48 comments

[ 3.3 ms ] story [ 66.2 ms ] thread
Hey y'all, I know getting a setup that feels "right" can be a process. We all have different goals, tech preferences, etc.

I wanted to a share my blog post walking through how I finally built a setup that I can just be happy with and use. It goes over my goals, requirements, tech choices, layout, and some specific problems I've resolved.

Where I've landed of course isn't where everyone else will, but I hope it can serve as a good reference. I’ve really benefited from the content and software folks have freely shared, and hope I can continue that and help others.

Read the first paragraph and knew you were gonna talk about Nix.
I am curious what are some good enough cheapskate self-hosting setups?

I want to self-host one of those floss Pocket replacements but I don't want to pay more than what these projects charge for hosting the software themselves (~$5). I am also considering self-hosting n8n. I don't have any sophisticated requirements. If it was possible I would host it from my phone with a backup to Google Drive.

You can use any ~2010 or newer laptop and install Proxmox on it. Voila, you have a server with low energy consumption.
How are you securing taris? Where is your local network firewall? Which one are you using?

Why did you go with Nextcloud instead of using something more barebones, for example a restic server?

(comment deleted)
It's nice to see a home lab on HN. Hardware has become a lost art for many.

If you dont have a home lab, start one. Grab a 1l pc off of ebay. Think center m720q or m920q with an i5 is a great place to start. It will cost you less than 200 bucks and if you want to turn it into a NAS or an Opnsense box later you can.

When it arrives toss Proxmox on it and get your toys from the community scripts section... it will let you get set up on 'easy mode'. Fair warning, having a home lab is an addiction, and will change how you look at development if you get into it deeply.

im using proxmox but struggling to setup subnets and vms

should I be using terraform and ansible?

im using cursor to ssh and it constantly needs to run commands to get "state" of the setup.

basically im trying to do what I used to do on AWS: setup VMs on private network talking to each other with one gateway dedicated to internet connection but this is proving to be extremely difficult with the bash scripts generated by cursor

if anyone can help me continue my journey with self hosting instead of relying on AWS that would be great

> Relatively easy for family and friends to use

> This means keep one login per person, ideally with SSO, for as many services as I can

Truly S-tier target. Incredible hard, incredible awesome.

I've said for a long time that Linux & open source is kind of a paradox. It goes everywhere, it speaks every protocol. But as a client, as an end. The whole task of coordinating, of groupwareing, of bringing together networks: that's all much harder, much more to be defined.

Making the many systems work together, having directory infrastructure: that stuff is amazing. For years I assumed that someday I'd be running FreeIPA or some Windows compatible directory service, but it sort of feels like maybe some OpenID type world might possibly be gel'ing into place.

Sometimes when I think about my home network, I think about it in terms of what will happen when I die and what I will be inflicting on my family as the ridiculous setups stop working. Or like, how much it would cost a police forensics team to try to make any sense of it.

I think "home labbing" fulfils much the same urge / need as the old guys (I hate to say it but very much mostly guys) met by creating hugely detailed scale model railways in their basement. I don't mean that in a particularly derogatory way, I just think some people have a deep need for pocket worlds they can control absolutely.

Setup your own WireGuard rather than Tailscale.. this is too much like Authy delegating AAA to a third-party.

- Store your SSH public keys and host keys in LDAP.

- Use real Solaris ZFS that works well or stick with mdraid10+XFS, and/or use Ceph. ZoL bit me by creating unmountable volumes and offering zero support when their stuff borked.

- Application-notified, quiesced backups to some other nearline box.

- Do not give all things internet access.

- Have a pair (or a few) bastion jumpboxes, preferably one of the BSDs like OpenBSD. WG and SSH+Yubikey as the only ways inside, both protected by SPA port knocking.

- Divy up hardware with a type 1 hypervisor and run kubernetes inside guests in those.

- Standardize as much as possible.

- Use configuration and infrastructure management tools checked into git. If it ain't automated, it's just a big ball of mud no one know how to recreate.

- Have extra infrastructure capacity for testing and failure hot replacements.

Why people need these overly complicated setups and why do they need to have an access point to reach their "den" from anywhere is beyond me. People and their digital gadget delusion.

Security paranoia, but here are the details of my home lab. WHY? If god forbid someone gets in they could in an instant identify the target...

IMO this is too complicated. I think products like the Synology Disk Station strike a better balance between ownership of data and maintenance over time. Tailscale even publishes a client for Synology products.
Is there home lab for isolated LAN and "self-sufficient" devices?

