
Posted by photon_collider 18 hours ago

My Homelab Setup (bryananthonio.com)
233 points | 152 comments, page 2
polairscience 16 hours ago
A lot of people are talking about their backup storage solutions in here, but it's mostly about corporate cloud providers. I'm curious if anyone is going more rogue with their solution and using off-prem storage at a friend's house.

Which is to say, hardware is cheap, software is open, and privacy is very hard to come by. Thus I've been thinking I'd like to not use cloud providers and just keep a duplicate system at a friend's, and then of course return the favor. This adds a lot of privacy and quite a bit of redundancy. With the rise of WireGuard (and Tailscale I suppose), keeping things connected and private has never been easier.

I know that leaning on social relationships is never a hot trend in tech circles but is anyone else considering doing this? Anyone done it? I've never seen it talked about around here.

nsbk 15 hours ago
My off-prem backups are in a Tailscale-connected NAS at my parents' house. I'm in the process of talking a friend into having Tailscale configured to host more off-prem backups at his place as well. I'm moving out of iCloud for photo library management and into Immich. I really don't want to lose my photos and videos, hence the off-prem backups. Tailscale has been a blessing for this kind of use case.
polairscience 15 hours ago
Oooo. That's the other thing I need to figure out, because it's 90% for my photography. How have you liked Immich? Have you tried any other options?
Root_Denied 9 hours ago
I'm in the process of moving all my backups to Immich - honestly it's best in class software.

I'm able to set it up so that my SO and I can view all the pictures taken by the other (mostly cute photos of our dog and kid, but makes it easier to share them with others when we don't have to worry about what device they're on), have it set to auto-backup, and routed through my VPS so it's available effectively worldwide.

The only issue that I run into is a recent one, which is hard drive space - I've got it on a NAS/RAID setup with backups sent to another NAS at my parents' place, but it's an expensive drive replacement in current market conditions.

michelsedgh 4 hours ago
I recommend Ente Photos, harder to set up but feels much more robust, and it's end-to-end encrypted, which I prefer.
nine_k 16 hours ago
> hardware is cheap

Hardware was cheap a year ago. Whoever managed to build their boxes full of cheap RAM and HDDs, great, they did the right thing. It will be some time until such an opportunity presents itself again.

Evan-Purkhiser 13 hours ago
I do something like this! I'm based in NY but my dad's in LA. I put together an rpi5 + 5x SATA hat with 3 10TB WD Red drives using zraid1 (managed to pick these up over the holidays before prices started going up, $160 per drive!). 3D printed the case and got it running a diskless Alpine image with Tailscale and zrepl for ZFS snapshot replication. Just left it running in a corner at his place and told him not to touch it, heh.

Whole thing cost around $500. Before that I was paying ~$35 a month for a Google workspace with 5TB of drive space. At one point in the past it was “unlimited” space for $15 a month. Figure the whole thing will pay for itself in the next couple of years.

Actually just finished the initial replication of my 10TB pool. I ran into a gnarly situation where zrepl blew away the initial snapshot on the source pool just after it finished syncing, and I ended up having to patch in a new fake "matching" snapshot. I had Claude write up a post here, if you'll excuse the completely AI-generated "blog post"; it came up with a pretty good solution: https://gist.github.com/evanpurkhiser/7663b7cabf82e6483d2d29...

Jedd 11 hours ago
Yes, absolutely. I move between two sites, and also run some gear at my sibling's home, so I have the 3 separate sites thing sorted. ECC + RAID1 + borg at each site gives archival capability on top of standard backup.

Syncthing has the 'untrusted peer' feature, which I've only used once, accidentally, but I believe provides an elegant way of providing some disk for a friend while maintaining privacy of the content.

mtsolitary 15 hours ago
I get 3-2-1 backups with no "big cloud" dependency using:

- My Mac
- My NAS (RAID1) using Syncthing
- Incremental borg backups to rsync.net (geo-redundant plan) with a cron job
kleebeesh 18 hours ago
Neat!

> Right now, accessing my apps requires typing in the IP address of my machine (or Tailscale address) together with the app’s port number.

You might try running Nginx as an application, and configure it as a reverse proxy to the other apps. In your router config you can set up foo.home and bar.home to point to the Nginx IP address. And then the Nginx config tells it to redirect foo.home to IP:8080 and bar.home to IP:9090. That's not a thorough explanation but I'm sure you can plug this into an LLM and it'll spell it out for you.
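An added example of the Nginx reverse-proxy layout sketched above (not code from the comment or from the linked post): one server block per internal hostname, each forwarding to an app port on the same host, plus a catch-all that refuses unknown names. The hostnames and ports are the ones in the comment; the 192.168.1.10 bind address is an assumption, and the file is assumed to be included from the http context (for example as a file under conf.d).

```nginx
# Assumed: this file is included from http {}, e.g. /etc/nginx/conf.d/homelab.conf.
# 192.168.1.10 is an assumed LAN address of the Nginx host; the router's DNS
# points foo.home and bar.home at that address.

# Pass the original Host and client address to every app (inherited by the
# locations below, which define no proxy_set_header of their own).
proxy_set_header Host              $host;
proxy_set_header X-Real-IP         $remote_addr;
proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

# WebSocket support for apps that use it (many self-hosted dashboards do).
proxy_http_version 1.1;
proxy_set_header Upgrade    $http_upgrade;
proxy_set_header Connection $connection_upgrade;
map $http_upgrade $connection_upgrade {
    default upgrade;
    ""      close;
}

# foo.home -> app listening on port 8080 on this host
server {
    listen 192.168.1.10:80;        # bind to the LAN address, not 0.0.0.0
    server_name foo.home;
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}

# bar.home -> app listening on port 9090 on this host
server {
    listen 192.168.1.10:80;
    server_name bar.home;
    location / {
        proxy_pass http://127.0.0.1:9090;
    }
}

# Requests with an unknown or missing Host header get no app at all: close the
# connection instead of silently falling through to the first server block.
server {
    listen 192.168.1.10:80 default_server;
    server_name _;
    return 444;
}
```

Validate with `nginx -t` before reloading; if an app runs on another machine, replace 127.0.0.1 in its proxy_pass with that host's address.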

c-hendricks 17 hours ago
Also recommending using a DNS server that points `*.yourdomain` to your reverse proxy's IP. That way requests skip going outside your network, and it helps for ISPs that don't work with "loopback" DNS (quotes because I don't know the proper term).

You can then set your DNS in Tailscale to that machine's tailnet IP and access your servers when away without having to open any ports.

And bonus, if it's pihole for dns you now get network-level Adblock both in and outside the home.

mnahkies 17 hours ago
Personally I'm using haproxy for this purpose, with Lego to generate wildcard SSL certs using DNS validation on a public domain, then running coredns configured in the tailnet DNS resolvers to serve A records for internal names on a subdomain of the public one.

I've found this to work quite well, and the SSL, whilst somewhat meaningless from a security pov since the traffic was already encrypted by WireGuard, makes the web browser happy so is still worthwhile.

pajamasam 16 hours ago
This worked for me to get subdomains and TLS certificates working on a similar setup: https://blog.mni.li/posts/internal-tls-with-caddy/
Frotag 18 hours ago
IME Androids don't respect static routes published by the router. I guess self-hosting DNS might be more robust, but I usually just settle for bookmarking the ip:port.
frumiousirc 18 hours ago
This (reverse proxy) is essentially what "tailscale serve" does.
anon7000 17 hours ago
Or just use Tailscale serve to put the app on a subdomain.
verdverm 18 hours ago
Caddy is increasingly popular these days too. I use both and cannot decide which I prefer.
victorio 18 hours ago
Caddy's configuration is so simple and straightforward, I love it. For sure a more comfortable experience for simple setups.
hk1337 17 hours ago
I like Caddy's integration with Cloudflare for handling SSL, and when I originally saw the idea it was promoted as an easy way to have SSL for a homelab, but I don't use real domains for my internal apps and that is required with Cloudflare.
cyberpunk 16 hours ago
Caddy has Tailscale integration I think too, so your foo.bar.ts.net "just works".
verdverm 17 hours ago
The pain I've had with it is distributed configuration, i.e. multiple projects that want to config rules. I've been using the JSON API rather than their DSL.

Do you know how I might approach this better?

windexh8er 17 hours ago
I think most homelabbers default to Caddy and/or Traefik these days. Nginx is still around with projects like NPM (the other NPM), but Caddy and Traefik are far more capable.

DevOpsToolbox did a great video on many of the reasons why Caddy is so great (including performance) [0]. I think the only downside with Caddy right now is still how plugins work. Beyond that, however it's either Caddy or Traefik depending on my use case. Traefik is so easy to plug in and forget about and Caddy just has a ton of flexibility and ease of setup for quick solutions.

[0] https://www.youtube.com/watch?v=Inu5VhrO1rE

verdverm 17 hours ago
"Far more capable" is an exaggeration.

I use both, they are by and large substitutable. Nginx has a much larger knowledge base and ecosystem, the main reason I stick with it.

philsnow 17 hours ago
I agree with you that they're more or less equal. I don't like the idea of my reverse proxy dealing with letsencrypt for me, personally, but that's just a preference.

One tricky thing about nginx though, from the "If is evil" nginx wiki [0]:

> The if directive is part of the rewrite module which evaluates instructions imperatively. On the other hand, NGINX configuration in general is declarative. At some point due to user demand, an attempt was made to enable some non-rewrite directives inside if, and this led to the situation we have now.

I use nginx for homelab things because my use-cases are simple, but I've run into issues at work with nginx in the past because of the above.

[0] https://nginx-wiki.getpagespeed.com/config/if-is-evil
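An added illustration of the pitfall the quoted wiki page describes (a constructed example, not code from the comment or from the wiki): the `if` version looks like it sets one header per condition, but because each `if` inside a location is an implicit nested location and a request matching several of them is served by the last one only, the first header is silently lost; the `map` version is declarative and is the usual replacement. The hostnames, the X-App header and the certificate paths are made up.

```nginx
# Constructed example. Goal: tag responses with the app name per hostname and
# send HSTS only on TLS connections.

# Pattern to avoid: `if` inside a location. For an https request to foo.home
# both conditions are true, the request ends up in the second if-location,
# and X-App: foo is never sent.
#
#   location / {
#       if ($host = foo.home) { add_header X-App foo; }
#       if ($scheme = https)  { add_header Strict-Transport-Security "max-age=31536000"; }
#       proxy_pass http://127.0.0.1:8080;
#   }

# Declarative replacement: derive each value with map (http context) and add
# the header unconditionally. add_header does not emit a header whose value
# is empty, so the default branch means "do not send it".
map $host $app_name {
    default  "";
    foo.home foo;
    bar.home bar;
}

map $scheme $hsts_value {
    default "";
    https   "max-age=31536000";
}

server {
    listen 80;
    listen 443 ssl;
    server_name foo.home bar.home;
    ssl_certificate     /etc/ssl/homelab/fullchain.pem;   # placeholder paths
    ssl_certificate_key /etc/ssl/homelab/privkey.pem;

    location / {
        add_header X-App $app_name;
        add_header Strict-Transport-Security $hsts_value always;
        proxy_pass http://127.0.0.1:8080;
    }
}
```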

dwedge 14 hours ago
I'm not sure why Apache is so unpopular; it can also function as a reverse proxy and doesn't have the weird configuration issues nginx has.

Some people take this way too far. For instance, I've seen places compiling (end-of-life) modsec support into nginx instead of using the webserver it was built for.

ls612 16 hours ago
The part you are leaving out is that you also need to set up something like a pihole (which you can just run in a container on the homelab rather than on a pi) to do the local DNS resolution.
mcbuilder 9 hours ago
I did the exact same thing except with a virtualized OPNsense router and bare-metal Kubernetes on one host. The Kubernetes broke and I downgraded from 32GB of RAM to 16GB. I actually may revisit the setup since OPNsense FRR and Cilium BGP to peer your cluster and home LAN is actually a really seamless way to self-host things in Kubernetes. Maybe there are other ways, maybe there is something simpler, but a homelab is about fun more than pure function.
garyfirestorm 13 hours ago
You can use https://nginxproxymanager.com/ to manage various services on your homelab. It works flawlessly with Tailscale: I can connect to my tailnet and simply type http://service.mylocaldomain to open the service. You will also need AdGuard -> AdGuard DNS rewrite -> *.mylocaldomain forwards to the NPM instance, and the NPM instance has all the information about which IP:PORT has which service. Also, Tailscale DNS should be configured to use AdGuard -> you can turn off adblock features if they interfere with any of your stuff.

I would also suggest using two instances of AdGuard (one as backup) and two instances of NPM.

buybackoff 12 hours ago
TrueNAS works perfectly as a VM, e.g. on Proxmox, with passing through a SATA controller from the motherboard. It may not always work with bad IOMMU groups, but I have this on an old Xeon Precision Tower 3420 and a not-so-old Asus Z690 motherboard. NVMe passthrough should be straightforward as well. No need for LSIs or cheap PCI-to-SATA cards if the number of existing physical slots is enough. And as far as TrueNAS is concerned, it's bare-metal disk access. Even the latest TrueNAS is not in the same league as Proxmox for managing VMs/containers, not even close.
Prabhapa 8 hours ago
Use Cloudflare & Cloudflare Tunnels for exposing your apps over the internet via custom domains. It's free of cost. Tailscale only allows 3 devices, I suppose. If we have more devices to be able to connect to, then Cloudflare is the best.
tgrowazay 6 hours ago
Tailscale is free for up to 3 users with up to 100 devices.
Pooge 3 hours ago
> use cloudflare

Please don't

hk1337 17 hours ago
This is a lot like my similar setup in hardware. I just repurposed a PC I was using for Windows that I barely used anyway. I would like to move that to a Framework Desktop mounted in my mini rack at some point though.

I ended up making my own dashboard app, not as detailed as Scrutiny, because I just wanted a central place that linked to all my internal apps so I didn't have to remember them all, and have a simple status check. I made my own in Go though, because the main ones I found were NodeJS and were huge resource hogs.

gehsty 14 hours ago
I'm using a refurbed M4 Mac mini, connected to a UniFi NAS Pro 8, super fun and straightforward. Feels like I only have to do the tinkering I want to do.
navigate8310 18 hours ago
Why are you using restic, when TrueNAS offers native solutions to backup your data elsewhere?
dizhn 27 minutes ago
Encryption, deduplication, snapshots. Although if the poster has a ZFS-based system elsewhere, ZFS-based backups would be fantastic.
PunchyHamster 17 hours ago
Exactly because it isn't TrueNAS-specific, I'd imagine.
EdNutting 16 hours ago
Have a look at Headscale to avoid the cost of Tailscale for small home setups.
SauntSolaire 13 hours ago
I believe Tailscale is free to use for small home setups. It's limited to 3 users and 100 devices which has been plenty for my homelab setup.
drnick1 16 hours ago
This, or simply expose a VPN (WireGuard) port on a public IP. I don't see why you need to involve any third parties in such a setup.
EdNutting 14 hours ago
For a single machine, yeah, WireGuard is fine. For my multi-user, multi-machine, many-service home lab, it's quite helpful to have the extra small features that Headscale offers (and some it exposes in a more convenient way).

Edit: Tailscale has a fairly frank page on Wireguard vs Tailscale with suggestions on when to use which: https://tailscale.com/compare/wireguard

miloschwartz 11 hours ago
Pangolin is also a good choice. Can be fully self-hosted. Also based on WireGuard.

Handles both browser-based reverse proxy access and client-based P2P connections like a VPN.
