Cross-posted (hopefully properly) from !selfhosting@slrpnk.net

Looking for some advice on what to do with my selfhosting setup. I currently have 2 Vostro 430s (salvaged from work), and have retrieved 5(!) newer computers from work:

  • 1 ThinkStation P330 (1x16GB RAM),

  • 2 ThinkCentre M720 SFFs (4x4GB RAM each), and

  • 2 ThinkCentre M73s (mixed RAM amounts/brands, may salvage from the Vostros depending)

The Vostros are currently set up with 1 of them being bare-metal Debian with a Pi-hole, and a Debian VM with a Headscale server, and the other being bare-metal Debian with… just a few containers, and bare-metal Tailscale as an exit node (I don’t like this, need to do better). Using Authelia with a password to block incoming connections, and Traefik as my reverse proxy. It also has 2x10TB and 1x7TB HDDs in RAID 1.

My current plan is to see if the M73s are good enough for light emulation (PS1 for sure, PS2 maybe) and Jellyfin, hook 1 up to my TV (to replace the 25’ HDMI that is slowly killing itself under its own weight), and 1 for a relative, connected to my server via Headscale/Tailscale.

I currently have 1 of the M720’s hosting a small webserver to learn HTML so I can replace my workplace’s website (I did do a temporary replacement already, but it’s not great). Trying to decide if it is staying completely separate, or if I am utilizing it in the overall setup.

Now, what I am looking for advice on, is how best to utilize what I have, and any recommendations on better software to use.

  • Do I dedicate each computer to different tasks, or learn how to do a Docker Swarm/Kubernetes cluster/something else?

  • Should I set up one device as a dedicated NAS, using a NAS-focused OS, or continue to use SSHFS mounts?

  • Should the file storage be on the best hardware I have available, mid-range, or should I save one of the Vostros specifically for being a NAS with nothing else running on it?

  • Should I learn how to do SSO with Authelia, or is there a better program for SSO? (I want to do better with security, and SSO feels like the best place to start.)

  • What do you recommend as a reverse proxy? I have my Traefik configs working great for automatic service discovery, but the way it stores the certs feels impossible to extract for other services that ask for them, and I have no idea what I am doing wrong with that. It hasn’t been a problem, but I feel like I should be doing better with this.

I had other thoughts, but they swam away while writing this. If you ask a question/make a comment and I don’t answer right away, it means I fell asleep and will answer tomorrow. I am open to any and all suggestions, and am happy to answer any clarifying questions!

  • DarkSirrush@piefed.ca (OP)
    9 hours ago

    Honestly too poor for backup storage atm, I have a manual backup of my important shit, but definitely not a robust setup.

    A few people have recommended Kanidm, definitely going to look at it - not the biggest fan of Authelia at this point. No real defaults, a ton of configuration steps you need to follow, and SSO was a pain to set up last time I looked.

    I have been considering Caddy, as Traefik has a few weird issues - for example, returning ‘I’m a teapot’ instead of its web frontend for no reason sometimes. Also, it’s near impossible to get usable certs to share with other services - it stores them in its own format, and the conversion tools don’t really work.

    • shads@lemy.lol
      2 hours ago

      I found Authentik was the one that stuck for me; Authelia was always a bit brittle. Using Caddy due to a mix of Docker and LXC containers making Traefik seem like a bit too much trouble. I used to use NPM but that was a bit of a pain to get working at one stage, and Caddy was the interim solution that hung on. I miss being able to manage the reverse proxy via GUI. But for how often I need to map new services, 5 lines in a config file to use the wildcard I already have is really no stress.

      I haven’t dug any deeper, but Proxmox keeps killing my router VM due to OOM at the moment, which is a bit of a pain, and every time I think I have it sorted it crops back up; it has only been doing it since the update from V8 to V9. I’m almost at the point where I just scrap Proxmox and run OPNsense bare metal, but it always seems like such a waste to have an N300 box with 16GB of RAM and a 1 TB SSD driving a small network; 20ish devices and a dozen or so VMs and containerised services don’t really stress that hardware.

      I initially started virtualising to get around periodic resets of the i226 network cards on my router box. Was kinda wild that virtualising and using Virtio was so much more stable and consequently faster than running on bare metal. Wonder if that’s changed since then.
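An added example, not the commenter's own config, of the "few lines per service under an existing wildcard" Caddyfile pattern described above, with Authentik forward auth in front of each service so the proxy refuses unauthenticated requests before they reach the app. Hostnames, certificate paths, container names and the Authentik outpost address are assumptions; the outpost URI follows Authentik's documented Caddy integration.

```caddyfile
# Added example; hostnames, paths and upstream addresses are assumptions.
*.home.example.com {
    # Reuse the wildcard cert and key already issued elsewhere (paths assumed).
    tls /etc/caddy/certs/wildcard.pem /etc/caddy/certs/wildcard.key

    # One host matcher per service; everything else falls through to 404.
    @jellyfin host jellyfin.home.example.com
    handle @jellyfin {
        route {
            # Authentik's outpost must stay reachable for the login flow.
            reverse_proxy /outpost.goauthentik.io/* authentik:9000

            # Every other request is checked against Authentik first;
            # only a 2xx from the outpost lets it continue to the app.
            forward_auth authentik:9000 {
                uri /outpost.goauthentik.io/auth/caddy
                copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email
                trusted_proxies private_ranges
            }

            reverse_proxy jellyfin:8096
        }
    }

    @pihole host pihole.home.example.com
    handle @pihole {
        route {
            reverse_proxy /outpost.goauthentik.io/* authentik:9000
            forward_auth authentik:9000 {
                uri /outpost.goauthentik.io/auth/caddy
                trusted_proxies private_ranges
            }
            reverse_proxy pihole:80
        }
    }

    # Unknown subdomains under the wildcard get no default backend.
    handle {
        respond 404
    }
}
```

Each new service is one matcher plus a handle block; the wildcard `tls` line and the 404 fallback are shared, so nothing under the wildcard is exposed without an explicit entry.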

      • DarkSirrush@piefed.ca (OP)
        35 minutes ago

        Yeah, I agree with Authelia feeling brittle. I have seen a lot of people switch from Traefik to Caddy, and I am definitely considering it at this point - I am a bit worried about the lack of GUI, as it is definitely easier to see if something is wrong by opening that up (when it actually works) than reading logs, but I also heard Caddy has a plugin for a GUI?

        I have considered looking at Proxmox, but I don’t think I do enough VMs to justify it, and I don’t have any dedicated WAPs so OPNsense just isn’t worth it for me, though if that ever changes I would definitely consider it.

      • VeganCheesecake@lemmy.blahaj.zone
        1 hour ago

        Huh, Authentik was what I used before Kanidm. Wasn’t anything wrong with it per se, but there were a lot of moving parts and complexity that didn’t really serve a purpose for me.

        I thought about Kubernetes or Proxmox, but I don’t really see any reason to. All my containers are controlled via Podman quadlets, and either run on a single machine locally, or on a VPS.

        • DarkSirrush@piefed.ca (OP)
          31 minutes ago

          A lot of moving parts and unnecessary complexity is why I want to drop Authelia; that, and the user management being a text file that I have to modify as root/change permissions on just to make a change, is annoying.