
I've been setting up my self-hosted servers lately. I recently bought an old corporate machine off eBay (an HP EliteDesk 800 G3) and have been setting it up as my home server. Along with my VPS on the internet (which runs my online presence, with the exception of this blog, which is on Cloudflare), it makes for a pretty good self-hosted network.
So what do I have and how is it all set up?
For starters, even before I bought the PC, I knew I wanted to run Proxmox on it. For the quick summary, Proxmox is a virtualisation platform built on top of Debian Linux that runs virtual machines and containers (LXC, not Docker).
As I have mentioned previously, I'm running Tailscale as my VPN into my home network, so I set it up on the Proxmox machine as well so that it could be accessed from anywhere.
Firstly, I wanted to move my Home Assistant instance off the BTT CB2 I was previously running it on. The Home Assistant website provides a VM image as well as Docker containers. The VM (running HAOS) has a bit more functionality than the Docker version, so I set that up.
Realising that the VM chews up a fair bit of RAM (the PC came with only 8 GB), I remembered I had some spare RAM sticks from an unused computer, which happened to be the right type for this HP machine! Throwing those in (I love how easy corporate PCs are to open and swap hardware in), we're up to 24 GB of RAM.
With 6 GB now allocated to Home Assistant, that leaves me with 18 GB for everything else. Shiny!
A bit later on, I decided to add a 4 TB internal spinning-rust disk to the system. I'm trying to keep costs down here; otherwise I would have either gone larger or gone with SSDs beyond the one that came with the machine.
Proxmox uses LXC containers, not Docker containers. LXCs are a sort of middle ground between a VM and Docker: a full system container with its own init rather than a single packaged application. I hadn't worked with LXCs before, so it was a slight learning process for me.
In the end, a few services I wanted to run were only designed to run inside a Docker container, but it's easy enough to install Docker in an LXC. Unfortunately, it means I'm running a container in a container. I could run Docker on the host (or in its own VM) and keep any Docker-specific things there, but I like having the separation of service groups, plus the ease of having everything in one spot (the Proxmox web UI), so this works for me.
I came across the amazing Community Scripts page, which has setup scripts for a number of services. That was a good starting place. I ended up not using the community scripts once I had a handle on LXCs and the various services I wanted to run.
So a few containers later (Jellyfin, Sonarr, Radarr, etc.), I was up and running. On a handful of these I ended up running some other minor services as well (related to each, so it makes sense where they live).
Now that I had all of these services running, I needed a way to manage connecting to them. That's where Technitium DNS comes into play. While I was running a Pi-hole in my setup, I wanted a server I could configure in my router that didn't also do ad blocking, for spouse reasons!
As an interesting side note, I have a bit of a weird DNS setup going on here. Tailscale's MagicDNS first looks at Pi-hole, Pi-hole uses Technitium DNS as its upstream server, and Technitium uses 1.1.1.1 as its upstream.
Originally I was just using dnsmasq-based DNS mapping, but I quickly found this very limiting, so Technitium was where I landed. It's a very nice DNS server with a nice web UI for configuring it, adding entries, etc.
So, with a combination of fixed IP addresses (reserved in my router) and DNS entries, everything was nicely accessible.
To avoid browser warnings, HTTPS is nice, but the problem is that these are all internal DNS entries, so it's no longer trivial to get Let's Encrypt going. However, Let's Encrypt lets you generate wildcard certificates via the DNS challenge, which only requires adding records at a public DNS provider.
So a scheduled job running Certbot, along with the Cloudflare plugin (Cloudflare is my public DNS host), got me up and running nice and easily. The trick is how to share the certificates around everywhere. Not through the Proxmox UI, but in the container config files, you can add mount points that are shared between multiple containers. Another scheduled job later, it now copies the certificates into this share and also generates all the different formats I require (Certbot gives PEM files, but some things I needed P12 for).
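Here is what that second scheduled job can look like, as an added example rather than the script from the post: it copies Certbot's PEM output into a directory bind-mounted into the containers, derives a P12 bundle with openssl, and refuses to publish an expired certificate. The paths, the `bundle.p12` name, the password file and the `mp0` mount line in the comments are assumptions.

```shell
#!/bin/sh
# Publish Certbot PEM files into a host directory shared with LXC containers and
# derive a PKCS#12 bundle. Paths and names are assumptions, not the blog's script.
# Expose SHARE_DIR to a container read-only with a line like this in the
# container's /etc/pve/lxc/<id>.conf (assumed layout):
#   mp0: /srv/certs,mp=/mnt/certs,ro=1
set -eu

# publish_certs LIVE_DIR SHARE_DIR P12_PASS_FILE
#   LIVE_DIR      Certbot "live" directory holding privkey.pem and fullchain.pem
#   SHARE_DIR     host directory bind-mounted into the containers that need certs
#   P12_PASS_FILE file holding the PKCS#12 export password (kept off the command line)
publish_certs() {
    live="$1"; share="$2"; passfile="$3"
    [ -r "$live/privkey.pem" ] && [ -r "$live/fullchain.pem" ] || {
        echo "publish_certs: missing PEM files in $live" >&2; return 1; }
    # Never publish an expired certificate: services would pick it up on restart.
    openssl x509 -checkend 0 -noout -in "$live/fullchain.pem" >/dev/null || {
        echo "publish_certs: certificate in $live has expired" >&2; return 1; }
    mkdir -p "$share"
    umask 077   # new files start private; relax the public chain below
    # Write to a temp name and rename so a half-written key is never visible.
    cp "$live/fullchain.pem" "$share/fullchain.pem.tmp"
    mv "$share/fullchain.pem.tmp" "$share/fullchain.pem"
    cp "$live/privkey.pem" "$share/privkey.pem.tmp"
    mv "$share/privkey.pem.tmp" "$share/privkey.pem"
    openssl pkcs12 -export -inkey "$live/privkey.pem" -in "$live/fullchain.pem" \
        -passout "file:$passfile" -out "$share/bundle.p12.tmp"
    mv "$share/bundle.p12.tmp" "$share/bundle.p12"
    chmod 0644 "$share/fullchain.pem"                    # public chain
    chmod 0640 "$share/privkey.pem" "$share/bundle.p12"  # key material stays restricted
}

# make_test_cert DIR: constructed stand-in for Certbot output so the script can be
# exercised offline (a self-signed certificate, not a real Let's Encrypt one).
make_test_cert() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.internal" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" >/dev/null 2>&1
}

# p12_ok FILE PASS_FILE: confirm the bundle opens with the export password.
p12_ok() {
    openssl pkcs12 -in "$1" -passin "file:$2" -nokeys -noout >/dev/null 2>&1
}
```

Run it from cron or a systemd timer after Certbot's renewal; the containers only see the share, so the Certbot account and the Cloudflare API token never leave the host.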
Is this the perfect setup? No. I'll need to restart my various services to pick up certificate renewals, so a reverse proxy would probably be better. But in that case I'd have to handle multiple DNS entries in different locations. Perfect is the enemy of good, and this setup is good enough for me.
I use 1Password for handling all my various password requirements, but it'd be nice to have single sign-on for all my services. I had a look at Authelia, but I didn't like having to edit config files whenever adding new users, so I ended up going with Authentik, which is a really polished SSO service.
But where would I host it? I have a few services on my VPS too, so why not integrate them into this solution? I ended up installing Authentik on my VPS, which then redirects into my LAN as required.
Some services don't support OpenID Connect (OIDC), but Authentik has a solution for that: outposts. They handle the OIDC part for you, then forward on HTTP Basic Authentication where needed.
I've been meaning to set up Nextcloud again since moving away from my old VPS but never got around to it, so now was a good time to do it. I was having trouble with the AIO (All-In-One) container, and it had WAY more than I needed, so I stumbled across the community container for it. A lot more lightweight.
I am thinking of adding an externally visible proxy for my Nextcloud, however. It'd be nice to be able to get to my files without having to be on my Tailscale VPN (for example, if I'm on a corporate laptop).
One of the trickiest ones to set up was FreshRSS. It doesn't support OIDC natively but defers authentication to Apache. Getting the right combination of settings there was a bit of trial and error.
The only major service I don't have behind Authentik now is Technitium DNS, as its authentication is all custom. The second most-voted issue on their GitHub is to add OAuth2/OIDC support.
Totally unnecessary, but I added Prometheus and Grafana for monitoring. I'm still playing around with dashboards for that, but I have some for my public web server as well as Proxmox data.
For now, I think I have everything installed that I want, but I can see myself expanding it with more services. Give me ALL the things!!!