208 lines
15 KiB
HTML
208 lines
15 KiB
HTML
<!DOCTYPE html>
|
||
<html lang="en" dir="auto">
|
||
|
||
<head><meta charset="utf-8">
|
||
<meta http-equiv="X-UA-Compatible" content="IE=edge">
|
||
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
|
||
<meta name="robots" content="index, follow">
|
||
<title>My Homelab | homelab0ne</title>
|
||
<meta name="keywords" content="">
|
||
<meta name="description" content="Hardware: Some old PC my uni computer lab was going to throw away otherwise along with my previous router (TL-WR841N), configured to function in AP mode.
|
||
It also has a 128 GB SSD as well as a 1 TB HDD.
|
||
Tech Stack: Proxmox is used as the hypervisor. Networking is handled by virtualized OPNSense, both for VMs and for my various devices, which is why the TL-WR841N is in AP mode.">
|
||
<meta name="author" content="">
|
||
<link rel="canonical" href="https://homelab0ne.xyz/posts/portfolio/">
|
||
<link crossorigin="anonymous" href="/assets/css/stylesheet.5d45b8bd1a3cf526e72959d51f1bdc688d8e97fa0df2a697a93df6bdc746feb4.css" integrity="sha256-XUW4vRo89SbnKVnVHxvcaI2Ol/oN8qaXqT32vcdG/rQ=" rel="preload stylesheet" as="style">
|
||
<noscript>
|
||
<link crossorigin="anonymous" href="/css/includes/noscript.30127fa68e36d08f5dd7f9d4e717dac42e729b844672afd0fbcacb0d9e508595.css" integrity="sha256-MBJ/po420I9d1/nU5xfaxC5ym4RGcq/Q+8rLDZ5QhZU=" rel="preload stylesheet" as="style">
|
||
</noscript>
|
||
<link rel="icon" href="https://homelab0ne.xyz/favicon.ico">
|
||
<link rel="icon" type="image/png" sizes="16x16" href="https://homelab0ne.xyz/favicon-16x16.png">
|
||
<link rel="icon" type="image/png" sizes="32x32" href="https://homelab0ne.xyz/favicon-32x32.png">
|
||
<link rel="apple-touch-icon" href="https://homelab0ne.xyz/apple-touch-icon.png">
|
||
<link rel="mask-icon" href="https://homelab0ne.xyz/safari-pinned-tab.svg">
|
||
<meta name="theme-color" content="#2e2e33">
|
||
<meta name="msapplication-TileColor" content="#2e2e33">
|
||
<meta property="og:title" content="My Homelab" />
|
||
<meta property="og:description" content="Hardware: Some old PC my uni computer lab was going to throw away otherwise along with my previous router (TL-WR841N), configured to function in AP mode.
|
||
It also has a 128 GB SSD as well as a 1 TB HDD.
|
||
Tech Stack: Proxmox is used as the hypervisor. Networking is handled by virtualized OPNSense, both for VMs and for my various devices, which is why the TL-WR841N is in AP mode." />
|
||
<meta property="og:type" content="article" />
|
||
<meta property="og:url" content="https://homelab0ne.xyz/posts/portfolio/" /><meta property="article:section" content="posts" />
|
||
<meta property="article:published_time" content="2024-08-30T13:39:47+02:00" />
|
||
<meta property="article:modified_time" content="2024-08-30T13:39:47+02:00" />
|
||
|
||
<meta name="twitter:card" content="summary"/>
|
||
<meta name="twitter:title" content="My Homelab"/>
|
||
<meta name="twitter:description" content="Hardware: Some old PC my uni computer lab was going to throw away otherwise along with my previous router (TL-WR841N), configured to function in AP mode.
|
||
It also has a 128 GB SSD as well as a 1 TB HDD.
