This is indeed similar ! And looks like a working certificate :) (You even use as .csr file).
The book adds something (Not very useful but kinda neat to have): a certificate revocation setup and an IntermediateCA signed by your rootCA. So you can keep your rootCA out of your system :)
Yeah I guess I have made it more complex. But what hard links allow me to achieve is to save disk space while still working on the file without changing the original one. Imagine I have to copy my files to sonarr, have a copy in my torrent directory and also a backup on an external disk… That’s alot of space ! This may be a simpler solution, but only If you have money to spare on disk space. Yes, it’s “cheap” when you have a bank account and money lying around, but that’s not the case for everyone :/. I think the ARR* stack works similarly and works with hard links !
Oh… never heard of Terraform, will have a look, thanks for the pointer !
Hard links are files…
I guess so, but files are just links pointing to inodes ? :) Sorry If I’m wrong here, and please give me the proper knowledge If you are willing to share :)
Edit: After some reading, I think Ansible seems a better fitting. Terraform is more for creating infrastructures while Ansible to manage them and configure them?
(Thanks to darkan15 for explaining that).
I have to look at his answer to have a better understanding :P
The diagram would be useful. Considering that rn I’m losing my mind between man pages.
I’m working on it right now :) I’m a bit overwhelmed with my own LAN setup, and trying to get some feedback from other users :P
As for the book… I can’t accept. Just give me the name/ISBN and I’ll provide myself. Still. Thanks for the offer.
Good. If you have the money to spare please pay for it otherwise you know the drill :) (Myself I’m not able to pay the author so it’s kinda hypocrite on my end… But doing some publicity is also some kind of help I guess?)
Demystifying Cryptography with OpenSSL 3 . 0 by Alexei Khlebnikov <packt>
ISBN: 978-1-80056-034-5
It’s very well written, even as a non-native it was easy to follow :). However, let me give you something along the road, something that will save you hours of looking around the web :) !
Part 5, Chapter 12: Running a mini-CA is the part you’re interested in and that’s the part I used to create my server certificates.
HOWEVER: When he generates the private keys, he uses the ED448 algorithm, which is not going to work for SSL certificates because not a single browser accepts them right now (same thing goes for Curve25519). Long story short, If you don’t want to depend on NIST curves (NSA) fall back to RSA in your homelab ! If you are interested in that story go to p123:
Brainpool curves are proposed by the Brainpool workgroup, a group of cryptographers that were dissatisfied with NIST curves because **NIST curves were not verifiably randomly generated, so they may have intentionally or accidentally weak security. **
Here is a working example for your certificates:
Book:
$ mkdir private
$ chmod 0700 private
$ openssl genpkey \
-algorithm ED448 \
-out private/root_keypair.pem
But should be:
$ mkdir private
$ chmod 0700 private
$ openssl genpkey \
-algorithm RSA \
-out private/root_keypair.pem
You have to use RSA or whatever curve you prefer but accepted by your browser for EVERY key you generate !
Other than that, it’s a great reading book :) And good study material for cryptography introduction !
Oh my… Love changed in a 8-year life span ! I guess nothing stays the same forever 🤷♂️
Sorry, what do you mean by physical/logical diagrams :S! You mean something like Excalidraw ?
I did It for sometimes, but If I do some changes in my setup I always have to keep that update too… So I have to think about it… I do like drawing those diagrams, but keeping those updated is sometimes not directly possible and I can get forgetful !
Thanks for the pointer :). I’m more into open source, so TrueNAS is maybe more fitting, however I’m not sure I do understand it right… Those are OSes? Not some application I can host in a container right? More like Proxmox ?
Sorry I didn’t respond earlier :S !
To let me access the services both from the desktop and the laptop. I’d need to have two DNS resolvers, since for the laptop it needs to resolve to the 192.168.0.* address of the homelab router. While for the desktop it needs to resolve directly to the 10.0.0.* address of the server.
I’m not entirely sure if I get what you mean here. If you have a central DNS resolver like pihole In your LAN it can resolve to whatever is there. I have a pihole which resolve to itself (can access it as pihole.home.lab) and resolves to my server’s reverse proxy, which handles all the port shenanigan and services hosted on my server. I think I can try to make a diagram to show how it works in my LAN right now, not sure if this can be helpful by any mean, but this would allow me to have a more visual feedback of my own LAN setup :P. However, I do use Traefik as my reverse proxy for my docker containers, so I won’t apply to nginx and I’m not sure if this is possible (It probably is, but nginx is a mystery for me xD)
Also, little question. If I do manage to set it up with subdomains. Will all the traffic still go through port 1403? Since the main reason I wanted to setup a proxy was to not turn the homelab’s router into Swiss cheese.
Your proxy should handle all the port things. Your proxy listens to all :80 :443 Incoming traffic and “routes” to the corresponding service and it’s ports.
