Security & Infrastructure
Note: This post is out of date, but I am leaving it here for its historical value.
Everything on this domain is self-hosted, from DNS to email and all web services. I currently manage two servers:
amsterdam
: A VM running on a physical server I own and control the physical security of.edinburgh
: A Contabo VPS.
amsterdam
acts as the primary nameserver, controlling DNSSEC signing and is
thus the root of trust for the domain. It also runs the primary mail server and
most web services.
Finally, edinburgh
acts as a router for amsterdam
. It has secondary static
IPv4 and IPv6 addresses that are routed over a tunnel to bypass NAT and hosting
restrictions on my physical server. Additionally, this VPS also acts as secondary
nameserver in case my home network is down.
The goal with all of this is to have some basic redundancy, while keeping sensitive keys and all personal data safely on my physical server.
DNSSEC§
amsterdam
holds a combined signing key for the zone. Dynamic updates
are allowed using a TSIG key to allow ACME DNS-01 challenges for
issuing TLS certificates.
TLS/HTTPS§
amsterdam
holds a Let's Encrypt wildcard TLS certificate for the domain,
which is used to protect web services. The DNS zone contains a CAA record
specifying that only Let's Encrypt may issue certificates for the domain, and
only using ACME DNS-01 challenges. All TLS-capable services have TLSA records
associated with them for DANE-EE support. Finally, all web services use
HTTPS records and HSTS preload headers to advertise support for HTTPS.
Email§
amsterdam
holds DKIM keys for the domain, which is published in DNS
alongside SPF and DMARC records together protect against spoofing
the domain. MTA-STS and DANE-EE are used to advertise TLS support for
incoming mail. Outgoing mail requires that the receiving server support TLS.
WireGuard§
Both servers hold WireGuard keys for their end of the tunnels. The tunnel being encrypted and authenticated isn't actually important for my purposes. This could just as easily use another tunneling protocol like GRE, but I find WireGuard trivial to setup even if it adds some keys to manage.