I'm looking for a solution for complete HTTPS and DNS experience in my home network. AFAIK all tools are there, but I'm looking for the most user-friendly and maintenance-free solution. I have most of the pieces of this puzzle, but I'm missing some.
First, let me lay some assumptions, so it's easier to comprehend what I mean:
- home network has mikrotik router on 10.0.0.1 and has an external, public, static IP address of A.B.C.D
- there is an OpenMediaVault (OMV) server running portainer with nginx reverse-proxy (Nginx Proxy Manager) - it's on 10.0.0.2
- there are several other hosts in the network - NAS, printer, nanny-cam, etc - all exposing web UI via HTTPS, e.g. printer on 10.0.0.3
- I own mydomain.com administered by my hosting provider (www, email, etc)
- OMV runs DNS server that is capable of fulfilling the Let's Encrypt DNS challenge, let's call it MYDNS. Extra points if it has DoH (DNS-over-HTTPS)
- router forwards ports 80, 53 and 443 to the OMV host
- nameserver of mydomain does not have certbot-compatible capabilities to fulfill the DNS challenge
- possibility to connect via HTTPS to selected hosts via FQDN from LAN and internet: hosts can be both on OMV or just regular machines (e.g. nginx.home.mydomain.com on OMV and printer.home.mydomain.com connected to my network)
- in both cases I have valid HTTPS certificate
- from LAN I want my traffic not to be proxied via nginx (except for services that are on the OMV host)
- from LAN I want to be able to ping hosts using their FQDN as well (i.e. MYDNS is the default DNS for my LAN devices)
- when I enter printer.home.mydomain.com from the internet, the connection will be made to my public IP, router will forward the connection to nginx reverse-proxy, which will proxy the traffic to the printer - over here I see valid certificate that's installed on nginx
- when I enter printer.home.mydomain.com from LAN, the connection is made directly to it - over here I see valid certificate that's installed on the printer
Now the missing parts:
- My hosting provider does not expose a certbot-compatible DNS API, but I can set a CNAME delegation for the _acme-challenge record to A.B.C.D; that way Let's Encrypt will talk to MYDNS (via port 53 forwarded from A.B.C.D), which will fulfill the DNS challenge and set the proper TXT entries. So I'm looking for a dockerized nameserver for this MYDNS - something that is certbot-compatible, so Nginx Proxy Manager can handle all the magic by itself. That covers all services that are running on OMV. But also - this nameserver will be broadcast via DHCP from the router to all LAN devices, and on it I would like to set that printer.home.mydomain.com is 10.0.0.3, and *.home.mydomain.com is 10.0.0.2
- Some dockerized service that will check if nginx pulled fresh certificate for non-OMV hosts and upload certificates to them. It will use several ways to achieve that - for printer it would be a curl call, as described here
Best would be for both of these two services to come from a public docker image that's maintained by the community. Has anyone here faced the same issue and has some tips on which nameserver I should use? And is there a service that watches a file for changes and executes highly-scriptable actions?
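For the second missing piece (something that notices a renewed certificate and pushes it to the non-OMV hosts), here is an added example sketch that is not part of the original post or of any of the tools it names. It assumes the reverse proxy writes the renewed chain to a `fullchain.pem` path (placeholder), that each target host gets a small hook callable that does the actual upload and returns `True` on success (the printer hook below only stands in for the curl call the post mentions), and that a JSON state file next to it records which certificate fingerprint each host last received. It polls by content hash rather than mtime, ignores half-written PEM files, and retries a host whose upload failed on the next round:

```python
# Added example: poll a certificate file and run per-host deploy hooks when it changes.
# Assumptions (placeholders, not from the original post): CERT_PATH is where the proxy
# drops the renewed chain; each hook uploads the file to one host and returns True on
# success; the state file remembers which fingerprint each host already has.
import hashlib
import json
import time
from pathlib import Path
from typing import Callable, Dict, List

Hook = Callable[[Path], bool]

def pem_looks_complete(data: bytes) -> bool:
    """Skip files still being written: a finished chain has matching BEGIN/END markers."""
    begins = data.count(b"-----BEGIN CERTIFICATE-----")
    ends = data.count(b"-----END CERTIFICATE-----")
    return begins > 0 and begins == ends

def fingerprint(data: bytes) -> str:
    """Content hash of the PEM file; a renewal always changes it, a touch does not."""
    return hashlib.sha256(data).hexdigest()

def load_state(state_path: Path) -> Dict[str, str]:
    if not state_path.exists():
        return {}
    return json.loads(state_path.read_text())

def save_state(state_path: Path, state: Dict[str, str]) -> None:
    # Write-then-rename so a crash never leaves a truncated state file behind.
    tmp = state_path.with_suffix(".tmp")
    tmp.write_text(json.dumps(state, indent=2, sort_keys=True))
    tmp.replace(state_path)

def deploy_if_changed(cert_path: Path, state_path: Path, hooks: Dict[str, Hook]) -> List[str]:
    """Run each host's hook once per distinct certificate; return hosts updated this round.

    A host whose hook fails (or raises) keeps its old fingerprint, so it is retried
    on the next poll instead of being silently marked as done.
    """
    data = cert_path.read_bytes()
    if not pem_looks_complete(data):
        return []
    fp = fingerprint(data)
    state = load_state(state_path)
    updated: List[str] = []
    for host, hook in hooks.items():
        if state.get(host) == fp:
            continue  # this host already has exactly this certificate
        try:
            ok = hook(cert_path)
        except Exception:
            ok = False
        if ok:
            state[host] = fp
            updated.append(host)
    save_state(state_path, state)
    return updated

def printer_hook(cert_path: Path) -> bool:
    """Stand-in for the printer's HTTPS upload (the real one would be the curl call)."""
    return cert_path.stat().st_size > 0

def watch(cert_path: Path, state_path: Path, hooks: Dict[str, Hook], interval: int = 300) -> None:
    """Plain polling loop; a container restart policy is all the supervision it needs."""
    while True:
        for host in deploy_if_changed(cert_path, state_path, hooks):
            print(f"pushed new certificate to {host}")
        time.sleep(interval)

if __name__ == "__main__":
    import tempfile
    # Constructed demo input: not a real certificate, just a well-formed PEM envelope.
    workdir = Path(tempfile.mkdtemp())
    cert = workdir / "fullchain.pem"
    cert.write_bytes(b"-----BEGIN CERTIFICATE-----\nDEMO\n-----END CERTIFICATE-----\n")
    print(deploy_if_changed(cert, workdir / "state.json", {"printer": printer_hook}))
```

In a real deployment the hook dictionary would hold one entry per non-OMV host (printer, NAS, camera), each wrapping whatever that device's upload mechanism is, and `watch()` would run as the container's entrypoint pointed at the proxy's certificate directory.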