A little less than a year ago, I wrote a now-popular post about how I over-engineered my home network for privacy and security. If you haven’t already checked that post out, it walks through how I used a UniFi Dream Machine (although most routers would work), a Pi-Hole to block ads and tracking, cloudflared for DNS over HTTPS, and Cloudflare Gateway to block malware/phishing to (over) optimize my home network for privacy and security.
What I wrote then remains true, but after having relied on, optimized, and upgraded what I described in my previous post for about eighteen months now, I’ve decided to build on what’s there by revisiting re-over-engineering how I setup, maintain, and manage the software and services that power and protected the network with a number of specific goals in mind:
Config (and infrastructure) as code - This is by far from a new concept to the industry, but I was somewhat-recently introduced to the idea of treating servers like cattle, not pets. While config as code may come more naturally when managing a cluster of servers, even when managing only a single Raspberry Pi, prefer defined and well-understood changes over guess-and-check server administration.
Outsource to the experts - The less I can trust to me “getting it right”, the better. “Copy and paste these random commands from StockOverflow” isn’t the best way to run a security-conscious home network. Instead, rely on the open source community’s established, vetted, and maintained builds, configurations, and defaults through known and trusted distribution channels.
It (still) needs to “just work” - A dependency update shouldn’t be able to steal hours of my weekend due to an unexpected conflict or config change. I wanted to get out of the bespoke sysadmin business, provisioning and then immediately walking away from “set it and forget it” systems wherever possible. Ideally, systems would update themselves regularly, and upgrades would be predictable and boring.