I want to have a block of gunk on the LAN, and to connect devices to the LAN and be able to seamlessly copy that block to them.

Bonus: any gunk I bring home gets added to the block.

First part works with navidrome: I just connect through the LAN to my phone with amperfy and check the box to cache the songs. Now my song gunk is sync'd to the phone before I leave home.

This obviously would fit a different mindset. Author has a setup optimized for maximum conceivable gunk, whereas mine would need to be limited to the maximum gunk you'd want to have on the smallest device. (But I do like that constraint.)

Nice writeup, thank you. I already thought about having NixOS on my server, but currently I prefer proxmox. There are projects with NixOS + Proxmox, but I did not test it yet.

> My main storage setup is pretty simple. It a ZFS pool with four 10TB hard drives in a RAIDZ2 data vdev with an additional 256GB SDD as a cache vdev. That means two hard drives can die without me loosing that data. That gives me ~19TB of usable storage, which I’m currently using less than 10% of. Leaving plenty of room to grow.

I would question this when buying a new system and not having a bunch of disks laying around... having a RAID-Z2 with four 10GB disks offers the same space as a RAID1 with two 20GB disks. Since you don't need the space NOW, you could even go RAID1 with two 10TB disks and grow it by replacing it with two 20TB as soon as you need more. This in my opinion would be more cost effective, since you only need to replace 2 disks instead of 4 to grow. This would take less time and since prices per TB are probably getting lower over time, it could also save you a ton of money. I would also say that the ability of losing 2 disks won't save you from having a backup somewhere...

Mine is much more barebone:

- one single machine - nginx proxy - many services on the same machine; some are internal, some are supposed to be public, are all accessible via the web! - internal ones have a humongous large password for HTTP basic auth that I store in an external password manager (firefox built in one) - public ones are either public or have google oauth

I coded all of them from scratch as that's the point of what I'm doing with homelabbing. You want images? browsers can read them. Videos? Browsers can play them.

The hard part is the backend for me. The frontend is very much "90s html".

I’ve got to appreciate putting the matrix server on Coruscant if nothing else :)
> Authelia provides authentication and authorization for services in a couple of ways. For services that support OpenID Connect it provides a very simple single sign on experience. If not, Authelia can integrate with my reverse proxy (nginx) and require the user login before the reverse proxy allows access to a service.

Recently I found out Gitea or Forgejo can act as an Oauth provider. And since these support ldap you can for example deploy a Samba AD and set it up as an authentication source for Gitea/Forgejo. If you enable the OAuth feature you can connect stuff like grafana and log in with your Samba AD credentials.

To me this is more convenient than running a dedicated auth service considering Forgejo can also provide git, wiki, docker registry (also authenticated) and other function. It's such an underrated piece of software and uses so few resources.

I woke up today with a plan of making my DNS at a separate site work properly with ipv6, over my wireguard. I use ULAs for the point to point wireguard link, and GUAs don't like routing to ULAs. I figured the choice was between routing my two sites GUAs over the wireguard when talking to each other, or deploy ULAs in my networks. 4hrs later I had everything set up with ULAs. Had lunch. Decided that was awful. 3hrs after that I've got my GUAs going over the wireguard.

Homelabbing is fun :')

What’s the power consumption?
I too use LLDAP and Authelia. I use Caddy (no Traefik) as a reverse proxy to protect my services using 2FA SSO. It's very easy to use and I can access all my services anywhere in the world without bothering with a VPN.
I like it. Why Flame, though? It’s built using node, react, redux… meaning you are bringing dozens (if not hundreds) of third party dependencies to your secure kingdom. I don’t think it’s worth it for the start page (could easily be a single html page with hardcoded links)
Very interesting write-up!

At this rate if I keep seeing good article about NixOS I might actually switch for real haha!

Great blog post, but unfortunately from my experience with my kinda tech-friendly family, i can tell you that not exposing service publicly is an absolute UX killer.

Nobody uses the local nextcloud because they just don't think they can rely on it, it doesn't always work from their perspective, and is too finicky to use, because it needs an external app (Tailscale).

This can be only fixed when the app itself can trigger a vpn connection, and I don't think this is going to happen any time soon.

Let me introduce you and many other people in this thread looking for a "let my app live in my VPN but still expose it family/friends without the need to install tailscale clients" solution to Tailscale Funnel: https://tailscale.com/kb/1223/funnel