What’s up, what’s down and what are you not sure about?

Let us know what you set up lately, what kind of problems you currently think about or are running into, what new device you added to your homelab or what interesting service or article you found.

  • @sbv@sh.itjust.works
    English
    328 days ago

    I’ve finally powered on a 15 year old machine to run a bot I’ve been writing. The thing is slow as dirt and stuck behind a flakey power line network, but it’s working. I got to write my first systemd service definition, which is kind of cool.

    • irmadlad
      English
      58 days ago

      The computer I’m using currently, I set the BIOS in 2012. When I built it, I stuffed every last piece of cutting edge tech of the time into it. Dual CPU, SLI, started with 64gb ram then later on maxed the board out at 128gb. It’s still a workhorse tho. It’s one of the three I use all the time for music production, selfhosting etc.

      • @sbv@sh.itjust.works
        English
        48 days ago

        My machine is not a workhorse. I got it second hand. It has around 8gb of RAM, and an 80gb HDD I found in a laptop.

        But it’s enough to work as a testbed, so it’s fine with me.

        • irmadlad
          English
          68 days ago

          This is the home lab creed: You do with what you have. Before I accumulated a bit of equipment, I’ve used laptops, RPi, minicomputers, at one time I had a cluster of Wyse thin clients bootstrapped together.

  • kate
    English
    308 days ago

    Finally switched from plex to jellyfin, seems to be ok so far. Needed to make some small scripts for metadata management but it’s running smoothly. Finally decided I’m hosting enough software with user accounts that I’ve made an authentik instance for SSO with each (ofc jellyfin first)

    • @smiletolerantly@awful.systems
      English
      68 days ago

      Hey, we’re also thinking about setting up authentik. Could you answer the following, where I haven’t found answers to yet: does introducing SSO impede logging into Jellyfin on a TV / phone app at all?

      • kate
        English
        98 days ago

        no, works fine. there’s an LDAP plugin for jellyfin so you can use the jellyfin internal login page and the server will verify the login against authentik. took some setting up though.

    • bluGill
      38 days ago

      Any reason you choose authentik? There are a number of options and I’m not sure why to choose one over the other.

      • kate
        English
        68 days ago

        I did no research whatsoever and picked the one I’d seen the name of more often. I figured if it didn’t work for me I’d try something else, same as when plex wasn’t working for me so I switched to jellyfin. I have no idea how it compares to the other options but it feels pretty solid so far

      • @dan@upvote.au
        English
        5
        edit-2
        8 days ago

        I’m not the person you’re replying to, but Authentik:

        • Has a UI for configuring it, including adding users.
        • Supports LDAP if you need it. Authelia needs a separate LDAP server.
        • Supports practically every two factor auth protocol you’d need: OIDC (OpenID Connect), OAuth2, SCIM, SAML, RADIUS, LDAP, and proxying for apps that don’t support any of them (which is getting rarer).
        • Supports permissions and permission groups, i.e. only allow certain users to access particular apps.
        • Can be used as the source of truth for Google Workspace and Microsoft Entra. Maybe not as relevant for home use.

        I haven’t tried Keycloak but I hear it’s pretty good, albeit a heavier app to deploy.

        I have tried Authelia, and it’s much less powerful than Authentik. Authelia requires you to manually modify config files rather than using a web UI. It also only supports OIDC (which is in beta) and proxying. Proxying is not recommended and has several issues since it’s not “true” single sign-on.

        • @sugar_in_your_tea@sh.itjust.works
          English
          38 days ago

          I’m considering Keycloak myself because it’s trusted by security professionals (I think it’s a RedHat project), whereas Authentik is basically a passion project.

          • @StaticFlow@feddit.uk
            English
            27 days ago

            I hear keycloak has quarkus builds as well these days which should be much slimmer than how it used to be built.

            • @sugar_in_your_tea@sh.itjust.works
              English
              17 days ago

              I hadn’t heard of it, and looking into quarkus just reminded me of how complicated the whole Java ecosystem is. Gross.

              Hosting Go, Rust, etc stuff is dead simple, but with Java, there’s all this complexity…

              • @dan@upvote.au
                English
                27 days ago

                Nothing’s as bad as trying to host and maintain a Ruby on Rails app :)

                Docker has made a lot of it a non-issue though, since the apps are already preconfigured within the Docker image.

        • @timbuck2themoon@sh.itjust.works
          English
          27 days ago

          Keycloak is very much lighter actually. Can run under half a gig ram whereas authentik uses about 1GB.

          Authelia is king though in running with just about 30MB of ram.

          • @dan@upvote.au
            English
            27 days ago

            That’s interesting… It used to be a lot heavier.

            Authelia is definitely the lightest in terms of RAM, but it’s also the lightest in terms of features. As far as I can remember, they only added OIDC support fairly recently - previously it only supported proxying.

    • AtHeartEngineer
      English
      27 days ago

      The only feature I want that jellyfin doesn’t have (or I haven’t found it) is shuffle. Throwing on how it’s made or mythbusters on shuffle is great background stuff.

      • kate
        English
        28 days ago

        Setting up HW accel on Jellyfin was a bit more manual than a single checkbox. You have to tell it which codecs it should HW decode and encode. I had some issues with it so left it off for now

  • sixty
    English
    188 days ago

    Found out that docker volumes are important after restarting my server 🙃

  • @harsh3466@lemmy.ml
    English
    178 days ago

    I’ve been learning bash and working on scripts to automate stuff in my homelab. It’s been a lot of fun. I’m currently working on a script that will rename the movies and TV shows I rip from my DVD collection.

    The script queries the tmdb api, presents me with a menu of matches if there’s multiple matches, renames the media files according to jellyfin spec, and then places them in the proper folders to be indexed by Jellyfin and Kodi.

    • irmadlad
      English
      18 days ago

      automate stuff in my homelab.

      Love me some homelab automation. It puts a smile on my face when I get a little ding from telegram giving me a summary of this morning’s email, what the weather will be for the day along with a summary of established connections to my servers 'cause I’m paranoid like that. LOL fun stuff

  • irmadlad
    English
    11
    edit-2
    8 days ago

    Oh, I’ve just been tinkering around with LangFlow specifically as a news aggregator.

    The flow: https://i.imgur.com/5HqznQm.png

    Then asking AI to go get me some news: https://i.imgur.com/ltZPBwC.png

    Still needs a little tinkering and as the final step, to send said news stories to my Telegram. I really have a blast with automation platforms like N8N, Flowise, Gotify, DopplerTask, & Kestra.

    Afterwards, I smoked a small bowl and worked on a couple songs I have in the works.

    HBU?

  • @treeofnik@discuss.online
    English
    118 days ago

    Recently been working on setting up forgejo to migrate away from GitHub. My open source stuff I’ve actually put onto codeberg and I’ve set up a handful of pull mirrors on my local instance for redundancy. This weekend I’ve been testing out woodpecker-ci for automating pushing files to s3 for some static websites for repos on codeberg as well as my forgejo instance. Today will tell if that is successful!

  • @randombullet@programming.dev
    English
    98 days ago

    I’m switching my immich instance to an SSD one and switching my VPN from zerotier to tailscale.

    Hopefully that means my Immich will be a little more reactive.

    • @Await8987@feddit.uk
      English
      58 days ago

      If at all possible see if you can do wireguard yourself. Tailscale is basically inserting a third party company for no reason as it’s just wireguard with their servers involved. For example if you can run opnsense it’s easy to get running via the GUI. Very rewarding!

      • @sugar_in_your_tea@sh.itjust.works
        English
        2
        edit-2
        8 days ago

        Absolutely. I used Tailscale for a bit because I didn’t want to get a VPS (I’m behind CGNAT), but I needed to expose a handful of services and use my own domain name, and I couldn’t figure that out w/ Tailscale. So I bought a cheap VPS and configured WireGuard on it to get into my LAN and I’m much happier.

        • SayCyberOnceMore
          English
          18 days ago

          I’m considering going this route - just to hide my (static) home IP.

          What’s the rough sizing I’d need for a VPS? I’m guessing the smallest possible, but with the best / unlimited data usage?

          • @sugar_in_your_tea@sh.itjust.works
            English
            3
            edit-2
            8 days ago

            That really depends on your use case. I use very little transfer because most of my usage is within my LAN. I set up a DNS server (built in to my router) to resolve my domains to my local servers, and all the TLS happens on my local server, so it never goes out to the VPS. So I only need enough transfer for when I’m outside my house.

            Here’s my setup:

            • VPS - WireGuard and HAProxy - sni-based proxying
            • router - static DNS for local services
            • local servers - TLS trunking and services

            My devices use my network’s DNS, but if that fails, they fall back to some external DNS and route traffic through the VPS.

            VPSs without data caps tend to have worse speeds because they attract people who will use more transfer. I think it’s better to find one with a transfer cap that’s sufficient for your needs, so things stay fast. I use Hetzner, which has generous caps in the EU (20TB across the board) and good enough for me caps in the US (1TB base scales with instance size and can buy extra). Most of my use outside my house is showing something off every now and then, or accessing some small files or uploading something (transfer limits are only for outgoing data).
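
The VPS side of the setup described in the comment above, sketched as an added example (not the commenter's actual configuration): HAProxy in TCP mode reads only the SNI field of the TLS ClientHello and forwards the still-encrypted stream over WireGuard, so certificates and private keys stay on the home server. The hostnames, the tunnel address 10.8.0.2 and the section names are assumptions.

```haproxy
# /etc/haproxy/haproxy.cfg on the VPS (added example; all names are placeholders)

defaults
    mode    tcp                 # layer-4 only: no TLS termination on the VPS
    timeout connect 5s
    timeout client  1m
    timeout server  1m

frontend tls_passthrough
    bind :443

    # Wait briefly for the ClientHello so the SNI can be inspected,
    # and drop anything that is not a TLS handshake.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    tcp-request content reject

    # Route by exact SNI match. Only names listed here are forwarded,
    # so an unknown or missing SNI never reaches the LAN.
    acl sni_media req.ssl_sni -i media.example.org
    acl sni_files req.ssl_sni -i files.example.org
    use_backend home_lan if sni_media or sni_files

backend home_lan
    # 10.8.0.2 is the assumed WireGuard address of the home server,
    # which terminates TLS itself and holds the certificates.
    server home 10.8.0.2:443 check
    # Without extra configuration the home server sees the VPS tunnel
    # address as the client. If the receiving service supports the
    # PROXY protocol, adding "send-proxy-v2" to the server line above
    # preserves the real client address for logs and rate limiting.
```

The SNI itself travels in cleartext, so the VPS provider can see which hostnames are requested but not the content of the sessions.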

            • SayCyberOnceMore
              English
              37 days ago

              Ok, didn’t think about “unlimited” actually being slower - thanks for the insight.

              I’m running a pfSense f/w at the edge, so split horizon DNS and haproxy are already sorted… I’ll check out wireguard - should be straight forward

              Thanks

      • @randombullet@programming.dev
        English
        18 days ago

        My ISP blocks all outgoing ports. Maybe I’m not trying hard enough but anything I try port forwarding ends up getting blocked.

        Minecraft and port 80 are the 2 I’ve tried and they’ve been unresponsive

        • @mac@lemm.ee
          English
          17 days ago

          Pretty sure those two ports are blocked by a lot of IPs because they’re so popular

  • @non_burglar@lemmy.world
    English
    8
    edit-2
    8 days ago

    More incus:

    • mounting persistent storage into containers (cheating by exporting NFS from my proxmox zfs into the incus host).
    • wrote a pruning backup script for containers, runs daily, keeps last 7 days and the first of the month
    • passed through hardware (quicksync) into jellyfin container (it works!)
    • launched an OCI container (docker home assistant) natively in incus (this is a game-changer!)

    Next:

    • build 2nd incus node
    • move all containers from proxmox to incus
    • decom proxmox
    • setup Debian with NFS export

    • irmadlad
      English
      18 days ago

      I hear about Incus being the next best thing. I’ve never played around with it. Is it all that and a bag o’ chips?

      • @non_burglar@lemmy.world
        English
        18 days ago

        Side question, but where are you hearing this about incus?

        I’m wrapping up 9 years of using proxmox and I have very specific reasons for switching to incus, but this is the third time I’m fielding questions in the last month about incus.

        • irmadlad
          English
          18 days ago

          I read a lot. LOL I might not understand it all, but I read TBs of articles and stuff.

      • @non_burglar@lemmy.world
        English
        18 days ago

        I think so.

        It is LXD + KVM, so way more and finer tune control on lxc instances. It can run OCI images as well, so for docker instances with only a few configs and no persistent storage, it is actually quite handy. For docker instances that need pretty complicated compose files, I just run docker inside an lxc for now, until I figure that out.

        • @GnuLinuxDude@lemmy.ml
          English
          17 days ago

          Does Incus allow you to use a VM with a GUI? One thing that’s nice about Proxmox is I have one VM with a very basic lxqt setup for when I need that, and I can either use remote-viewer + the spice protocol to access it or access it through the Proxmox web ui. That’s been very handy.

  • @Botzo@lemmy.world
    English
    78 days ago

    Scrubbing a little demo project I made featuring a web app behind oauth2-proxy leveraging keycloak as local idp with social login. It also uses a devcontainer config for development. The demo app uses the Litestar framework (fka starlite, in Python) because I was interested, but it’s hardly the focus. Still gotta put caddy in front of it all for easy SSL. Oh, and clean up all the default secrets I’ve strewn about with appropriate secret management.

    All of it is via rootless podman and declarative configuration.

    Think I might have to create my own Litestar RBAC plugin that leverages the oauth headers provided by the proxy.

    It has been a minute since I worked daily in this space, so it has been good to dust off the cobwebs.

  • Encrypt-Keeper
    English
    7
    edit-2
    7 days ago

    https://romm.app/

    A catalog for organizing various Roms you have. It can pull metadata from a number of sources and properly add all the details, cover art, and platform information to each game. It’s smart enough to auto-generate collections based on game series, and embed YouTube videos for gameplay of each one without even any configuration.

    The best part? It has Ruffle and EmulatorJS built in so you can play any games supported by EmulatorJS in your browser. I tested games up to N64 and they all ran smooth as butter right in the browser with gamepad configurations built in. They even support local multiplayer.

  • airgapped
    English
    78 days ago

    This week I finally managed to route torrent traffic through a VPS that was sitting around gathering dust. I am behind CGNAT so was taking me 6 weeks to do the kind of traffic I do in a day now. I couldn’t be more chuffed.

  • @InverseParallax@lemmy.world
    English
    68 days ago

    Last week got my new epyc server with GPU running ollama and all the trimmings.

    This week linked my 2 home bases with wire guard, all the subnets mesh and the wifi isolation is solid. Performance is surprisingly good considering they’re 9 time zones apart on different hemispheres.

    Migrating plex to jellyfin to get hw accel working.

    Also trying to get my second base multiple statics and 10gb if possible, rural fiber in Europe is unbelievably awesome, hope to drop Comcast business back home if it works.

    Got someone to work with on a new company, so that’s part of this, though my day job relies on this too.

  • Flarf
    English
    6
    edit-2
    7 days ago

    I set up my own Lemmy server, mastodon, and matrix. Finally making the move off centralized social media and communication platforms

    • quantum-drifter
      English
      47 days ago

      Do you just do this for your own personal use, a few friends or just anyone from the internet? I’m just curious what the point is and how much effort is involved in connecting with other instances.

  • BlueÆther
    English
    58 days ago

    Email… My wife really wants to further de-google, this means moving custom domains off gsuite.

    Do I move to proton/tuta or go back to self hosting email again like I did for years until about 2010?

    If I self host, do I do it at home or on the server that runs my lemmy instance?

    • @dan@upvote.au
      English
      7
      edit-2
      8 days ago

      I self-host my email using Mailcow, and use a VPS for it. I don’t trust my home server to be reliable enough, and the VPS providers have nicer equipment (modern AMD EPYC CPUs, enterprise SSDs, datacenter-grade 10Gbps or 40Gbps connections, etc). I use a separate VPS just for my emails - it’s the one thing I want to ensure is secure, so I didn’t want any other random software (that could potentially have security issues) running on it…

      I also use an outbound SMTP relay to avoid having to deal with IP reputation. Very easy to configure this in Mailcow. SMTP2Go has a free plan for sending <1000 emails per month.

      • @tburkhol@lemmy.world
        English
        58 days ago

        It kind of amazes me that, in this day and age, email has turned out to be the lynchpin of security. Email as a 2FA endpoint. Email password reset systems. If email is compromised, everything else falls. They used to tell us not to put anything in email that you wouldn’t put on a postcard…how did this happen?

        • @dan@upvote.au
          English
          27 days ago

          That and email protocols are outdated and aren’t too secure. For example:

          • Neither SMTP nor IMAP have a way to use two factor authentication.
          • Spam blocking is so hard because SMTP was not designed with it in mind.
          • SMTP has no way to do end-to-end encryption which is why you need to layer things like GPG on top.

          IMAP has a modern replacement in JMAP, but it’s not widespread. SMTP is practically impossible to replace since it’s how email servers communicate with each other.

          The “solution” has been for companies to make their own proprietary protocols and apps, for example the Gmail and Outlook apps combined with a Gmail or Microsoft 365 account respectively.

    • @Await8987@feddit.uk
      English
      48 days ago

      Cool your wife is into de googling! My wife thinks I’m a conspiracy nut. I have custom domains on proton and it’s been great, but with their moves toward AI and crypto who knows. I would probably try tuta if I was setting it up now - but who knows if they will eventually go wonky then you will wish you self hosted anyway 🤝

    • @sugar_in_your_tea@sh.itjust.works
      English
      18 days ago

      I went with Tuta because it’s my backup if everything else goes wrong. If my house burns down or my VPS shuts down my instance (e.g. billing fail, IP block ban, provider goes under, etc), I don’t want to lose access to my email.

      I use a custom domain for it, so if I ever need to, switching to a different provider should be as simple as swapping some domain configs.

      It’s relatively inexpensive too at €3/month when paying annually. I wanted two domains (one for personal, one for online stuff) and didn’t need any of the other stuff Proton has, so Tuta worked.

    • @philpo@feddit.org
      English
      17 days ago

      Don’t go to Proton or Tuta - both are impossible to get out of basically, do not support free standards and Proton is scummy in terms of their marketing.

      • Mailbox.org
      • Infomaniak
      • Fastmail
      • Posted

      Just to name a few.