So around Monday this past week I had the urge to completely redo my homelab. When I first spun up my Proxmox server in early 2021 I built my environment to be a tad more complex than it actually needed to be, and also didn’t follow best practices in some of my setups. So I decided to burn all my CentOS servers to the ground and replace them with Rocky Linux. The only parts I kept were the hypervisor itself and my VyOS firewall, as it’s super easy to redo configurations for it.
Right now here is my lab, divided into two subnets: one for public-facing services (1XX), the other for local-only services (2XX).
As mentioned earlier this is a VyOS firewall, in charge of routing all my traffic, managing subnets, forwarding DNS, etc. Nothing much is different. It still drops all traffic by default, requiring me to specify ports and IPs to allow traffic to and from. While this can be a headache configuration-wise, the peace of mind in security is always welcome.
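As an added illustration of that default-drop design (not the author's actual config), here is a VyOS 1.3 set-command ruleset for a two-subnet layout like the one above; interface names, addresses and the host roles are assumptions, and VyOS 1.4 changed this syntax.

```vyos
# Constructed VyOS 1.3 (set-command) ruleset; interface names and addresses are
# assumptions, not the author's real layout:
#   eth0 = WAN, eth1 = public-facing "1XX" subnet 10.0.100.0/24,
#   eth2 = internal-only "2XX" subnet 10.0.200.0/24
# Return traffic for connections the firewall already allowed is accepted globally,
# so each ruleset below only has to name who may *initiate* a connection.
set firewall state-policy established action 'accept'
set firewall state-policy related action 'accept'
set firewall state-policy invalid action 'drop'

# Internet -> lab: drop everything except 80/443 to the nginx reverse proxy.
set firewall name WAN-IN default-action 'drop'
set firewall name WAN-IN rule 10 action 'accept'
set firewall name WAN-IN rule 10 protocol 'tcp'
set firewall name WAN-IN rule 10 destination address '10.0.100.10'
set firewall name WAN-IN rule 10 destination port '80,443'
set interfaces ethernet eth0 firewall in name 'WAN-IN'

# Public subnet -> anywhere: may reach the internet, may never initiate into 2XX.
set firewall name DMZ-IN default-action 'drop'
set firewall name DMZ-IN rule 10 action 'accept'
set firewall name DMZ-IN rule 10 destination address '!10.0.200.0/24'
set interfaces ethernet eth1 firewall in name 'DMZ-IN'

# Internal subnet -> public subnet: only the Deployer host may open SSH;
# everything else from 2XX is allowed out to the internet only.
set firewall name LAN-IN default-action 'drop'
set firewall name LAN-IN rule 10 action 'accept'
set firewall name LAN-IN rule 10 protocol 'tcp'
set firewall name LAN-IN rule 10 source address '10.0.200.10'
set firewall name LAN-IN rule 10 destination address '10.0.100.0/24'
set firewall name LAN-IN rule 10 destination port '22'
set firewall name LAN-IN rule 20 action 'accept'
set firewall name LAN-IN rule 20 destination address '!10.0.100.0/24'
set interfaces ethernet eth2 firewall in name 'LAN-IN'

# 'in' rulesets only see forwarded traffic; DNS queries to the router itself
# are governed by a separate 'local' ruleset, not shown here.
```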
Really it should be called Webserver/Reverse Proxy but I like short names in my configs. This is by far the biggest change, as previously I had two servers doing what this one now does. I had an HAProxy server as a reverse proxy, which would point to an Apache httpd server serving my site. But for this I switched to nginx, and rolled all the functionality into one server. And I have to say, nginx is nice. I had an easier time dealing with SSL certs on nginx than I did on HAProxy, especially when it comes to subdomains. Speaking of SSL certs:
Pro Tip: You can get certbot without having to install snaps on RHEL-based systems if you install epel-release and grab it from that repo.
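To show how the nginx-plus-certbot combination above fits together, here is an added example (not the author's own config) of a subdomain server block that terminates TLS with the certs certbot from EPEL writes under /etc/letsencrypt/live/ and proxies to a backend on the subdomain server. The upstream address and the backend port 8080 (Owncast's default listener) are assumptions.

```nginx
# Constructed example; hostnames, the upstream address and the webroot are assumptions.
upstream owncast {
    server 10.0.100.20:8080;   # Owncast on the subdomain server, assumed port 8080
}

# Plain HTTP only answers the ACME challenge and redirects everything else.
server {
    listen 80;
    server_name live.cyberfarmer.xyz;
    location /.well-known/acme-challenge/ { root /var/www/letsencrypt; }
    location / { return 301 https://$host$request_uri; }
}

server {
    listen 443 ssl http2;
    server_name live.cyberfarmer.xyz;

    # Paths certbot writes for this name, e.g. after:
    #   certbot certonly --webroot -w /var/www/letsencrypt -d live.cyberfarmer.xyz
    ssl_certificate     /etc/letsencrypt/live/live.cyberfarmer.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/live.cyberfarmer.xyz/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://owncast;
        proxy_http_version 1.1;
        # Owncast chat runs over a websocket; without these two headers the upgrade fails.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Pass the real client address through so backend logs (and the SIEM) see it.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Adding a second subdomain is a copy of the two server blocks with a new server_name and its own certbot-issued cert paths.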
Pretty self-explanatory I think. This is where I run game servers for me and my friends from. It has by far the most hardware resources allocated to it of any of my VMs, mostly because Minecraft is a RAM hog.
This is where things are completely new. With the redo of my lab I wanted to self host more things, mostly just to see what I can do. So every time I want to host something that is a web application, it will be on this server and be assigned an appropriate subdomain. In fact I already have one service up and running, Owncast.
Owncast in short is a self-hosted streaming platform, like Twitch. It comes with Fediverse integration and is still in really active development. It’s a project I’ve been interested in for a while. But as of right now most of the streams on the Owncast Directory are automated. Some of the appeal of streaming is the live interaction with the streamer, being a more social form of entertainment, so having streams where there is an actual streamer to talk to is important. So I thought, “Hey, I can do that,” and I did. Last night (at the time of writing) I streamed Minecraft for a bit at live.cyberfarmer.xyz. It was a lot of fun actually, so I’m planning on doing more streams soon.
Here we get to my other subnet, the internal-only one. My goals for Deployer are a bit more long term. As of right now it merely acts as my SSH conglomeration server. To access any of the other servers through SSH I have to first remote into Deployer. This is by design for my future goals of infrastructure automation, with Deployer also being the deployer of said automation. I’ll probably end up going with Ansible for automation, as it’s one of the easiest-to-use pieces of automation software out there. But that is a project for another day. Right now managing my infrastructure manually is still simple, so I’m not in a rush.
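One way to make that "everything goes through Deployer" rule convenient from a workstation is an ssh_config with ProxyJump; this is an added example, not the author's config, and the host aliases, users and addresses are assumptions.

```sshconfig
# Constructed ~/.ssh/config on a workstation; aliases, users and addresses are assumptions.
# Deployer is the only host the workstation connects to directly.
Host deployer
    HostName 10.0.200.10
    User admin
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

# Every other lab box is reached through Deployer. ssh_config keeps the first value
# it sees for an option, so the shared settings go here and HostName comes later.
Host web game sub
    User admin
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    ProxyJump deployer
    # The workstation presents the key end to end, so no private key has to live
    # on Deployer; it only relays the TCP connection (sshd there needs
    # AllowTcpForwarding left enabled for the jump to work).

Host web
    HostName 10.0.100.10
Host game
    HostName 10.0.100.11
Host sub
    HostName 10.0.100.20
```

With this in place `ssh web` transparently opens the hop through Deployer, and the firewall rule that only lets Deployer's address start SSH into the public subnet does the rest.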
Now if you’re not a cyber security person you may not know much about SIEMs (Security Information and Event Management). In short, they aggregate logs and other information and process them into an easily readable and usable format. The SIEM I use at work is Splunk, which is really good despite being proprietary. But for home I wanted something different, and after shopping around a bit I settled on Wazuh, a SIEM built on the ELK stack and OSSEC, licensed under GPLv2. So far it’s been cool. While I’m still figuring out the nitty gritty of it, mostly trying to filter out expected security traffic from my personal testing, it was a breeze to set up, which is rare for a SIEM. It fully automated the entire server setup, including installing and running the ELK stack.
As you can see the default dashboard is pretty great already, and you can see that my webserver/reverse proxy generates a lot of events, especially last night when I was streaming. So yeah, it needs some tuning. But for the most part it’s just been catching web scanners trying to find my WordPress admin login page, which doesn’t exist. And that means I also need to look into an automated IP banning service, because doing it by hand is impossible. I am excited to play around with this a bit more; if it has the features I want it could be a good option for a copyleft SIEM.
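The "scanners probing for a WordPress login that doesn't exist" pattern above is a good first tuning target, and the logic a SIEM rule or a ban-list feeder needs is small. Here is an added Python example (not part of the post, and not Wazuh's own rule format) that runs it over constructed nginx access-log lines: only IPs that 404 on several WordPress paths within a short window get flagged, so a stray hit or a slow trickle stays out of the ban list.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx "combined" access-log line; constructed sample lines below (RFC 5737 test addresses).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+')
# WordPress paths scanners probe; this site has no WordPress, so every hit is a 404.
WP_PROBES = ("/wp-login.php", "/wp-admin", "/xmlrpc.php", "/wp-content", "/wp-includes")

SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2022:02:13:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2022:02:13:02 +0000] "GET /wp-admin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2022:02:13:04 +0000] "POST /xmlrpc.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Feb/2022:02:20:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Feb/2022:02:20:11 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Feb/2022:03:00:00 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/7.79"
192.0.2.9 - - [10/Feb/2022:04:00:00 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/7.79"
192.0.2.9 - - [10/Feb/2022:05:00:00 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/7.79"
"""

def parse_line(line):
    """Return the fields we need, or None for lines that are not access-log entries."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def is_wp_probe(ev):
    return ev["status"] == 404 and ev["path"].startswith(WP_PROBES)

def find_scanners(lines, threshold=3, window=timedelta(minutes=10)):
    """Map IP -> total probe count for IPs with >= threshold probes inside one `window`.
    A single stray 404 or a slow trickle spread over hours does not get flagged."""
    probes = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and is_wp_probe(ev):
            probes[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, times in probes.items():
        times.sort()
        for i, start in enumerate(times):   # sliding window anchored at each probe
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

On the sample, only 203.0.113.7 is flagged; 198.51.100.4 made one probe and 192.0.2.9 spaced its three an hour apart, which is exactly the noise a threshold-and-window rule is meant to ignore before anything reaches a ban list.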
All in all this project has been a fun undertaking. It’s been nice to learn more software and services out there and apply the knowledge I’ve accumulated in the past years in a meaningful way. If you have any suggestions for self hosted services I’d love to hear them, because I am still trying to figure out what I want to do with my subdomain server besides just Owncast.