Homelabs!

What is a homelab

  • A collection of servers* that you run at home


* often not actual servers, see /r/homelab

Why you would want a homelab

  • Hosting your own services
    • Privacy
    • Customization
    • Cost
  • Learning
    • Learn how to deploy things
    • Get real world experience managing software
    • Experiment without as much worry
  • Flexing on other homelabbers

Hardware

  • It does not need to be powerful
  • You can run big servers
  • Start small and upgrade
  • Electricity is not free (unless it is)
  • A UPS is really nice to have
    • Especially if you have things like HDDs that are sensitive to power loss

Choosing an OS

  • Depends on your needs
  • Any Linux distro if you just want docker
    • Debian, Ubuntu Server, Alma Linux are good choices
  • If you want full VMs, choose a hypervisor
    • Proxmox is great and free
    • You might be able to get free VMware
    • xcp-ng is interesting
  • If you want to store a lot of files, a NAS focused OS is good
    • TrueNAS SCALE (Core also works, but is being phased out)
    • Unraid
    • Synology / QNAP have proprietary OS offerings with their hardware

My Homelab

[Diagram of Kai's homelab, showing network connections between devices]

Connecting your homelab to the internet

ISPs tend to hand out dynamic IPs, which makes consistent access hard.

Some solutions:

  • Dynamic DNS solutions
    • DynDNS/DuckDNS/NoIP
    • Cloudflare DDNS and/or Cloudflare Tunnel
  • VPNs
    • Some VPN options work without static IPs and without DNS!
      • Tailscale
      • ZeroTier One
  • Run your own reverse proxy!
    • Needs a static IP, often from a cloud vm
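The Cloudflare DDNS option above, as an added example that is not from the slides: a small POSIX shell updater. It assumes curl is installed and uses Cloudflare's v4 DNS records API; the zone ID, record ID, token and record name are placeholders you replace with your own (use a token scoped to DNS edit on that one zone). The parts worth keeping are the state file, so the record is only rewritten when the address really changed, and the address validation, because the "what is my IP" reply is untrusted input that ends up inside an API request body.

```sh
#!/bin/sh
# Added example, not from the slides: dynamic-DNS updater for one Cloudflare A record.
# Assumptions: curl is installed; CF_ZONE_ID / CF_RECORD_ID / CF_TOKEN / RECORD_NAME
# are placeholders you replace with your own values.
set -eu

STATE_FILE="${STATE_FILE:-${HOME:-/var/tmp}/.ddns-last-ip}"
CF_API="https://api.cloudflare.com/client/v4"
CF_ZONE_ID="${CF_ZONE_ID:-ZONE_ID_PLACEHOLDER}"
CF_RECORD_ID="${CF_RECORD_ID:-RECORD_ID_PLACEHOLDER}"
CF_TOKEN="${CF_TOKEN:-API_TOKEN_PLACEHOLDER}"
RECORD_NAME="${RECORD_NAME:-home.example.com}"

# Accept only a dotted-quad IPv4 address with every octet in 0-255.
# The IP-echo reply is untrusted input that gets spliced into a JSON body,
# so anything else is rejected before it gets that far.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Return 0 (true) when $2 differs from the address recorded in file $1,
# so the DNS record is only touched when the ISP actually changed the address.
ip_changed() {
    state="$1"; new_ip="$2"
    [ -f "$state" ] || return 0
    [ "$(cat "$state")" != "$new_ip" ]
}

# Cloudflare's trace endpoint prints "ip=<address>" among other lines.
get_public_ip() {
    curl -fsS https://1.1.1.1/cdn-cgi/trace | sed -n 's/^ip=//p'
}

# PATCH the one existing A record; nothing else in the zone is touched.
update_record() {
    curl -fsS -X PATCH "$CF_API/zones/$CF_ZONE_ID/dns_records/$CF_RECORD_ID" \
        -H "Authorization: Bearer $CF_TOKEN" \
        -H "Content-Type: application/json" \
        --data "{\"type\":\"A\",\"name\":\"$RECORD_NAME\",\"content\":\"$1\",\"ttl\":120}"
}

main() {
    ip="$(get_public_ip)"
    if ! valid_ipv4 "$ip"; then
        echo "refusing to publish malformed address: $ip" >&2
        exit 1
    fi
    if ip_changed "$STATE_FILE" "$ip"; then
        update_record "$ip" >/dev/null
        printf '%s\n' "$ip" > "$STATE_FILE"
        echo "updated $RECORD_NAME -> $ip"
    else
        echo "no change ($ip)"
    fi
}

# Only talk to the network when invoked as "ddns.sh run" (e.g. from cron),
# so the helper functions can be sourced and tested on their own.
if [ "${1:-}" = run ]; then
    main
fi
```

Run it from cron every few minutes (`*/5 * * * * /path/to/ddns.sh run`); the 120 second TTL keeps clients from caching a stale address for long after a change.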

VPNs

  • Easy security!
  • You don't need to do proper security if the network is restricted*
  • Allows devices to connect to each other regardless of location

* Defense in depth is a good thing, so still secure stuff

VPNs cont.

[WireGuard logo with the "Fast, Modern, Secure VPN Tunnel" slogan]

  • Pros
    • Easy to deploy
    • Secure by default
    • Fast (runs in the kernel)
  • Cons
    • Minimal configuration options for enterprise usage
    • Harder to hide the fact that you are using WireGuard
    • Needs static IP or DNS
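What "secure by default" plus the defense-in-depth footnote look like in practice, as an added example that is not the deck's own config: a gateway and one laptop peer. Keys, the endpoint name and the subnets (10.8.0.0/24 for the tunnel, 192.168.10.0/24 for the lab LAN) are placeholders. The two settings to notice are the server-side AllowedIPs, which pins each key to one tunnel address, and the client-side AllowedIPs, which routes only the lab through the tunnel instead of 0.0.0.0/0.

```ini
# Added example, not the deck's own config. Keys, addresses and the endpoint
# name are placeholders; 10.8.0.0/24 is the tunnel, 192.168.10.0/24 the lab LAN.

# --- /etc/wireguard/wg0.conf on the homelab gateway ---
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <gateway private key>

# One [Peer] per device. On the server side, AllowedIPs is the only source
# address accepted from that key (cryptokey routing): a device cannot claim
# another peer's tunnel address, so a leaked laptop key is limited to 10.8.0.2.
[Peer]
PublicKey = <laptop public key>
AllowedIPs = 10.8.0.2/32

# --- /etc/wireguard/wg0.conf on the laptop ---
[Interface]
Address = 10.8.0.2/32
PrivateKey = <laptop private key>

[Peer]
PublicKey = <gateway public key>
# The endpoint is where the "needs static IP or DNS" con from the table bites.
Endpoint = home.example.com:51820
# Route only the tunnel and the lab LAN through WireGuard, not 0.0.0.0/0.
# The tunnel is a door into the lab; the services behind it keep their own auth.
AllowedIPs = 10.8.0.0/24, 192.168.10.0/24
PersistentKeepalive = 25
```

For the LAN route to work, the gateway must also forward packets (net.ipv4.ip_forward=1) and either NAT the tunnel or have a return route for 10.8.0.0/24 on the LAN; that part is omitted above.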

VPNs cont.

[OpenVPN logo]

  • Pros
    • Many, many configuration options
    • Supported on more old systems than WireGuard
  • Cons
    • More effort to set up securely
    • More effort to connect
    • Needs static IP or DNS

VPNs cont.

[Tailscale logo and name]

  • Pros
    • Does not need static IP or DNS
    • Peer-to-peer model
    • Nice web UI for access
    • Has an open-source server option (Headscale)
  • Cons
    • Must have a Tailscale client for your device
    • Semi-proprietary
    • Some features gated behind paid tier
    • Headscale takes some effort to set up

Run your own reverse proxy

Internet -> reverse proxy -> services
Internet -> reverse proxy -> reverse proxy -> services

  • Needs a static IP/cloud VM
  • Much more control
  • Can cost a bit
  • Not as limited as Cloudflare
  • Can also run your VPN

Reverse proxy options

  • IPTables/NFTables/Firewalld
    • Works for routing packets
    • Sucks to configure
  • NGINX
    • The most common in the wild
    • Default config sucks
  • Traefik
    • Docs kinda suck imo
    • Works really well with Docker
      • Can automatically build routes
    • Automatic HTTPS

Reverse proxy options cont.

  • Caddy
    • Very nice config
    • Automatic HTTPS
    • Sometimes must be built from source
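The "very nice config" and "automatic HTTPS" points, as an added example (not from the slides or the Caddy project): a Caddyfile fronting two services. Hostnames, ports and the trusted subnets are assumptions. Caddy obtains and renews a Let's Encrypt certificate for each site block on its own, so nothing below mentions TLS; the second block also shows how a public-facing proxy can still keep an admin-ish service limited to the VPN and LAN ranges.

```caddyfile
# Added example, not the deck's config. Hostnames, ports and subnets are assumptions.

# A service meant to be reachable from anywhere (e.g. a photo library):
immich.example.com {
    reverse_proxy 127.0.0.1:2283
}

# A service that should only answer to the VPN tunnel and the lab LAN,
# even though the proxy itself sits on the public internet.
grafana.example.com {
    @trusted remote_ip 10.8.0.0/24 192.168.10.0/24
    handle @trusted {
        reverse_proxy 127.0.0.1:3000
    }
    # Everyone else gets a bare 403 with no hint of what lives here.
    respond 403
}
```

The backends are bound to 127.0.0.1, so the only path to them is through Caddy; a service listening on 0.0.0.0 would make the remote_ip check trivially bypassable from the LAN.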

Certificates

  • TLS certificates secure connections
  • To get certificates use ACME (Automatic Certificate Management Environment)
  • Free certs from Lets Encrypt!
    • Trusted by devices by default
    • The host needs to be reachable from the internet, OR you use DNS credentials (the DNS challenge)
    • Can only issue certs for domain names (IP address certs are possible now too, but those are limited to 6 days)
    • 90-day max lifetime (or less)
  • Or run your own CA
    • Very fun*
    • More options

Running your services

[Docker logo and name] [Podman logo and icon]

  • Easy to deploy
  • Easy to upgrade
  • No dependency management (each image ships its own)
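The three bullets above in one Compose file, as an added example that is not from the slides or the Vaultwarden project: the image tag is a placeholder to pin, the port mapping is loopback-only so the service is reachable only through the reverse proxy, and the environment closes open registration once your own account exists. Paths and hostnames are assumptions.

```yaml
# Added example, not from the slides. Tag, paths and hostname are placeholders.
services:
  vaultwarden:
    # Pin a tested tag; "upgrade" is bumping it, then `docker compose pull && docker compose up -d`.
    image: vaultwarden/server:<pinned-version>
    restart: unless-stopped
    ports:
      # Loopback only: reachable via the reverse proxy on this host, not from the LAN directly.
      - "127.0.0.1:8080:80"
    volumes:
      # Everything the container persists lives here, so backups are one directory.
      - ./vaultwarden/data:/data
    environment:
      DOMAIN: "https://vault.example.com"
      # Close open registration once your own account exists.
      SIGNUPS_ALLOWED: "false"
    security_opt:
      - no-new-privileges:true
```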

Useful services to run

  • Prometheus: Collect metrics & alert on them
  • Grafana: Visualize metrics
  • Vaultwarden: Password manager
  • Adguard / PiHole: DNS server with adblocking
  • Immich: Google Photos replacement
  • Homeassistant: Home automation platform
  • FreshRSS: RSS feed aggregator
  • AudioBookshelf: Podcast, Audiobook, and ebook platform
  • NUT server: UPS monitoring (Network UPS Tools)
  • StepCA: your own certificate authority (see below)
  • Authentik: single sign-on platform (see below)

StepCA

Run your own CA server, with ACME support, using step-ca

Allows you to:

  • Issue certs to IPs
  • Issue certs with custom lifetimes
  • Issue certs to humans
  • Issue certs that can issue certs
  • Many other cool things

Authentik

Run your own SSO platform with authentik

Allows you to:

  • Have a single sign on for your services
  • Sync users via LDAP/OpenID/SAML
  • Add authentication to arbitrary web services via reverse proxy
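The last bullet, as an added example that is not from the slides or the authentik project: a Caddyfile site that puts authentik in front of a web app with no login of its own, using Caddy's forward_auth. The hostnames, the outpost address (authentik's embedded outpost listens on port 9000) and the backend port are assumptions; the header names are the ones authentik's Caddy integration documents, so check them against your authentik version.

```caddyfile
# Added example, not from the slides or authentik. Hostnames and ports are assumptions.
app.example.com {
    # route{} makes the order below the order of evaluation.
    route {
        # The outpost's own paths (login flow, callback) must reach the outpost unauthenticated.
        reverse_proxy /outpost.goauthentik.io/* http://authentik-server:9000

        # Every other request is first sent to the outpost: a 2xx lets it through,
        # anything else (typically a redirect to the login page) is returned to the client.
        forward_auth http://authentik-server:9000 {
            uri /outpost.goauthentik.io/auth/caddy
            # Header names are case-sensitive here; they carry the identity to the backend.
            copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid
            trusted_proxies private_ranges
        }

        # The app itself, which trusts the X-Authentik-* headers only because
        # nothing but Caddy can reach it.
        reverse_proxy 127.0.0.1:8080
    }
}
```

This only holds if the backend is reachable solely from Caddy (bind it to 127.0.0.1 or a Docker-internal network); a backend exposed on the LAN can be hit directly with forged X-Authentik-* headers, and the forward_auth step never runs.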

Questions?

OSUsed, FreeGeek

xcp-ng is Xen-based and has some cool features that come with that. It is based on Citrix XenServer.

WireGuard is great.

Probably don't use unless you have a specific need

I use Headscale/Tailscale in my lab

Brief overview, subject of another talk if interest