@selfhosted@lemmy.world

Mid 2022, a friend of mine helped me set up a selfhosted Vaultwarden instance. Since then, my “infrastructure” has not stopped growing, and I’ve been learning each and every day about how services work, how they communicate and how I can move data from one place to another. It’s truly incredible, and my favorite hobby by a long shot.

Here’s a map of what I’ve built so far. Right now, I’m mostly done, but surely time will bring more ideas. I’ve also left out a bunch of “technically revelant” connections like DNS resolution through the AdGuard instance, firewalls and CrowdSec on the main VPS.

Looking at the setups that others have posted, I don’t think this is super incredible - but if you have input or questions about the setup, I’ll do my best to explain it all. None of my peers really understand what it takes to construct something like this, so I am in need of people who understand my excitement and proudness :)

Edit: the image was compressed a bit too much, so here’s the full res image for the curious: https://files.catbox.moe/iyq5vx.png And a dark version for the night owls: https://files.catbox.moe/hy713z.png

  • empireOfLove2@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    50
    ·
    edit-2
    9 months ago

    me after 15 years of intermittent learning self hosting:

    i have the one random office PC that runs minecraft

    …yeah that’s it

  • ReallyActuallyFrankenstein@lemmynsfw.com
    link
    fedilink
    English
    arrow-up
    31
    ·
    9 months ago

    I’ve saved this. I set up unraid and docker, have the home media server going, but I’m absolutely overwhelmed trying to understand reverse proxy, Caddy, NGINX and the security framework. I guess that’s my next goal.

    • 7Sea_Sailor@lemmy.dbzer0.comOP
      link
      fedilink
      English
      arrow-up
      25
      ·
      9 months ago

      Hey! I’m also running my homelab on unraid! :D

      The reverse proxy basically allows you to open only one port on your machine for generic web traffic, instead of opening (and exposing) a port for each app individually. You then address each app by a certain hostname / Domain path, so either something like movies.myhomelab.com or myhomelab.com/movies.

      The issue is that you’ll have to point your domain directly at your home IP. Which then means that whenever you share a link to an app on your homelab, you also indirectly leak your home location (to the degree that IP location allows). Which I simply do not feel comfortable with. The easy solution is running the traffic through Cloudflare (this can be set up in 15 minutes), but they impose traffic restrictions on free plans, so it’s out of the question for media or cloud apps.

      That’s what my proxy VPS is for. Basically cloudflare tunnels rebuilt. An encrypted, direct tunnel between my homelab and a remote server in a datacenter, meaning I expose no port at home, and visitors connect to that datacenter IP instead of my home one. There is also no one in between my two servers, so I don’t give up any privacy. Comes with near zero bandwith loss in both directions too! And it requires near zero computational power, so it’s all running on a machine costing me 3,50 a month.

      • ReallyActuallyFrankenstein@lemmynsfw.com
        link
        fedilink
        English
        arrow-up
        6
        arrow-down
        1
        ·
        9 months ago

        I appreciate this thoughtful reply. I read it a few times, I think I understand the goal. Basically you’re systematically closing off points that leak private information or constitute a security weakness. The IP address and the ports.

        For the VPS, in order for that to have no bandwidth loss, does that mean it’s only used for domain resolution but clients actually connect directly to your own server? If not and if all data has to pass through a data center, I’d assume that makes service more unreliable?

        • 7Sea_Sailor@lemmy.dbzer0.comOP
          link
          fedilink
          English
          arrow-up
          5
          arrow-down
          1
          ·
          9 months ago

          Your first paragraph hits the nail on the head. From what I’ve read, bots all over the net will find any openly exposed ports in no time and start attacking it blindly, putting strain on your router and a general risk into your home network.

          Regarding bandwith: 100% of the traffic via the domain name (not local network) runs through the proxy server. But these datacenters have 1 to 10 gigabit uplinks, so the slowest link in the chain is usually your home internet connection. Which, in my case, is 500mbit down and 50mbit up. And that’s easily saturated on both directions by the tunnel and VPS. plus, streaming a 4K BluRay remux usually only requires between 35 and 40 mbit of upload speed, so speed is rarely a worry.

