by nickspacek
1021 days ago
I don't want to open my home network to just anybody, so I have a "jumpbox" that is the lowest-end shared VM at Hetzner. It runs nginx, dnsmasq, and Wireguard; my home servers connect to it, I add other peers as I need to, and dnsmasq resolves the hostnames using Zeroguard IPs for the home network.

I have 3 sets of DNS entries for the home lab servers:

1. "internal"/home network addresses (e.g. your 192.168.x.x)
2. Wireguard addresses (e.g. 10.0.x.x)
3. public DNS entries that all resolve to the jumpbox

The purpose of #3 is to support simple Letsencrypt setup: nginx on jumpbox forwards Letsencrypt requests to the internal servers over the Wireguard connection.

Internally, I use a https://github.com/nginx-proxy/nginx-proxy setup, so that any time I want a new service running inside the home lab I just have to:

1. Pick a hostname and add it to public DNS
2. Configure its Docker container to add the environment variables that nginx-proxy looks for
3. Add the hostname to the jumpbox /etc/hosts
4. Add the hostname to internal LAN DNS

It's a little much but I like how it works. It's not so bad to get set up.
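An added example, not part of the original comment: a small audit of the three DNS views described above, flagging any hostname that is missing from one view or whose public record points anywhere other than the jumpbox. The hostnames, addresses, subnet sizes and the `parse_hosts`/`audit` helpers are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: every name and address here is an assumption.
JUMPBOX_IP = ipaddress.ip_address("203.0.113.10")   # stand-in for the VPS
WG_NET = ipaddress.ip_network("10.0.0.0/16")        # "10.0.x.x"
LAN_NET = ipaddress.ip_network("192.168.0.0/16")    # "192.168.x.x"

PUBLIC_DNS = {"git.example.org": "203.0.113.10",
              "wiki.example.org": "192.168.1.21"}   # leaks a home address
JUMPBOX_HOSTS = """\
# /etc/hosts on the jumpbox
10.0.0.2   git.example.org   # WireGuard peer
"""
LAN_DNS = {"git.example.org": "192.168.1.20",
           "wiki.example.org": "192.168.1.21"}


def parse_hosts(text):
    """Parse hosts-file text into {hostname: ip}, skipping comments and blanks."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table[name] = fields[0]
    return table


def audit(public, jumpbox_hosts, lan):
    """Return (hostname, problem) findings across the three DNS views."""
    views = [
        ("public DNS", public, lambda ip: ip == JUMPBOX_IP),
        ("jumpbox hosts", parse_hosts(jumpbox_hosts), lambda ip: ip in WG_NET),
        ("LAN DNS", lan, lambda ip: ip in LAN_NET),
    ]
    findings = []
    for host in sorted(set().union(*(table for _, table, _ in views))):
        for view, table, ok in views:
            addr = table.get(host)
            if addr is None:
                findings.append((host, f"missing from {view}"))
            elif not ok(ipaddress.ip_address(addr)):
                findings.append((host, f"{view} has unexpected address {addr}"))
    return findings


if __name__ == "__main__":
    for host, problem in audit(PUBLIC_DNS, JUMPBOX_HOSTS, LAN_DNS):
        print(f"{host}: {problem}")
```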