2025-10-16
TL;DR: I deliberately didn’t work on any projects this week and instead made some improvements to my home network. I’m going to make this a few-times-a-year habit that I call “Improvement Week”. It won’t always be about system administration and networking, just whatever area I think would benefit from some improvement to help future projects. The net result of the effort this time around is that I have a more reliable NAS, a more secure VPS, a new media server, and a new personal VPN.
I’ve been running a NAS for some time now on an old HP tower that my
grandfather gave me when he upgraded to an iMac. He called it a “boat
anchor”, so that’s its host name. Until this week,
boatanchor was just running some recent iteration of
Debian, which was fine, but I saw no reason why it shouldn’t
run NixOS and fall in line with the rest of my machines. This turned out
to be a good decision and a delightful experience. I temporarily hooked
up a monitor and keyboard to the tower and booted a minimal NixOS live
image, pulled in my git repo from a different partition on
the same USB, set up ZFS,1 and ran nixos-install
with the right options. A few minutes later, I had a nice new system
with nothing in it except for the exact tools and configurations that I
would want in a headless system.
By the way, I’ve been enjoying this implementation of USB multiboot. It’s more of a guide than anything else, and after some fighting with GRUB it’s actually quite reliable. I’d previously used Ventoy, but apparently there are some questionable binary blobs (see here, here, here, and elsewhere) in the mix that make me uneasy about using it. This alternative approach solves a minor problem I’ve been grating against for a few years now.
With boatanchor in good shape,2 I
moved on to my Linode VPS. I’ve had this VPS since 2017, at which time I
didn’t know much about Linux and just installed Ubuntu 16.04 for lack of
a better idea. Later I upgraded to 20.04, but over the years I’d
experimented with various services and not done a good job of keeping
the system secure. The standard layer of cruft had also accumulated in
my home directory and elsewhere, so I decided it was time to start over
and do things in a way that’s at least closer to “right”. This meant
pulling down important data to boatanchor, nuking the disk
from the Linode web interface, setting up a new Debian install, and then
running my
StackScript for a minimal VPS with Docker.
My goal with this system is to keep all services in Docker containers
and not leave a bunch of processes listening on ports if I’m not using
them regularly. My rationale is that even if someone finds a
vulnerability in a given service, they’ll still have a harder time
taking control over the entire node (or other services) from inside a
container. It’s not impossible, but it’s harder. I’ve also configured
the firewall to drop everything except for a list of exceptions, which
as I understand it is a good way to go. I also have deliberately
disabled the SSH server on the VPS because I can do most administration
through Linode’s LISH
interface on the web. I can turn it on and open the firewall briefly
when I need to rsync something for this blog, but then I
tear it all down again when I’m done. There’s no reason for that port to
be hanging open all the time when I’m not using it.3
Anyway, one docker-compose.yml later and I was done.
Caddy was easy to learn and configure, and the automatic HTTPS
is a refreshing change from configuring TLS cert renewals under
nginx. I wasn’t able to get my RustDesk relay server going
again (or rather, I couldn’t get my clients to connect), but I suspect
that may be a skill issue. I decided to drop it for now since I only
ever use it to provide tech support for my grandmother, and I have other
solutions to that problem.
I’ve run VPNs before, but never WireGuard. Practically every opinion I’ve heard or read about WireGuard is positive, and I’d been meaning to get a VPN going again anyway, so off I went. Network configuration is never easy (for me), and WireGuard isn’t so good that it can escape that completely, but I found the setup much less painful than my smoothest day with OpenVPN. The linuxserver.io image was easy to set up on my VPS, and after some minor troubleshooting I was able to get clients to ping the server and each other. I went with a split tunnel arrangement since I don’t need all traffic to go through the server, just traffic between peers. There’s still more tweaking to do here, and I haven’t even rolled out to all of my hosts yet, but it seems like it’s going to easily solve my primary problem of accessing my home network while I’m away.
I did struggle with NixOS a little on this, but ultimately I was able to get it working by just pointing it to the config file directly:
networking.wg-quick.interfaces.wg0.configFile = "/home/bradley/.config/wireguard.conf";and including openresolv in my package list. I also
threw in wireguard-tools just to have them on hand. I’ll
add that path to my list of persisted files for my impermanence config,
and that’ll be that.
The first (but perhaps most boring) thing I handled was a divergence
in my NixOS configurations between machines. Over the months since I
switched over, I’ve been using local clones of the same git
repository on all machines to provide the Nix code, which is a mixture
of generic modules and host-specific configuration values. This works
well and leans on git’s “true” use case as a decentralized
version control system, but it’s mildly annoying to keep the
configurations in sync all the time, so they drift. This was pretty easy
to fix once I took the time to handle conflicts and run
git pull everywhere. Maybe in the future it would be nice
to introduce some periodic fetching, but I imagine that may cause more
problems than it solves.
I also set up a Jellyfin server on boatanchor (in
Docker, of course) to provide a management and viewing frontend for some
physical media that I’d previously ripped and put on the NAS. It remains
to be seen how this will integrate into my media habits, but I like it
so far.
I did try the latest kernel version first, but it turns
out that the ZFS kernel module is broken for that version right now (at
least in nixpkgs), so I had to roll back to the latest LTS
version of the kernel.↩︎
I also moved the box and the external USB drive enclosure to a new part of the lab on a different outlet, which seems to have resolved the periodic disconnections I’d been seeing between the main host and the drives. I guess the previous outlet or power strip may be faulty.↩︎
In my early days with this VPS, I had been running the SSH server on the default port, and one day I looked through the authentication logs to find tons of login attempts. I learned that this is common and decided to move my server to a random high port to achieve some security through obscurity. I know public key authentication is pretty good in OpenSSH, but it made me uncomfortable to think about all those bots at the gates. Of course, keeping the service off completely except when I need it is more or less the optimal solution for my situation.↩︎