What will our Journey be
What we shall build and explore on this journey I guide you on
The journey of setting up a HomeLab
I have been creating a set of templates over the past few years for my HomeLab. They are designed to make it easier for you and me to spin up a HomeLab.
They are free and open source.
Sharing is caring: we shall care for each other in the digital world as well. Because I got a lot from the community, I will be sharing my code and best practices with you.
I'm posting the information and code for anyone to use for free.
Things to come in future blogs
This stack needs some skill to set up, but I will guide you. I'm finalizing a set of scripts to set up the
- base (Docker, Docker Compose, Portainer, Fail2ban, Dozzle, Heimdall/Dashy), and a more advanced set like the
- interface (NPM, Authelia, Lychee, NextCloud) and
- web (Unbound DNS, Pi-hole, PiVPN, Dozzle, Fail2ban)
Also WP and Ghost setups and some other stuff I'm interested in. I run my own search engine so big G doesn't stuff its ads all over my stuff.
Maybe you should guide me: what do you prefer?
The design
Privacy and security as a guideline. See my other posts for more details. The design is set up to be able to run in HA mode, but today I move the VM/CTs between nodes by hand when needed. I split the Docker containers over several VM/CTs:
- interface - open to the web and connects to the apps through NPM
- web - internal network services: Unbound DNS as a front end to Pi-hole
- one for internal apps we use in the house
- one for HomeAssistant
- X number for self-hosted services, so I can shut down a single service if needed
- one for monitoring server performance
Moving a VM/CT between nodes takes some time, so the smaller the VM/CT, the faster the move.
A normal user in our house does not see much of this.
In my role as DevOps I read the logs and check Fail2ban over SSH, and ad blocking via the GUI. I use Dozzle as my preferred log reader in the stacks.
Security
HTTPS apps are all handled by Cloudflare (my DNS provider) and handed over to a Nginx Reverse Proxy. Authelia passes or blocks the user with two-factor authentication (2FA). NPM calls services using internal Docker name resolution (no ports open). All VM/CTs have firewalls and Fail2ban protection. Only the needed ports are open on nodes and VM/CTs. Services not in use are not running.
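As an added example (not the author's scripts, which are not on this page), this is what the "no ports open" rule above looks like in a docker-compose.yml for the interface VM/CT: only NPM publishes host ports, while Authelia and one app (Lychee) sit on a private Docker network that NPM reaches by service name through Docker's built-in DNS. Image names, volume paths, the network name and the loopback-only admin port are my assumptions, not values from the post.

```yaml
# Added example: minimal "interface" stack on one VM/CT.
# Only the reverse proxy publishes host ports; the other services are reachable
# solely from inside the "proxy" network by their service name.
services:
  npm:
    image: jc21/nginx-proxy-manager:latest   # assumption: tag
    restart: unless-stopped
    ports:
      - "80:80"            # HTTP: redirect to HTTPS and ACME challenges
      - "443:443"          # HTTPS, traffic arriving via Cloudflare
      - "127.0.0.1:81:81"  # NPM admin GUI bound to loopback only; reach it over an SSH tunnel
    volumes:
      - ./npm/data:/data                  # assumption: paths
      - ./npm/letsencrypt:/etc/letsencrypt
    networks:
      - proxy

  authelia:
    image: authelia/authelia:latest        # assumption: tag
    restart: unless-stopped
    # No "ports:" block: NPM forwards auth requests to http://authelia:9091
    volumes:
      - ./authelia:/config                # assumption: path
    networks:
      - proxy

  lychee:
    image: lycheeorg/lychee:latest         # assumption: tag
    restart: unless-stopped
    # No "ports:" block: only NPM can reach http://lychee:80
    volumes:
      - ./lychee/conf:/conf               # assumption: paths
      - ./lychee/uploads:/uploads
    networks:
      - proxy

networks:
  proxy:
    driver: bridge   # user-defined bridge: Docker's embedded DNS resolves service names on it
```

After `docker compose up -d`, `docker compose ps` should list host port mappings under PORTS for npm only; if lychee or authelia show a mapping, a `ports:` block has crept in. In NPM the proxy host for the app forwards to hostname `lychee`, port `80`, and the Authelia forward-auth snippet goes into that proxy host's custom Nginx config so every request is checked before it reaches the app.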
Privacy
Unbound keeps DNS records and speeds up the net by caching. It also keeps our DNS lookups hidden from the ISP. Pi-hole is used for blocking ads (one site had 200 blocks on one page - crazy). And what a good job it does. The list of bad sites is extensive and you can add or remove DNS records from the list. No more personal data to Google or the ISP!
I self-host Whoogle - no need to go to Google search. The web browsers use DuckDuckGo or Whoogle.
VPN
I have GhostVPN on the devices I use outside the house.
PiVPN is a very easy install and I will test it. For my use, occasional and small, it's a good fit. In professional installations we use OpenVPN; it has the power to run site-to-site network connections, but it's also good for sites with just a few road warriors.