          • atzanteol@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            1
            ·
            9 months ago

            bots all over the net will find any openly exposed ports in no time and start attacking it blindly,

            True.

            putting strain on your router

            I guess? Not more than it can handle mind. But sure there will be a bit of traffic. But this is also kinda true whether you expose ports or not. The scanning is relentless.

            and a general risk into your home network.

            Well…If your proxy forwards traffic to your home network you’re still effectively exposing your home network to the internt. There’s just a hop in between. Scans that attack the web applications mostly don’t know or care about your proxy. If I hacked a service through the proxy I still gain access to your home network.

            That said, having crowdstrike add a layer of protection here is a good thing to potentially catch something you didn’t know about (eg a forgotten default admin password). But having it on a different network over a vpn doesn’t seem to add any value here?

            • 7Sea_Sailor@lemmy.dbzer0.comOP
              link
              fedilink
              English
              arrow-up
              2
              ·
              9 months ago

              You make a good point. But I still find that directly exposing a port on my home network feels more dangerous than doing so on a remote server. I want to prevent attackers sidestepping the proxy and directly accessing the server itself, which feels more likely to allow circumventing the isolations provided by docker in case of a breach.

              Judging from a couple articles I read online, if i wanted to publicly expose a port on my home network, I should also isolate the public server from the rest of the local LAN with a VLAN. For which I’d need to first replace my router, and learn a whole lot more about networking. Doing it this way, which is basically a homemade cloudflare tunnel, lets me rest easier at night.

              • atzanteol@sh.itjust.works
                link
                fedilink
                English
                arrow-up
                3
                ·
                9 months ago

                You make a good point. But I still find that directly exposing a port on my home network feels more dangerous than doing so on a remote server.

                You do what makes you feel comfortable, but understand that it’s not a lot safer. It’s not useless though so I wouldn’t say don’t do it. It just feels a bit too much effort for too little gain to me. And maybe isn’t providing the security you think it is.

                It’s not “where the port is opened” that matters - it’s “what is exposed to the internet” that matter. When you direct traffic to your home network then your home network is exposed to the internet. Whether though VPN or not.

                The proxy server is likely the least vulnerable part of your stack, though I don’t know if “caddy” has a good security reputation. I prefer to use Apache and nginx as they’re tried and true and used by large corporations in production environments for that reason. Your applications are the primary target. Default passwords, vulnerable plugins, known application server vulnerabilities, SQL injections, etc. are what bots are looking for. And your proxy will send those requests whether it’s in a different network or not. That’s where I do like that you have something that will block such “suspect” requests to slow such scanning down.

                Your VPS only really makes any sense if you have a firewall in ‘homelab’ that restricts traffic to and from the VPN and specific servers on specific ports. I’m not sure if this is what is indicated by the arrows in and out of the “tailscale” box? Otherwise an attacker with local root on that box will just use your VPN like the proxy does.

                So you’re already exposing your applications to the internet. If I compromise your Jellyfin server (through the VPS proxy and VPN) what good is your VPS doing? The first thing an attacker would want to do is setup a bot that reaches out to the internet establishing a back-channel communication direct to your server anyway.

                Judging from a couple articles I read online, if i wanted to publicly expose a port on my home network, I should also isolate the public server from the rest of the local LAN with a VLAN.

                It’s not “exposing a port that matters” - it’s “providing access to a server.” Which you’ve done. In this case you’re exposing servers on your home network - they’re the targets. So if you want to follow that advice then you should have your servers in a VLAN now.

                The reason for separating servers on their own VLAN is to limit the reach an attacker would have should they compromise your server. e.g. so they can’t connect to your other home computers. You would create 2 different networks (e.g. 10.0.10.0/24 and 10.0.20.0/24) and route data between them with a firewall that restricts access. For example 10.0.20.0 can’t connect to 10.0.10.0 but you can connect the other way 'round. That firewall would then stop a compromised server from connecting to systems on the other network (like your laptop, your chromecast, etc.).

                I don’t do that because it’s kinda a big bother. It’s certainly better that way, but I think acceptable not to. I wouldn’t die on that hill though.

                I want to be careful to say that I’m not saying that anything you’re doing is necessarily wrong or bad. I just don’t want you to misunderstand your security posture.

