I worte a guide last year on how I do network bound encryption - that is the disk will automatically decrypt at boot if it’s connected to my home network, but not if the disk or machine is removed from my house. The advantage over the dropbear method is that you can set unattended upgrades to auto reboot your server whenever it installs security updates, and it’ll come back up with no manual intervention from you.

I had some spare time today, so I wrote it up on my website here

I don’t at the moment, because I don’t have a need for it, but I did for a while run a PoC with Step CA, and that seems like the easiest way to get up and running, even if its features are overkill for a home lab.

if you go down the luks route, an option to look at is Clevis/Tang for automatic unlocking on a trusted network. I have a tang server running in the cloud, firewalled to my home IP, so if my server reboots in my house, it auto unlocks, but if you steal it and try to turn it on anywhere else, it won’t be able to auto unlock, and will require a password.

I should write that config up somewhere as a guide.

Thinkst have also published opencanary which you can run yourself and contains a decent subset of what their hardware canaries run, including SSH and cifs.

Yes, if you’ve built the network from scratch that works. Retrofitting it into an existing network however is a massive piece of work when you don’t have that single source of truth to start with however. On networks I’ve built sensibly, I’ll happily give people whatever CNAME they want to refer to their machine, but the machines actual name is descriptive, not the other way round.

My home network is somewhat overkill ;p but so far, about £500 on compute to run VMs, >£1000 on a nas and various other offsite and local stoarage, a couple hundred quid on networking gear, and then the extra premium on smart home devices you pay for non-tracking versions of the hardware (e.g a ring video doorbell would have cost me £40 less than the reolink I ended up buying). I’ve also so far spent over £75 on smart light switches trying to find one that both works with home assistant and fits inside my really narrow back boxes without yet finding one that works, so the number is continuing to go up!

A pihole. Given how much I’ve spent over the years on self hosting kit, few ‘cheap’ things have ended up costing me more than that first 30 quid raspberry pi

Every machine is named after what it does (although I do 1337-ify the names, because I’m still a late 90s IRC teen at heart). If you’ve ever been onboarded into a sysadmin role where all the machines are named with whatever whimsical naming scheme each department chose, you’ll fast develop a visceral hatred for non-descriptive naming schemes. The fifth time you get a ticket saying something like ‘Hedwig is down’ and you have to go crawling through three layers of linked files on SharePoint to find what and where ‘Hedwig’ is, you’ll be ready to beat the person who named it to death, and that attitude tends to persist to your home naming scheme :p

Went to university to study Bioinformatics. There I discovered I don’t really like biology, but I did really like getting paid beer to fix other student’s computers. Especially when they were desperate around submission deadlines cos they hadn’t backed up their work for weeks/months before their computer went kaput.

I’ve been a sysadmin now for 13 years since graduating.

Holy shit… for years archive.org only had fairyland and I’d given up on this one ever appearing. Thanks so so much for spotting this. MY QUEST IS OVER. Time to see just how crap it is :D

Fun School 6: Futureland. Its a shitty edutainment game from the 90s that I played non-stop for like a year, that I want to get my hands on for nostalgia purposes. As far as I can tell its not available (online or physical media) anywhere. I finally found a copy for sale a few years ago, but it turned out to be a mislabelled copy of fun school 6: fairyland.

I will keep searching, eventually a copy will show up somewhere!