And let’s be fair to them, who’s even heard of lithium batteries catching fire?
Euhhhh… You sure about that? Maybe you’re beeing sarcastic? But buses lithium batteries catching fire is not something unheard off ! Even a few Teslas burned to the ground went viral in the news !
I still need to find a “$35 Raspberry Pi” 🤣
This seems cool and is not off topic at all :) It does seem to answer to my “question” and seems a nice thing to have :) However, someone suggested Terraform but after some reading it’s not the tool I was looking for… Ansible seems more the like I guess ! But coolify seems also very interesting ! Different and more similar to my current setup.
I think Terraform, Ansible, Tofu are the next generation tool to solve my current issue… They are declarative tools ! But I don’t want to rush things and have another dead setup lying arround !
Thanks for your reply !
Edit: There’s also an alternative https://github.com/Dokploy/dokploy in case you didn’t know :) If you know, can you tell me why you choose on over the other?
This is indeed similar ! And looks like a working certificate :) (You even use as .csr file).
The book adds something (Not very useful but kinda neat to have): a certificate revocation setup and an IntermediateCA signed by your rootCA. So you can keep your rootCA out of your system :)
(Thanks to darkan15 for explaining that).
I have to look at his answer to have a better understanding :P
The diagram would be useful. Considering that rn I’m losing my mind between man pages.
I’m working on it right now :) I’m a bit overwhelmed with my own LAN setup, and trying to get some feedback from other users :P
As for the book… I can’t accept. Just give me the name/ISBN and I’ll provide myself. Still. Thanks for the offer.
Good. If you have the money to spare please pay for it otherwise you know the drill :) (Myself I’m not able to pay the author so it’s kinda hypocrite on my end… But doing some publicity is also some kind of help I guess?)
Demystifying Cryptography with OpenSSL 3 . 0 by Alexei Khlebnikov <packt>
ISBN: 978-1-80056-034-5
It’s very well written, even as a non-native it was easy to follow :). However, let me give you something along the road, something that will save you hours of looking around the web :) !
Part 5, Chapter 12: Running a mini-CA is the part you’re interested in and that’s the part I used to create my server certificates.
HOWEVER: When he generates the private keys, he uses the ED448 algorithm, which is not going to work for SSL certificates because not a single browser accepts them right now (same thing goes for Curve25519). Long story short, If you don’t want to depend on NIST curves (NSA) fall back to RSA in your homelab ! If you are interested in that story go to p123:
Brainpool curves are proposed by the Brainpool workgroup, a group of cryptographers that were dissatisfied with NIST curves because **NIST curves were not verifiably randomly generated, so they may have intentionally or accidentally weak security. **
Here is a working example for your certificates:
Book:
$ mkdir private
$ chmod 0700 private
$ openssl genpkey \
-algorithm ED448 \
-out private/root_keypair.pem
But should be:
$ mkdir private
$ chmod 0700 private
$ openssl genpkey \
-algorithm RSA \
-out private/root_keypair.pem
You have to use RSA or whatever curve you prefer but accepted by your browser for EVERY key you generate !
Other than that, it’s a great reading book :) And good study material for cryptography introduction !
Sorry, what do you mean by physical/logical diagrams :S! You mean something like Excalidraw ?
I did It for sometimes, but If I do some changes in my setup I always have to keep that update too… So I have to think about it… I do like drawing those diagrams, but keeping those updated is sometimes not directly possible and I can get forgetful !
Thanks for the pointer :). I’m more into open source, so TrueNAS is maybe more fitting, however I’m not sure I do understand it right… Those are OSes? Not some application I can host in a container right? More like Proxmox ?
Sorry I didn’t respond earlier :S !
To let me access the services both from the desktop and the laptop. I’d need to have two DNS resolvers, since for the laptop it needs to resolve to the 192.168.0.* address of the homelab router. While for the desktop it needs to resolve directly to the 10.0.0.* address of the server.
I’m not entirely sure if I get what you mean here. If you have a central DNS resolver like pihole In your LAN it can resolve to whatever is there. I have a pihole which resolve to itself (can access it as pihole.home.lab) and resolves to my server’s reverse proxy, which handles all the port shenanigan and services hosted on my server. I think I can try to make a diagram to show how it works in my LAN right now, not sure if this can be helpful by any mean, but this would allow me to have a more visual feedback of my own LAN setup :P. However, I do use Traefik as my reverse proxy for my docker containers, so I won’t apply to nginx and I’m not sure if this is possible (It probably is, but nginx is a mystery for me xD)
Also, little question. If I do manage to set it up with subdomains. Will all the traffic still go through port 1403? Since the main reason I wanted to setup a proxy was to not turn the homelab’s router into Swiss cheese.
Your proxy should handle all the port things. Your proxy listens to all :80 :443 Incoming traffic and “routes” to the corresponding service and it’s ports.
While I do have my self-learned self-hosted knowledge, I’m not an IT guy, so I may be mistaken here and there. However, I can give you a diagram on How it works on my setup right now and also gift you a nice ebook to help you setup your mini-CA for your lan :)
Subpaths are things of the past (kinda) ! SSL wildcards are going to be a life saver in your homelab !
I have a self-signed rootCA + intermediateCA which are signing all my certificates for my services. But wait… It can get easier just put a wildcard domain for your homelab (*.home.lab) and access all your services in your lan with a DNS provider (pihole will be your friend!).
