## Data:

I have a Synology for data accessible via NFS, SMB, and a couple of iSCSI mounts.

## Compute:

I have an off-the-shelf ThinkServer running Ubuntu + Cockpit for VM management via the web.

I have 3 VMs running on the ThinkServer.

1) A single-node microk8s instance. (This is mostly so I can stay familiar with k8s. Most of it could also be in a docker-compose file.) This runs most stuff: Portainer, Immich (photos), Jellyfin, Plex, Kavita (ebooks), Nextcloud, OwnTracks (location tracking), paperless-ngx, Node-RED, and Fasten (health tracking). Most apps are deployed in Portainer from a GitHub file, so a git commit is all it takes to update an app.

2) A VM for downloading things from YouTube and other places, categorizing/renaming them, and putting them on the NAS.

3) A VM dedicated to Home Assistant, with a pass-through USB to their SkyConnect device to control Zigbee/Thread home IoT stuff.

Each VM runs a cron job to regularly put my GitHub pubkeys in my authorized_keys file for break-glass SSH access. I detail my normal access below.

## Network/Security:

I use a Unifi Dream Router (UDR) with VLANs for most devices, one for IoT that's locked down, and one for my personal laptop with certain SMB traffic allowed for backups. I don't allow incoming traffic (well, one exception for Plex).

I leverage Cloudflare pretty heavily for DNS, ingress, and access control. I have 4 Cloudflare tunnel pods on the k8s node, and a tunnel agent on each of the VMs, the Synology, the hypervisor, and the UDR. I use Cloudflare's ephemeral certs for SSH in tandem with cloudflared on my clients so I can SSH in a normal terminal (as opposed to the web SSH client). Ingress traffic comes in via the tunnels, which take care of dynamic DNS. HTTP traffic runs through Cloudflare Access connected to my Google account, which requires FIDO2 to log in. Non-HTTP traffic (or non-browser traffic) is authorized via Cloudflare WARP + Gateway (mostly applicable to native Android apps).

## Internal DNS:

I have the cloudflared agent running in the UDR to allow incoming traffic for management, but it also creates a local DNS proxy that sends encrypted DNS requests to my Cloudflare Gateway, allowing me to collect metrics and do filtering for any DNS on my home network.

## Backups:

I use rclone to back up an encrypted blob to Hetzner storage.
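The post mentions a cron job on each VM that pulls the poster's GitHub public keys into authorized_keys for break-glass SSH. The script below is an added example of that pattern, not the poster's own job. It fetches the key list GitHub publishes at https://github.com/&lt;user&gt;.keys, refuses to write anything unless every line parses as an OpenSSH public key (so an HTML error page or captive-portal response can never land in authorized_keys), keeps manually added keys outside a marker-delimited managed section, prefixes the synced keys with `restrict,pty` so a break-glass login gets a shell but no port, agent or X11 forwarding, and swaps the file in atomically with 0600 permissions. The GitHub handle, the install path in the cron comment and the marker string are assumptions.

```bash
#!/bin/sh
# Added example (not the poster's cron job): sync a GitHub account's public keys
# into a managed section of ~/.ssh/authorized_keys for break-glass SSH.
# Assumptions: GITHUB_USER holds your GitHub handle; curl is installed.
set -eu

GITHUB_USER="${GITHUB_USER:-example-user}"           # assumption: your GitHub handle
AUTHORIZED_KEYS="${AUTHORIZED_KEYS:-$HOME/.ssh/authorized_keys}"
MARKER="# managed-by: github-keys-sync"              # delimits the section this script owns
KEY_OPTIONS="restrict,pty"                           # disable forwarding/X11/agent, allow a tty

# GitHub serves an account's SSH public keys as plain text at https://github.com/<user>.keys
fetch_github_keys() {
    curl -fsSL --max-time 15 "https://github.com/$1.keys"
}

# Accept only lines that look like OpenSSH public keys; reject HTML, junk, or an empty list.
validate_keys() {
    n=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$line" in
            ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *|sk-ssh-ed25519@openssh.com\ *|sk-ecdsa-sha2-nistp256@openssh.com\ *)
                n=$((n + 1)) ;;
            *)
                return 1 ;;
        esac
    done
    [ "$n" -gt 0 ]
}

# Rebuild the file: keep every line outside the managed section untouched (manually
# added keys survive), then re-emit the managed section with hardened key options.
# $1 = current authorized_keys contents, $2 = validated GitHub key list.
merge_keys() {
    printf '%s\n' "$1" | awk -v m="$MARKER" '
        $0 == (m " begin") { skip = 1; next }
        $0 == (m " end")   { skip = 0; next }
        !skip && NF        { print }'
    printf '%s begin\n' "$MARKER"
    printf '%s\n' "$2" | awk -v o="$KEY_OPTIONS" 'NF { print o " " $0 }'
    printf '%s end\n' "$MARKER"
}

# Fetch, validate, merge, then replace the file atomically with 0600 permissions.
sync_keys() {
    keys=$(fetch_github_keys "$GITHUB_USER") || { echo "fetch failed; keeping existing keys" >&2; return 1; }
    printf '%s\n' "$keys" | validate_keys || { echo "response is not a key list; refusing to write" >&2; return 1; }
    current=""
    if [ -f "$AUTHORIZED_KEYS" ]; then current=$(cat "$AUTHORIZED_KEYS"); fi
    mkdir -p "$(dirname "$AUTHORIZED_KEYS")"
    tmp="$AUTHORIZED_KEYS.tmp.$$"
    merge_keys "$current" "$keys" > "$tmp"
    chmod 600 "$tmp"
    mv "$tmp" "$AUTHORIZED_KEYS"
}

# Example cron entry (hypothetical install path), every 15 minutes:
#   */15 * * * * /usr/local/bin/github-keys-sync --sync >/dev/null 2>&1
if [ "${1:-}" = "--sync" ]; then sync_keys; fi
```

Run it as `github-keys-sync --sync` from cron; the `validate_keys` gate is the important part, because a transient DNS or TLS failure on a homelab box should leave the existing keys alone rather than wipe them. On the client side, the ephemeral-cert SSH flow the post describes is driven by a `ProxyCommand cloudflared access ssh --hostname %h` entry in `~/.ssh/config` (per Cloudflare's documentation for cloudflared), which is what lets a normal terminal reach the tunnel instead of the browser SSH client.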