

That would be my exit sign
Reminds me of Project Silica. Media historically was more durable (stone, ink and cloth paper, etc.) but had a low data density. As density increased, so did fragility.
So sad, I remember seeing his YT vid announcing his health updates and mentioning he was getting things in order to make his network more manageable for his family :(
He seemed like a great dude.
Is keeping everything inside of a local “walled garden”, then exposing the minimum amount of services needed to a WireGuard VPN not sufficient?
There would be no attack surface from WAN other than the port opened to WireGuard.
I have a somewhat dated (but decently spec'd) NUC running Proxmox, and it's the backbone of my home lab. No issues to date.
I was using a WD PR4100, but I upgraded to a Synology RS1221+ and it’s been fantastic :)
I have a beefed up Intel NUC running Proxmox (and my self hosted services within those VMs) and a stand alone NAS that I mount on the necessary VMs via fstab.
I really like this approach, as it decouples my storage and compute servers.
Join us; It’s fantastic.
I have a (beefy spec'd) Intel NUC that's running Proxmox. A few of the VMs mount to my RS1221+ for things like media (Jellyfin), etc.
On Proxmox I run
Probably missing a few, but that's the gist.
The safest (but not as convenient) way is to run a VPN, so that the services are only exposed to the VPN interface and not the whole world.
In pfSense I specify which services my OpenVPN connections can access (just an internal-facing NGINX for the most part), and then I can just go to jellyfin.homelab, etc. when connected.
Not as smooth as just having NGINX outward facing, but it gives me peace of mind knowing my network is locked down.
Yeah, I think I will end up creating a new ACL on NGINX to only allow those mgmt_allowed IPs. I tested it, and it seems to work fine. Not ideal, as I'd like to manage everything from pfSense, but I guess it's expected by the nature of proxies :P
Thanks for the reply! Yeah, I just tried the ACL in NGINX, and it seems to work fine. I can still ping the proxied services, but cannot connect to them. I guess I will maintain a separate mgmt_allowed list there like so
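As an added illustration (not the commenter's own config, which is not included above), this is what such a reusable mgmt_allowed list looks like in NGINX: one snippet file holding the allowed sources, included into each management location. The subnet, WireGuard peer address, hostname, certificate paths and Proxmox backend are all constructed placeholders.

```nginx
# /etc/nginx/snippets/mgmt_allowed.conf  (constructed example)
# Single place to maintain the management allow list; every
# admin-only location includes this file. Order matters: allow
# rules first, then the catch-all deny.
allow 192.168.10.0/24;   # constructed: trusted LAN admin subnet
allow 10.8.0.2/32;       # constructed: one WireGuard peer
deny  all;

# /etc/nginx/conf.d/proxmox.conf  (constructed example)
server {
    listen 443 ssl;
    server_name proxmox.homelab;   # constructed name resolved by Pi-hole

    ssl_certificate     /etc/nginx/certs/homelab.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/homelab.key;   # placeholder path

    location / {
        # Layer-7 filtering: hosts outside the list get 403 from NGINX.
        # ICMP (ping) still answers because nothing here touches the
        # firewall; the reverse proxy is what refuses the connection.
        include snippets/mgmt_allowed.conf;

        proxy_pass https://192.168.10.5:8006;   # constructed Proxmox backend
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # noVNC / shell consoles need WebSocket upgrade passed through
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Because `allow`/`deny` evaluate `$remote_addr`, the list only works as intended when clients reach NGINX directly rather than through another proxy that rewrites the source address.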
Ooo, very nice! If I use that script, can I generate certificates for a made up domain within my network (eg *.homelab), or do I need to use a domain I actually own?
I have heard of this, but I think if you self-host a CA, you have to add the cert to every device that wants access to the service right? For example, I’d have to add it to my TV if my TV connects to Jellyfin, to my laptop if my laptop needs access to Home Assistant, etc. I’m not sure my family would like that XD
That was my concern too. NGINX would need access to the internet in order to renew the certs.
Then I don't understand the need for either domain names or third-party signed certs. Can't you use Pi-hole as a configurable DNS server and just make any domain name go to any of your local devices?
Yes, that is how it is currently set up, and how I may end up leaving it. Right now, I can go to jellyfin.home, and that request gets routed to my Pi-hole, which has custom DNS entries, which then points to NGINX, and NGINX forwards it to the correct IP/port. All works as expected, except it is not HTTPS (which is not that big of a deal since all my stuff is restricted from the outside world). Just an OCD itch I'm trying to scratch.
Gotcha. Yeah I read about doing a self-hosted CA, but then I have to add the cert to every device that needs access to the service, which I don’t think the family would be thrilled about. I was going to use the cert generator in NGINX and use the key from my actual domain. This way I don’t need to add the certs manually.
My only worry is exposing something accidentally, but if my firewall rules prevent any outside access from my services (Jellyfin, Nginx, Homelab, etc) and the only thing with internet is the device accessing it (a laptop or TV), then I think I should be ok…
Very nice! And you don't have to worry about adding the cert to each device that wants to use the service, right? Since this isn't a self-hosted CA.
Happy to be here with you :)
Rsync or SCP?