source link: https://blog.jessfraz.com/post/home-lab-is-the-dopest-lab/

Home Lab is the Dopest Lab

Sunday, December 3, 2017 · 4 min read


I always have some random side project I am working on, whether it is making the world’s most over-engineered desktop OS all running in containers or updating all my Makefiles to be the definition of glittering beauty.

This post is going to go over how I recently redid all my home networking and ultimately how I got to here:

ssh-ed into my dev NUC from a Pixelbook 39,000 feet, authenticated from an ssh key on a yubikey, the future is dope AF

— jessie frazelle (@jessfraz) November 22, 2017

I used Unifi for everything and this is what I got:

It was so good looking when it arrived.

My network is about to get real… fast!!!

This switch is (dare I say it) sexy as hell. pic.twitter.com/fmaLkW2AFB

— jessie frazelle (@jessfraz) November 16, 2017

I love fun side projects so obviously I set it all up right away. You need a “controller” to have the nice Unifi UI. You can buy a cloud key but I wanted to run the controller in a container just like Dustin Kirkland. So I set about writing a Dockerfile for the controller and it is now at r.j3ss.co/unifi.

You can run it with:

docker run -d --restart always \
    -v /etc/localtime:/etc/localtime:ro \
    --name unifi \
    --volume path/to/where/you/want/your/data:/config \
    -p 3478:3478/udp \
    -p 10001:10001/udp \
    -p 8080:8080 \
    -p 8081:8081 \
    -p 8443:8443 \
    -p 8843:8843 \
    -p 8880:8880 \
    r.j3ss.co/unifi

The web UI is at https://{ip}:8443. To adopt an access point and get it to show up in the software, you will need to ssh into the AP and run (with $AP_IP set to the AP's address and $address set to the controller's address; braces keep the shell from mangling the variable names):

ssh ubnt@${AP_IP} mca-cli set-inform http://${address}:8080/inform

Then I went crazy and made sure everything that needed to talk to each other was on the same subnet and everything else was isolated into its own subnet. I used VLANs to do this.

Also be careful not to subnet yourself into a hole ;)

me just now: "this was my fear! sub-netting myself into a hole!"

— jessie frazelle (@jessfraz) November 30, 2017

The best thing about these APs is that they are Power over Ethernet! One cord, one cord!!!

<naughty-by-nature>You down wit' PoE?</naughty-by-nature>

— Dan McDonald (@kebesays) November 16, 2017

I have a bunch of Intel NUCs thanks to Carolyn Van Slyck and Joe Beda for their thought leadership… my wallet is not happy with you two. Also check out Carolyn’s post on her NUC setup.

They have LEDs on the front that change color. There is a kernel driver for them.

— Joe Beda (@jbeda) October 18, 2017

I hooked them all into my Switch (glorious) and into their own subnet. Then I went about setting up SSH for all of them.

I use Yubikeys for authentication to GitHub and literally everything else where that is possible so I made a bot to sync any new ssh keys added to my GitHub to the authorized keys on my server. It lives at github.com/jessfraz/sshb0t.

I would ONLY recommend doing that if you have two factor auth turned on so you ensure no one else but you can access your account. And honestly if someone gets into my GitHub account I am going to have wayyyy worse issues than them getting into my NUCs.
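The kind of sync sshb0t does, sketched as an added Python example (mine, not the project's code): it assumes GitHub's https://github.com/<user>.keys endpoint (one public key per line), validates each line's key blob before anything reaches authorized_keys, keeps the synced keys in a marker-delimited section so hand-added keys outside it are left alone, and writes the file atomically with 0600 permissions. The sample input is constructed, not real keys, so the core logic runs offline.

```python
"""Sync GitHub-published SSH keys into authorized_keys (added illustration).

Not sshb0t's code. Assumes GitHub's https://github.com/<user>.keys endpoint
(one key per line) and a marker-delimited "managed" section so hand-added
keys outside it are never touched.
"""
import base64
import os
import struct
import sys
import tempfile
import urllib.request

ALLOWED_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"}
BEGIN = "# BEGIN github-sync (managed; do not edit)"
END = "# END github-sync"


def parse_pubkey(line):
    """Return (type, base64) for a well-formed key line, else None.

    The blob must decode and the type string inside it (OpenSSH wire format:
    uint32 length + bytes) must equal the declared type, so a line that only
    starts with a plausible prefix never reaches authorized_keys.
    """
    parts = line.split()
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        return None
    ktype, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])
    return (ktype, b64) if blob[4:4 + n] == ktype.encode() else None


def render_managed_block(keys_text, user):
    """Build the managed section; malformed or disallowed lines are skipped."""
    lines = [BEGIN]
    for raw in keys_text.splitlines():
        parsed = parse_pubkey(raw.strip())
        if parsed is not None:
            lines.append(f"{parsed[0]} {parsed[1]} github:{user}")
    lines.append(END)
    return "\n".join(lines) + "\n"


def merge_authorized_keys(existing, block):
    """Replace the managed section (or append one), keeping every other line."""
    lines = existing.splitlines()
    if BEGIN in lines and END in lines and lines.index(BEGIN) < lines.index(END):
        i, j = lines.index(BEGIN), lines.index(END)
        head, tail = lines[:i], lines[j + 1:]
    else:
        head, tail = lines, []
    return "\n".join(head + block.rstrip("\n").split("\n") + tail) + "\n"


def sync(existing, keys_text, user):
    """Pure core: current file text + fetched key list -> new file text."""
    return merge_authorized_keys(existing, render_managed_block(keys_text, user))


def write_atomically(path, content):
    """Temp file + rename so sshd never reads a half-written file; 0600 for StrictModes."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".authkeys.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def _constructed_blob(ktype, payload):
    """Wire-format blob for a CONSTRUCTED (not real) key, used only as sample input."""
    return base64.b64encode(struct.pack(">I", len(ktype)) + ktype.encode() + payload).decode()


# Constructed sample of a .keys response with junk mixed in; only line 1 is kept.
SAMPLE_KEYS_TEXT = "\n".join([
    "ssh-ed25519 " + _constructed_blob("ssh-ed25519", struct.pack(">I", 32) + b"\x01" * 32),
    "ssh-rsa not-base64!!",                                  # undecodable
    "ssh-dss " + _constructed_blob("ssh-dss", b"\x00"),      # disallowed type
    "ssh-ed25519 " + _constructed_blob("ssh-rsa", b"\x00"),  # blob/type mismatch
])

if __name__ == "__main__":  # usage: python sync_keys.py jessfraz ~/.ssh/authorized_keys
    user, path = sys.argv[1], sys.argv[2]
    with urllib.request.urlopen(f"https://github.com/{user}.keys", timeout=10) as r:
        fetched = r.read().decode()
    try:
        current = open(path).read()
    except FileNotFoundError:
        current = ""
    write_atomically(path, sync(current, fetched, user))
```

The two things worth copying from this are the marker-delimited section (a stale or compromised key disappears on the next sync, while keys you added by hand survive) and the blob check: trusting the endpoint's output blindly means a bad line ends up in the file sshd reads, so the line is parsed the way sshd would parse it before it is written.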

I have ssh keys on Yubikeys that I set up. There is a really great guide to doing this on GitHub so I am not going to repeat it.

I have dockerfiles for all the Yubikey tools you need to set it up in my dockerfiles repo.

For example you can jump into a container with ykman with:

docker run --rm -it \
    -v /etc/localtime:/etc/localtime:ro \
    --device /dev/usb \
    --device /dev/bus/usb \
    --name ykman \
    r.j3ss.co/ykman bash

This works for all the other docker images like ykpersonalize etc. If you get stuck all the commands are in my dotfile aliases at github.com/jessfraz/dotfiles.

I like to require “touch to authenticate”. You can do this with:

# for every ssh connection
ykman openpgp touch aut on

# for signing
ykman openpgp touch sig on

# for encrypting
ykman openpgp touch enc on

For the Chromebook Pixelbook ssh client authentication you just need the Smart Card reader extension and you are good to go! You can find the guide on that from the Chromium Docs.

Let me just answer the most common question I get… No, I don’t use Crouton on my Chromebooks I just ssh to the cloud or to my home lab. I like things clean and minimal if you have not noticed already.

Okay so that’s all for now. I’ll do another deep dive into the rest of my infrastructure when I’m not overwhelmed with how much there is…

There’s so much:
- scripts for setting up ssh on yubikeys
- unifi setup
- nuc provisioning
- auto updates & maintenance
- build infrastructure for all my images etc
- security of all the things
- cameras
- keeping all laptops up to date

— jessie frazelle (@jessfraz) November 29, 2017
