
Back from the US


Just got back from a US trip. Got to see my Dad and my sister and the niece and nephews. This was a work trip, but due to weather, I got stranded in PA and had to attend the conference via zoom. That’s all the work talk I’ll get into. Since I had some time, I made Dad drive me over to BestBuy and I got a Bambu Labs A1 Combo for the niece and nephews. (Employer, if you are reading this I solemnly swear this was done after work hours… mostly. 🤞)

Dad had an old PC with an 8th Gen i5, so I put Ubuntu Server and Dockhand on it. I found Bambuddy and hooked that in. So now, in theory, the kids can use Bambuddy as a print server… but this means either the kids have to get onto Dad’s computer every time they want to print or it needs to be remotely accessible… which can lead to lots of security issues. So of course my first thought is Tailscale. But I did some additional research and thought this might be a good time to try out Headscale, which is self-hosted Tailscale - which is insanely simple WireGuard.

My sister has a term for her family adventures, much like my cacophony of failure, so I spun up a new AWS account for her and registered the domain using Route53. (No, I am not announcing her domain on here; obscurity is a valid security technique as long as it’s part of a more robust defense in depth.) I put a t3.micro up in the AWS account and popped the Headscale server on it. I am using Google as the OIDC provider since the kids all have or can easily get a Gmail account. Some things just aren’t worth the hassle of trying to build on your own. (At least not yet.)

So basically this loops back to the post about Traefik where I ended up not using Traefik. Well, now I am implementing what I spelled out there, plus Headscale, so it wasn’t a waste of time, just delayed usefulness.

I learned enough about Headscale’s ACLs to make it so anyone on the tailnet (headnet?) can connect to the server, but not to any other computer on the tailnet. This should prevent anything on Dad’s computer being seen by the kids and vice versa, reduce the ability for malware to spread, etc. I’m sure this will evolve over time, along with some UI enhancements to Headscale eventually.
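A Headscale policy that expresses that rule, as an added example rather than the post’s actual file. Headscale reads HuJSON, so the comments are allowed; the user names, group names and the server’s 100.64.x.x address are placeholders, and it goes one step further than the text by limiting the family to the ports Traefik serves while an admin group keeps every port.

```json
{
  // Added example, not the author's real policy: names and addresses are placeholders.
  "groups": {
    // With Google OIDC, Headscale user names are the Google account names.
    "group:admins": ["admin@example.com"],
    "group:family": ["dad@example.com", "kid1@example.com", "kid2@example.com"]
  },
  "hosts": {
    // Tailnet (CGNAT range) address Headscale assigned to Dad's PC.
    "printserver": "100.64.0.1/32"
  },
  "acls": [
    // Rule 1: every family member may reach the server, but only on the
    // ports Traefik listens on. No other destination is listed anywhere,
    // and Headscale is default-deny, so every device-to-device connection
    // between family machines is refused.
    {
      "action": "accept",
      "proto": "tcp",
      "src": ["group:family"],
      "dst": ["printserver:80,443"]
    },
    // Rule 2: admins get every port on the server (SSH and so on),
    // still with nothing allowed towards anyone else's machine.
    {
      "action": "accept",
      "src": ["group:admins"],
      "dst": ["printserver:*"]
    }
  ]
}
```

Because Headscale only hands a node the peers it is allowed to talk to, a quick check is `tailscale status` on one of the kids’ machines: it should list the server and nothing else from the family.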

Well, now that there is a server sitting here anyway… may as well put some other services on it. So Dad got Karakeep with a local Ollama for summarization and tagging, and the kids also got Spoolman (which is looking like the wrong choice in this use case - I love it at home, but with Bambuddy and non-BambuLabs filament it doesn’t seem to be the right choice. I may revisit this in the future. Or, maybe the kids will - more on that later.)

So, yeah, Traefik + custom domain + wildcard DNS pointed at a tailnet IP (100.64.x.x address) is a pretty well documented process on the internet. Not quite as neato as tsdproxy, but I was unable to get tsdproxy working with Headscale (pretty sure this is a me skill issue, not a tsdproxy issue). Traefik is using ACME and some AWS creds to set up and maintain the wildcard certificate. This is a long and lacking-detail way of saying https://<service_name>.<domainname>.<tld> works if you are on the tailnet (headnet?), but (hopefully) doesn’t work if you aren’t on the tailnet.

Everything is isolated from my own infrastructure, but I can sign out of my tailnet and join their network so I can do some admin. The long term goal is to start the kids off with read only permissions on all the infrastructure, and then as they show interest/skills grant them additional permissions, until they are running it themselves.

Now for the fun part. I didn’t get a chance to set this up on anyone’s machine aside from Dad’s before I left. So the oldest nephew gets to go through a 9-step process that I sent over email, which may or may not include all the required steps. I did my best to let him know that if anything doesn’t work, it’s probably my fault, but hopefully I didn’t forget anything and he doesn’t have any issues. Otherwise, I know when I was that age, I’d have gotten frustrated and just said “Fuck it”, which would really suck. Then again, if he just goes and grabs the printer and sets it up at home himself, as long as the whole family can use it, it’s still a win. I may or may not keep you posted on that. More because I’m crap at posting on a regular basis or keeping a thread going long enough to write it down.