This commit is contained in:
@@ -7,7 +7,7 @@ image: "/images/posts/homelab-hp-prodesk.jpeg"
|
||||
|
||||
## Set And Setting
|
||||
|
||||
I just turned 30. My beard's filling in. It's time to make a homelab. I looked online for something a step above a Raspberry Pi but in the same price range. I found it. I went to a protest. I bought a little computer off some middle-aged dude on the steps of the Sofia National Theatre. **The government resigned the next day.**
|
||||
I just turned 30. My beard's filling in. It's time to make a homelab and get into self-hosting. To dip my toes in, I looked online for something a step above a Raspberry Pi but in the same price range. I found it. I went to a protest. I bought a little computer off some middle-aged dude on the steps of the Sofia National Theatre. **The government resigned the next day.**
|
||||
|
||||
## The Machine
|
||||
|
||||
@@ -20,14 +20,13 @@ Self-host everything. Own your data. Control your infrastructure. Give a corpora
|
||||
The requirements:
|
||||
- Photo backup with mobile access and scripted regular backups to an external drive
|
||||
- Git hosting for personal projects and showing off.
|
||||
- A blog platform - you're **here**
|
||||
- A self-deploying blog platform where I just push my posts as source code - you're **here**
|
||||
- Infrastructure monitoring
|
||||
- Accessible anywhere via HTTPS
|
||||
- Automated deployments
|
||||
|
||||
## The Plumbing
|
||||
|
||||
I bought this domain for 2 years at the very likeable price of 5 dollars. I ran it through CloudFlare for the added security tools and better analytics on traffic. I'm behind 2 NATs on any end device of my home network. I have an ISP gateway and a router. I took turns placing my server behind each and now it's stuck right behind the gateway.
|
||||
I bought the domain for 2 years at the very likeable price of 5 dollars. I ran it through CloudFlare for the added security tools and better analytics on traffic. I'm behind 2 NATs on any end device of my home network. I have an ISP gateway and a router. I took turns placing my server behind each and now it's stuck right behind the gateway.
|
||||
|
||||
## The Services - containers all the way
|
||||
|
||||
@@ -41,8 +40,6 @@ Everything runs in Docker containers, each with its own compose file for isolati
|
||||
|
||||
- **Portainer:** Web-based Docker management. Useful for getting quick container info without SSH access. I might keep it, I might not.
|
||||
|
||||
- **Uptime Kuma:** Kind of unnecessary but I was having fun. Monitors all services and tracks uptime statistics. Provides notifications when services become unavailable.
|
||||
|
||||
- **A DIY Simple DDNS Updater:** Synchronizes dynamic IP addresses with Cloudflare DNS records. This proved essential given that I don't have a static IP but ended up causing me a lot of issues when I forgot to make it update the correct place.
|
||||
|
||||
- **Tailscale:** Mesh VPN providing secure access to internal services without port forwarding. Also serves as a workaround for NAT loopback limitations.
|
||||
@@ -56,7 +53,7 @@ I have an old 1TB external HDD in good health (checked) that I decided to use fo
|
||||
## The (Mostly Networking) Problems
|
||||
|
||||
### SSLn't
|
||||
The initial deployment of Immich was smooth sailing all the way until I decided to try accessing it through my phone on 5G. Then started the troubles with NPM (nginx proxy manager, not the node package manager). Either due to improper routing and networking configuration or who knows what, I couldn't get a certificate with the HTTP challenge method. This lead to moving nameservers to Cloudflare and using the API to request certificates with the DNS method.
|
||||
The initial deployment of services was smooth sailing all the way until I decided to try accessing one through my phone's 5G. Then started the troubles with NPM (nginx proxy manager, not the node package manager). Either due to improper routing and networking configuration or who knows what, I couldn't get a certificate with the HTTP challenge method. This lead to moving nameservers to Cloudflare and using the API to request certificates with the DNS method.
|
||||
|
||||
### Two NATs for the price of one
|
||||
The initial "topology" placed the server behind both my ISP gateway and my router, creating double NAT. Port forwarding rules existed on both devices. Services worked from the local network but were unreachable from external.
|
||||
@@ -64,13 +61,16 @@ The initial "topology" placed the server behind both my ISP gateway and my route
|
||||
The solution involved me facepalming when I realized I could eliminate one layer entirely and connecting the server directly to the gateway. This was my first "big" breakthrough.
