Setup local CA for your lab
Published on Sunday, 31 December, 2023
In modern times, not having HTTPS is not only dangerous but inconvenient as well. Browsers will complain, and some things will simply refuse to work without jumping through hoops.
So having a home lab or local setup almost dictates having a custom certificate, which is a pain. You can create the whole thing in the terminal with openssl, but then you have to store it somewhere, keep track of it, and renew it after a year (and probably figure it all out again and deal with everything that changed in the last year). And the root certificate (or rather its key) is one of the few things that are truly bad to have leaked, since someone with your root CA can forge almost anything.
To somewhat sort this out, I'll show how to deploy HashiCorp Vault. It's not my favourite piece of software, but it does help with keeping the whole Certificate Authority thing reasonable.
continue reading...
Add additional TLD to firefox
Published on Saturday, 30 December, 2023
This is a simple one. The issue I was having is that I have a custom domain for my home lab setup with the .lan tld. Now if you write an address like example.lan into the Firefox address bar, it'll just go straight to your default search engine and search for the term.
Fixing it was surprisingly simple, you just need to add an option to about:config in Firefox.
So all you need to do is:
- go to the Firefox config by typing about:config in the address bar
- enter browser.fixup.domainsuffixwhitelist.lan (where the last part is your desired tld, .lan in my case)
- click the plus icon on the right side of the screen
And that's it, you should now no longer have to explicitly state http:// or https:// in front of your local address.
continue reading...
Simple DNS for your basic needs
Published on Wednesday, 03 February, 2021
Sometimes you don't need (or want) a complex solution to a simple problem like DNS. Therefore this one will be the simplified version of the previous guide, with bind as the only element.
For this one you will again need podman. If you are (like me in this case) doing this on CentOS or a similar machine, getting podman is as simple as:
# dnf install podman
If you are on some other distro, it shouldn't be that complicated.
continue reading...
Infrastructure monitoring with grafana and friends
Published on Tuesday, 02 February, 2021
In this guide we will look into how to configure infrastructure monitoring using Grafana. Besides Grafana itself, we'll use prometheus for metrics aggregation, node_exporter for metrics collection, loki for log aggregation and promtail for log collection.
For this one you will obviously need podman. If you are (like me in this case) doing this on CentOS or a similar machine, getting podman is as simple as:
# dnf install podman
If you are on some other distro, it shouldn't be that complicated.
Now that we have podman, let's talk about what exactly we are doing. We want to achieve the following:
- collect metrics from local and remote machines
- collect logs from local and remote machines
- display everything in pretty dashboards
For those who are not familiar, let's go through each component.
grafana is a web dashboard for visualizing data. It's most commonly used to visualize different metrics.
prometheus is a monitoring system with a time series database and alerting capabilities.
node_exporter is one of many metrics exporters for prometheus, in this case exporting the metrics of the node it's running on.
loki is a log aggregation system inspired by prometheus.
promtail is an agent that collects logs and sends them to loki.
With all this out of the way, let's get started.
continue reading...
Overcomplicated homelab DNS configuration
Published on Monday, 01 February, 2021
In this guide we will look into how to configure an overcomplicated DNS setup using pihole, bind and cloudflared, running inside a podman pod.
For this one you will obviously need podman. If you are (like me in this case) doing this on a CentOS or Red Hat machine, getting podman is as simple as:
# dnf install podman
If you are on some other distro, it shouldn't be that complicated.
Now that we have podman, let's talk about what exactly we are doing. We want to achieve the following:
- custom domain(s) for home lab
- DNS over HTTPS to cloudflare
- DNS blackhole with pihole
For those who are not familiar, let's go through each component.
pihole is a DNS blackhole: it has lists of malicious and/or unwanted addresses and discards queries for them. You can find it at pihole.net and consider it a network-wide ad blocker. It also has a web interface that you can use for configuration and for tracking DNS queries.
bind is a nameserver. It's probably the most common nameserver in the world; it has many features and is able to run ISP-sized DNS servers. In this case we will just use it to provide a local domain. Speaking of the domain, you need to decide what you will use; in this example I'll just use domain.tld.
Cloudflare is a company that provides internet services related to security and performance. Similar to Google's 8.8.8.8 DNS, Cloudflare provides their own DNS server at 1.1.1.1. Since Cloudflare is not an ad-revenue-driven corporation, I prefer them over Google. cloudflared is a daemon that forwards UDP DNS requests over HTTPS to Cloudflare.
So the path of request will be as follows:
origin -> bind -> pihole -> cloudflared -> cloudflare
continue reading...