 |
My homelab |
|
2024-06-06 |
|
Last edit: 2024-06-06 |
|
--------------------- |
|
|
|
I've got an old laptop that I don't use anymore, so I thought I'd turn it into … |
|
|
|
The aim is to create a private homelab, i.e. the machine should only be accessi… |
|
|
|
The aim of this post is to present the main steps I've taken and explain how th… |
|
|
|
My laptop is an |
 |
ASUS ROG G750 |
|
with 8GB of memory and 2 HDDs of around 600GB each. It hasn't been used for ab… |
|
|
|
## First steps |
|
|
|
First, I decided to make an old USB key bootable. I install |
|
Ventoy |
|
on it to be able to load different image disks (ISO) without having to rewrite… |
|
|
|
I put |
|
Memtest86+](https://www.memtest.org/) to test the memory, [shredos.x86_64](http… |
|
which will be the main OS. |
|
|
|
So when I boot on the USB key, it loads the "multiboot" boot-loader (Ventoy) an… |
|
|
|
## Pre configuration |
|
|
|
To be able to deploy the system configuration and reproduce it later, I'm writi… |
|
|
|
The entire configuration is available at the bottom of the page. |
|
|
|
## TLS certificates |
|
|
|
I want communication with web applications to be encrypted and secure, so I nee… |
|
|
|
For the domain name I used |
|
Duck DNS](https://www.duckdns.org/) and reserved the sub-domain [theobori.duckd… |
|
which for the moment corresponds to the IPv4 of my virtual machine accessible … |
|
|
|
In fact, I only need to manage one certificate with two SANs: |
|
- `theobori.duckdns.org` |
|
- `*.theobori.duckdns.org` |
|
|
|
## Services |
|
|
|
Every application is deployed with the Ansible playbook are conteuneurized and … |
|
|
|
They are accessible only through port 443 managed by |
|
Traefik](https://traefik.io/). Each sub-domain of [theobori.duckdns.org |
|
corresponds to a service, with the exception of the homepage, which is associa… |
|
|
|
## Firewall |
|
|
|
To filter incoming network traffic, I manipulate iptables with the ufw tool. Th… |
|
|
|
```yaml |
|
- role: weareinteractive.ufw |
|
tags: ufw |
|
ufw_enabled: true |
|
ufw_packages: ["ufw"] |
|
ufw_rules: |
|
- logging: "full" |
|
- rule: allow |
|
to_port: "443" |
|
- rule: allow |
|
to_port: "80" |
|
- rule: allow |
|
{% raw %} to_port: "{{ ssh_port }}" {% endraw %} |
|
# Wireguard |
|
- rule: allow |
|
to_port: "51820" |
|
proto: udp |
|
# Delete default rule |
|
- rule: allow |
|
name: Anywhere |
|
delete: true |
|
ufw_manage_config: true |
|
ufw_config: |
|
IPV6: "yes" |
|
DEFAULT_INPUT_POLICY: DROP |
|
DEFAULT_OUTPUT_POLICY: ACCEPT |
|
DEFAULT_FORWARD_POLICY: DROP |
|
DEFAULT_APPLICATION_POLICY: SKIP |
|
MANAGE_BUILTINS: "no" |
|
IPT_SYSCTL: /etc/ufw/sysctl.conf |
|
IPT_MODULES: "" |
|
``` |
|
|
|
## Identity provider |
|
|
|
Services with integration for protocols to verify user identity or determine pe… |
|
Authentik |
|
user directory. |
|
|
|
I needed OAuth2 for |
|
Portainer](https://www.portainer.io/) and LDAP for several other services such … |
|
. |
|
|
|
If I remember correctly, the OAuth2 Outpost is embedded in the application by d… |
|
|
|
Here's a diagram of several services trying to retrieve the identity of an |
|
Authentik |
|
user. |
|
|
|
## Access management |
|
|
|
With |
|
Authentik |
|
, group policies have been created to authorize only certain groups of users to… |
|
|
|
For example, for |
|
Jellyfin |
|
, only users in the `Jellyfin` group are authorized to connect. |
|
|
|
In this way, I was able to secure all administration services by authorizing on… |
|
|
|
I also used [Traefik](https://traefik.io/) and |
|
Authentik |
|
to secure access to services not protected by authentication. |
|
|
|
I added middleware to the reverse proxy to enable HTTP ForwardAuth with |
|
Authentik |
|
. In practical terms, this places a connection portal in front of the targeted … |
|
|
|
Let's say I want to access |
|
duplicati.theobori.duckdns.org |
|
, it could be schematized as follows. |
|
|
|
## Media stack |
|
|
|
One of the main objectives was to be able to manage movies and series and watch… |
|
|
|
So I set up a stack for managing and downloading media, which would then be str… |
|
Jellyfin |
|
. |
|
|
|
Here's what the media stack looks like. |
|
|
|
## Backup and restore |
|
|
|
To back up container data, I use |
|
Duplicati |
|
. It lets you encrypt data and manage retention very easily via a web interface. |
|
|
|
These backups can then be restored on my old computer. |
|
|
|
## Monitoring |
|
|
|
To keep abreast of service status, I've opted for |
|
Uptime Kuma |
|
, which will alert me via Discord when a service is down for n seconds. |
|
|
|
I also have a [Prometheus](https://prometheus.io/) and [Grafana](https://grafan… |
|
Uptime Kuma |
|
, I'm alerted by Discord according to limits defined for RAM and available stor… |
|
|
|
This is how the monitoring stack looks. |
|
|
|
## Final home page |
|
|
|
Here's an overview of the dashboard, featuring all the services exposed to the … |
|
|
|
## Links |
|
|
|
https://github.com/theobori/homelab |
|
