Home Lab is the Dopest Lab

Sunday, December 3, 2017

I always have some random side project I am working on, whether it is making the world’s most over-engineered desktop OS all running in containers or updating all my Makefiles to be the definition of glittering beauty.

This post is going to go over how I recently redid all my home networking and ultimately how I got to here:

I used Unifi for everything and this is what I got:

It was so good looking when it arrived.

I love fun side projects so obviously I set it all up right away. You need a “controller” to have the nice Unifi UI. You can buy a cloud key but I wanted to run the controller in a container just like Dustin Kirkland. So I set about writing a Dockerfile for the controller and it is now at r.j3ss.co/unifi.

You can run it with:

docker run -d --restart always \
    -v /etc/localtime:/etc/localtime:ro \
    --name unifi \
    --volume path/to/where/you/want/your/data:/config \
    -p 3478:3478/udp \
    -p 10001:10001/udp \
    -p 8080:8080 \
    -p 8081:8081 \
    -p 8443:8443 \
    -p 8843:8843 \
    -p 8880:8880 \
    r.j3ss.co/unifi

The web UI is at https://{ip}:8443. To adopt an access point and get it to show up in the software, you will need to ssh into the AP and run:

ssh ubnt@$AP-IP mca-cli set-inform http://$address:8080/inform

Then I went crazy and made sure everything that needed to talk to each other was on the same subnet and everything else was isolated into its own subnet. I used VLANs to do this.

Also be careful not to subnet yourself into a hole ;)

The best thing about these APs is that they are Power over Ethernet! One cord, one cord!!!

NUCs

I have a bunch of Intel NUCs thanks to Carolyn Van Slyck and Joe Beda for their thought leadership… my wallet is not happy with you two. Also check out Carolyn’s post on her NUC setup.

I hooked them all into my Switch (glorious) and into their own subnet. Then I went about setting up SSH for all of them.

I use Yubikeys for authentication to GitHub and literally everything else where that is possible so I made a bot to sync any new ssh keys added to my GitHub to the authorized keys on my server. It lives at github.com/jessfraz/sshb0t.

I would ONLY recommend doing that if you have two factor auth turned on so you ensure no one else but you can access your account. And honestly if someone gets into my GitHub account I am going to have wayyyy worse issues than them getting into my NUCs.
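To show what a sync like that has to get right, here is an added example in Go (it is not the sshb0t code from the repo above). It validates every line of GitHub's public `<user>.keys` feed before installing it, and tags the lines it owns so that keys you added by hand survive while a key you delete on GitHub is revoked on the box too. The marker comment and the stdin/argument handling in main are my own assumptions.

```go
package main

import (
	"encoding/base64"
	"io"
	"os"
	"strings"
)

const tag = "# synced-from-github" // marks the lines this tool owns (constructed marker)
// ValidKey accepts only "<type> <base64>" lines whose decoded blob starts with the same
// key type, so a mangled line or non-key text in the feed is never installed.
func ValidKey(line string) bool {
	f := strings.Fields(line)
	if len(f) != 2 {
		return false
	}
	blob, err := base64.StdEncoding.DecodeString(f[1])
	if err != nil || len(blob) < 4 {
		return false
	}
	n := int(blob[0])<<24 | int(blob[1])<<16 | int(blob[2])<<8 | int(blob[3])
	return len(blob) >= 4+n && string(blob[4:4+n]) == f[0]
}

// Merge keeps every line the tool does not own (keys you added by hand) and replaces the
// owned set with what the feed lists now, so a key removed on GitHub is revoked here too.
func Merge(existing, feed string) string {
	var out []string
	for _, l := range strings.Split(existing, "\n") {
		if l != "" && !strings.HasSuffix(l, tag) {
			out = append(out, l)
		}
	}
	for _, l := range strings.Split(feed, "\n") {
		if l = strings.TrimSpace(l); ValidKey(l) {
			out = append(out, l+" "+tag)
		}
	}
	return strings.Join(out, "\n") + "\n"
}

// usage: curl -fsS https://github.com/<user>.keys | go run sync.go ~/.ssh/authorized_keys
func main() {
	feed, _ := io.ReadAll(os.Stdin)
	existing, _ := os.ReadFile(os.Args[1]) // a missing file just means no keys yet
	if err := os.WriteFile(os.Args[1], []byte(Merge(string(existing), string(feed))), 0o600); err != nil {
		panic(err)
	}
}
```

Run it from a cron job or a systemd timer only over TLS to github.com, since whoever controls that feed controls who can log in.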

I have ssh keys on Yubikeys that I set up. There is a really great guide to doing this on GitHub so I am not going to repeat it.

I have dockerfiles for all the Yubikey tools you need to set it up in my dockerfiles repo.

For example you can jump into a container with ykman with:

docker run --rm -it \
    -v /etc/localtime:/etc/localtime:ro \
    --device /dev/usb \
    --device /dev/bus/usb \
    --name ykman \
    r.j3ss.co/ykman bash

This works for all the other docker images like ykpersonalize etc. If you get stuck, all the commands are in my dotfile aliases at github.com/jessfraz/dotfiles.

I like to require “touch to authenticate”. You can do this with:

# for every ssh connection
ykman openpgp touch aut on

# for signing
ykman openpgp touch sig on

# for encrypting
ykman openpgp touch enc on

For the Chromebook Pixelbook ssh client authentication you just need the Smart Card reader extension and you are good to go! You can find the guide on that from the Chromium Docs.

Let me just answer the most common question I get… No, I don’t use Crouton on my Chromebooks I just ssh to the cloud or to my home lab. I like things clean and minimal if you have not noticed already.

Okay so that’s all for now. I’ll do another deep dive into the rest of my infrastructure when I’m not overwhelmed with how much there is…