
My home service stack


home-service

Archived as I cannot be assed to fix my IPv6 routing issues from the Fedora IoT vm on my Firewall.

Core components

  • direnv: Update environment per working directory.
  • podman: A tool for managing OCI containers and pods with native systemd integration.
  • renovate: Universal dependency automation tool.
  • sops: Manage secrets which are committed to Git, using Age for encryption.
  • task: A task runner / simpler Make alternative written in Go.

Setup

System configuration

  1. Install required system deps and reboot

    sudo rpm-ostree install --idempotent --assumeyes git go-task
    sudo systemctl reboot
  2. Make a new SSH key and add it to GitHub, install your GitHub public keys for inbound SSH, then clone your repo. The curl below overwrites ~/.ssh/authorized_keys with the public keys on your GitHub profile, so only the keys listed there will be able to log in to this device; -f makes curl exit non-zero on a bad username instead of saving an HTML error page as your authorized_keys. The clone over SSH needs a key that is registered on your GitHub account.

    export GITHUB_USER="onedr0p"
    curl -fsSL https://github.com/$GITHUB_USER.keys > ~/.ssh/authorized_keys
    sudo install -d -o $(logname) -g $(logname) -m 755 /var/opt/home-service
    git clone git@github.com:$GITHUB_USER/home-service.git /var/opt/home-service/.
  3. Install additional system deps and reboot

    cd /var/opt/home-service
    go-task deps
    sudo systemctl reboot
  4. Create an Age public/private key pair for use with sops. age-keygen prints the public key (age1...), which is the value that goes into .sops.yaml; the file it writes holds the private key, is created with mode 0600, and must never be committed.

    age-keygen -o /var/opt/home-service/age.key

Network configuration

Note

I am using ipvlan to expose most containers on their own IP addresses on the same network as this device; the addresses podman hands out are the ones in the --ip-range flag below. Adjust the subnet, gateway, addresses and interface names to match your own network before running any of this.

  1. Create the podman containernet network

    sudo podman network create \
        --driver=ipvlan \
        --ipam-driver=host-local \
        --subnet=192.168.1.0/24 \
        --gateway=192.168.1.1 \
        --ip-range=192.168.1.121-192.168.1.149 \
        containernet
  2. Setup the currently used interface with systemd-networkd

    📍 Pointing the host's DNS at a container that runs on this same system is a bootstrapping hazard: name resolution on the host (image pulls included) fails whenever that container is down, so dragons may appear 🐉.

    sudo bash -c 'cat << EOF > /etc/systemd/network/enp1s0.network
    [Match]
    Name = enp1s0
    [Network]
    DHCP = yes
    DNS = 1.1.1.1
    DNS = 1.0.0.1
    IPVLAN = containernet
    [DHCPv4]
    UseDNS = false
    EOF'
  3. Setup containernet with systemd-networkd

    ipvlan does not pass traffic between the parent interface and its child interfaces, so the host cannot reach the containers through enp1s0 itself. Giving the host its own ipvlan child (containernet, 192.168.1.120) on the same parent fixes that.

    sudo bash -c 'cat << EOF > /etc/systemd/network/containernet.netdev
    [NetDev]
    Name = containernet
    Kind = ipvlan
    EOF'
    sudo bash -c 'cat << EOF > /etc/systemd/network/containernet.network
    [Match]
    Name = containernet
    [Network]
    IPForward = yes
    Address = 192.168.1.120/24
    EOF'
  4. Disable NetworkManager, then enable and start systemd-networkd

    Do this from a console, or be prepared to lose your SSH session: if enp1s0.network has a mistake the host comes back without an address.

    sudo systemctl disable --now NetworkManager
    sudo systemctl enable systemd-networkd
    sudo systemctl start systemd-networkd
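With ipvlan every container is a first-class host on the LAN, so the podman --ip-range, the host's containernet address, the gateway and the router's DHCP pool all have to be carved out of the same /24 without colliding. The script below is an added example (not code from the home-service repo) that checks an address plan for exactly those collisions before anything is applied. The subnet, gateway, host address and ip-range are the page's own; the DHCP pool bounds (.150-.254) are taken from the LAN row of the topology table further down, and a plan with an overlapping range is constructed to show a failing run. IPv4 only.

```shell
#!/usr/bin/env bash
# Added example: sanity-check the ipvlan address plan used above.
# Checks that gateway, host address and container ip-range lie inside the
# subnet, that neither gateway nor host falls inside the container ip-range,
# and that the container ip-range does not overlap the router's DHCP pool.

# Dotted quad -> integer (word splitting of the tr output is intentional).
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR CIDR -> 0 if ADDR lies inside CIDR
in_subnet() {
    local net prefix mask
    net=${2%/*}; prefix=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# in_range ADDR LO HI -> 0 if LO <= ADDR <= HI (inclusive)
in_range() {
    local a lo hi
    a=$(ip2int "$1"); lo=$(ip2int "$2"); hi=$(ip2int "$3")
    [ "$a" -ge "$lo" ] && [ "$a" -le "$hi" ]
}

# ranges_overlap ALO AHI BLO BHI -> 0 if the two inclusive ranges share an address
ranges_overlap() {
    [ "$(ip2int "$1")" -le "$(ip2int "$4")" ] && [ "$(ip2int "$3")" -le "$(ip2int "$2")" ]
}

# check_plan SUBNET GATEWAY HOST_ADDR RANGE_LO RANGE_HI DHCP_LO DHCP_HI
# Prints one line per problem found and returns the number of problems.
check_plan() {
    local subnet=$1 gw=$2 host=$3 rlo=$4 rhi=$5 dlo=$6 dhi=$7 problems=0 a
    for a in "$gw" "$host" "$rlo" "$rhi"; do
        in_subnet "$a" "$subnet" || { echo "$a is outside $subnet"; problems=$((problems + 1)); }
    done
    [ "$(ip2int "$rlo")" -le "$(ip2int "$rhi")" ] || { echo "ip-range $rlo-$rhi is reversed"; problems=$((problems + 1)); }
    for a in "$gw" "$host"; do
        if in_range "$a" "$rlo" "$rhi"; then
            echo "$a collides with container ip-range $rlo-$rhi"; problems=$((problems + 1))
        fi
    done
    if ranges_overlap "$rlo" "$rhi" "$dlo" "$dhi"; then
        echo "container ip-range $rlo-$rhi overlaps DHCP pool $dlo-$dhi"; problems=$((problems + 1))
    fi
    for a in "$gw" "$host"; do
        if in_range "$a" "$dlo" "$dhi"; then
            echo "$a lies inside DHCP pool $dlo-$dhi"; problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Stand-alone run: the plan from the page, then a constructed bad plan whose
# ip-range (.140-.160) overlaps the assumed DHCP pool (.150-.254).
if [ "${1:-}" = "demo" ]; then
    check_plan 192.168.1.0/24 192.168.1.1 192.168.1.120 192.168.1.121 192.168.1.149 192.168.1.150 192.168.1.254 \
        && echo "page plan: consistent"
    check_plan 192.168.1.0/24 192.168.1.1 192.168.1.120 192.168.1.140 192.168.1.160 192.168.1.150 192.168.1.254 \
        || echo "constructed plan: $? problem(s)"
fi
```

Run it with `bash check-plan.sh demo`; a non-zero return from check_plan is the count of collisions, so it can gate a deployment task directly.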

Container configuration

Tip

To encrypt files with sops, replace the public key in the .sops.yaml file with your own Age public key (the age1... value age-keygen printed). The format should look similar to the one already present.

View the apps directory for documentation on configuring an app container used here, or setup your own by reviewing the structure of this repository.

The included Taskfile provides helper commands to start, stop and restart containers, among others. Run the command below to list all available tasks.

go-task --list
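Before the first task run it is worth confirming that the Age key from Setup step 4 and the .sops.yaml recipient from the tip above actually belong together, and that the private key cannot end up in the repo. The script below is an added example (not code from the home-service repo) that performs those three read-only checks. It assumes the key lives at <repo>/age.key and that .sops.yaml and .gitignore sit at the repo root; the page does not state either, and the sample repo it writes for a stand-alone run uses constructed key material, not a real key.

```shell
#!/usr/bin/env bash
# Added example: read-only pre-flight checks for the age/sops setup.
#   1. age.key is readable by its owner only (mode 0600)
#   2. the public key recorded in age.key is a recipient in .sops.yaml
#   3. age.key is git-ignored, so it cannot be committed next to the secrets
# Assumed layout (not from the page): <repo>/age.key, <repo>/.sops.yaml, <repo>/.gitignore

# Pull the "age1..." public key out of the comment header age-keygen writes.
age_pubkey_from_keyfile() {
    sed -n 's/^# public key: \(age1[a-z0-9]*\).*/\1/p' "$1" | head -n 1
}

# 0 if the key file is mode 0600, 1 otherwise (or if it does not exist).
age_key_is_private() {
    [ -n "$(find "$1" -prune -perm 600 2>/dev/null)" ]
}

# sops_lists_recipient KEYFILE SOPS_YAML -> 0 if the key's public half is a recipient.
# A mismatch here means this host cannot decrypt what sops would commit.
sops_lists_recipient() {
    local pub
    pub=$(age_pubkey_from_keyfile "$1")
    [ -n "$pub" ] && grep -qF -- "$pub" "$2"
}

# gitignore_covers_key GITIGNORE KEYFILE -> 0 if a line equals the key file's name.
gitignore_covers_key() {
    grep -qxF -- "$(basename "$2")" "$1"
}

# sops_preflight REPO_DIR: one line per check, returns the number of failures.
sops_preflight() {
    local repo=$1 fails=0
    if age_key_is_private "$repo/age.key"; then
        echo "ok   age.key is mode 0600"
    else
        echo "FAIL age.key is readable by others: chmod 600 $repo/age.key"; fails=$((fails + 1))
    fi
    if sops_lists_recipient "$repo/age.key" "$repo/.sops.yaml"; then
        echo "ok   .sops.yaml lists this host's age public key"
    else
        echo "FAIL .sops.yaml does not list $(age_pubkey_from_keyfile "$repo/age.key")"; fails=$((fails + 1))
    fi
    if gitignore_covers_key "$repo/.gitignore" "$repo/age.key"; then
        echo "ok   age.key is git-ignored"
    else
        echo "FAIL age.key is not in .gitignore and could be committed"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample repo for a stand-alone run; the secret line is not a real key.
write_sample_repo() {
    local dir=$1
    cat > "$dir/age.key" <<'EOF'
# created: 2024-01-01T00:00:00Z
# public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
AGE-SECRET-KEY-1CONSTRUCTEDSAMPLENOTAREALKEY
EOF
    chmod 600 "$dir/age.key"
    printf 'creation_rules:\n  - path_regex: .*\\.sops\\.(yaml|env)$\n    age: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p\n' > "$dir/.sops.yaml"
    printf 'age.key\n.direnv/\n' > "$dir/.gitignore"
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    write_sample_repo "$tmp"
    sops_preflight "$tmp"
    rm -rf "$tmp"
fi
```

Run `bash sops-preflight.sh demo` to see it against the constructed sample, or call `sops_preflight /var/opt/home-service` after sourcing it on the real checkout; a non-zero return is the number of failed checks.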

Optional configuration

Fish shell

Tip

🐟 fish is awesome, you should try fish!

chsh -s /usr/bin/fish
# IMPORTANT: Log out and log back in
go-task dotfiles

Enable Chrony as a NTP server

Tip

⌚ You can also update /etc/chrony.conf with custom NTP servers. Note that allow all answers NTP queries from any address that can reach this host; to serve only your own networks, use one allow line per subnet (for example allow 192.168.1.0/24) instead.

sudo sed -i 's/^#allow .*/allow all/g' /etc/chrony.conf
sudo systemctl restart chronyd

Tune selinux

Permissive mode only logs denials and no longer confines the containers; podman runs fine with SELinux enforcing if bind-mounted volumes are labelled with :z or :Z, so only do this if you accept the weaker isolation.

sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
sudo systemctl reboot

Disable firewalld

With ipvlan the containers sit on the LAN with their own addresses, so the host firewall never filtered their traffic anyway; disabling it does, however, leave every port listening on the host itself reachable from the LAN.

sudo systemctl disable --now firewalld.service

Network topology

Name        Subnet            DHCP range (last octet)   ARP reserved (last octet)
LAN         192.168.1.0/24    150-254                   120-149
TRUSTED     192.168.10.0/24   150-254                   -
SERVERS     192.168.42.0/24   150-254                   120-149
GUESTS      192.168.50.0/24   150-254                   -
IOT         192.168.70.0/24   150-254                   -
WIREGUARD   192.168.80.0/28   -                         -