|
||||
|
||||
### The only constant (IP) is change
|
||||
While troubleshooting why I can't reach anything externally, Claude went throught some logs and saw I had 3 IP changes in the span of a day.
|
||||
While troubleshooting why I can't reach anything externally, Claude went through some logs and saw I had 3 IP changes in the span of a day.
|
||||
The root cause: the DDNS updater was configured for Namecheap (where I bought the domain), but DNS had been migrated to Cloudflare for the free API access. When the public IP changed, the actual DNS records never updated.
|
||||
|
||||
### NAT Loop-de-loop(back)
|
||||
The gateway I have doesn't support NAT hairpinning (or at least I didn't find a weirdly named option for it). This prevemtns accessing my services with their public domains from the internal network. For the time being I've resorted to editing the hosts files on local machines. Tailscale is also an option as mentioned earlier.
|
||||
The gateway I have doesn't support NAT hairpinning (or at least I didn't find a weirdly named option for it). This prevents accessing my services with their public domains from the internal network. For the time being I've resorted to editing the hosts files on local machines. Tailscale is also an option as mentioned earlier.
|
||||
|
||||
### Not killing my old external HDD - only one I haven't solved
|
||||
|
||||
***Sike! I fixed it and it's been running great - [read more](https://blog.jawhng.xyz/posts/usb-hdd-power-management)***
|
||||
|
||||
It spins down when not in use. Or at least that was the idea. While troubleshooting DNS at around 3AM I wend to unplug a LAN cable and heard the little HDD idling. This means the spindown doesn't work quite right so the HDD stays idling at all times which would kill it rather quickly. At the time of writing this I'm still working on it.
|
||||
|
||||
|
||||
@@ -78,17 +78,17 @@ It spins down when not in use. Or at least that was the idea. While troubleshoot
|
||||
|
||||
This entire setup was built with assistance from Claude Code. Every configuration file, troubleshooting session, and architectural decision involved Claude. I don't know how to do many of these things by heart or at all and this whole adventure would have taken a couple weeks at least.
|
||||
|
||||
Claude did all the heavy lifting on favorites such as interpreting errors, handling mismatches in networking and writing documentation and configs. I provided context, made final decisions, and occasionally overruled suggestions with my personal preference or (rarely) where I knew Claude was wrong. **This gives me a fully setup that is both working for me and teaching me about its workings. AKA I am learning about how this works while it works in my own living room.**
|
||||
Claude did all the heavy lifting on favorites such as interpreting errors, handling mismatches in networking and writing documentation and configs. I provided context, made final decisions, and occasionally overruled suggestions with my personal preference or (rarely) where I knew Claude was wrong. **This gives me a full setup that is both working for me and teaching me about its workings. AKA I am learning about how this works while it works in my own living room.**
|
||||
|
||||
## Key Takeaways
|
||||
|
||||
**Network topology matters.** NATs (yes, multiple), forwarding ports, proxying DNS, etc. Crouching over LAN cables in your underwear on a freezing night. I have a lot to learn.
|
||||
**Network topology matters.** NAT, forwarding ports, proxying DNS, etc. Crouching over LAN cables in your underwear on a freezing night. I have a lot to learn.
|
||||
|
||||
**Dynamic DNS is a fact of life** I'm sure ISPs change IP addresses just to mess with you. Automated DDNS definitely saved me a couple times.
|
||||
|
||||
**It's loog! It's loog! It's better than bad - it's good!** It's good to have everything dilligently logging its every step. Even better when you have AI read the logs for you.
|
||||
**[It's loog! It's loog! It's better than bad - it's good!](https://www.youtube.com/watch?v=8-9scNP5KWk)** It's good to have everything diligently logging its every step. Even better when you have AI read the logs for you.
|
||||
|
||||
**Container orchestration simplifies management.** Claude Code says: *"Docker Compose provides clear service definitions, easy updates, and straightforward rollbacks."* I know absolutely nothing about that but I'll learn in time.
|
||||
**Container orchestration simplifies management.** Claude Code says: *"Docker Compose provides clear service definitions, easy updates, and straightforward rollbacks."*
|
||||
|
||||
**VPN access solves edge cases.** Tailscale addresses the NAT loopback issue and the "I'm not home right now" issue. It also simplifies network architecture. Wireguard on its own eliminates the need of a 3rd party service so it's on the table.
|
||||
|
||||
|
||||
Reference in New Issue
Block a user