• 3 Posts
  • 13 Comments
Joined 1 year ago
cake
Cake day: June 12th, 2023

help-circle
  • My homelab is a 2 node Kubernetes cluster (k3s, raspberry pis), going to scale it up to 4 nodes some day when I want a weekend project.

    Built it to learn Kubernetes while studying for CKA/CKD certification for work where I design, implement and maintain service architectures running in Kubernetes/Openshift environments every day. It’s relatively easy for me to manage Kubernetes for my home lab, but It’s a bit heavy and has a steep learning curve if you are new to it which (understandably) puts people off it I think. Especially for homelab/selfhosting use cases. It’s a very valuable (literally $$$) skill if you are in that enterprise space though.



  • Switched to qbittorrent+gluetun side car recently and it’s been pretty good compared to the poorly maintained combo torrent+OpenVPN images I was using. Being able to update my torrent client image/config independent from the VPN client is great. Unfortunately most of the docs are Docker focused so it’s a bit of trial and error to get it setup in a non-docker environment like Kubernetes. Here’s my deployment in case it’s useful for anyone. Be careful that you configure qbittirrent to use “tun0” as it’s network interface or you will be exposed (got pinged by AT&T before I realized that one). I’m sure there’s a more robust way to makeuse of gluetun’s DNS over TLS and iptables kill switch that doesn’t require messing with qbittorrent config to secure, but that’s what I have so far and it works well enough for now.




  • Not really, its mostly a hobby/nerdy/because I can thing. I am a software engineer with a decade of experience. The job sometimes requires virtual sys admin work (VM/container, cloud networking, etc). Setting up my own baremetal cluster has given me more insight into how things work, especially on the network side. Most of my peers take for granted that traffic gets in or out of a cluster, but I can actually troubleshoot it or design with it in mind.





  • Fyi you will not be able to do live video transcoding with a raspberry pi. I overclocked my pi4’s CPU and GPU and it just can’t handle anything but direct play and maybe audio stream transcoding, though I’ve never had luck with any transcoding period. I either download a format I know can direct play or recently started using tdarr (server on pi, node running on my desktop when I need it) to transcode into a direct play format before it hits my Jellyfin library. Even just using my AMD Ryzen 5 (no GPU) it transcodes like 100x faster than a tdarr node given 2 of the rpi cpu cores. You could probably live transcode with a decent CPU (newer Intel CPUs are apparently very good at it) if you run Jellyfin on the NAS but then you’re at odds with your low power consumption goals. Otherwise rpi Jellyfin is great.

    Good luck, I’d like to build a NAS myself at some point to replace or supplement my Synology.


  • It’s for the chance that I need to administer my cluster when I am not on my LAN. I can set up a port forward to the externally accessible port and everything works as normal like I’m on my LAN. Non-default port, password auth disabled, ssh with root disabled (so you have to have my user and ssh key) and limited ssh connection attempts before ban. I can toggle it on or off with a check box on my router. Yes, I understand there are other ways that are even more secure, yes I understand the risks, but for my circumstances this was a good balance of convenience and security. I’ve also never had an issue :).


  • I do as well on a non-standard port, although that doesn’t really provide any extra security. I found ssh only login acceptably secure personally, but it’s definitely less secure than tailscale which can operate with 0 open ports. The risk would be from os/sshd vulnerabilities that can be exploited. As long as you keep the router up to date it should be safe enough.



  • Generally a hostname based reverse proxy routes requests based on the host header, which some tools let you set. For example, curl:

    curl -H 'Host: my.local.service.com' http://192.168.1.100
    

    here 192.168.1.100 is the LAN IP address of your reverse proxy and my.local.service.com is the service behind the proxy you are trying to reach. This can be helpful for tracking down network routing problems.

    If TLS (https) is in the mix and you care about it being fully secure even locally it can get a little tricky depending on whether the route is pass through (application handles certs) or terminate and reencrypt (reverse proxy handles certs). Most commonly you’ll run into problems with the client not trusting the server because the “hostname” (the LAN IP address when accessing directly) doesn’t match what the certificate says (the DNS name). Lots of ways around that as well, for example adding the service’s LAN IP address to the cert’s subject alternate names (SAN) which feels wrong but it works.

    Personally I just run a little DNS server so I can resolve the various services to their LAN IP addresses and TLS still works properly. You can use your /etc/hosts file for a quick and dirty “DNS server” for your dev machine.



  • Never used Inoreader, but recently switched to Newsblur which is open source (app installable via F-Droid) and selfhostable. If you don’t want to self host they have a freemium model to use their hosted service, couldn’t tell you what free vs paid gets you but I haven’t bumped into any limits yet. You can also log in to their site to browse via web browser.

    So far the app looks better than other open source readers I’ve tried and thumbnails generally load so the lists are a bit livelier.