      • dan@upvote.au
        link
        fedilink
        English
        arrow-up
        1
        ·
        9 months ago

        it’s all running on a machine costing me 3,50 a month.

        You could use a cheaper VPS (like a $15/year one) and it should be fine with this use case :)

        • 7Sea_Sailor@lemmy.dbzer0.comOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          9 months ago

          Very true! For me, that specific server was a chance to try out arm based servers. Also, I initially wanted to spin up something billed on the hour for testing, and then it was so quick to work that I just left it running.

          But I’ll keep my eye out for some low spec yearly billed servers, and move sooner or later.

    • Specal@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      9 months ago

      Caddy makes it so you don’t have to understand reverse proxies to use them, the config is literally just "reverse_proxy " and then gives it a let’s encrypt SSL certificate. It’s beautiful for self hosting.

  • dan@upvote.au
    link
    fedilink
    English
    arrow-up
    19
    ·
    9 months ago

    I’d recommend using Borgbackup over SSH, instead of just using rclone for backups. As far as I know, rclone is like rsync in that you only have one copy of the data. If it gets corrupted at the source, and that gets synced across, your backup will be corrupted too. Borgbackup and Borgmatic are a great way to do backups, and since it’s deduplicated you can usually store months of daily backups without issue. I do daily backups and retain 7 daily backups, 4 weekly backups, and ‘infinite’ monthly backups (until my backup server runs out of space, then I’ll start pruning old monthly backups).

    Borgbackup also has an append-only mode, which prevents deleting backups. This protects the backup in case the client system is hacked. Right now, someone that has unauthorized access to your main VPS could in theory delete both the system and the backup (by connecting via rclone and deleting it). Borg’s append-only mode can be enabled per SSH key, so for example you could have one SSH key on the main VPS that is in append-only mode, and a separate key on your home PC that has full access to delete and prune backups. It’s a really nice system overall.

    • 7Sea_Sailor@lemmy.dbzer0.comOP
      link
      fedilink
      English
      arrow-up
      5
      ·
      9 months ago

      You’re right, that’s one of the remaining pain points of the setup. The rclone connections are all established from the homelab, so potential attackers wouldn’t have any traces of the other servers. But I’m not 100% sure if I’ve protected the local backup copy from a full deletion.

      The homelab is currently using Kopia to push some of the most important data to OneDrive. From what I’ve read it works very similarly to Borg (deduplicate, chunk based, compression and encryption) so it would probably also be able to do this task? Or maybe I’ll just move all backups to Borg.

      Do you happen to have a helpful opinion on Kopia vs Borg?

      • dan@upvote.au
        link
        fedilink
        English
        arrow-up
        4
        ·
        9 months ago

        I haven’t tried Kopia, so unfortunately I can’t compare the two. A lot of the other backup solutions don’t have an equivalent to Borg’s append-only mode though.

        • fine_sandy_bottom@discuss.tchncs.de
          link
          fedilink
          English
          arrow-up
          1
          ·
          9 months ago

          I’m a borg guy. I’d never heard of kopia. This is from their docs though:

          Each snapshot is always incremental. This means that all data is uploaded once to the repository based on file content, and a file is only re-uploaded to the repository if the file is modified. Kopia uses file splitting based on rolling hash, which allows efficient handling of changes to very large files: any file that gets modified is efficiently snapshotted by only uploading the changed parts and not the entire file.

          So looks like they do append only.

  • thantik@lemmy.world
    link
    fedilink
    English
    arrow-up
    16
    ·
    edit-2
    9 months ago

    Very nice setup imho. Quite a bit more complicated than mine - mine is basically just the left box without being behind a VPS or anything. I don’t expose anything through Caddy except Jellyfin. I’m also running fail2ban in front of my services, so that if it gets hit with too many 404s because someone is poking around, they get IP banned for 30d

    • 7Sea_Sailor@lemmy.dbzer0.comOP
      link
      fedilink
      English
      arrow-up
      6
      ·
      9 months ago

      I’m still on the fence if I want to expose Jellyfin publicly or not. On the one hand, I never really want to stream movies or shows from abroad, so there’s no real need. And in desperate times I can always connect to Tailscale and watch that way. But on the other, it’s really cool to simply have a web accessible Netflix. Idk.

