Difference between revisions of "Home server v2"
(→Opening to the Wider Internet: add section on reverse proxies)
(→Security)
(14 intermediate revisions by 2 users not shown)
Line 238: | Line 238: | ||
[[Home_Server/RAID|RAID is an expansive subject so it's gotten it's own page.]] | [[Home_Server/RAID|RAID is an expansive subject so it's gotten it's own page.]] | ||
+ | ===ZFS=== | ||
[[Home_Server/RAID#ZFS|Everyone loves ZFS. Want to know more?]] | [[Home_Server/RAID#ZFS|Everyone loves ZFS. Want to know more?]] | ||
Line 257: | Line 258: | ||
You will see numbers like ''10/100/1000'' on networking hardware. This refers to the data transfer speed of network hardware and is measured in megabits per second (Mbps). Make sure your hardware supports 1000 Mbps (1 Gbps). If you only see ''10/100'' the hardware only supports a maximum of 100 Mbps. Trash it. | You will see numbers like ''10/100/1000'' on networking hardware. This refers to the data transfer speed of network hardware and is measured in megabits per second (Mbps). Make sure your hardware supports 1000 Mbps (1 Gbps). If you only see ''10/100'' the hardware only supports a maximum of 100 Mbps. Trash it. | ||
+ | |||
+ | ===Ethernet=== | ||
+ | Ethernet cables come in different types, each designed for specific networking and data transfer needs. | ||
+ | |||
+ | Cat 5e supports up to 1 Gbps at 100 meters. This is the standard choice for most networks and building wiring. Higher categories such as 6, 6a, and 7 support faster speeds and reject electromagnetic interference better. Even if your LAN (your internal network) only supports 1 Gbps, using higher categories is beneficial. For more info, see the [[Home_Server/Networking/Ethernet#Ethernet CAT Specs|detailed Ethernet CAT Specs page]]. | ||
+ | |||
+ | ''The speed of your LAN is based on the network interfaces of your servers, the capabilities of your switches, and the speed of the communicating network cards.'' | ||
===Switches=== | ===Switches=== | ||
− | Connecting your server to the internet requires a physical ethernet line. But what if you run out of jacks on your router? Get a switch | + | Connecting your server to the internet requires a physical ethernet line. But what if you run out of jacks on your router? Get a switch. |
There are two types of switches: ''managed'' and ''unmanaged''. Managed switches can be configured and support advanced networking concepts while unmanaged switches are plug and play with no configuration capabilities. Unmanaged switches are cheaper than managed ones. | There are two types of switches: ''managed'' and ''unmanaged''. Managed switches can be configured and support advanced networking concepts while unmanaged switches are plug and play with no configuration capabilities. Unmanaged switches are cheaper than managed ones. | ||
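Review bot: the italic sentence closing the new Ethernet section names the same component twice; "the network interfaces of your servers" and "the speed of the communicating network cards" are one item. Suggest "The speed of your LAN is limited by the slowest link between two hosts: their network cards, the cabling, and the switch ports in between", which also ties the sentence back to the Cat 5e/6/6a paragraph above it.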
Line 266: | Line 274: | ||
[[Home_Server/Networking/Switches|Switch comparison table]] | [[Home_Server/Networking/Switches|Switch comparison table]] | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
===Routers=== | ===Routers=== | ||
Line 281: | Line 282: | ||
'''Prosumer:''' Ubiquity, EnGenius, MikroTik. These should handle whatever you throw at them. | '''Prosumer:''' Ubiquity, EnGenius, MikroTik. These should handle whatever you throw at them. | ||
− | '''Enterprise:''' Usually overpowered for the homelab. [[Home_Server/Used_Servers|All the caveats | + | '''Enterprise:''' Usually overpowered for the homelab. [[Home_Server/Used_Servers|All the caveats of used servers apply.]] |
'''Custom:''' Custom hardware (ie. a thin client or desktop) running [https://opnsense.org/ OPNsense] or [https://www.pfsense.org/ PFsense]. Very powerful machines capable of performing all network tasks. Steep learning curve but ''extremely'' useful in any home network. | '''Custom:''' Custom hardware (ie. a thin client or desktop) running [https://opnsense.org/ OPNsense] or [https://www.pfsense.org/ PFsense]. Very powerful machines capable of performing all network tasks. Steep learning curve but ''extremely'' useful in any home network. | ||
Line 303: | Line 304: | ||
Popular brands are CyberPower and APC. Always by new UPSes, never used. | Popular brands are CyberPower and APC. Always by new UPSes, never used. | ||
− | + | ==Opening to the Wider Internet== | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
Just like how your home address is visible to anyone who walks by, your IP address is visible to anyone who knows how to look for it. This includes IP scanners, which are tools that can scan the internet. Don't expect anything you host to be secret if you let it out of your firewall. | Just like how your home address is visible to anyone who walks by, your IP address is visible to anyone who knows how to look for it. This includes IP scanners, which are tools that can scan the internet. Don't expect anything you host to be secret if you let it out of your firewall. | ||
Line 322: | Line 312: | ||
The SSH port (port 22) is a very popular scanning target. If you allow SSH out of your firewall then you should disable password authentication and only use certificate-based authentication. Using fail2ban to block repeated authentication failures is also a good idea. Don't try changing the SSH port, that's a false sense of security. You should avoid exposing your SSH server and only have it accessible on your local network which you will use a VPN to connect to. | The SSH port (port 22) is a very popular scanning target. If you allow SSH out of your firewall then you should disable password authentication and only use certificate-based authentication. Using fail2ban to block repeated authentication failures is also a good idea. Don't try changing the SSH port, that's a false sense of security. You should avoid exposing your SSH server and only have it accessible on your local network which you will use a VPN to connect to. | ||
+ | |||
+ | ====Cloudflare and Hiding Your IP==== | ||
+ | DNS records can expose your home IP address because when you register a domain name, you need to provide DNS records that map your domain name to your IP address. This is how the internet knows where to send traffic for your domain. | ||
+ | |||
+ | '''This is a problem because your IP address can reveal information about your location and your internet service provider. It can even be used to launch targeted attacks against your network.''' | ||
+ | |||
+ | To hide your home IP, you need to proxy your traffic from a middleman. Most of the internet runs on Cloudflare, who provide DNS and DDOS protection for free. | ||
+ | |||
+ | ====Dynamic IPs==== | ||
+ | A dynamic IP address is an IP address that changes from time to time, unlike a static IP address. Most home networks are likely to have a dynamic IP address. You can use [https://ddclient.net/ ddclient] to update your DNS records to the correct IP when it changes. | ||
+ | |||
+ | ddclient supports Cloudflare: https://www.davidschlachter.com/misc/cloudflare-ddclient | ||
+ | |||
+ | ====CGNAT==== | ||
+ | Carrier-Grade Network Address Translation (CGNAT) is a technology used by Internet Service Providers (ISP) to share a single IP address among multiple customers. It is a response to the shortage of public IPv4 addresses. | ||
+ | |||
+ | When it comes to hosting a server on your home network, CGNAT can cause problems. If you're behind a CGNAT, you don't have a unique public IP address that the wider internet can use to reach your server. | ||
+ | |||
+ | You can use [https://www.cloudflare.com/products/tunnel/ Cloudflare Tunnel] to proxy your traffic through the CGNAT setup and directly to Cloudflare. The DIY way is to run a cloud VPS and use a VPN to connect back to your home network. | ||
====Reverse Proxy==== | ====Reverse Proxy==== | ||
− | Nginx is a powerful web server and reverse proxy server. When used as a reverse proxy, it can handle requests on behalf of backend servers | + | Nginx is a powerful web server and reverse proxy server. When used as a reverse proxy, it can handle requests on behalf of backend servers. |
− | For each internal service, you would host them on a | + | '''A reverse proxy allows you to serve multiple applications on different servers from a single forwarded port.''' |
+ | |||
+ | For each internal service, you would host them on a separate subdomain (like <kbd>plex.example.com</kbd>, <kbd>nextcloud.example.com</kbd>). | ||
More info at [[Home_Server/Reverse_proxy]] | More info at [[Home_Server/Reverse_proxy]] | ||
− | + | ==VPNs== | |
As you probably already know, a Virtual Private Network (VPN) is a service that allows you to connect to the internet in a secure way by providing an encrypted connection. | As you probably already know, a Virtual Private Network (VPN) is a service that allows you to connect to the internet in a secure way by providing an encrypted connection. | ||
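Review bot: the "Cloudflare and Hiding Your IP" subsection omits the condition that makes proxying hide anything: the origin has to accept connections only from Cloudflare, otherwise the home IP is still reachable by the IP scanners the section opens with, and anyone who resolved the hostname before proxying was switched on already has it. In the same subsection, spell it "DDoS", and say that the free proxy covers HTTP(S) only, so the SSH service discussed just above gains nothing from it and needs the VPN route the text already recommends. In the CGNAT subsection, "proxy your traffic through the CGNAT setup and directly to Cloudflare" reads backwards; the tunnel client dials out from your network to Cloudflare, which is exactly why it works without an inbound port.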
Line 337: | Line 348: | ||
Make sure you check out overlay networks, they're really cool. | Make sure you check out overlay networks, they're really cool. | ||
− | + | ===WireGuard=== | |
− | |||
{{Quote|WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN.|WireGuard|WireGuard homepage}} | {{Quote|WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN.|WireGuard|WireGuard homepage}} | ||
WireGuard also has Linux kernel modules, making it a very performant VPN. It's also designed to not respond if a peer fails to connect which keeps IP scanners from detecting what is running on that port. | WireGuard also has Linux kernel modules, making it a very performant VPN. It's also designed to not respond if a peer fails to connect which keeps IP scanners from detecting what is running on that port. | ||
− | + | ===OpenVPN=== | |
An older, classic, VPN server. Stick with WireGuard unless you need OpenVPN specifically. | An older, classic, VPN server. Stick with WireGuard unless you need OpenVPN specifically. | ||
Line 351: | Line 361: | ||
Mesh VPNs use a peer-to-peer model to create a secure shared environment for their users. They consist of nodes that send traffic between themselves rather than through a central server. | Mesh VPNs use a peer-to-peer model to create a secure shared environment for their users. They consist of nodes that send traffic between themselves rather than through a central server. | ||
− | How do these two technologies connect you to your home servers? It eliminates the need for a central server and allows your servers to communicate across any network boundary and without opening any ports. Traffic is encrypted between nodes which is a | + | How do these two technologies connect you to your home servers? It eliminates the need for a central server and allows your servers to communicate across any network boundary and without opening any ports. Traffic is encrypted between nodes which is a convenient layer of extra security. |
Despite their distributed nature, overlay networks and mesh VPNs always require some sort of cloud server with a static IP to help nodes cross NAT boundaries and discover each other. Running multiple of these cloud discovery servers reduces the single point of failure. | Despite their distributed nature, overlay networks and mesh VPNs always require some sort of cloud server with a static IP to help nodes cross NAT boundaries and discover each other. Running multiple of these cloud discovery servers reduces the single point of failure. | ||
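Review bot: the rewritten sentence "How do these two technologies connect you to your home servers? It eliminates the need ... and allows ..." jumps from plural to singular; make it "They eliminate the need for a central server and allow your servers to communicate ...". "Without opening any ports" should also be reconciled with the paragraph right after it, which says every overlay or mesh still needs a reachable cloud server: no inbound ports at home, but one on the discovery host.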
Line 362: | Line 372: | ||
[https://github.com/slackhq/nebula Nebula] is an open source overlay network developed by Slack to connect their many datacenters. It has a "focus on performance, simplicity and security". Simplicity is Nebula's main selling point and it is extremely easy to get a Nebula network up and running. Just generate certs and set up a "lighthouse" (what Nebula calls the discovery cloud server). | [https://github.com/slackhq/nebula Nebula] is an open source overlay network developed by Slack to connect their many datacenters. It has a "focus on performance, simplicity and security". Simplicity is Nebula's main selling point and it is extremely easy to get a Nebula network up and running. Just generate certs and set up a "lighthouse" (what Nebula calls the discovery cloud server). | ||
− | A lighthouse requires very few compute | + | A lighthouse requires very few compute resources and you can easily run a very large network off of the cheapest cloud VPS you can find (they suggest the $5/mo DigitalOcean server). |
Nebula also features a per-node stateful firewall that enables network segmentation, something other overlay networks lack. | Nebula also features a per-node stateful firewall that enables network segmentation, something other overlay networks lack. | ||
Line 385: | Line 395: | ||
Tired of trying to remember what IP address is what? Run an internal DNS server only accessible through your overlay network and assign your hosts easy to remember domain names! Use .nb if you are on Nebula or maybe .ts if you use Tailscale. Then run [https://nginxproxymanager.com/ Nginx Proxy Manager] on your lighthouse or coordination server and enjoy free, unique domains only you can access! | Tired of trying to remember what IP address is what? Run an internal DNS server only accessible through your overlay network and assign your hosts easy to remember domain names! Use .nb if you are on Nebula or maybe .ts if you use Tailscale. Then run [https://nginxproxymanager.com/ Nginx Proxy Manager] on your lighthouse or coordination server and enjoy free, unique domains only you can access! | ||
− | == | + | ==[[Security]]== |
− | + | {{Stub}} | |
+ | Unlike a desktop, a server is always working, accepts connections from the internet (your desktop is normally firewalled and doesn't have any ports open) and is easy to discover (especially if you send mail from it). It's under a bit more risk, and its worth thinking about what intrusions you will try to prevent and how. Refer to [[Security#Threat_analysis]] to understand how and what threats you can mitigate. | ||
− | + | Basic measures include: | |
+ | * [https://www.digitalocean.com/community/tutorials/how-to-edit-the-sudoers-file Privilege separation] | ||
+ | * If you are behind a router, only forward ports you need | ||
+ | * Your firewall should reject all traffic which isn't either in response to an existing connection, or destined for a forwarded port | ||
+ | * Make sure to keep your [[Routers|router]] firmware updated, as vulnerabilities are often patched in newer versions (at least, from the companies which bother even releasing them). If your device doesn't receive support in the form of firmware updates and security fixes, consider running community-maintained firmware such as OpenWRT | ||
+ | * Regularly update software and kernels when they become available for your distro (it is far better to fix what updates break then get owned) | ||
==Monitoring== | ==Monitoring== | ||
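Review bot: two typos in the added Security text: "its worth thinking" should read "it's worth thinking", and "fix what updates break then get owned" should read "than get owned". The bullet list should also cross-reference the SSH paragraph earlier in this diff (no password authentication, fail2ban, reach it over the VPN rather than exposing it), since that is the most concrete hardening advice on the page and a reader landing on ==Security== will not see it. Check that [[Routers|router]] is meant to point at a separate page rather than the ===Routers=== section of this page ([[#Routers|router]]).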
Line 403: | Line 419: | ||
<gallery mode=packed heights=300px> | <gallery mode=packed heights=300px> | ||
File:Homelab-showcase-1708860249924031.jpg | File:Homelab-showcase-1708860249924031.jpg | ||
+ | File:Homelab-showcase-1710072127669350.png | ||
</gallery> | </gallery> | ||
− | |||
==External Links== | ==External Links== |
Latest revision as of 18:18, 14 March 2024
Home servers are about learning and expanding your horizons. De-botnet your life. Learn something new. Serving applications to yourself, your family, and your frens feels good. Put your /g/ skills to good use for yourself and those close to you. Store their data with proper availability, redundancy and backups, and serve it back to them with a /comfy/, easy-to-use interface.
Most people get started with a NAS. It's nice to have a /comfy/ home for all your data and to stream your movies and shows around the house and to friends. Know all about NAS? Learn virtualization. Spin up some VMs. Learn networking by setting up a pfSense box and configuring some VLANs. There's always more to learn and chances to grow. Think you're god tier already? Set up OpenStack and report back to /hsg/.
Things that are online today might not be online forever. It's good to have a copy of something because you never know when it might get taken down due to copyright strikes.—Anon, Standard /hsg/ OP
Welcome to /g/'s comprehensive guide on home servers! This guide is designed to assist you in setting up and managing your own home server, effortlessly navigating through the complexities that come with running servers in your personal spaces such as your basement or closet.
"Homelab" is a term you may have encountered, but what does it signify? Essentially, it refers to a personal data center located within your own home. It serves as a platform for acquiring new skills and solving technical problems in your own life. Many are drawn to this hobby by the promises of freedom from the winds of the larger internet. Within this homelab are your home servers. There can be as many, or as few, as you want.
Contrary to what some may suggest, there are no hard and fast rules in this hobby. However, there are certainly less effective ways of doing things. This guide aims to help you steer clear of common pitfalls that beginners often encounter.
All pages in the home server topic are categorized here: Category:Home_Server
What Can I do With a Home Server?
There are two reasons a man will run a home server:
- Solve a problem. Maybe he was fed up with cloud storage or maybe he was tired of the constant service outages? Or maybe the solution to his problem doesn't exist yet? Either way, he knows he can do it better himself.
- Learn a new skill and get a new hobby. Home servers and homelabs can scale infinitely. There is always room to learn something new or do things slightly different.
If you're here and considering building a lab, you probably already have a purpose in mind. If not, check out awesome-selfhosted for a gigantic list of applications you can host yourself. Some applications popular with /hsg/ anons include:
- Media streaming
- File storage
- NAS servers
- Game servers
- Personal websites
- Network-wide adblocking
- Securely store your porn
For sysadmin solutions and services see awesome sysadmin software.
Your First Server
The first step to setting up your homelab is to acquire your first server. You have a few options to choose from:
- Old desktop machines
- Single board computers like the Raspberry Pi, Intel NUCs, or thin clients
- Used servers
- Build your own
Your old gaming PC, workstation, or laptop is a great option for a home server (provided it is not too old). Performance and capability will vary from machine to machine. When in doubt, post specs in /hsg/ and ask. Laptops are not really designed for 24/7 use, but their battery does act as a built-in UPS.
Hardware you already own is free, which is very appealing and a great way to get started. Keep in mind that older hardware can be less energy efficient and if power usage is a concern you may want to purchase newer hardware.
RAM tip: You will need at least 32GB of RAM for a home server, ideally at least 64GB.
Power Usage
There is a lot of discussion about power efficiency in the homelab world. Part of that is because some people live in regions where electricity costs significantly more. But more often than not it's because our homelab has grown to the point where it eats a third to half of the power bill. This is a worthy investment for some but others aren't willing to spend that much. You need to decide how important power efficiency is to you.
Building a NAS
"uuuuuh guys, how do i build a nas?" is the most frequently asked question on /hsg/. Here's a dedicated section to point to when someone asks this question for the tenth time in a row.
Pro-tip: you will want a separate boot drive to install the OS onto. Your storage pool will be used exclusively for storing data.
If you are interested in a prebuilt system, check out Synology or QNAP. Many anons rag on Synology for being "underpowered" and "not worth the money" but what Synology does best is being a complete functional package that just works. Sure, it may be more cost effective on paper to build your own NAS but if you want something that will run forever with no maintenance then a Synology device could be perfect for you.
Your To Do List:
- Pick a target storage capacity.
- Decide what level of RAID redundancy you want (tip: 2 disk redundancy. RAID 6 or RAID 10).
- Pick a case or used server that can hold the number of drives required to reach your target storage capacity + redundancy level.
- Acquire your server.
Building a Media Server
This is the second most asked question on /hsg/.
Basically, a media server can be as complex as something like Jellyfin and Plex or as simple as a network share that you play using VLC. The media server route is suited for serving multiple users at once (such as family and friends). It also works well when traveling or streaming on many different devices. On the other hand, the network share excels at simplicity.
The most common applications in the media server landscape are Plex, Jellyfin, Kodi and Emby.
If you want a feature comparison between these to find out which is right for you, check out THIS handy table.
Your To Do List:
- Decide if you want hardware transcoding. If so, you need to pick a CPU with an iGPU and transcoding features or find a suitable GPU.
- Pick a target storage capacity.
- Decide what level of RAID redundancy you want (tip: 2 disk redundancy. RAID 6 or RAID 10).
- Pick a case or used server that can hold the number of drives required to reach your target storage capacity + redundancy level.
- Acquire your server.
- Figure out your WAN capacity. Is your internet connection fast enough to stream to multiple clients?
Want to transcode multiple streams simultaneously? Check out these hardware requirements
Have an Intel iGPU and want to offload transcoding? Check out this resource
Operating Systems
Looking for a server operating system? Check out the full list of the popular server operating systems or SBC operating systems.
Hypervisors
A hypervisor is a system that creates and runs virtual machines. The machine the hypervisor runs on is called the host machine, and each virtual machine (VM) is called a guest machine. Virtualization is the process of running an operating system in a virtual machine and allows for a more efficient use of computing resources.
Instead of installing all your services and applications on a bare-metal server, run each in its own VM. This makes management much simpler (and contains any mistakes you make to only that VM).
In order to run a hypervisor, your CPU must support virtualization. The tech is called VT-x on Intel and AMD-V for AMD. Directed I/O support is required if you wish to pass devices from the host machine to the VMs (VT-d on Intel, AMD-Vi for AMD). Nearly every CPU and motherboard made within the past 10 years supports these technologies, but older hardware may have compatibility issues and lack more modern virtualization tech.
Proxmox Virtual Environment
Proxmox is the premier open-source virtualization platform. If you're looking for a hypervisor, Proxmox is it.
Features:
- Built on Debian.
- Utilizes KVM, QEMU for virtual machines.
- Runs containers using LXC.
- Built in ZFS support and other advanced storage technologies.
- Tight integration with Proxmox Backup Server.
Install Proxmox and give it a try. You will find it's super useful and the best way to fully utilize your server's resources.
VMware ESXi
Those who work in IT will almost certainly be familiar with VMware ESXi. It's the most popular, feature-rich hypervisor available. Unfortunately, it is a paid product; the free tier is limited to 8 cores per VM and lacks vSphere and most vStorage options such as vMotion and distributed switching. These restrictions are probably fine for the non-professional homelab user, but if you find yourself limited, try Proxmox.
If you use version 6.5 or 6.7 you can use this key to unlock all these features:
- vCenter: 0A0FF-403EN-RZ848-ZH3QH-2A73P
- vSphere: JV425-4h100-vzhh8-q23np-3a9pp
VMware 7.0 has dropped support for Westmere-EP/Gulftown (X5xxx) CPUs. If your system has these old CPUs you should consider upgrading to something later than Sandy Bridge if you want to use the latest version of ESXi.
SmartOS
If you are looking to get back to your roots, check out SmartOS, an open-source spiritual successor to Oracle's Solaris. See Home_Server/Operating_Systems#SmartOS.
Storage-Focused (NAS) Operating Systems
These are operating systems that are designed to store and serve data over a network. While some of these have minor virtualization capabilities, if you are looking to run VMs and/or containers you should consider a true hypervisor like Proxmox. You could always virtualize your NAS.
TrueNAS
TrueNAS is a NAS appliance operating system that uses ZFS.
TrueNAS has two versions: CORE and SCALE. Both accomplish the same task.
CORE (formerly FreeNAS) is based on FreeBSD. This version is considered more stable.
SCALE is more recent than CORE and based on Linux. This version sports better hardware compatibility and stronger virtualization features, and it can host Docker containers.
OpenMediaVault
https://www.openmediavault.org/
Based on Debian. A pure storage server without any virtualization capabilities. No gimmicks, just file storage.
unRAID
UnRAID advertises itself as the "NAS OS for gamers". Not free, you need to fork over some money to buy it. Supports differently sized physical disks and adding hard drives to expand as needed.
Containers
Containers are a method of isolating running processes from the host OS and other processes. BSD calls them "Jails".
There are a number of reasons why containers are neat:
- Less overhead than standard virtual machines because containers share the host kernel instead of booting their own.
- Process isolation.
- Containers are portable (even more so than VMs). You can create a container, configure it however you want, and deploy it again somewhere else.
- Like VMs, removing containers, rebuilding from scratch, or restoring a backup is easy.
- Containers are incredibly easy to deploy and you can find pre-built container images online.
There are two types of containers: application and system. Application containers, such as Docker, are designed to package and run a single service. Once the application is packaged, it can be tested and deployed to different environments without any changes. This makes it easy to scale and manage the application.
System containers, on the other hand, are designed to simulate a full system. They are more like lightweight virtual machines. They can run full-featured environments, system services, and even contain their own process space, users, network stacks, and file systems. Examples of system containers include LXC.
Regardless of the route you decide to go, the best practice is to keep the host OS as clean as possible and install each individual application (such as Plex, Samba, etc.) in its own container.
Docker
Instead of simulating an entire Linux OS (like LXC), Docker virtualizes a single application. This makes management easy and safe since your applications never touch the base file system.
While popular and easy to learn, Docker has some downsides. Some people go overboard with Docker containerization and make things more complicated than they need to be. But Docker can excel when used in the right situations.
There are a number of platforms that make managing your numerous Docker containers easy:
Portainer: provides a GUI to "manage all your orchestrator resources (containers, images, volumes, networks and more)".
Podman: not strictly Docker. A platform to run all sorts of containers.
LXC/LXD
If you are considering LXC, take a look at Proxmox and its built-in LXC support. It's a very convenient platform that makes container management a breeze.
LXD is built on top of LXC and offers a more user friendly way to manage your containers. LXC is a low-level tool for running containers, while LXD is a high-level tool for managing them.
What differentiates LXC from Docker?
LXC containers have two privilege levels: privileged and unprivileged. According to the LXC documentation, privileged containers are "not safe at all and should only be used in environments where unprivileged containers aren't available and where you would trust your container's user with root access to the host." If you need a privileged container, chances are you aren't configuring LXC correctly (LXC provides many ways to give specific permissions to containers) or should just use a VM.
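As an added example (not code from the wiki or from the LXC project), the checker below reads a container config in either plain LXC (key = value) or Proxmox VE (key: value) form, decides whether the container is privileged, and flags a few settings that hand it more of the host than the LXC documentation quoted above considers safe. Proxmox recording the choice as "unprivileged: 1" and LXC's lxc.idmap mapping syntax are real; the sample configs, the list of risky keys and all function names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Settings that hand the container more of the host than the LXC documentation
# quoted above considers safe: key -> (regex the value must match, explanation).
# The selection is this example's own judgement, not an LXC-provided list.
RISKY = {
    "lxc.apparmor.profile": (r"^unconfined$", "runs without an AppArmor profile"),
    "lxc.cgroup2.devices.allow": (r"^a$", "may open every host device node"),
    "lxc.cap.drop": (r"^$", "an empty lxc.cap.drop clears LXC's default capability drops"),
}

PVE_LINE = re.compile(r"^([A-Za-z0-9_.\-]+):\s*(.*)$")   # Proxmox VE: key: value
LXC_LINE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*=\s*(.*)$")  # plain LXC: key = value


@dataclass
class Report:
    dialect: str                                  # "pve" or "lxc"
    privileged: bool
    reasons: list = field(default_factory=list)   # why it counts as privileged
    findings: list = field(default_factory=list)  # risky settings seen


def parse_config(text):
    """Return (dialect, [(key, value), ...]); comments, blanks and [sections] are skipped."""
    dialect, pairs = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#[":
            continue
        m = PVE_LINE.match(line)
        if m:
            dialect = dialect or "pve"
        else:
            m = LXC_LINE.match(line)
            if not m:
                continue
            dialect = dialect or "lxc"
        pairs.append((m.group(1), m.group(2).strip()))
    return dialect, pairs


def idmap_hits_host_root(value):
    """True if a 'u|g <container_id> <host_id> <count>' idmap entry covers host id 0."""
    parts = value.split()
    if len(parts) != 4:
        return False
    try:
        host_start, count = int(parts[2]), int(parts[3])
    except ValueError:
        return False
    return host_start <= 0 < host_start + count


def audit(text):
    """Classify one container config and list its risky settings."""
    dialect, pairs = parse_config(text)
    if dialect is None:
        raise ValueError("no recognisable config lines")
    rep = Report(dialect=dialect, privileged=False)
    idmaps = [v for k, v in pairs if k == "lxc.idmap"]
    if dialect == "pve":
        # Proxmox writes `unprivileged: 1` for unprivileged containers; absent means privileged.
        if dict(pairs).get("unprivileged", "0") != "1":
            rep.privileged = True
            rep.reasons.append("unprivileged: 1 is not set")
    else:
        kinds = {v.split()[0] for v in idmaps if v.split()}
        if not {"u", "g"} <= kinds:
            rep.privileged = True
            rep.reasons.append("no lxc.idmap for both uids and gids")
    for v in idmaps:  # an idmap that lands on host uid/gid 0 is privileged in disguise
        if idmap_hits_host_root(v):
            rep.privileged = True
            rep.reasons.append(f"lxc.idmap '{v}' maps onto host id 0")
    for key, value in pairs:
        rule = RISKY.get(key)
        if rule and re.match(rule[0], value):
            rep.findings.append(f"{key} = {value!r}: {rule[1]}")
    return rep


# Constructed sample configs, not real containers.
SAMPLE_PVE_PRIVILEGED = """\
arch: amd64
hostname: media
rootfs: local-lvm:vm-100-disk-0,size=8G
lxc.apparmor.profile: unconfined
"""
SAMPLE_PVE_UNPRIVILEGED = SAMPLE_PVE_PRIVILEGED.replace(
    "lxc.apparmor.profile: unconfined", "unprivileged: 1")
SAMPLE_LXC_IDENTITY_MAP = """\
lxc.idmap = u 0 0 65536
lxc.idmap = g 0 100000 65536
lxc.cgroup2.devices.allow = a
"""
```

On a Proxmox host the per-container files live under /etc/pve/lxc/, one <id>.conf per container, so audit() can be run over each of them in turn.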
BSD Jails
Jails are BSD's version of containers. Since TrueNAS CORE is FreeBSD-based you will be using these instead of LXC and Docker.
- TrueNAS Jail documentation
- Give Jails access to host storage - Jail version of Bind mounting
- FreeBSD Jail documentation
Hard Drives & Storage
The slang for the spinning type of hard drives is spinning rust and its abbreviation is HDD.
Ever come across anons arguing over SMR vs. CMR?
Hard Drive Recommendations
See Home_Server/Hard_Drive_Recommendations
SSDs
While SSDs are very fast, they cost significantly more than HDDs. As such, the standard procedure is to store your data on HDDs and install the operating system on an SSD.
Check out the SSD buying guide for more on SSDs. If you skipped the HDDs and have a large SSD array, post the details in /hsg/ so we can all drool.
Shucking
Hard Drive Shucking is the process of purchasing an external hard drive enclosure (such as the WD Easystore) and splitting it open to extract the drive inside.
Adding More SATA Ports
If you run out of SATA ports on your motherboard but require more storage there are a number of options for increasing the number of drives your server can support.
See Home_Server/Storage/Adding_More_SATA_Ports
RAID
RAID (Redundant Array of Independent Disks) is a technique where multiple physical hard drives are combined into a single logical unit for the purposes of redundancy, speed, or both. Data is stored in different places on multiple hard disks to prevent loss in the case of a drive failure.
RAID is an expansive subject so it's gotten its own page.
ZFS
Everyone loves ZFS. Want to know more?
Backups
For more info on generic backups, see the Backups page.
Proxmox Backup Server
https://www.proxmox.com/en/proxmox-backup-server/overview
Proxmox developed a special server OS designed for one thing: storing backups. It has all sorts of very handy features that make the backup and restore process effortless. It can be tightly integrated into the Proxmox Virtual Environment to enable one-click backup and restore. Proxmox also provides standalone Debian clients that bare-metal hosts can use to back up to the server.
One of the main advantages is its ability to perform incremental backups, which means it only backs up changes made since the last backup, significantly reducing the time and storage space required. The backup server can also automatically test backups to ensure they will restore successfully if needed.
Using the Proxmox Backup Server eliminates the hassle of backups. Even if you only have one server, running a Proxmox Backup Server is a worthwhile investment.
Networking
You will see numbers like 10/100/1000 on networking hardware. This refers to the data transfer speed of network hardware and is measured in megabits per second (Mbps). Make sure your hardware supports 1000 Mbps (1 Gbps). If you only see 10/100 the hardware only supports a maximum of 100 Mbps. Trash it.
Ethernet
Ethernet cables come in different types, each designed for specific networking and data transfer needs.
Cat 5e supports up to 1 Gbps at 100 meters. This is the standard choice for most networks and building wiring. Higher categories such as 6, 6a, and 7 support faster speeds and reject electromagnetic interference better. Even if your LAN (your internal network) only supports 1 Gbps, using higher categories is beneficial. For more info, see the detailed Ethernet CAT Specs page.
The speed of your LAN is based on the network interfaces of your servers, the capabilities of your switches, and the speed of the communicating network cards.
Switches
Connecting your server to the internet requires a physical Ethernet line. But what if you run out of jacks on your router? Get a switch.
There are two types of switches: managed and unmanaged. Managed switches can be configured and support advanced networking concepts while unmanaged switches are plug and play with no configuration capabilities. Unmanaged switches are cheaper than managed ones.
Don't cheap out on switches or else you'll be wondering why your network is much slower than it should be. Expect to pay at least $20.
Routers
ISP Provided: these types of routers can be very locked down, but most have the capability to enable "bridge mode". This is where all router functionality is disabled and it acts as a simple modem. You then plug your own router into it.
Consumer: Netgear, TP-Link, Linksys, Asus, etc. Base firmware is usually subpar but OpenWRT can turn them into a powerhouse.
Prosumer: Ubiquiti, EnGenius, MikroTik. These should handle whatever you throw at them.
Enterprise: Usually overpowered for the homelab. All the caveats of used servers apply.
Custom: Custom hardware (i.e. a thin client or desktop) running OPNsense or pfSense. Very powerful machines capable of performing all network tasks. Steep learning curve but extremely useful in any home network.
Network Interface Cards (NICs)
Intel network cards are considered among the best for servers due to their high performance, reliability, and advanced features. They are designed to handle heavy network traffic efficiently, making them ideal for server environments. Intel cards usually start at $30 used on eBay.
Cheaper network cards tend to use Realtek chips in them. The key difference is that Realtek network cards offload much of the network processing to the CPU. This means that the CPU has to do more work, which can reduce the overall performance of the server under heavy load.
If you build an OPNsense/pfSense router, make sure you use Intel network cards. In addition to the performance concerns, BSD and the router software have compatibility issues with Realtek.
Uninterruptible Power Supply
An Uninterruptible Power Supply (UPS) is a device that provides emergency power when the main power fails. It ensures the continuous operation of connected devices and prevents data loss or damage that can be caused by sudden power outages. A UPS rides through outages a few seconds in duration and gives the servers adequate time to shut down cleanly in the event of an extended outage. A UPS also provides power conditioning, protecting against power surges, voltage spikes, and frequency variations, which can harm the connected devices.
A basic UPS can be bought for $60 and powers a couple machines. A full-featured UPS is around $200 and includes advanced monitoring and signaling to connected machines via NUT (you should set up the auto-shutdown feature if your UPS supports it).
It's highly recommended you purchase a UPS to protect your machines, even if you don't expect any outages.
A UPS's capacity is measured in Volt-Amperes (VA). A capacity of 400 VA is good for one or two desktops. A capacity of 1500 VA can run multiple large servers.
Popular brands are CyberPower and APC. Always buy new UPSes, never used.
Opening to the Wider Internet
Just like how your home address is visible to anyone who walks by, your IP address is visible to anyone who knows how to look for it. This includes IP scanners, which are tools that can scan the internet. Don't expect anything you host to be secret if you let it out of your firewall.
This is fine for things like personal websites, but hypervisor dashboards and other admin panels should never be exposed.
Some people think that if you host something on a very high port number (like port 55432), you'll be safe. That's not true and is a false sense of security. Security through obscurity is never safe.
The SSH port (port 22) is a very popular scanning target. If you allow SSH out of your firewall then you should disable password authentication and only use certificate-based authentication. Using fail2ban to block repeated authentication failures is also a good idea. Don't bother changing the SSH port; that's a false sense of security. You should avoid exposing your SSH server at all and only have it accessible on your local network, which you then reach through a VPN.
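One way to verify the sshd settings above before anything is forwarded, as an added example (not part of the wiki): a POSIX shell audit of an sshd_config file. The keywords it checks (PasswordAuthentication, KbdInteractiveAuthentication, PubkeyAuthentication, PermitRootLogin) are real sshd_config keywords; the sample config it runs on is constructed for the demo and is not any real host's file.

```shell
#!/bin/sh
# Added example (not from the wiki): audit an sshd_config for the settings the
# section asks for before SSH is reachable from anything but the LAN/VPN.
# sshd honours the FIRST occurrence of a keyword, so that is what is read here.
# Match blocks are ignored; on a live host `sshd -T` prints the effective config
# and its output can be fed to the same checks.

# sshd_get FILE KEYWORD: first uncommented value of KEYWORD, lower-cased; empty if unset
sshd_get() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }          # comment line
        NF == 0          { next }          # blank line
        tolower($1) == k { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE: print one FAIL line per weak setting; returns the count
audit_sshd_config() {
    f=$1
    issues=0

    # Password logins are what the scanners brute-force. sshd default is "yes".
    v=$(sshd_get "$f" PasswordAuthentication)
    [ "${v:-yes}" = no ] || {
        echo "FAIL PasswordAuthentication is '${v:-unset}' (default yes), want 'no'"
        issues=$((issues + 1))
    }

    # Keyboard-interactive (PAM) auth is a second route to a password prompt.
    # Default is "yes"; older configs use the name ChallengeResponseAuthentication.
    v=$(sshd_get "$f" KbdInteractiveAuthentication)
    [ -n "$v" ] || v=$(sshd_get "$f" ChallengeResponseAuthentication)
    [ "${v:-yes}" = no ] || {
        echo "FAIL KbdInteractiveAuthentication is '${v:-unset}' (default yes), want 'no'"
        issues=$((issues + 1))
    }

    # Key-based auth must stay enabled or nobody can log in at all. Default "yes".
    v=$(sshd_get "$f" PubkeyAuthentication)
    [ "${v:-yes}" = yes ] || {
        echo "FAIL PubkeyAuthentication is '$v', want 'yes'"
        issues=$((issues + 1))
    }

    # Root should be key-only or off. Default is "prohibit-password".
    v=$(sshd_get "$f" PermitRootLogin)
    case "${v:-prohibit-password}" in
        no|prohibit-password|without-password) ;;
        *) echo "FAIL PermitRootLogin is '$v', want 'no' or 'prohibit-password'"
           issues=$((issues + 1)) ;;
    esac

    [ "$issues" -eq 0 ] && echo "OK: password logins off, key auth on, root restricted"
    return "$issues"
}

# Constructed sample (not a real host's file): what a fresh install often looks like.
sample=$(mktemp)
cat >"$sample" <<'EOF'
# sshd_config constructed for the demo
Port 22
PasswordAuthentication yes
PermitRootLogin yes
EOF
audit_sshd_config "$sample" || echo "$? weak setting(s); fix them before forwarding port 22"
rm -f "$sample"
```

Run it against /etc/ssh/sshd_config (or `sshd -T > effective.conf` first, which flattens Match blocks) and pair the result with fail2ban's `sshd` jail (`[sshd]` with `enabled = true` in jail.local) and a firewall rule that limits port 22 to the LAN and VPN ranges.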
Cloudflare and Hiding Your IP
DNS records can expose your home IP address because when you register a domain name, you need to provide DNS records that map your domain name to your IP address. This is how the internet knows where to send traffic for your domain.
This is a problem because your IP address can reveal information about your location and your internet service provider. It can even be used to launch targeted attacks against your network.
To hide your home IP, you need to proxy your traffic through a middleman. Much of the internet runs on Cloudflare, who provide DNS and DDoS protection for free.
Dynamic IPs
A dynamic IP address is an IP address that changes from time to time, unlike a static IP address. Most home networks are likely to have a dynamic IP address. You can use ddclient to update your DNS records to the correct IP when it changes.
ddclient supports Cloudflare: https://www.davidschlachter.com/misc/cloudflare-ddclient
CGNAT
Carrier-Grade Network Address Translation (CGNAT) is a technology used by Internet Service Providers (ISPs) to share a single public IP address among multiple customers. It is a response to the shortage of public IPv4 addresses.
When it comes to hosting a server on your home network, CGNAT can cause problems. If you're behind a CGNAT, you don't have a unique public IP address that the wider internet can use to reach your server.
You can use Cloudflare Tunnel to proxy your traffic through the CGNAT setup and directly to Cloudflare. The DIY way is to run a cloud VPS and use a VPN to connect back to your home network.
Reverse Proxy
Nginx is a powerful web server and reverse proxy server. When used as a reverse proxy, it can handle requests on behalf of backend servers.
A reverse proxy allows you to serve multiple applications on different servers from a single forwarded port.
Each internal service gets its own subdomain (like plex.example.com, nextcloud.example.com), and the proxy routes each request to the right backend based on the hostname.
More info at Home_Server/Reverse_proxy
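What that subdomain-per-service layout looks like in nginx terms, as an added example (not taken from the wiki or the Home_Server/Reverse_proxy page): a shell script that prints one nginx server block per service plus a catch-all default server. The domain example.com, the LAN range 192.168.1.0/24, the certificate paths and the backend addresses are all placeholders. Services marked lan-only get an allow list, which is how an admin panel can sit behind the proxy without being reachable from the internet.

```shell
#!/bin/sh
# Added example (not from the wiki): print nginx "server" blocks for the one-port,
# subdomain-per-service layout. Placeholders you must replace: DOMAIN, LAN_CIDR
# and the certificate paths (a wildcard cert covering *.DOMAIN is assumed).

DOMAIN=${DOMAIN:-example.com}
LAN_CIDR=${LAN_CIDR:-192.168.1.0/24}
CERT=/etc/letsencrypt/live/$DOMAIN/fullchain.pem
KEY=/etc/letsencrypt/live/$DOMAIN/privkey.pem

# gen_vhost NAME UPSTREAM [lan-only]: serve NAME.$DOMAIN by proxying to UPSTREAM
# (host:port, or a full http(s)://host:port). "lan-only" adds an allow list so the
# service is reachable through the proxy from the LAN but not from the internet.
gen_vhost() {
    name=$1 upstream=$2 scope=${3:-public}
    case "$upstream" in
        http://*|https://*) ;;
        *) upstream="http://$upstream" ;;
    esac
    cat <<EOF
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $name.$DOMAIN;
    ssl_certificate     $CERT;
    ssl_certificate_key $KEY;
EOF
    if [ "$scope" = lan-only ]; then
        cat <<EOF
    # admin panel: LAN addresses only, everyone else gets 403
    allow $LAN_CIDR;
    deny all;
EOF
    fi
    cat <<EOF
    location / {
        proxy_pass         $upstream;
        proxy_set_header   Host              \$host;
        proxy_set_header   X-Real-IP         \$remote_addr;
        proxy_set_header   X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto \$scheme;
    }
}

EOF
}

# gen_site SPEC...: SPEC is name=host:port or name=host:port:lan-only. A catch-all
# default server goes first so requests for unknown hostnames on the forwarded
# port get the connection closed (444) instead of landing on the first vhost.
gen_site() {
    cat <<EOF
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_certificate     $CERT;
    ssl_certificate_key $KEY;
    return 444;
}

EOF
    for spec in "$@"; do
        name=${spec%%=*}
        rest=${spec#*=}
        case "$rest" in
            *:lan-only) gen_vhost "$name" "${rest%:lan-only}" lan-only ;;
            *)          gen_vhost "$name" "$rest" ;;
        esac
    done
}

# Constructed demo: two public services and one admin panel kept off the internet.
gen_site plex=192.168.1.10:32400 nextcloud=192.168.1.11:8080 admin=192.168.1.2:9090:lan-only
```

Redirect the output into a file under /etc/nginx/conf.d/ and run `nginx -t` before reloading. Note that if the proxy itself sits behind Cloudflare, the client address nginx sees is Cloudflare's, so the LAN allow list correctly keeps the admin vhost closed to all internet traffic.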
VPNs
As you probably already know, a Virtual Private Network (VPN) is a service that allows you to connect to the internet in a secure way by providing an encrypted connection.
This technology can be used to remote into your home network and access your servers. By connecting to a VPN server that is set up on your home network, you can access your home servers as if you were physically present in your home. This is neat because it means you don't have to expose your internal services (hypervisor dashboards, admin panels, SSH, private services only you use) to the outside world. You only have to port forward your VPN port and you can access your home network from anywhere.
Make sure you check out overlay networks, they're really cool.
WireGuard
"WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN." (WireGuard homepage)
WireGuard also has Linux kernel modules, making it a very performant VPN. It's also designed to stay silent to anything that isn't a valid handshake from a configured peer, so IP scanners can't tell that anything is listening on that port.
OpenVPN
An older, classic, VPN server. Stick with WireGuard unless you need OpenVPN specifically.
Overlay Networks and Mesh VPNs
An overlay network is a network that is built on top of another network (such as the internet) and sends traffic through that infrastructure. The key benefit of overlay networks is that they can be deployed without changing the underlying physical network. Instead, they can be implemented through software in the nodes of the network. No port forwarding is required.
Mesh VPNs use a peer-to-peer model to create a secure shared environment for their users. They consist of nodes that send traffic between themselves rather than through a central server.
How do these two technologies connect you to your home servers? They eliminate the need for a central server and allow your servers to communicate across any network boundary without opening any ports. Traffic is encrypted between nodes, which is a convenient extra layer of security.
Despite their distributed nature, overlay networks and mesh VPNs always require some sort of cloud server with a static IP to help nodes cross NAT boundaries and discover each other. Running several of these cloud discovery servers removes the single point of failure.
Warning: If the addressing of your overlay network conflicts with the addressing of the physical network you are connected to, traffic won't be able to flow. Make sure you pick an IP range for your overlay network that won't conflict with other networks. 100.64.0.0/10 is a good choice and recommended by Tailscale.
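A quick way to check a candidate overlay range against the networks a host already sits on, as an added example (not from the wiki): a POSIX shell CIDR-overlap test. It is IPv4 only. With no local ranges given it reads them from `ip -4 -o addr` (iproute2 on Linux); the local ranges in the demo call are constructed. Note that 100.64.0.0/10 is also the shared address space ISPs use for CGNAT, so a router whose WAN side is behind CGNAT will show a hit there, which is expected and harmless for hosts on the LAN.

```shell
#!/bin/sh
# Added example (not from the wiki): check that a candidate overlay range does not
# overlap any network the host already has an address on. Pure POSIX sh, IPv4 only.

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# prefix2mask N -> integer mask with the top N bits set
prefix2mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# cidr_overlap A.B.C.D/N W.X.Y.Z/M -> exit 0 if the two ranges share any address
cidr_overlap() {
    n1=$(ip2int "${1%/*}"); p1=${1#*/}
    n2=$(ip2int "${2%/*}"); p2=${2#*/}
    # Two ranges overlap iff the larger one (shorter prefix) contains the other's
    # network address, so compare both under the shorter prefix's mask.
    if [ "$p1" -le "$p2" ]; then m=$(prefix2mask "$p1"); else m=$(prefix2mask "$p2"); fi
    [ $(( n1 & m )) -eq $(( n2 & m )) ]
}

# check_overlay_range CIDR [LOCAL_CIDR...]: report every local range that collides
# with CIDR and return the number of collisions. Without LOCAL_CIDR arguments the
# host's own interface addresses are read from `ip -4 -o addr` (column 4 is A.B.C.D/N).
check_overlay_range() {
    candidate=$1; shift
    if [ $# -eq 0 ]; then
        set -- $(ip -4 -o addr 2>/dev/null | awk '{ print $4 }')
        if [ $# -eq 0 ]; then
            echo "no local ranges found (is iproute2 installed?); pass them explicitly"
            return 0
        fi
    fi
    hits=0
    for local in "$@"; do
        if cidr_overlap "$candidate" "$local"; then
            echo "CONFLICT: overlay $candidate overlaps local $local"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ] && echo "OK: $candidate does not overlap any given local range"
    return "$hits"
}

# Constructed demo: a LAN, a VPN subnet, and one interface that happens to sit in
# the 100.64.0.0/10 block (for example a WAN port behind CGNAT).
check_overlay_range 100.64.0.0/10 192.168.1.10/24 10.8.0.1/24 100.100.5.7/16 \
    || echo "$? conflicting range(s); pick a different overlay block or renumber"
```

Run `check_overlay_range 100.64.0.0/10` with no further arguments on each node that will join the overlay; a non-zero return means that node's own addressing would collide.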
The two leading overlay networks are Nebula and Tailscale. Both are excellent choices.
Nebula
Nebula is an open source overlay network developed by Slack to connect their many datacenters. It has a "focus on performance, simplicity and security". Simplicity is Nebula's main selling point and it is extremely easy to get a Nebula network up and running. Just generate certs and set up a "lighthouse" (what Nebula calls the discovery cloud server).
A lighthouse requires very few compute resources and you can easily run a very large network off of the cheapest cloud VPS you can find (they suggest the $5/mo DigitalOcean server).
Nebula also features a per-node stateful firewall that enables network segmentation, something other overlay networks lack.
Nebula does not support IPv6 inside the overlay network. The GitHub issue tracking progress on implementing IPv6 in Nebula.
Tailscale
Tailscale is built on WireGuard and similar to Nebula in its capabilities.
The biggest difference is that Tailscale has strong user-based SSO authentication. This introduces additional complexity that may not be necessary for the home environment.
Comparison between Tailscale and Nebula.
Tailscale's discovery server is called a "coordination server" and is not open source. Headscale is an open source drop-in replacement.
Tailscale supports IPv6 inside the overlay network, greatly reducing the likelihood of an address conflict with the physical network.
Doing Cool Things With Overlay Networks
Tired of trying to remember what IP address is what? Run an internal DNS server only accessible through your overlay network and assign your hosts easy to remember domain names! Use .nb if you are on Nebula or maybe .ts if you use Tailscale. Then run Nginx Proxy Manager on your lighthouse or coordination server and enjoy free, unique domains only you can access!
Security
Unlike a desktop, a server is always working, accepts connections from the internet (your desktop is normally firewalled and doesn't have any ports open) and is easy to discover (especially if you send mail from it). It's under a bit more risk, and it's worth thinking about which intrusions you will try to prevent and how. Refer to Security#Threat_analysis to understand how and what threats you can mitigate.
Basic measures include:
- Privilege separation
- If you are behind a router, only forward ports you need
- Your firewall should reject all traffic which isn't either in response to an existing connection, or destined for a forwarded port
- Make sure to keep your router firmware updated, as vulnerabilities are often patched in newer versions (at least, from the companies which bother even releasing them). If your device doesn't receive support in the form of firmware updates and security fixes, consider running community-maintained firmware such as OpenWRT
- Regularly update software and kernels when they become available for your distro (it is far better to fix what updates break than to get owned)
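The firewall rule above, written out for the server itself, as an added example (not from the wiki): a shell script that prints a default-deny nftables ruleset accepting only replies to existing connections, loopback, ICMP, management from the LAN or VPN, and the ports you list. The LAN range 192.168.1.0/24 and the wg0 interface name are placeholders; the services in the demo call are constructed.

```shell
#!/bin/sh
# Added example (not from the wiki): print a default-deny nftables ruleset for the
# server itself. Arguments are the services you deliberately forward, written
# tcp/PORT or udp/PORT; nothing else is accepted from outside. Load the output
# with `nft -f FILE` and keep it in /etc/nftables.conf (Debian-style) so it
# survives reboots. LAN_CIDR and "wg0" are placeholders for your own network.
# There is no forward chain: this host is not a router. A Proxmox or Docker
# host with bridged guests needs its own forward rules.

LAN_CIDR=${LAN_CIDR:-192.168.1.0/24}

# gen_nft_ruleset SERVICE...: ruleset to stdout; returns 1 and prints nothing on a bad spec
gen_nft_ruleset() {
    for svc in "$@"; do
        case "$svc" in
            tcp/*|udp/*) ;;
            *) echo "gen_nft_ruleset: bad spec '$svc' (want tcp/PORT or udp/PORT)" >&2; return 1 ;;
        esac
        case "${svc#*/}" in
            ''|*[!0-9]*) echo "gen_nft_ruleset: bad port in '$svc'" >&2; return 1 ;;
        esac
    done
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        # "drop" rather than "reject": unanswered probes tell scanners nothing
        type filter hook input priority 0; policy drop;
        # replies to connections this host opened (DNS, updates, backups)
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # ICMP stays open: path MTU discovery and IPv6 neighbour discovery need it
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept
        # management only from the VPN or the LAN, never via a forwarded port
        iifname "wg0" accept
        ip saddr $LAN_CIDR tcp dport 22 accept
        # services the router actually forwards to this host
EOF
    for svc in "$@"; do
        printf '        %s dport %s accept\n' "${svc%/*}" "${svc#*/}"
    done
    cat <<'EOF'
    }
}
EOF
}

# Constructed demo: WireGuard and HTTPS are forwarded; SSH is deliberately absent
# from the forwarded list and only reachable from the LAN rule above.
gen_nft_ruleset udp/51820 tcp/443
```

Check the result with `nft -c -f FILE` (parse only) before loading it, and keep a console or out-of-band session open the first time in case you lock yourself out.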
Monitoring
Monitoring allows you to detect and send alerts when things break rather than having months go by before discovering something is wrong. Even if you have only one machine a monitoring platform can be helpful. Some good options include Icinga2, Zabbix, and Uptime Kuma.
If you have something that can stop working, add a monitoring check to make sure it keeps working. Eventually, your entire infrastructure will be monitored and you can have the confidence that things really are working correctly when your monitoring dashboard shows green.
Check scripts in Icinga2 and Zabbix are used to perform specific checks. These scripts can be written in any programming language and return an exit status code and a status message. There are many excellent scripts on GitHub and it's super easy to write your own.
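A check script in that convention, as an added example (not from the wiki): the Icinga2/Nagios plugin contract is an exit code for the state (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN) and a one-line status message, optionally followed by `|` and performance data. The decision logic is kept in its own function so it can be exercised with constructed values; the mount point and thresholds in the demo are placeholders.

```shell
#!/bin/sh
# Added example (not from the wiki): a disk-usage check in the Icinga2/Nagios
# plugin convention. Exit code carries the state (0 OK, 1 WARNING, 2 CRITICAL,
# 3 UNKNOWN); the first output line is the status text, with perfdata after "|".

OK=0; WARNING=1; CRITICAL=2; UNKNOWN=3

# evaluate_usage PERCENT WARN CRIT [LABEL]: pure decision logic, testable without
# touching a real filesystem. Prints the message, returns the state.
evaluate_usage() {
    used=$1 warn=$2 crit=$3 label=${4:-usage}
    case "$used" in
        ''|*[!0-9]*) echo "UNKNOWN - '$used' is not a percentage"; return $UNKNOWN ;;
    esac
    if [ "$warn" -gt "$crit" ]; then
        echo "UNKNOWN - warning threshold ($warn) is above critical ($crit)"
        return $UNKNOWN
    fi
    # perfdata: label=value;warn;crit;min;max, so the monitoring server can graph it
    perf="| ${label}=${used}%;${warn};${crit};0;100"
    if [ "$used" -ge "$crit" ]; then
        echo "CRITICAL - $label ${used}% used (>= ${crit}%) $perf"; return $CRITICAL
    elif [ "$used" -ge "$warn" ]; then
        echo "WARNING - $label ${used}% used (>= ${warn}%) $perf"; return $WARNING
    fi
    echo "OK - $label ${used}% used $perf"; return $OK
}

# check_disk MOUNTPOINT [WARN] [CRIT]: read the used percentage with df -P
# (POSIX output, one line per filesystem, column 5 is "NN%") and evaluate it.
check_disk() {
    mnt=$1 warn=${2:-80} crit=${3:-90}
    pct=$(df -P "$mnt" 2>/dev/null | awk 'NR == 2 { sub("%", "", $5); print $5 }')
    if [ -z "$pct" ]; then
        echo "UNKNOWN - cannot read df output for $mnt"; return $UNKNOWN
    fi
    evaluate_usage "$pct" "$warn" "$crit" "$mnt"
}

# As a plugin: check_disk.sh /srv 80 90 (the script's exit status is the state).
# Without arguments, run the logic on a constructed value instead of a real disk.
if [ $# -gt 0 ]; then
    check_disk "$@"
else
    evaluate_usage 93 80 90 /srv || echo "(state $?)"
fi
```

Register it like any other plugin (an Icinga2 CheckCommand pointing at the script, or a Zabbix UserParameter that runs it) and alert on the exit status; the message and perfdata show up in the dashboard.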
Miscellaneous
Showcase
External Links
- Home server hardware - Hayden James' home lab setup
- STH Forums - Good general resource for server questions
- Learn Command line