with AD. I’m particularly proud of setting up Apache to not only use Keycloak to authenticate users, but to only grant access to users who are members of specific groups.
- Set up a password self-service web app – https://ltb-project.org/ – meaning my users (read: my wife) can reset her (now federated) password.
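The group-restricted reverse proxy described above, as an added example rather than the configuration actually used on this site. It uses Apache’s mod_auth_openidc against a Keycloak realm; the hostnames, the realm name `home`, the client ID `wiki`, the backend address and the group name `wiki-admins` are all placeholders. It also assumes the Keycloak client has a “Group Membership” protocol mapper that adds a `groups` claim to the ID token with “Full group path” turned off (with it on, the values look like `/wiki-admins` and the `Require` line must match that form).

```apache
# Added example: Apache + mod_auth_openidc in front of an app that has no
# authentication of its own. Placeholders: keycloak.example.net,
# app.example.net, realm "home", client "wiki", group "wiki-admins".
LoadModule auth_openidc_module modules/mod_auth_openidc.so

<VirtualHost *:443>
    ServerName app.example.net
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app.example.net.pem
    SSLCertificateKeyFile /etc/ssl/private/app.example.net.key

    # Endpoints and token-signing keys are discovered from the realm metadata,
    # so key rotation in Keycloak needs no change here.
    OIDCProviderMetadataURL https://keycloak.example.net/realms/home/.well-known/openid-configuration
    OIDCClientID            wiki
    OIDCClientSecret        replace-with-client-secret
    # The redirect URI must sit under a protected path that the backend never serves.
    OIDCRedirectURI         https://app.example.net/oidc/callback
    # Encrypts the module's session cookie and state.
    OIDCCryptoPassphrase    replace-with-long-random-passphrase
    OIDCScope               "openid profile"
    OIDCRemoteUserClaim     preferred_username

    <Location />
        AuthType openid-connect
        # Being logged in is not enough: the "groups" claim (assumed mapper,
        # see lead-in) must contain wiki-admins, otherwise the module returns 403.
        Require claim groups:wiki-admins

        # Hand the verified identity to the backend and drop any copy the
        # client may have sent, so the header cannot be spoofed.
        RequestHeader unset X-Forwarded-User
        RequestHeader set   X-Forwarded-User "%{OIDC_CLAIM_preferred_username}e"
        ProxyPass        http://10.0.20.15:8080/
        ProxyPassReverse http://10.0.20.15:8080/
    </Location>
</VirtualHost>
```

Two checks worth doing after enabling this: log in as a user who is not in the group and confirm the proxy answers 403 rather than passing the request through, and fetch the backend directly from the hypervisor network to confirm it is only reachable via the proxy, since the group check lives in Apache and not in the application.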