N0x0n
@N0x0n@lemmy.ml
- Comment on [Question] Visual feedback of my Linux homelab setup/system? 1 week ago:
This seems cool and is not off topic at all :) It does seem to answer to my “question” and seems a nice thing to have :) However, someone suggested Terraform but after some reading it’s not the tool I was looking for… Ansible seems more the like I guess ! But coolify seems also very interesting ! Different and more similar to my current setup.
I think Terraform, Ansible, Tofu are the next generation tool to solve my current issue… They are declarative tools ! But I don’t want to rush things and have another dead setup lying arround !
Thanks for your reply !
- Comment on issues setting up nginx as an https proxy 1 week ago:
This is indeed similar ! And looks like a working certificate :) (You even use as .csr file).
The book adds something (Not very useful but kinda neat to have): a certificate revocation setup and an IntermediateCA signed by your rootCA. So you can keep your rootCA out of your system :)
- Comment on issues setting up nginx as an https proxy 1 week ago:
(Thanks to darkan15 for explaining that).
I have to look at his answer to have a better understanding :P
The diagram would be useful. Considering that rn I’m losing my mind between man pages.
I’m working on it right now :) I’m a bit overwhelmed with my own LAN setup, and trying to get some feedback from other users :P
As for the book… I can’t accept. Just give me the name/ISBN and I’ll provide myself. Still. Thanks for the offer.
Good. If you have the money to spare please pay for it otherwise you know the drill :) (Myself I’m not able to pay the author so it’s kinda hypocrite on my end… But doing some publicity is also some kind of help I guess?)
Demystifying Cryptography with OpenSSL 3 . 0 by Alexei Khlebnikov <packt>
ISBN: 978-1-80056-034-5
It’s very well written, even as a non-native it was easy to follow :). However, let me give you something along the road, something that will save you hours of looking around the web :) !
Part 5, Chapter 12: Running a mini-CA is the part you’re interested in and that’s the part I used to create my server certificates.
HOWEVER: When he generates the private keys, he uses the
ED448 algorithm
, which is not going to work for SSL certificates because not a single browser accepts them right now (same thing goes for Curve25519). Long story short, If you don’t want to depend on NIST curves (NSA) fall back to RSA in your homelab ! If you are interested in that story go top123
:Brainpool curves are proposed by the Brainpool workgroup, a group of cryptographers that were dissatisfied with NIST curves because **NIST curves were not verifiably randomly generated, so they may have intentionally or accidentally weak security. **
Here is a working example for your certificates:
Book:
$ mkdir private $ chmod 0700 private $ openssl genpkey \ -algorithm ED448 \ -out private/root_keypair.pem
But should be:
$ mkdir private $ chmod 0700 private $ openssl genpkey \ -algorithm RSA \ -out private/root_keypair.pem
You have to use RSA or whatever curve you prefer but accepted by your browser for EVERY key you generate !
Other than that, it’s a great reading book :) And good study material for cryptography introduction !
- Comment on [Question] Visual feedback of my Linux homelab setup/system? 1 week ago:
Sorry, what do you mean by physical/logical diagrams :S! You mean something like Excalidraw ?
I did It for sometimes, but If I do some changes in my setup I always have to keep that update also… So I have to think about it… I do like drawing those diagrams, but keeping those updated is sometimes not directly possible and I can get forgetful !
- Comment on [Question] Visual feedback of my Linux homelab setup/system? 1 week ago:
Thanks for the pointer :). I’m more into open source, so TrueNAS is maybe more fitting, however I’m not sure I do understand it right… Those are OSes? Not some application I can host in a container right? More like Proxmox ?
- Submitted 1 week ago to selfhosted@lemmy.world | 10 comments
- Comment on issues setting up nginx as an https proxy 1 week ago:
Sorry I didn’t respond earlier :S !
To let me access the services both from the desktop and the laptop. I’d need to have two DNS resolvers, since for the laptop it needs to resolve to the 192.168.0.* address of the homelab router. While for the desktop it needs to resolve directly to the 10.0.0.* address of the server.
I’m not entirely sure if I get what you mean here. If you have a central DNS resolver like pihole In your LAN it can resolve to whatever is there. I have a pihole which resolve to itself (can access it as pihole.home.lab) and resolves to my server’s reverse proxy, which handles all the port shenanigan and services hosted on my server. I think I can try to make a diagram to show how it works in my LAN right now, not sure if this can be helpful by any mean, but this would allow me to have a more visual feedback of my own LAN setup :P. However, I do use Traefik as my reverse proxy for my docker containers, so I won’t apply to nginx and I’m not sure if this is possible (It probably is, but nginx is a mystery for me xD)
Also, little question. If I do manage to set it up with subdomains. Will all the traffic still go through port 1403? Since the main reason I wanted to setup a proxy was to not turn the homelab’s router into Swiss cheese.