|
||
Tech Stack: Proxmox is used as the hypervisor. Networking is handled by virtualized OPNSense, both for VMs and for my various devices, which is why the TL-WR841N is in AP mode."/>
|
||
|
||
|
||
<script type="application/ld+json">
|
||
{
|
||
"@context": "https://schema.org",
|
||
"@type": "BreadcrumbList",
|
||
"itemListElement": [
|
||
{
|
||
"@type": "ListItem",
|
||
"position": 1 ,
|
||
"name": "Posts",
|
||
"item": "https://homelab0ne.xyz/posts/"
|
||
},
|
||
{
|
||
"@type": "ListItem",
|
||
"position": 2 ,
|
||
"name": "My Homelab",
|
||
"item": "https://homelab0ne.xyz/posts/portfolio/"
|
||
}
|
||
]
|
||
}
|
||
</script>
|
||
<script type="application/ld+json">
|
||
{
|
||
"@context": "https://schema.org",
|
||
"@type": "BlogPosting",
|
||
"headline": "My Homelab",
|
||
"name": "My Homelab",
|
||
"description": "Hardware: Some old PC my uni computer lab was going to throw away otherwise along with my previous router (TL-WR841N), configured to function in AP mode.\nIt also has a 128 GB SSD as well as a 1 TB HDD.\nTech Stack: Proxmox is used as the hypervisor. Networking is handled by virtualized OPNSense, both for VMs and for my various devices, which is why the TL-WR841N is in AP mode.",
|
||
"keywords": [
|
||
|
||
],
|
||
"articleBody": " Hardware: Some old PC my uni computer lab was going to throw away otherwise along with my previous router (TL-WR841N), configured to function in AP mode.\nIt also has a 128 GB SSD as well as a 1 TB HDD.\nTech Stack: Proxmox is used as the hypervisor. Networking is handled by virtualized OPNSense, both for VMs and for my various devices, which is why the TL-WR841N is in AP mode. I did consider flashing it with OpenWRT, but it is not supported by the latest version, and I did not want to risk bricking it as it’s my only such device. I don’t run a pi-hole as it’s made redundant by the unbound DNS blocklist feature in OPNSense. As my home network is behind CG-NAT, a VM keeps a constant wireguard connection up to a hosthatch VPS. This allows port forwarding for a remote proxy as well as connecting into my LAN via wireguard. Services are run using docker compose in their own individual Fedora VMs Presently running services: Synapse server for matrix. In addition, it has sliding sync (to allow usage with ElementX) and is bridged with mautrix-meta so it can also receive messages from instagram. Forgejo git instance. Seafile for file syncing and backups of important documents. Nextcloud was considered, but seafile was apparently simpler to setup and less buggier. Security: The LAN is not treated as a security boundary, all services have restrictive firewall rules, and TLS is used for everything, including the proxmox and OPNSense web UIs. Certs are acquired using acme.sh and auto renewed using scoped deSEC tokens. No wildcard certs are used. Just because the deSEC DNS token for one service is compromised doesn’t mean it can be used to issue TLS certificates for another subdomain (or for the base domain). Where possible, Chainguard images are used in order to be as up to date as possible. gVisor is also used on all containers. dnf packages and docker images are auto updated daily. gvisor is auto updated every boot. The hardware is too old to have a TPM 2.0, but I currently use a LUKS2 keyfile to encrypt the SSD where proxmox is installed. The HDD (where the VM disks are stored) is encrypted using ZFS native encryption to maintain performance. This doesn’t really protect against someone breaking into my home and disassembling the PC, but it does save me from having to worry about leaking sensitive data when I dispose of the drives in the distant future. SSH is configured based off of GrapheneOS infrastructure’s config, only public key auth and modern ciphers with key exchange methods are allowed. Miscellaneous config files can be found here.\nFuture plans: Learn ansible. Right now, I simply clone a VM which I keep as a base template, but that can get cumbersome when I want to make a change to it. Document my current configs better so I’m not completely lost when I come back to it six months from now. Self host more services such as Xanity or morss Have a better backup strategy. Right now there is no redundancy or backup if the hardware gets damaged. ",