      • thantik@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        9 months ago

        Honestly, I installed Ombi, so friends can request movies - and gave them all jellyfin logins as well. I’m not running any kind of pay-for service, I’m just giving them access to my library. Additionally, my kids will sometimes spend the night at friends, etc - and their friend won’t have an anime, or a crunchyroll subscription, so they’ll pull it up on jellyfin. It’s easy to remember for them because it’s just jellyfin.mydomain.com

        They don’t know anything about how the backend gets the movies/tv shows, just that they go to ombi, and it shows up on jellyfin if they want something ;)

        • 7Sea_Sailor@lemmy.dbzer0.comOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          9 months ago

          Gosh, that’s cute. Probably how I’ll end up too. Right now I’m not ready to let friends use my services. I already have friends and family on adguard and vaultwarden, that’s enough responsibility for now.

  • ginko@lemmy.world
    link
    fedilink
    English
    arrow-up
    13
    ·
    9 months ago

    Architecture looks dope

    Hope you’ve safeguarded your setup by writing a provisoning script in case anything goes south.

    I had to reinstall my server from scratch twice and can’t fathom having to reconfigure everything manually anymore

    • 7Sea_Sailor@lemmy.dbzer0.comOP
      link
      fedilink
      English
      arrow-up
      11
      ·
      9 months ago

      Nope, don’t have that yet. But since all my compose and config files are neatly organized on the file system, by domain and then by service, I tar up that entire docker dir once a week and pull it to the homelab, just in case.

      How have you setup your provisioning script? Any special services or just some clever batch scripting?

      • ginko@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        9 months ago

        Old school ansible at first, then I ditched it for Cloudbox (an OSS provisioning script for media server)

        Works wonders for me but I believe it’s currently stuck on a deprecated Ubuntu release

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    9
    ·
    edit-2
    9 months ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    DNS Domain Name Service/System
    HTTP Hypertext Transfer Protocol, the Web
    HTTPS HTTP over SSL
    IP Internet Protocol
    Plex Brand of media server package
    SSH Secure Shell for remote terminal access
    SSL Secure Sockets Layer, for transparent encryption
    TCP Transmission Control Protocol, most often over IP
    VPN Virtual Private Network
    VPS Virtual Private Server (opposed to shared hosting)
    k8s Kubernetes container management package
    nginx Popular HTTP server

    11 acronyms in this thread; the most compressed thread commented on today has 15 acronyms.

    [Thread #473 for this sub, first seen 2nd Feb 2024, 05:25] [FAQ] [Full list] [Contact] [Source code]

  • callcc@lemmy.world
    link
    fedilink
    English
    arrow-up
    9
    arrow-down
    1
    ·
    9 months ago

    Remeber, the more boxes you have, the more advanced you are as an admin! Once you do his job for money, the challenge is the exact opposite. The less parts you have, the better. The more vanilla they are, the better.

    • 7Sea_Sailor@lemmy.dbzer0.comOP
      link
      fedilink
      English
      arrow-up
      5
      ·
      9 months ago

      Absolutely! To be honest, I don’t even want to have countless machines under my umbrella, and constantly have consodilation in mind - but right now, each machine fulfills a separate purpose and feels justified in itself (homelab for large data, main VPS for anything thats operation critical and cant afford power/network outages and so on). So unless I find another purpose that none of the current machines can serve, I’ll probably scale vertically instead of horizontally (is that even how you use that expression?)

  • kadotux@lemmings.world
    link
    fedilink
    English
    arrow-up
    7
    ·
    edit-2
    9 months ago

    I saved this! Yeah, it seems like a lot of work, but I got inspired again (I had a slight self-hosting burnout and nuked my raspberry setup ~year ago) so I appreciate it. :) Can I ask what hardware you run this on? edit: I just wanted to ramble some more: I just fired up my rPI4 again just last week, setup it with just as barebone VPS with wireguard, samba, jellyfin and pi-hole+unbound (as to not burn myself again :D )

    • 7Sea_Sailor@lemmy.dbzer0.comOP
      link
      fedilink
      English
      arrow-up
      6
      ·
      9 months ago

      Glad to have gotten you back into the grind!