While I do have my self-learned self-hosted knowledge, I’m not an IT guy, so I may be mistaken here and there. However, I can give you a diagram on How it works on my setup right now and also gift you a nice ebook to help you setup your mini-CA for your lan :)
Subpaths are things of the past (kinda) ! SSL wildcards are going to be a life saver in your homelab !
I have a self-signed rootCA + intermediateCA which are signing all my certificates for my services. But wait… It can get easier just put a wildcard domain for your homelab (*.home.lab) and access all your services in your lan with a DNS provider (pihole will be your friend!).
Here is an very simplified example:
Create a rootCA (certificate authority) and put that on every device (Pc, laptop, android, iphone, tv, box…)
Sign a server certificate with that rootCA for the following wildcard domaine: *.home.lab and put that behind a reverse proxy.
Add pihole as DNS resolver for your local domain name (*.home.lab) or if you like you can manually add the routes on all devices… But that"s also a thing of the past !
Let your proxy handle your services
Access all your services with the following url in your lan
This works flawlessly without the need to pay for any domain name, everything is local and managed by yourself. However, it’s not that easy as stated above… OpenSSL and TLS certificates are a beast to tame and lots of reading ^^ so does Ngnix or any other reverse proxy !
But as soon as you get the hang of it… You can add a new services in seconds :) (specially with docker containers !)
Yeah I feel you… Sorry about that :/ ! At work you probably don’t have a choice, however at home, you are free to choose whatever makes you comfortable.
https://www.amazon.com/Demystifying-Cryptography-OpenSSL-3-0-techniques/dp/1800560346
It’s really a good book :) And the last part is all about a mini-ca for your homelab !
However, don’t use the ED448/ED25519 algorithm based certificates for TLS as mentioned in the example… They are still not supported by any browser !
If you can support the author, please do ! If you’re on a budget, it’s really easy to find in the piracy corner.
Yeah thats correct !
I Wouldn’t say heavy though (maybe I see it that way because I got a bit better with bash and the like :p) because you can make use of CRL to revoke your certificates and renew them very easily with your intermediate and ready to use config files.
But yeah, there isn’t any automated way to manage certificates like Smallstep does :)
Window XP was probably the best and last good Windows version… 10 was kinda okay without all the telemetry shit and bloatware.
Windows 11 feels like macOS with extra steps + spyware on every move, click, clipboard copylpast… Wouldn’t go near that stuff even with full protection and debloat ^^ Just remove that shit and install linux instead.
Or simply create your rootCA, IntermediateCA, keys and certifictes with openSSL.
Neither of those are begginer friendly but openSSL is probably a bit easier to get started. There’s a nice book with openSSL (if you are interested I migh look how it’s called) and the last chapter is all about how to create your mini-CA and everthing else to serve your proxy with valid certificates for your homelab.
Or people who uses it as a mini server and SSH into it while lid is closed 😎
Yeah, I have the same issue with Ironfox… I thought that was related to my ublock origine rules… But I guess it’s not ^^’
Them probably uses a special plugin device in the outlet.
I have this bash script you can use and have a general overview but I’m not totally sure if I fully understand it and if it’s the whole system’s wattage or only the CPU 🤷♂️
#! bash
time=5
sum_1=$(cat /sys/class/powercap/*/energy_uj | awk 'BEGIN { sum = 0; } { sum += $1; } END { print sum; }' "$@");
echo "before" $sum_1
sleep $time;
sum_2=$(cat /sys/class/powercap/*/energy_uj | awk 'BEGIN { sum = 0; } { sum += $1; } END { print sum; }' "$@");
echo "after" $sum_2
sum_1f=$(printf "%.0f" $sum_1)
sum_2f=$(printf "%.0f" $sum_2)
final_sum=$(echo "(($sum_2f - $sum_1f) / 1000000) / $time" | bc -l)
#echo $final_sum | bc -l | xargs printf "%.2f\n"
formated=$(echo $final_sum | bc -l | xargs printf "%.2f\n")
echo $formated "w"
Humm, Alaska air groupe? Are they selling something like pur air at the grocery shops for the whole US or something like that?
STAY IN THE BIKE LANE !!
Depending the format… .ass files can be edited by aegisub mostly used by fansubbers in the anime world.
This seems cool and is not off topic at all :) It does seem to answer to my “question” and seems a nice thing to have :) However, someone suggested Terraform but after some reading it’s not the tool I was looking for… Ansible seems more the like I guess ! But coolify seems also very interesting ! Different and more similar to my current setup.
I think Terraform, Ansible, Tofu are the next generation tool to solve my current issue… They are declarative tools ! But I don’t want to rush things and have another dead setup lying arround !
Thanks for your reply !
Edit: There’s also an alternative https://github.com/Dokploy/dokploy in case you didn’t know :) If you know, can you tell me why you choose on over the other?