Basically what the title says. Someone I know is building a house and they want all the added security and privacy benefits one could have, with no holding back.

This post basically serves as a place for everyone to come contribute ideas, hardware, and software; even self-hosting is possible, to increase the safety, security, and privacy of the home. So feel free to contribute thoughts and ideas, but please include how to implement your concept if you can!

Plug and play is preferred, but a reasonable amount of self-hosting could be done, with a preference for mechanical hardware where possible, though that is not a hard requirement.

While money isn’t a major issue within reason, be realistic and preferably eco-friendly. Thanks everyone ahead of time!

  • flatbield@beehaw.org · ↑ 6 · 2 days ago

    Consider network boxes and the structure of the net. At a minimum, segregate things onto different network segments: Guest, IoT, Your Stuff, Wired, WiFi, etc. Your boundary router and everything inside it should be yours and get automatic updates. Ideally two network providers, one fiber, one wireless. Encrypt everything on the net.

    Avoid WiFi and Bluetooth if you can, but you probably do not want to. If you use them, secure them the best you can: strong keys, SSIDs that tell nothing, etc. You can at least set your WiFi APs to ignore clients outside of a certain range. Also hardwire the APs. Air-gap things that really matter. For example, air-gap at least some of your backup archives, and take some offsite too. A nice way to do that is host-mountable SATA drawers on your backup server with high-capacity real spinning magnetic disks (no SSD or flash stuff).

    On systems that matter, at least use volume mirroring or some level of RAID, and do have a UPS. Maybe consider a whole-house UPS if you’re loaded with money. Your network boxes should have UPS support too, and so should at least one of your network providers (Starlink, another satellite provider, maybe cell or WiMAX, old-style DSL, etc.).

    Actual network connectivity: consider how you’re going to do that. You could route all network traffic through a VPN or Tor, but you may not want to do that. Big downsides too. One could choose to route certain subnets that way, though.

    Actively keep everything patched, monitored, and updated. Remember, less is more. Minimize what needs to be patched, monitored, and updated. Put firewalls on everything and minimize the software, services, and attack surface. Treat every device on your net as mostly untrusted.

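One way to make the “separate segments, treat every device as untrusted” advice above concrete is to write the inter-VLAN policy down as an allow-list and generate the firewall from it. The block below is an added example written for this thread, not code posted by the commenter; the VLAN names, subnets, router interface names and the Home Assistant address are assumptions. It answers whether a new connection between two addresses would be forwarded, lints the allow-list so that no lower-trust segment (Guest, IoT) can open connections into a higher-trust one unless pinned to a single host and port, and renders the same policy as an nftables forward chain with a default drop.

```python
"""Segmentation policy as code for a home network with Guest / IoT / trusted
VLANs, rendered to an nftables forward chain.  Added example for this thread,
not something posted by the commenter.  VLAN names, subnets, interface names
and the Home Assistant address are assumptions for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed layout: segment -> (router interface, subnet).  WAN has no local subnet.
SEGMENTS = {
    "trusted": ("vlan10", ip_network("10.0.10.0/24")),
    "iot":     ("vlan20", ip_network("10.0.20.0/24")),
    "guest":   ("vlan30", ip_network("10.0.30.0/24")),
    "wan":     ("eth0",   None),
}
# Trust ranking used only by lint(): a flow from a lower to a higher rank is
# "upward" and must be pinned to one host and one port.
TRUST = {"wan": 0, "guest": 1, "iot": 2, "trusted": 3}
HOME_ASSISTANT = "10.0.10.5"   # assumed address of the HA box on the trusted VLAN


@dataclass(frozen=True)
class Rule:
    src: str                         # originating segment
    dst: str                         # destination segment
    dst_host: Optional[str] = None   # None = any host in dst
    proto: Optional[str] = None      # None = any protocol
    dport: Optional[int] = None      # None = any port


# Allow-list of NEW connections between segments; everything else is dropped.
# Trust flows one way: trusted may reach IoT, IoT may reach only HA's web port.
ALLOW = [
    Rule("trusted", "wan"),
    Rule("trusted", "iot"),
    Rule("iot", "trusted", dst_host=HOME_ASSISTANT, proto="tcp", dport=8123),
    Rule("iot", "wan"),
    Rule("guest", "wan"),
]


def segment_of(ip: str) -> str:
    """Map an address to its segment; anything outside our subnets is WAN."""
    addr = ip_address(ip)
    for name, (_, net) in SEGMENTS.items():
        if net is not None and addr in net:
            return name
    return "wan"


def is_allowed(src_ip: str, dst_ip: str, dport: int, proto: str = "tcp") -> bool:
    """Would a new connection src_ip -> dst_ip:dport be forwarded by the router?"""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst:
        return True   # same VLAN is switched, not routed; not the firewall's call
    for r in ALLOW:
        if (r.src, r.dst) != (src, dst):
            continue
        if r.dst_host is not None and ip_address(dst_ip) != ip_address(r.dst_host):
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return True
    return False


def lint() -> list:
    """Rules that let a less-trusted segment open connections into a more-trusted
    one without pinning both host and port.  Empty list = trust is one-way."""
    return [r for r in ALLOW
            if TRUST[r.src] < TRUST[r.dst] and (r.dst_host is None or r.dport is None)]


def render_nftables() -> str:
    """Render ALLOW as an nftables ruleset for the router's forward path.
    Router-local services (DNS, DHCP, NTP served to IoT) belong in an input
    chain, which is deliberately out of scope here."""
    lines = [
        "table inet home {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",   # replies to allowed flows
        "    ct state invalid drop",
    ]
    for r in ALLOW:
        match = [f"iifname {SEGMENTS[r.src][0]}", f"oifname {SEGMENTS[r.dst][0]}"]
        if r.dst_host is not None:
            match.append(f"ip daddr {r.dst_host}")
        if r.proto is not None:
            match.append(f"{r.proto} dport {r.dport}" if r.dport is not None
                         else f"meta l4proto {r.proto}")
        lines.append("    " + " ".join(match) + " accept")
    # Log what hits the default policy so the "monitor everything" part is cheap.
    lines += ['    log prefix "fwd-drop " counter drop', "  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    assert not lint(), f"upward rules not pinned to host+port: {lint()}"
    print(render_nftables())
```

The rendered ruleset is meant to be loaded with `nft -f` on the boundary router; the `established,related` accept is what lets replies to trusted → IoT connections come back without granting IoT → trusted, and the chain only covers traffic crossing segments, so whatever the router itself serves to the IoT VLAN (DNS, DHCP, NTP) still needs its own input chain.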
    • OhVenus_Baby@lemmy.ml (OP) · ↑ 1 · 2 days ago

      Hardware recommendations, such as models and brands? Software recommendations, brands/FLOSS? Thanks for the lengthy insights; I will definitely pass it on. Simple is best. I believe everything will be tied into Home Assistant, amongst other self-hosted solutions.

      • flatbield@beehaw.org · ↑ 2 · edited · 2 days ago

        I am a FOSS guy, so I’d just configure Debian or Ubuntu to do most of the server, media center, desktop, and laptop stuff. Smartphones: Google Pixel 8a or another A-series flashed with GrapheneOS. For network I would look at pfSense, OPNsense, OpenWrt, or DD-WRT devices. I have DD-WRT devices, but they do not get updates, sadly; there are some vendors that base their devices on DD-WRT, though. Not sure which ones. ASUS? Buffalo? Is there a list somewhere?

        The other direction is to go more commercial, which is probably what you want. Lots of people like Synology products. In particular they have nice NAS products (which actually can run other services too), which should be fine if you just run them on the LAN. If you want to connect while traveling, set up some sort of VPN. Do not expose any of this stuff to the WAN. For network devices I would consider Netgate; I think they have some pfSense firewalls. Some people seem to like Ubiquiti stuff.

        I personally have generally favored Netgear, but as I said, I mostly have just re-flashed with DD-WRT, and am thinking of doing something different, at least with regard to my boundary router. It has gotten so that we all need to have our network devices rapidly updated, especially exposed ones like the boundary router.