menu

Security & Infrastructure

2023.09.14 [Updated: 2024.01.25] :: #selfhosting #nix #privacy #security #networks

Note: This post is out of date, but I am leaving it here for its historical value.

Everything on this domain is self-hosted, from DNS to email and all web services. I currently manage two servers:

  • amsterdam: A VM running on a physical server I own and control the physical security of.
  • edinburgh: A Contabo VPS.

amsterdam acts as the primary nameserver, controlling DNSSEC signing and is thus the root of trust for the domain. It also runs the primary mail server and most web services.

Finally, edinburgh acts as a router for amsterdam. It has secondary static IPv4 and IPv6 addresses that are routed over a tunnel to bypass NAT and hosting restrictions on my physical server. Additionally, this VPS also acts as secondary nameserver in case my home network is down.

The goal with all of this is to have some basic redundancy, while keeping sensitive keys and all personal data safely on my physical server.

DNSSEC§

amsterdam holds a combined signing key for the zone. Dynamic updates are allowed using a TSIG key to allow ACME DNS-01 challenges for issuing TLS certificates.

TLS/HTTPS§

amsterdam holds a Let's Encrypt wildcard TLS certificate for the domain, which is used to protect web services. The DNS zone contains a CAA record specifying that only Let's Encrypt may issue certificates for the domain, and only using ACME DNS-01 challenges. All TLS-capable services have TLSA records associated with them for DANE-EE support. Finally, all web services use HTTPS records and HSTS preload headers to advertise support for HTTPS.

Email§

amsterdam holds DKIM keys for the domain, which is published in DNS alongside SPF and DMARC records together protect against spoofing the domain. MTA-STS and DANE-EE are used to advertise TLS support for incoming mail. Outgoing mail requires that the receiving server support TLS.

WireGuard§

Both servers hold WireGuard keys for their end of the tunnels. The tunnel being encrypted and authenticated isn't actually important for my purposes. This could just as easily use another tunneling protocol like GRE, but I find WireGuard trivial to setup even if it adds some keys to manage.