I have a small homelab centered around a 920+ NAS, Home Assistant running on a Raspberry PI and a few other services running in containers, either on the NAS or one of the Pis. It’s been fun so far, but it’s also becoming more mission-critical, and that leads me to the topic of the headline. I’m the technophile of the family. The other family members are decidedly not.
As much as we tout redundancy and resiliency, I’m the single point of failure. At some point in time there’s a 100% guarantee I will fail. What’s the 3-2-1 strategy for me? What needs to be put in place so the infrastructure can be accessed and maintained if I am unable to do so myself?
Stuff I’ve thought about and maybe implemented to some degree:
The target audience won’t understand much of it. Hopefully, they can hand it to somebody who might understand it. There’s the ongoing challenge of keeping it current.
I’m running Vaultwarden in a docker on the NAS with a contingency account configured. However, most of the passwords require multi-factor authentication and the MFA device may not be accessible or available. Secondary accounts aren’t an option for many third-party applications. I have shared passwords to my MFA authenticator with my spouse but that presupposes the device is accessible. What’s the strategy for reliably handing off MFA?
Services like DNS use a primary provider as the secondary DNS server so if the homelab stops working there’s at least internet access.
Emergency admin account
ChatGPT suggested this one but I’m not sure how to make it work. It should not use MFA and be disabled for security purposes but would require some sort of deadman switch.
Recovery keys and backup codes
If everything is encrypted for security, how does somebody else recover the recovery keys?
Update Kuma is running. I haven’t had spent much time thinking about alarms yet. They can be a handy way to point somebody at the source of a problem, assuming the failure hasn’t made it inaccessible. A future project is investigating implementing a deadman switch on it to update the notification configuration.
My google fu has failed me. It feels like this topic is rarely discussed, and more rarely in sufficient detail to be useful. Has anybody else thought about this?