Here is an very simplified example:
Create a rootCA (certificate authority) and put that on every device (Pc, laptop, android, iphone, tv, box…)
Sign a server certificate with that rootCA for the following wildcard domaine: *.home.lab and put that behind a reverse proxy.
Add pihole as DNS resolver for your local domain name (*.home.lab) or if you like you can manually add the routes on all devices… But that"s also a thing of the past !
Let your proxy handle your services
Access all your services with the following url in your lan
This works flawlessly without the need to pay for any domain name, everything is local and managed by yourself. However, it’s not that easy as stated above… OpenSSL and TLS certificates are a beast to tame and lots of reading ^^ so does Ngnix or any other reverse proxy !
But as soon as you get the hang of it… You can add a new services in seconds :) (specially with docker containers !)
https://www.amazon.com/Demystifying-Cryptography-OpenSSL-3-0-techniques/dp/1800560346
It’s really a good book :) And the last part is all about a mini-ca for your homelab !
However, don’t use the ED448/ED25519 algorithm based certificates for TLS as mentioned in the example… They are still not supported by any browser !
If you can support the author, please do ! If you’re on a budget, it’s really easy to find in the piracy corner.
Yeah thats correct !
I Wouldn’t say heavy though (maybe I see it that way because I got a bit better with bash and the like :p) because you can make use of CRL to revoke your certificates and renew them very easily with your intermediate and ready to use config files.
But yeah, there isn’t any automated way to manage certificates like Smallstep does :)
Or simply create your rootCA, IntermediateCA, keys and certifictes with openSSL.
Neither of those are begginer friendly but openSSL is probably a bit easier to get started. There’s a nice book with openSSL (if you are interested I migh look how it’s called) and the last chapter is all about how to create your mini-CA and everthing else to serve your proxy with valid certificates for your homelab.
Them probably uses a special plugin device in the outlet.
I have this bash script you can use and have a general overview but I’m not totally sure if I fully understand it and if it’s the whole system’s wattage or only the CPU 🤷♂️
#! bash
time=5
sum_1=$(cat /sys/class/powercap/*/energy_uj | awk 'BEGIN { sum = 0; } { sum += $1; } END { print sum; }' "$@");
echo "before" $sum_1
sleep $time;
sum_2=$(cat /sys/class/powercap/*/energy_uj | awk 'BEGIN { sum = 0; } { sum += $1; } END { print sum; }' "$@");
echo "after" $sum_2
sum_1f=$(printf "%.0f" $sum_1)
sum_2f=$(printf "%.0f" $sum_2)
final_sum=$(echo "(($sum_2f - $sum_1f) / 1000000) / $time" | bc -l)
#echo $final_sum | bc -l | xargs printf "%.2f\n"
formated=$(echo $final_sum | bc -l | xargs printf "%.2f\n")
echo $formated "w"
Not OP, but I have something to share you migh be interested in.
A few weeks ago I ran qbittorrent on a RPi 3B+ (yes this one is way older than 4 or 5) and It chocked really hard on the ram and USB connected HDD… It even made piHole unresponsive and broke the DNS requests when checking file integrity…
Barebone installation on ext4 FS (without docker) did made it a bit better but was still very slow and wasn’t able to handle 100 consecutive torrents…
As a conclusion, if you’re going to run a few services concurrently on a pi with qbittorrent you’re rapidly going be limited and bottlenecked by the limits of your pi ! Don’t get me wrong those are nice little devices and use my RPi 3b+ as dns resolver for my whole lan with pihole. But I won’t bet on those for more heavy load and multiple services concurrently.
As a side note, I use an 10 year old gaming laptop as server which doesn’t give a sweat with over 20 services (Jellyfin, Vaultwarden, sftpgo, navidrome, baikal,qbittorrent…)
Haha ! Good to keep your brain cells functioning 👍
Wow ! I will still try mealie /Tandoor for family purpose and ease of use. If it doesn’t work as expected, I will totally try this out !!
One question if you don’t mind,
servings Indicates how many people the recipe is for. Used for scaling quantities. Leading number is used for scaling, anything else is ignored but shown as units.
Does this function work well? I didn’t saw any examples so maybe you could tell me :)
Thanks !
Fair point ! Yeah sure if you host a blog online it doesn’t make sense… But if you only self-host your services for family and some friends and access them over VPN, a local CA is actually a privacy respecting choice.
Hosting something on the web (specially self-hosted) without the propre software and hardware is a bad idea in the first place anyway !
I also believe it’s possible to set up HTTPS encryption without a domain name, but it might result in that “we can’t verify the authenticity of this website” warning in web browsers due to using a self-signed certificate.
Just create your own rootCA and IntermediateCA and sign your certificate with those, put the CA in your trust store of your system and get rid of this self-signed warning on every device and happily access all your service via: *.home.lab or whater ever local domain pleases you.
In addition to that, without a secure connection you’re stuck with HTTP/1.1
That’s not entirely true. A lot of requests, even with https, are send over HTTP/1.1. And this is kinda mind blowing that in 2025 we still rely on something so old and insecure…
Same goes with SMS and the old SS7 protocol from 1970… 2FA SMS is probably the most insecure way to get access to your bank account or what ever service promotes 2FA sms login.
Same here ! Although, sftpgo is a bit overkill if you only need it for webdav !