mirdaki commented on My Self-Hosting Setup   codecaptured.com/blog/my-... · Posted by u/mirdaki
ctkhn · 5 months ago
Curious what the driver for NixOS and packages over Docker was. Docker was the huge step up for me in making the homelab easy to run, update, and recover when things failed. It also made managing service endpoints and ports remotely easier than when they all lived on the operating system. Wish this was delved into a little more in the post.
mirdaki · 5 months ago
I can touch on it more. Docker and compose files are great for getting things going, contained, and keeping everything declarative.

But I found the more services I used with Docker, the more time it took to update. I didn't want to just update to latest, I wanted to update to a specific version, for better rollback. That meant manually checking and updating every single service, bringing each file down, and then back up. It's not entirely unmanageable, but it became enough friction that I wasn't updating things consistently. And yes, I could have automated some of that, but never got around to it.

NixOS, in addition to the things I mention in the post, is just a two-step process to update everything (`nix flake update` and `nixos-rebuild`). That makes updating my OS and every package/service super easy. And it provides built-in rollback if it fails. Plus I can configure things like my firewall and other security things in NixOS with the same config I do everything else.

Also, Nix packages/services provide a lot of the "containerization" benefits. It's reproducible. It doesn't have dependency problems (see this for more: https://nixos.org/guides/how-nix-works/). And most services use separate users with distinct permissions, giving pretty good security.

It's not that Docker can't do those things. It's that Nix does those things in a way that works really well with how I think.
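As an added illustration of the two points above (the firewall and other security settings living in the same NixOS config as the services, and services running as their own unprivileged users), here is a small NixOS module. It is example code, not the author's configuration; the service name "dashboard", its port and its paths are placeholders.

```nix
{ config, pkgs, ... }:

{
  # The host firewall is declared right next to the services it protects.
  networking.firewall = {
    enable = true;
    # Only SSH is reachable from any interface ...
    allowedTCPPorts = [ 22 ];
    # ... while the placeholder dashboard is only reachable over Tailscale.
    interfaces."tailscale0".allowedTCPPorts = [ 8080 ];
  };

  services.openssh = {
    enable = true;
    settings.PasswordAuthentication = false;
    settings.KbdInteractiveAuthentication = false;
  };

  services.tailscale.enable = true;

  # Hypothetical self-hosted service: its own system user and group, so a
  # compromise of the service does not give access to other services' data.
  users.users.dashboard = {
    isSystemUser = true;
    group = "dashboard";
  };
  users.groups.dashboard = { };

  systemd.services.dashboard = {
    description = "Example dashboard (placeholder service)";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      User = "dashboard";
      Group = "dashboard";
      # Placeholder workload; a real service would point at its own binary.
      ExecStart = "${pkgs.python3}/bin/python3 -m http.server 8080 --directory /var/lib/dashboard";
      StateDirectory = "dashboard"; # systemd creates /var/lib/dashboard owned by the user
      # systemd sandboxing: read-only OS, no home directories, private /tmp,
      # no privilege escalation, no capabilities, only IP sockets.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      NoNewPrivileges = true;
      ProtectKernelTunables = true;
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
      CapabilityBoundingSet = "";
    };
  };
}
```

Deploying is the two-step update from the comment, `nix flake update` followed by `nixos-rebuild switch`; if the new generation misbehaves, `nixos-rebuild switch --rollback` returns to the previous one.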

xyst · 5 months ago
It’s a shame he doesn’t self-host an internal mail server, at least with restricted outbound/SMTP.

Something like this is very easy to set up with projects such as stalwart, which also offers CalDAV and CardDAV (think easy synchronization of calendar and contacts without relying on "cloud").

He already has tailscale + headscale; adding in an internal-only mail/collaboration server would be a win.

mirdaki · 5 months ago
Hey, I ruled out a mail server for external use, since I've heard many people have issues with other providers (Gmail, Outlook, etc.) randomly blocking email. Didn't feel I could rely on it.

Having an internal-only mail server for notifications is an interesting idea. I've been using ntfy and Matrix to achieve something like that, but not all services support those notification methods. I'll keep that in mind!

colordrops · 5 months ago
Hi! Really excited by your work! I'm working on a similar project built on NixOS and curious what you think.

My goal is to have a small, nearly zero-conf, Apple-device-like box that anyone can install by just plugging it into their modem and then going through a web-based installation. It's still very nascent, but I'm already running it at home. It is a hybrid router (think OPNsense/pfSense) + app server (Nextcloud, Synology, YunoHost, etc.). All config is handled through a single Nix module. It automatically configures dynamic DNS, Let's Encrypt TLS certs, and subdomains for each app. It's got built-in ad blocking and headscale.

I'm working on SSO at the moment. I'll take a look at your work and maybe steal some ideas.

The project is currently self-hosted in my closet:

https://homefree.host

mirdaki · 5 months ago
Oh, that sounds really rad! Certainly could have its use cases. I really appreciate how NixOS enables projects like this. Best of luck with it!
ultra2d · 5 months ago
Do you use encrypted ZFS?

I have dabbled before with FreeIPA and other VMs on a Debian host with ZFS. For simplicity, I switched to running Seafile with encrypted libraries on a VPS and back that up to a local server via ZFS send/receive. That local server switches itself on every night, updates, syncs and then goes into sleep again. For additional resiliency, I'm thinking of switching to ZFS on Linux desktop (currently Fedora), fully encrypted except for Steam. Then sync that every hour or so to another drive in the same machine, and sync less frequently to a local server. Since the dataset is already encrypted, I can either sync to an external drive or some cloud service. Another reason to do it like this is that storing a full photo archive within Seafile on a VPS is too costly.

mirdaki · 5 months ago
Yes! On top of the data safety features of ZFS, the fact that you can encrypt a dataset and incrementally send/receive it is a fantastic ability.
A4ET8a8uTh0_v2 · 5 months ago
I appreciated the in-depth look, and while some ideas from your setup will take more time to implement, I just added flame for the dashboard to see how it fares with family.
mirdaki · 5 months ago
Thank you! It's all a journey, hope flame works well for you!
codethief · 5 months ago
> Here is a diagram of where I’ve ended up:

In case the author is around: On mobile (Chrome on Android) the screenshot is not readable at all and there is also no way to open an enlarged version, let alone zoom into the page.

mirdaki · 5 months ago
Oh, thanks for pointing it out! I've updated it so clicking on the diagram opens it up directly.
noncoml · 5 months ago
What’s the power consumption?
mirdaki · 5 months ago
That is a great question I don't actually know the answer to. I need to grab something to track it.
piyuv · 5 months ago
Excellent write-up. Can I ask why you chose headscale instead of WireGuard?
mirdaki · 5 months ago
I found the Tailscale client experience is quite nice, and headscale had built-in OIDC support (so easy auth for my users).

If I had started this setup later, I might have also used pangolin, which also provides a nice management interface on top of WireGuard: https://github.com/fosrl/pangolin

denkmoon · 5 months ago
I woke up today with a plan of making my DNS at a separate site work properly with IPv6 over my WireGuard. I use ULAs for the point-to-point WireGuard link, and GUAs don't like routing to ULAs. I figured the choice was between routing my two sites' GUAs over the WireGuard when talking to each other, or deploying ULAs in my networks. 4 hours later I had everything set up with ULAs. Had lunch. Decided that was awful. 3 hours after that I've got my GUAs going over the WireGuard.

Homelabbing is fun :')

mirdaki · 5 months ago
Yes it is, rock on!
nitnelave · 5 months ago
LLDAP author here. I'm happy that LLDAP is mentioned and yet that it is not highlighted. The goal of the project was to have a simple LDAP server that is easy to install/manage for self-hosters, with no knowledge of LDAP required. Cheers and congrats on your setup!
mirdaki · 5 months ago
Thank you for the work and the kind words! I've had a great experience with LLDAP. Really appreciate it.