      My homelab runs on an N100 board I ordered on Aliexpress for ~150€, plus some 16GB Corsair DDR5 SODIMM RAM. The Main VPS is a 2 vCPU 4GB RAM machine, and the LabProxy is a 4 vCPU 4GB RAM ARM machine.

        • 7Sea_Sailor@lemmy.dbzer0.comOP
          link
          fedilink
          English
          arrow-up
          2
          ·
          9 months ago

          I use Hetzner, mainly because of their good uptime, dependable service and being geographically close to me. Its a “safe bet” if you will. Monthly cost, if we’re not counting power usage by the homelab, is about 15 bucks for all three servers.

    • 7Sea_Sailor@lemmy.dbzer0.comOP
      link
      fedilink
      English
      arrow-up
      9
      ·
      9 months ago

      Thank you! It’s done in excalidraw.com. Not the most straightforward for flowcharts, took me some time to figure out the best way to sort it all. But very powerful once you get into the flow.

      If you’re feeling funny, you can download the original image from the catbox link and plug it right back into the site like a save file!

  • Fedegenerate@lemmynsfw.com
    link
    fedilink
    English
    arrow-up
    5
    ·
    9 months ago

    I am sorry, I am but a worm just starting Docker and I have two questions.

    Say I set up pihole in a container. Then say I use Pihole’s web UI to change a setting, like setting the web UI to the midnight theme.

    Do changes persist when the container updates?

    I am under the impression that a container updating is the old one being deleted and a fresh install taking its place. So all the changes in settings vanish.

    I understand that I am supposed to write files to define parameters of the install. How am I supposed to know what to write to define the changes I want?

    Sorry to hijack, the question doesn’t seem big enough for its own post.

    • Limit@lemm.ee
      link
      fedilink
      English
      arrow-up
      6
      ·
      9 months ago

      With containers, most will have a persistent volume that is mapped to the host filesystem. This is where your config data is. When you update a container, just the image is updated(pihole binaries) but it leaves the config files there. Things like your block lists and custom dns settings, theme settings, all of that will remain.

    • 7Sea_Sailor@lemmy.dbzer0.comOP
      link
      fedilink
      English
      arrow-up
      6
      ·
      edit-2
      9 months ago

      If you’re referring to the “LabProxy VPS”: So that I don’t have to point a public domain that I (plan to) use more and more in online spaces to my personal IP address, allowing anyone and everyone to pinpoint my location. Also, I really don’t want to mess with the intricacies of DynDNS. This solution is safer and more reliable than DynDNS and open ports on my router thats not at all equipped to fend off cyberspace attacks.

      If you’re referring to the caddy reverse proxy on the LabProxy VPS: I’m pointing domains that I want to funnel into my homelab at the external IP of the proxy VPS. The caddy server on that VPS reads these requests and reverse-proxies them onto the caddy-port from the homelab, using the hostname of my homelab inside my tailscale network. That’s how I make use of the tunnel. This also allows me to send the crowdsec ban decisions from the homelab to the Proxy VPS, which then denies all incoming requests from that source IP before they ever hit my homelab. Clean and Safe!

      • atzanteol@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        2
        ·
        9 months ago

        “pinpoint” is a bit hyperbolic. Country, state and maybe city can be pretty good, at least in the US.

        It’s fine if that’s important to you to hide, but entirely unnecessary for most people.

        • 7Sea_Sailor@lemmy.dbzer0.comOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          9 months ago

          Maybe. But I’ve read some crazy stories on the web. Some nutcases go very far to ruin an online strangers day. I want to be able to share links to my infrastructure (think photos or download links), without having to worry that the underlying IP will be abused by someone who doesn’t like me for whatever reason. Maybe that’s just me, but it makes me sleep more sound at night.

        • 7Sea_Sailor@lemmy.dbzer0.comOP
          link
          fedilink
          English
          arrow-up
          2
          ·
          9 months ago

          Oh, that! That app proxies the docker socket connections over a TCP channel. Which provides a more granular control over what app gets what access to specific functionalities of the docker socket. Directly mounting the socket into an app technically grants full root access to the host system in case of a breach, so this is the advised way to do it.