
Comment by windexh8er

24 days ago

Most people will use nginx-proxy [0] or Traefik [1] for front ending home labs with LetsEncrypt certs... Beyond that people will protect them with things like Tailscale [2], Cloudflare Tunnels [3] or even just mTLS [4] for protected access.

Home labbing today has a lot of amazing software and it's hard to keep up!

And as for dashboarding [5] on top of all this there are a lot of options.

Also, for those new to the game who want an easier approach, take a look at Tipi [6].

[0] https://nginxproxymanager.com/

[1] https://traefik.io/traefik/

[2] https://tailscale.com

[3] https://developers.cloudflare.com/cloudflare-one/connections...

[4] https://smallstep.com/blog/build-a-tiny-ca-with-raspberry-pi...

[5] https://selfh.st/apps/?tag=Dashboard

[6] https://runtipi.io/

I use Tailscale for a bunch of self hosted services on a raspberry pi in my house. Port numbers and TLS certs are my current main problems with this setup but it's not annoyed me quite enough yet to do anything about it.

  • BTW why bother with TLS over already-encrypted and authenticated Wireguard tunnels? Is this just so that browsers won't complain, or do you have a more complex threat model?

    • Sorry for late reply, exactly that yeah - so the browser doesn't complain. I'm not worried about the security of HTTP over wireguard or anything like that. And domain names are easier to remember than ports so... http://raspberrypi:8123/ vs homeassistant.raspberrypi.local (or something)

  • > I use Tailscale...Port numbers and TLS certs are my current main problems with this setup

    I've been running a Tailscale container, using the `tailscale serve` feature[0], as a sidecar for each containerized service I want to access. External access, TLS (to make my browser happy), and domain names all come for almost free. This allows me to set up `https://my-cool-service.lemur-pangolin.ts.net` with relative ease.

    There's a ton of boilerplate, which drives me a bit nuts. But at least copy/paste is easy to do. Looking just now I have 31 Tailscale containers running that are almost duplicates of each other. You could probably do config generation but for a homelab I'm not motivated to really do that.

    The command line interface for this tool is a little bit limited and forces you to share the network stack between your service and the sidecar. I would recommend injecting a config file into each container to give you full flexibility. I put up an example config on pastebin[1].

    ---

    [0] https://tailscale.com/kb/1242/tailscale-serve

    [1] https://pastebin.com/raw/PSgLqS0T
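The comment above describes one Tailscale sidecar per service with a `tailscale serve` config file injected into each, and notes that the near-duplicate definitions could be generated. The script below is an added example of that generation; it is not the commenter's pastebin config and not Tailscale's own code. It assumes the official `tailscale/tailscale` container image and the `TS_AUTHKEY`, `TS_STATE_DIR` and `TS_SERVE_CONFIG` environment variables plus the `${TS_CERT_DOMAIN}` placeholder as documented for that image (check them against the image version you run). The app images and ports in `SAMPLE` are constructed sample values. Each app service deliberately has no `ports:` entry, so it is reachable only through its sidecar on the tailnet, not from the LAN, and the auth key is read from the environment rather than written into the generated files.

```python
"""Generate docker-compose definitions plus a Tailscale serve config for each
app, so every service gets its own Tailscale sidecar without hand-copied
boilerplate.  Assumptions: the official tailscale/tailscale image and its
TS_AUTHKEY / TS_STATE_DIR / TS_SERVE_CONFIG environment variables."""
import json
import os

TS_IMAGE = "tailscale/tailscale:latest"  # assumption: official image name/tag


def serve_config(target_url: str) -> dict:
    """Tailscale serve config: terminate HTTPS on 443 with the node's own
    tailnet certificate and reverse-proxy every path to target_url.
    ${TS_CERT_DOMAIN} is replaced by the container with the node's MagicDNS
    name.  Only TCP/Web are set, so nothing is published via Funnel."""
    return {
        "TCP": {"443": {"HTTPS": True}},
        "Web": {
            "${TS_CERT_DOMAIN}:443": {
                "Handlers": {"/": {"Proxy": target_url}},
            }
        },
    }


def sidecar(app: str, config_dir: str = "/config") -> dict:
    """Compose definition for the Tailscale sidecar of one app."""
    return {
        "image": TS_IMAGE,
        "hostname": app,  # becomes the MagicDNS name: https://<app>.<tailnet>.ts.net
        "environment": {
            "TS_AUTHKEY": "${TS_AUTHKEY}",  # supplied via .env or a secret, never hard-coded
            "TS_STATE_DIR": "/var/lib/tailscale",  # persist node identity across restarts
            "TS_SERVE_CONFIG": f"{config_dir}/{app}.json",
        },
        "volumes": [
            f"{app}-ts-state:/var/lib/tailscale",
            f"./serve:{config_dir}:ro",
        ],
        "restart": "unless-stopped",
    }


def app_service(image: str) -> dict:
    """The app itself: no 'ports' entry, so it is reachable only on the compose
    network (i.e. through its sidecar), not from the host or LAN."""
    return {"image": image, "restart": "unless-stopped"}


def render(apps: dict) -> tuple:
    """apps maps name -> (image, container port).
    Returns (compose dict, {name: serve config dict})."""
    services, volumes, serve = {}, {}, {}
    for name, (image, port) in apps.items():
        services[name] = app_service(image)
        services[f"{name}-ts"] = sidecar(name)
        volumes[f"{name}-ts-state"] = {}
        # the sidecar reaches the app by compose service name on the shared network
        serve[name] = serve_config(f"http://{name}:{port}")
    return {"services": services, "volumes": volumes}, serve


def write_tree(apps: dict, out_dir: str) -> tuple:
    """Write compose.json (JSON is valid YAML, so `docker compose -f compose.json`
    reads it) and serve/<app>.json for each sidecar."""
    compose, serve = render(apps)
    os.makedirs(os.path.join(out_dir, "serve"), exist_ok=True)
    with open(os.path.join(out_dir, "compose.json"), "w") as fh:
        json.dump(compose, fh, indent=2)
    for name, cfg in serve.items():
        with open(os.path.join(out_dir, "serve", f"{name}.json"), "w") as fh:
            json.dump(cfg, fh, indent=2)
    return compose, serve


if __name__ == "__main__":
    # constructed sample inventory: name -> (image, port the app listens on)
    SAMPLE = {
        "grafana": ("grafana/grafana:latest", 3000),
        "homeassistant": ("ghcr.io/home-assistant/home-assistant:stable", 8123),
    }
    compose, serve = write_tree(SAMPLE, "homelab")
    print(json.dumps(compose, indent=2))
```

Running it produces `homelab/compose.json` and one `homelab/serve/<app>.json` per service; bring the stack up with `TS_AUTHKEY=<your key> docker compose -f homelab/compose.json up -d` from inside `homelab/`. Adding a 32nd service is one more line in the inventory rather than another copy of the sidecar block, and the state volume per sidecar keeps each node's identity (and therefore its certificate and MagicDNS name) stable across container recreation.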

  • Lots of options to proxy and provide automation for certs. I'm personally a huge fan of Traefik, but I know a lot of folks use NPM since it's so simple and Nginx has great performance overall.

Can I suggest giving Caddy a go? I used to do everything with nginx but as soon as I found caddy I haven't looked back.