Your proxy should handle all the port things. Your proxy listens to all :80 :443 Incoming traffic and “routes” to the corresponding service and it’s ports.
While I do have my self-learned self-hosted knowledge, I’m not an IT guy, so I may be mistaken here and there. However, I can give you a diagram on How it works on my setup right now and also gift you a nice ebook to help you setup your mini-CA for your lan :)
- Comment on issues setting up nginx as an https proxy 1 week ago:
Subpaths are things of the past (kinda) ! SSL wildcards are going to be a life saver in your homelab !
I have a self-signed rootCA + intermediateCA which are signing all my certificates for my services. But wait… It can get easier just put a wildcard domain for your homelab (*.home.lab) and access all your services in your lan with a DNS provider (pihole will be your friend!).
Here is an very simplified example:
-
Create a rootCA (certificate authority) and put that on every device (Pc, laptop, android, iphone, tv, box…)
-
Sign a server certificate with that rootCA for the following wildcard domaine: *.home.lab and put that behind a reverse proxy.
-
Add pihole as DNS resolver for your local domain name (*.home.lab) or if you like you can manually add the routes on all devices… But that"s also a thing of the past !
-
Let your proxy handle your services
Access all your services with the following url in your lan
This works flawlessly without the need to pay for any domain name, everything is local and managed by yourself. However, it’s not that easy as stated above… OpenSSL and TLS certificates are a beast to tame and lots of reading ^^ so does Ngnix or any other reverse proxy !
But as soon as you get the hang of it… You can add a new services in seconds :) (specially with docker containers !)
-
- Comment on If I use Caddy for reverse-proxying into another local machine... is my local connection not HTTPS? 2 weeks ago:
It’s really a good book :) And the last part is all about a mini-ca for your homelab !
However, don’t use the ED448/ED25519 algorithm based certificates for TLS as mentioned in the example… They are still not supported by any browser !
If you can support the author, please do ! If you’re on a budget, it’s really easy to find in the piracy corner.
- Comment on If I use Caddy for reverse-proxying into another local machine... is my local connection not HTTPS? 2 weeks ago:
Yeah thats correct !
I Wouldn’t say heavy though (maybe I see it that way because I got a bit better with bash and the like :p) because you can make use of CLR to revoke your certificates and renew them very easily with your intermediate and ready to use config files.
But yeah, there isn’t any automated way to manage certificates like Smallstep does :)
- Comment on If I use Caddy for reverse-proxying into another local machine... is my local connection not HTTPS? 2 weeks ago:
Or simply create your rootCA, IntermediateCA, keys and certifictes with openSSL.
Neither of those are begginer friendly but openSSL is probably a bit easier to get started. There’s a nice book with openSSL (if you are interested I migh look how it’s called) and the last chapter is all about how to create your mini-CA and everthing else to serve your proxy with valid certificates for your homelab.
- Comment on retiring the pigeon homelab 3 weeks ago:
Them probably uses a special plugin device in the outlet.
I have this bash script you can use and have a general overview but I’m not totally sure if I fully understand it and if it’s the whole system’s wattage or only the CPU 🤷♂️
#! bash time=5 sum_1=$(cat /sys/class/powercap/*/energy_uj | awk 'BEGIN { sum = 0; } { sum += $1; } END { print sum; }' "$@"); echo "before" $sum_1 sleep $time; sum_2=$(cat /sys/class/powercap/*/energy_uj | awk 'BEGIN { sum = 0; } { sum += $1; } END { print sum; }' "$@"); echo "after" $sum_2 sum_1f=$(printf "%.0f" $sum_1) sum_2f=$(printf "%.0f" $sum_2) final_sum=$(echo "(($sum_2f - $sum_1f) / 1000000) / $time" | bc -l) #echo $final_sum | bc -l | xargs printf "%.2f\n" formated=$(echo $final_sum | bc -l | xargs printf "%.2f\n") echo $formated "w"
- Comment on mkdocs for recipe catalogue 4 weeks ago:
Haha ! Good to keep your brain cells functioning 👍
- Comment on mkdocs for recipe catalogue 4 weeks ago:
Wow ! I will still try mealie /Tandoor for family purpose and ease of use. If it doesn’t work as expected, I will totally try this out !!
One question if you don’t mind,
servings Indicates how many people the recipe is for. Used for scaling quantities. Leading number is used for scaling, anything else is ignored but shown as units.
Does this function work well? I didn’t saw any examples so maybe you could tell me :)
Thanks !
- Comment on How to selfhost with a VPN 4 weeks ago:
Fair point ! Yeah sure if you host a blog online it doesn’t make sense… But if you only self-host your services for family and some friends and access them over VPN, a local CA is actually a privacy respecting choice.
