What if you could buy off the shelf a box based on #opensource software and hardware that you could plug into your internet connection. You could connect to via Wifi and it would allow an average person to fairly easily configure, via a guided setup, a self hosted Cloud Drive, Social Media server, home automation service, VPN end point, email server and other commonly useful software?
What if that box allowed that person’s friends to authenticate and to that box and link a box they own, either close by or remotely. It could extend connectivity and estabilish a chain of trus, provide a level of encrypted backup of content from that box and make assertions about the users on that box such as - This user account is owned by this person, this user account is over 18?
This is a dream. I know I’m rambling. #openwrt, #yunohost, #seflhost, #chainoftrust, #fediverse
@mspencer712 On your point regarding a single device - I don’t think that separate hardware necessarily provides security - Though I take your point - perhaps it could be about a compatible - modular architecture - a home server, a router, a home automation hub - that are linked together easily and well.
Agree on the issue with Open source be of the “let a thousand flowers bloom” ( i just saw someone post they have a new “templated based home server” lemmy.world/post/38362941 ) - but I think thats a strength - people try stuff out - things are more loosely coupled and rely on open standards - perhaps that’s a whole philispophical discussion but I think open source and open standards would attract hardware vendors - (I’m seeing plently more Openwrt based routers on chinese marketplaces than I used to - they just don’t want the overhead of having to provide their own fully featured software.
I also get the - at the moment doing it yourself requires knitting together alot of stuff - that’s my point - the components are all there - its more about bringing them together and smoothing the surfaces - something that I think #Homeassistant seem to be quite good at - Perhaps what is required is that kind of organisation - where there is the prospect of picking up some funding and selling some hardware that comes with all the branding.
To add to Onomatopoeia’s excellent post, separate devices also limit the blast radius of any compromise. Attackers pivot when they compromise a system. They use one system to talk to others and attack them from inside your network. So you don’t want everything on the same OS kernel.
Unfortunately I don’t feel like I’m qualified to say what works well yet, not until I have the pieces of my site put together and working, and vetted by whatever security professionals I can get to look at it and tell me what I did wrong.
But right now I think that looks like every service VM on its own VLAN on a /30 net, and ideally the service VM and firewall/router VM serving it on different physical hardware joined by a managed switch. That managed switch shouldn’t let either VM host touch its management VLAN, and (I think, I don’t do this yet) should send monitor traffic to yet another physical host for analysis.
(“I can see why you’re not done yet” - yeah I know.)
@mspencer712 Yeah … though I suspect that perfect could be the enemy of the good enough. I can’t really comment - but whether its a single pyhsical device or modular - for me an integrated solution available to regular people is the key.
Separate devices provide reliability and supportability.
If your all-in-one device has issues, you can’t remote in to maintain it.
Take a look at what enterprises do: redundant external interfaces, redundant services internally. You don’t necessarily need all this, but it’s worth considering "how do I ensure uptime and enable supportability and reliability? ".
Also, we always ask “what happens if the lone SME (Subject Matter Expert) is hit by a bus?” (You are that Lone SME).
@Onomatopoeia I think in this case redundancy could be better delivered through a degree of distribution / modularity - perhaps through keeping compontents separate (I have an issue with an application but that doesn’t knock out router features) but also through chain of trust with friends and family - you can’t access your device (network, power, application ) then you could access backups stored with others - But I do take the point - and discused it in another comment - that perhaps modularity is the answer (e.g. Having a battery backup component that cound support a router component and an app server component ) but perhaps I’m over thinking this anyway - I have no practical way of implementing such a solution / framework myself - perhaps I’m just provocatively discussing it so that people like #Netbox and @bananapi see the discussion and think - hmm perhaps we should have closer relationships with Openwrt or Yunohost - or encourage them to come together somehow…
Exactly, keeping components separated, especially the router.
Hardware routers “cost money because they save money” (Sorry, couldn’t resist that movie quote). A purpose-built router will just run and run. I have 20 year old consumer routers that still “just work”. Granted, they don’t have much in the way of capability, but they do provide a stable gateway.
I then use two separate mesh network tools, on multiple systems. The likelihood of both of those failing simultaneously is low. But I still have a single failure point in the router, which I accept - I’ve only had a couple outright fail over 25 years, so I figure it’s a low risk.
Regarding the Lone SME thing, my wife has already told me if something happens to me, all my server stuff is getting donated. I should not expect her to maintain it after I’m gone. And I don’t. That’s entirely reasonable. If it lives on after I’m gone it’ll be because the recipe thing was useful enough for others to maintain. My specific server and domain kinda don’t matter.