|
||
"wordCount" : "523",
|
||
"inLanguage": "en",
|
||
"datePublished": "2024-08-30T13:39:47+02:00",
|
||
"dateModified": "2024-08-30T13:39:47+02:00",
|
||
"mainEntityOfPage": {
|
||
"@type": "WebPage",
|
||
"@id": "https://homelab0ne.xyz/posts/portfolio/"
|
||
},
|
||
"publisher": {
|
||
"@type": "Organization",
|
||
"name": "homelab0ne",
|
||
"logo": {
|
||
"@type": "ImageObject",
|
||
"url": "https://homelab0ne.xyz/favicon.ico"
|
||
}
|
||
}
|
||
}
|
||
</script>
|
||
</head>
|
||
|
||
<body class="" id="top">
|
||
<script crossorigin="anonymous" src="/assets/js/theme.b20f95bb4da41ef90a2610a557a7000b2649a3f47282ec571676da6fc0427200.js" integrity="sha256-sg+Vu02kHvkKJhClV6cACyZJo/RyguxXFnbab8BCcgA="></script>
|
||
|
||
<header class="header">
|
||
<div id="progressBar"></div>
|
||
<nav class="nav">
|
||
<div class="logo">
|
||
<a href="https://homelab0ne.xyz/" accesskey="h" title="homelab0ne (Alt + H)">homelab0ne</a>
|
||
<div class="logo-switches">
|
||
<button type="button" id="theme-toggle" accesskey="t" title="(Alt + T)">
|
||
<svg id="moon" xmlns="http://www.w3.org/2000/svg" width="24" height="18" viewBox="0 0 24 24"
|
||
fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round"
|
||
stroke-linejoin="round">
|
||
<path d="M21 12.79A9 9 0 1 1 11.21 3 7 7 0 0 0 21 12.79z"></path>
|
||
</svg>
|
||
<svg id="sun" xmlns="http://www.w3.org/2000/svg" width="24" height="18" viewBox="0 0 24 24"
|
||
fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round"
|
||
stroke-linejoin="round">
|
||
<circle cx="12" cy="12" r="5"></circle>
|
||
<line x1="12" y1="1" x2="12" y2="3"></line>
|
||
<line x1="12" y1="21" x2="12" y2="23"></line>
|
||
<line x1="4.22" y1="4.22" x2="5.64" y2="5.64"></line>
|
||
<line x1="18.36" y1="18.36" x2="19.78" y2="19.78"></line>
|
||
<line x1="1" y1="12" x2="3" y2="12"></line>
|
||
<line x1="21" y1="12" x2="23" y2="12"></line>
|
||
<line x1="4.22" y1="19.78" x2="5.64" y2="18.36"></line>
|
||
<line x1="18.36" y1="5.64" x2="19.78" y2="4.22"></line>
|
||
</svg>
|
||
</button>
|
||
</div>
|
||
</div>
|
||
<input name="hamburger-input" id="hamburger-input" type="checkbox" aria-label="Navigation Menu">
|
||
<label id="hamburger-menu" for="hamburger-input"></label>
|
||
<div class="overlay"></div>
|
||
<ul id="menu">
|
||
</ul>
|
||
</nav>
|
||
</header>
|
||
<main class="main">
|
||
|
||
<article class="post-single">
|
||
<header class="post-header">
|
||
|
||
<h1 class="post-title entry-hint-parent">
|
||
My Homelab
|
||
</h1>
|
||
<div class="post-meta"><span title='2024-08-30 13:39:47 +0200 CEST'>August 30, 2024</span>
|
||
|
||
</div>
|
||
<div class="post-meta">
|
||
</div>
|
||
</header>
|
||
<div class="post-content"><p><img loading="lazy" src="/IMG_8531.jpg" alt="Image of a PC under a desk" />
|
||
<img loading="lazy" src="/neofetch.png" alt="Image of a PC under a desk" />
|
||
</p>
|
||
<h2 id="hardware">Hardware:<a hidden class="anchor" aria-hidden="true" href="#hardware">#</a></h2>
|
||
<p>Some old PC my uni computer lab was going to throw away otherwise along with my previous router (TL-WR841N), configured to function in AP mode.</p>
|
||
<p>It also has a 128 GB SSD as well as a 1 TB HDD.</p>
|
||
<h2 id="tech-stack">Tech Stack:<a hidden class="anchor" aria-hidden="true" href="#tech-stack">#</a></h2>
|
||
<ul>
|
||
<li>Proxmox is used as the hypervisor.</li>
|
||
<li>Networking is handled by virtualized OPNSense, both for VMs and for my various devices, which is why the TL-WR841N is in AP mode. I did consider flashing it with OpenWRT, but it is not supported by the latest version, and I did not want to risk bricking it as it’s my only such device. I don’t run a pi-hole as it’s made redundant by the unbound DNS blocklist feature in OPNSense.</li>
|
||
<li>As my home network is behind CG-NAT, a VM keeps a constant wireguard connection up to a hosthatch VPS. This allows port forwarding for a remote proxy as well as connecting into my LAN via wireguard.</li>
|
||
<li>Services are run using docker compose in their own individual Fedora VMs</li>
|
||
</ul>
|
||