Hosting something on the web (specially self-hosted) without the propre software and hardware is a bad idea in the first place anyway !
- Comment on How to selfhost with a VPN 5 weeks ago:
I also believe it’s possible to set up HTTPS encryption without a domain name, but it might result in that “we can’t verify the authenticity of this website” warning in web browsers due to using a self-signed certificate.
Just create your own rootCA and IntermediateCA and sign your certificate with those, put the CA in your trust store of your system and get rid of this self-signed warning on every device and happily access all your service via: *.home.lab or whater ever local domain pleases you.
- Comment on How to selfhost with a VPN 5 weeks ago:
In addition to that, without a secure connection you’re stuck with HTTP/1.1
That’s not entirely true. A lot of requests, even with https, are send over HTTP/1.1. And this is kinda mind blowing that in 2025 we still rely on something so old and insecure…
Same goes with SMS and the old SS7 protocol from 1970… 2FA SMS is probably the most insecure way to get access to your bank account or what ever service promotes 2FA sms login.
- Comment on [deleted] 1 month ago:
What application do you use on your phone to mount samba shares (Android)? I know Amaze can mount those but they are not easily accessible by other applications.
- Comment on [deleted] 1 month ago:
Not sure this is what you are looking for but navidrome has smart playlists, which is a small configuration file you can add to your navidrome and will automagically create a playlist in your navidrome based on your config.
- Comment on Best Practice Ideas 1 month ago:
Was going to say the same ! Such a cutsy nice little mini-rack/server setup !
Still fighting my spaghetti setup with cables sprouting everywhere.
- Comment on Jellyswarrm - reverse proxy all your Jellyfin servers from a single interface, presenting as a standard Jellyfin server, clients should work out of the box. 1 month ago:
You can already do that (somehow) with tags and libraries. There’s a plugin for that.
But yeah this looks less complicated to setup and maintain !
- Comment on Do I need the ISPs home router? 1 month ago:
Actually, there are ways for home customers to replace their XGS-PON to use your own hardware (Orange, Free, SFR…) And some other cool stuff and very helpful info at lafibre.info forum !
- Comment on What game sequel ruined a beloved franchise or character for you? 1 month ago:
I know the atmospheric design is doom like (aliens, weapons, paltforms…etc.) but gameplay mechanics were totally inovative and original (wall walking, portals, spirit walk) and chracter focus was also cool (native american).
I’m not saying Prey 2016 is a Bad game, I just found it sad that they totally changed the franchise spirit 😄
- Comment on What game sequel ruined a beloved franchise or character for you? 1 month ago:
Probably unpopular opinion but Prey is clearly on that list ! Not because the new game was bad, but they just took everything that was interesting and original in the first game, throw it away and just made it another doom-like game :/…
The original Prey wasn’t a GOTY or whatever, it just felt different and something new and original… Something I liked and they just made a total reboot with nothing in common on what made prey original/interesting !
- Comment on twitter 2 months ago:
You forgot the repeatedly, overused and brain wrecking sound FX ! Horrible… How can an human support those uncanny sound effects again and again… And again !!!
Yes those are not new and were already present in movies YEARS ago ! But the same sound effect every second on every tiktok? Ugh… Horrible.
- Comment on Can no longer access my old instance (lemmings.world) because I'm from the UK. I made several communities there. Is there any way I can mod them again or do I move them to this instance? 2 months ago:
To give you a concrete exemple, while it isn’t directly relates to EU laws, France enforced age verification for pornsite to protect the children !
So it seems to me they are slowly, bit by bit, enforcing those stupid laws not EU wise, but country by country ^^!
- Comment on Can no longer access my old instance (lemmings.world) because I'm from the UK. I made several communities there. Is there any way I can mod them again or do I move them to this instance? 2 months ago:
I think they are talking about age verification for something like porn ^^'!
For the chatcontrol thing, it’s only a matter of when and not if.
- Comment on romm v4.0.0 (self-hosted ROM manager/player) has been released 2 months ago:
Looks cool, bookmarket for later use !
However, the GUI looks very Discordish and is probably inspired by it. I hope it only stays at that and won’t put some shady privacy nightmare code into it !
- Comment on Anubis is awesome! Stopping (AI)crawlbots 2 months ago:
Wow, what a combo ! I guess this would reduce the tarpit’s overall power consumption?
I haven’t looked at your link yet and maybe it already contains my answer, but I wish to customize for how long they are traped into the tarpit before fail2ban kicks in so I can still poison teir AI while saving alot of ressources !!
- Comment on Outgrown my Synology NAS, time for a proper dedicated machine 2 months ago:
Thanks for sharing your experience ! I was kinda interested for my new N300 if I should install promox+LXC-docker or promox+VM-docker !
Hearing you had a lot of issues and caveats makes my choice easier wihout even giving it a try ! So thanks !