So I'm pretty happy with myself: I'm sitting in the airport, well off my home network, and all my stuff is still working. The mail server config I hacked up extensively to work with multiple users (never something I bothered to deal with before), and FreeIPA-based auth for almost all my services.
I had a bit of a scare when I got to the gate, went to twiddle my web server config a bit, and realized I hadn't set up the ssh pubkey for this laptop as an authorized key in FreeIPA. I forgot I'd created a new key for my new laptop (the Dell that's sitting in the depot waiting for my "Windows password...") and set that one as an authorized key. For a minute I thought I was utterly locked out of interactive access.
Then I realized, damnit, there's always a way, and remembered I had trusted my phone, so 'all' I had to do was stick my old laptop's pubkey on that, connect to a system on my local network from the phone, add the laptop's pubkey to its local authorized_keys (which is still read along with the ones from FreeIPA), ssh into that system from my laptop, issue myself a kerberos ticket, and use 'ipa' to enrol the laptop's pubkey in the central store, and I was back in business. Simple, eh? :)
I also have no goddamn idea how I never got around to figuring out ssh tunnels until now. I've been using Linux for...er...15 years. Here is the Dumb Monkey's Simple Guide To Ssh Tunnelling:
ssh -D 9001 (some_system_on_a_network_you_want_to_get_at_something_from)
now configure your browser (or other tool) to use a SOCKS proxy on port 9001, possibly hack up /etc/hosts for things that insist on rewriting the hostname you're trying to access them by (koff koff ipa), and you can get at stuff 'behind the firewall' on the network you ssh'ed into. Specifically, by ssh'ing into one of the systems on my network that I allow external ssh access to, I can access the FreeIPA web interface or my router's web interface, even though both are behind the firewall. That simple. I really ought to have worked that one out earlier.