# work-in-progress. (technical details & plans are likely to change soon as I continue working on this)
Note: Currently working on a post that details the history of this homelab project and a lot of my thinking/decision making during it
Current Network Topology
Photos
# coming soon!
Currently working on
I’m currently configuring a “secure hypervisor” host that I plan to introduce a new “trusted infra” zone for, which I’m planning to host more SIEM services on. I’ve started by using the Dell 9020 SFF I’d previously flashed with libreboot and was using as my OPNsense host, as I’ve now changed that to a 9010 SFF due to needing to downgrade it from 4th-gen to 3rd-gen for one of my future projects.

I’m trying to do a lot of this in stages, so flashing these systems with libreboot once and leaving the write protections disabled ensures I can more easily try other coreboot flavours/configurations when I want to via internal flashing, avoiding the need to ever take the machines apart again to externally flash them. When I’m finally happy with my configurations I’ll do a final write with the write protections enabled.

My thinking for having this separate from my existing Proxmox cluster is that a vuln scanner with its necessary firewall rules shouldn’t be on the same VLAN, or even the same host, as a media services VM with sketchy supply chains and 24/7 internet access. I could just make it a second Proxmox cluster for simplicity since I’m already used to it, but I think I can handle managing a few qemu VMs, so I’m going with a minimal Debian install that I’ll have a go at hardening as much as I can. Once I do that I’m going to expand my SIEM tooling more, starting with OpenVAS and OpenEDR, and plan to look into setting up an ELK stack or similar to aggregate all the information I’m getting already (e.g. Suricata) with all that and give me a good base for practising SIEM analysis more.
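While the write protections are still disabled, every internal reflash is a chance to check that nothing else has touched the chip since the last write. The helper below is an added example, not a script from this homelab or from the Libreboot project: it reads the current flash back, refuses to proceed unless it matches the last image that was written, verifies the new image against a `sha256sum` sidecar before writing, and reads back again afterwards. It assumes flashrom’s `internal` programmer works on the host (any `-c` chip override is left to the reader), that each image is kept with a `<name>.sha256` file produced by `sha256sum`, and a `DRY_RUN=1` switch (my assumption, for rehearsing the steps) that only prints the flashrom commands.

```shell
#!/bin/sh
# Added example: guarded internal reflash for a coreboot/Libreboot host whose
# flash write protection is still disabled. Not the author's own tooling.
# Assumptions: `flashrom -p internal` works on this machine; digests are
# "<hex>  <file>" lines as written by sha256sum; DRY_RUN=1 prints instead of
# flashing so the sequence can be rehearsed without touching the chip.
set -eu

# Hex sha256 digest of a file.
rom_sha256() {
    sha256sum "$1" | awk '{print $1}'
}

# Compare a ROM image against its recorded digest. 0 on match, 1 on mismatch.
verify_rom() {
    rom="$1"; sidecar="$2"
    expected=$(awk 'NR==1{print $1}' "$sidecar")
    actual=$(rom_sha256 "$rom")
    [ "$expected" = "$actual" ]
}

# Run flashrom, or only echo the command when DRY_RUN=1.
run_flashrom() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "DRY_RUN: flashrom $*"
    else
        flashrom "$@"
    fi
}

# reflash <last_good.rom> <last_good.sha256> <new.rom> <new.sha256>
# 1. Check both images against their digests before touching hardware.
# 2. Read the chip back and stop if it is not the image we last wrote
#    (a crude tamper/accident check until boot attestation is in place).
# 3. Write the new image, read back, and confirm the chip now holds it.
reflash() {
    last_good="$1"; last_good_sum="$2"; new_rom="$3"; new_rom_sum="$4"
    work=$(mktemp -d)

    verify_rom "$last_good" "$last_good_sum" || {
        echo "known-good image does not match its digest" >&2; return 1; }
    verify_rom "$new_rom" "$new_rom_sum" || {
        echo "new image does not match its digest" >&2; return 1; }

    run_flashrom -p internal -r "$work/current.rom"
    if [ "${DRY_RUN:-0}" != "1" ] && ! cmp -s "$work/current.rom" "$last_good"; then
        echo "flash contents differ from last known-good image; stopping" >&2
        return 1
    fi

    run_flashrom -p internal -w "$new_rom"
    run_flashrom -p internal -r "$work/after.rom"
    if [ "${DRY_RUN:-0}" != "1" ] && ! cmp -s "$work/after.rom" "$new_rom"; then
        echo "read-back after write does not match new image" >&2
        return 1
    fi
    rm -rf "$work"
    echo "flash now holds sha256 $(rom_sha256 "$new_rom")"
}
```

Keep the `.sha256` sidecars and the last-written image off the machine being flashed (on the workstation you flash from, or in the documentation repo), otherwise a compromised host could rewrite both the flash and the record you check it against. Once the final image is written with the protections enabled, this script stops working by design, since internal writes are exactly what the protection blocks.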
Future plans
- Continue researching heads/coreboot and hardware keys to set up boot verification/auditing and hardware attestation for the t430p and 9010 SFF (I ideally want something that mirrors what my GrapheneOS phone does on my Linux hosts as best I can, and so far it’s looking relatively possible with my hardware).
- After that I also want to have a go at redoing my current OPNsense configuration on OpenBSD, with the goal being to reduce overall attack surface by removing the components I don’t need.
- Do more host hardening stuff on the T440p.
- Write more documentation and recovery procedures.
- Add more redundancy where possible (mostly too poor for this stuff atm).
- More screens. I’m being serious.