I had some spare time today, so I wrote it up on my website here

I don’t at the moment, because I don’t have a need for it, but I did for a while run a PoC with Step CA, and that seems like the easiest way to get up and running, even if its features are overkill for a home lab.

if you go down the luks route, an option to look at is Clevis/Tang for automatic unlocking on a trusted network. I have a tang server running in the cloud, firewalled to my home IP, so if my server reboots in my house, it auto unlocks, but if you steal it and try to turn it on anywhere else, it won’t be able to auto unlock, and will require a password.

I should write that config up somewhere as a guide.

Thinkst have also published opencanary which you can run yourself and contains a decent subset of what their hardware canaries run, including SSH and cifs.

A pihole. Given how much I’ve spent over the years on self hosting kit, few ‘cheap’ things have ended up costing me more than that first 30 quid raspberry pi

Every machine is named after what it does (although I do 1337-ify the names, because I’m still a late 90s IRC teen at heart). If you’ve ever been onboarded into a sysadmin role where all the machines are named with whatever whimsical naming scheme each department chose, you’ll fast develop a visceral hatred for non-descriptive naming schemes. The fifth time you get a ticket saying something like ‘Hedwig is down’ and you have to go crawling through three layers of linked files on SharePoint to find what and where ‘Hedwig’ is, you’ll be ready to beat the person who named it to death, and that attitude tends to persist to your home naming scheme :p