<h2 id="presently-running-services">Presently running services:<a hidden class="anchor" aria-hidden="true" href="#presently-running-services">#</a></h2>
|
||
<ul>
|
||
<li><a href="https://experimental-synapse.homelab0ne.xyz/_matrix/static/">Synapse server for matrix.</a> In addition, it has sliding sync (to allow usage with ElementX) and is bridged with <code>mautrix-meta</code> so it can also receive messages from instagram.</li>
|
||
<li><a href="https://forgejoever.homelab0ne.xyz/">Forgejo git instance.</a></li>
|
||
<li><a href="https://seafile.homelab0ne.xyz/">Seafile</a> for file syncing and backups of important documents. Nextcloud was considered, but seafile was apparently simpler to setup and less buggier.</li>
|
||
</ul>
|
||
<h2 id="security">Security:<a hidden class="anchor" aria-hidden="true" href="#security">#</a></h2>
|
||
<ul>
|
||
<li>The LAN is not treated as a security boundary, all services have restrictive firewall rules, and TLS is used for everything, including the proxmox and OPNSense web UIs. Certs are acquired using <code>acme.sh</code> and auto renewed using scoped deSEC tokens.</li>
|
||
<li>No wildcard certs are used. Just because the deSEC DNS token for one service is compromised doesn’t mean it can be used to issue TLS certificates for another subdomain (or for the base domain).</li>
|
||
<li>Where possible, <a href="https://images.chainguard.dev/">Chainguard</a> images are used in order to be as up to date as possible. <a href="https://gvisor.dev/">gVisor</a> is also used on all containers.</li>
|
||
<li><code>dnf</code> packages and docker images are auto updated daily. gvisor is auto updated every boot.</li>
|
||
<li>The hardware is too old to have a TPM 2.0, but I currently use a LUKS2 keyfile to encrypt the SSD where proxmox is installed. The HDD (where the VM disks are stored) is encrypted using ZFS native encryption to maintain performance. This doesn’t really protect against someone breaking into my home and disassembling the PC, but it does save me from having to worry about leaking sensitive data when I dispose of the drives in the distant future.</li>
|
||
<li>SSH is configured based off of <a href="https://github.com/GrapheneOS/infrastructure/blob/main/ssh/sshd_config">GrapheneOS infrastructure’s config</a>, only public key auth and modern ciphers with key exchange methods are allowed.</li>
|
||
</ul>
|
||
<p>Miscellaneous config files can be found <a href="https://forgejoever.homelab0ne.xyz/mustard/fedora-server-config">here</a>.</p>
|
||
<h2 id="future-plans">Future plans:<a hidden class="anchor" aria-hidden="true" href="#future-plans">#</a></h2>
|
||
<ul>
|
||
<li>Learn ansible. Right now, I simply clone a VM which I keep as a base template, but that can get cumbersome when I want to make a change to it.</li>
|
||
<li>Document my current configs better so I’m not completely lost when I come back to it six months from now.</li>
|
||
<li>Self host more services such as <a href="https://github.com/kylrth/xanity?tab=readme-ov-file">Xanity</a> or <a href="https://github.com/pictuga/morss">morss</a></li>
|
||
<li>Have a better backup strategy. Right now there is no redundancy or backup if the hardware gets damaged.</li>
|
||
</ul>
|
||
|
||
|
||
</div>
|
||
|
||
<footer class="post-footer">
|
||
<ul class="post-tags">
|
||
</ul>
|
||
</footer>
|
||
</article>
|
||
</main>
|
||
|
||
<footer class="footer">
|
||
<span>© 2024 <a href="https://homelab0ne.xyz/">homelab0ne</a></span>
|
||
<span>
|
||
- Powered by
|
||
<a href="https://gohugo.io/" rel="noopener noreferrer">Hugo</a> &
|
||
<a href="https://github.com/Wonderfall/hugo-WonderMod/" rel="noopener">WonderMod</a>
|
||
</span>
|
||
</footer>
|
||
<a href="#top" aria-label="go to top" title="Go to Top (Alt + G)" class="top-link" id="top-link" accesskey="g">
|
||
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 12 6" fill="currentColor">
|
||
<path d="M12 6H0l6-6z" />
|
||
</svg>
|
||
</a>
|
||
<script defer crossorigin="anonymous" src="/assets/js/papermod.727d74878dd0d630d592de1483de40c9393b9d59c42ec34eeac2b18635dd8959.js" integrity="sha256-cn10h43Q1jDVkt4Ug95AyTk7nVnELsNO6sKxhjXdiVk="></script>
|
||
</body>
|
||
|
||
</html>
|