A little less than a year ago, I wrote a now-popular post about how I over-engineered my home network for privacy and security. If you haven’t already checked that post out, it walks through how I used a UniFi Dream Machine (although most routers would work), a Pi-Hole to block ads and tracking, cloudflared for DNS over HTTPS, and Cloudflare Gateway to block malware/phishing to (over) optimize my home network for privacy and security.

What I wrote then remains true, but after having relied on, optimized, and upgraded what I described in my previous post for about eighteen months now, I’ve decided to build on what’s there by revisiting and re-over-engineering how I set up, maintain, and manage the software and services that power and protect the network, with a number of specific goals in mind:

- Config (and infrastructure) as code - This is far from a new concept in the industry, but I was somewhat recently introduced to the idea of treating servers like cattle, not pets. While config as code may come more naturally when managing a cluster of servers, even when managing only a single Raspberry Pi, prefer defined and well-understood changes over guess-and-check server administration.
- Outsource to the experts - The less I have to trust myself to “get it right”, the better. “Copy and paste these random commands from Stack Overflow” isn’t the best way to run a security-conscious home network. Instead, rely on the open source community’s established, vetted, and maintained builds, configurations, and defaults through known and trusted distribution channels.
- It (still) needs to “just work” - A dependency update shouldn’t be able to steal hours of my weekend due to an unexpected conflict or config change. I wanted to get out of the bespoke sysadmin business, provisioning and then immediately walking away from “set it and forget it” systems wherever possible. Ideally, systems would update themselves regularly, and upgrades would be predictable and boring.

To head down this route, beyond having read the original post along with some basic familiarity with home networking (understanding how things like DNS and IPs work), it would help to have some conceptual familiarity with containerization and provisioning tools to adapt the setup to your own needs.

With that, here’s how I re-over-engineered my home network with a few improvements to how I set up, maintain, and manage things:

- Using Docker Compose to maintain distinct services.
- Using Ansible to set up the underlying “bare metal” hardware.
- Using Caddy to secure the management interface with HTTPS.

Edit (2021-11-04): Since originally publishing this post, I’ve swapped out Pi-Hole + cloudflared in favor of AdGuard Home, and haven’t looked back. While the functionality is largely comparable at this point, and ultimately you could be happy with either, I ended up preferring AdGuard Home for a number of reasons:

- A more modern stack - PHP + dnsmasq vs.
- Admin experience - A sleeker web interface with fewer knobs and dials to endlessly tinker with.
- One less point of failure - Native DoH support meant I could eliminate cloudflared, while still using Cloudflare Teams as my upstream resolver.
- Config as code - Settings are contained in a single YAML file that I could version and more easily deploy with Ansible.

Pi-Hole has been around for longer and has a more established community, so again, you could be happy with either, but I’ve updated this post to reflect that, since it was originally written, I now personally prefer and generally recommend AdGuard Home.

With that, let’s get on to the setup (which continues to work for both):

Docker Compose

Rather than running applications on “bare metal” as I described in my original post, I now run the various software bits that support my home network as distinct services managed as Docker containers. For those unfamiliar, Docker uses OS-level virtualization to automate the deployment of applications as portable, self-sufficient containers, and Docker Compose is a tool for defining and running multiple Docker containers alongside one another.

At first, the added complexity might feel counterintuitive for what seems like a straightforward service management problem, but there are a number of notable advantages to using Docker here:

- Install without drama - The standard install process for most projects is to follow the documentation until the instructions inevitably fail and then to paste random commands from the internet into the console until it inexplicably works. With Docker, I’m essentially outsourcing dependency and configuration management (through standardized build processes and pre-compiled images) to the projects’ maintainers, who know infinitely more about the ecosystem than I ever will.
- Isolation - Docker isolates processes from one another through defined compute, memory, and networking interfaces, which adds an additional layer of security and predictability.
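To make the Docker Compose setup introduced above concrete, here is an added example (not the post's own compose file) of running AdGuard Home and Caddy as two isolated services: only the resolver is published to the LAN, the admin UI is reachable solely through Caddy over an internal network, and each container gets explicit resource limits. The service names, host paths, network name and limits are assumptions.

```yaml
# docker-compose.yml (added example, not the author's file; service names,
# host paths, the network name and the resource limits are assumptions)
services:
  adguardhome:
    image: adguard/adguardhome
    container_name: adguardhome
    restart: unless-stopped
    ports:
      # Only the resolver is published to the LAN.
      - "53:53/tcp"
      - "53:53/udp"
      # The admin UI (port 3000 on first run, then whatever the setup wizard
      # chose) is NOT published; Caddy reaches it over the internal network.
    volumes:
      # AdGuardHome.yaml lives in ./adguard/conf, so it can be versioned and
      # pushed with Ansible (config as code); upstream DoH resolvers go under
      # dns.upstream_dns in that file, which removes the need for cloudflared.
      - ./adguard/conf:/opt/adguardhome/conf
      - ./adguard/work:/opt/adguardhome/work
    networks:
      - homenet
    deploy:
      resources:
        limits:          # bound the blast radius of a misbehaving container
          cpus: "1.0"    # (honored by docker compose v2)
          memory: 256M

  caddy:
    image: caddy:2
    container_name: caddy
    restart: unless-stopped
    ports:
      - "443:443"        # HTTPS front door for the management interface
    volumes:
      - ./caddy/Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy_data:/data # persisted certificates and keys
    networks:
      - homenet
    depends_on:
      - adguardhome

networks:
  homenet: {}            # user-defined bridge: containers resolve each other by name

volumes:
  caddy_data: {}
```

In the Caddyfile, a site block for your chosen hostname containing `reverse_proxy adguardhome:3000` is all that is needed to put HTTPS in front of the UI. On Raspberry Pi OS or Ubuntu a host stub resolver may already hold port 53, so check with `ss -lunp` before bringing the stack up.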