bella.network Blog

Introduction: Self-hosted services

A short introduction to services I run in my Homelab and use almost daily.
Some homelabs tend to be a little bit excessive. (Photo by Panumas Nikhomkhai from Pexels)
This article reflects the personal views of the author.

In my homelab, I run a variety of services that I and my family use almost daily. Some of these services are used for private purposes, others are shared with friends and work colleagues, for learning or development purposes. Most of these services run in Docker containers on a Proxmox VE host. A few services run directly on the host operating system or on virtual machines.

This page is a follow-up to the Homelab page on my personal website and gives a concise overview of the services I run and why.
In the following article I want to give a short overview of the services I run and use. Every service serves a specific purpose and helps me to manage my digital life more effectively. Select the tools and services that best fit your own needs and preferences.

Vaultwarden

I use Vaultwarden (a lightweight version of Bitwarden) as a password manager. It is used by me and my family to securely store passwords, software licenses, and other sensitive data. The service is available both on the web and via apps on mobile devices. As this is a sensitive service, I have secured access to the service by not fully exposing it to the internet. Access is only possible via a VPN connection.
All mobile devices have WireGuard installed and connect to my home network via VPN. This way I can also access other services that are not fully exposed to the internet.

If you are not using a password manager yet, I highly recommend starting to use one. It helps to create and manage strong, unique passwords for all your accounts, which is crucial for maintaining good security practices online.

My best argument for myself is that a password that even I don’t know is the best password you can have 😉

For family and friends, the best argument is that they only need one strong master password. All other passwords are generated by the password manager and can be easily copied from the app or browser extension - no need to remember or write down any other passwords, because the tool does everything for you.

AdGuard Home

I use AdGuard Home as a network-wide ad blocker and security filter. It acts as a DNS sinkhole, blocking ads, trackers and malicious sites at the network level. This means that all devices connected to my home network benefit from ad blocking without the need to install additional software on each device. AdGuard Home also provides a web interface for managing settings and viewing statistics.
I currently have three instances of AdGuard Home running:

  • Home network: This instance is used by all devices in my home network. It is configured as the primary DNS server for my home router.
  • Grandparents: This instance runs at my grandparents’ home and protects my second homelab there, as well as their own devices, from ads and trackers. It is configured as the primary DNS server for their home router.
  • Guest network: This instance is used for my guest WiFi network. It provides security filtering only, with no ad blocking and no logging of requests. This way I can ensure that guests are protected from malicious sites, while potentially illegal content is filtered as well.

My main configuration is quite extensive, with many custom filters and rules. The other two instances are configured with a more basic setup.
My basic upstream DNS server configuration looks like this (shortened for clarity):

### Resolver ###
# Cloudflare Zero Trust
tls://<MY-ID>.cloudflare-gateway.com
### Internal Zones ###
[/ad.bella.pm/]10.20.50.3:53
[/10.in-addr.arpa/]10.20.23.246:5345
[/bella.pm/bella.ml/30.172.in-addr.arpa/31.172.in-addr.arpa/resolver.arpa/]127.0.0.1:5345
[/d.b.6.7.0.7.4.0.1.0.0.2.ip6.arpa/b.9.6.f.9.3.f.8.4.7.1.2.0.a.2.ip6.arpa/dsl.bella.pm/bind/]10.20.23.246:5345
# FritzBox rewrite
[/myfritz.net/]192.168.178.1:53
### External Rewrite Zones ###
# Cisco Umbrella
[/opendns.com/umbrella.com/examplemalwaredomain.com/wbx2.com/webex.com/ciscospark.com/cisco.com/wandera.com/]https://doh.opendns.com/dns-query
# Google
[/r-card-service.at/goog/syncthing.net/google.com/googleapis.com/fitbit.com/youtube.com/googleusercontent.com/firetvcaptiveportal.com/arin.net/ripe.net/gstatic.com/googlevideo.com/ytimg.com/smartmailcloud.com/feedburner.com/waze.com/plex.tv/plex.direct/]tls://dns.google
# Fonira
[/netflix.com/nflxext.com/nflxvideo.net/nflxso.net/3gppnetwork.org/mozilla.com/mozaws.net/icloud.com/apple.com/akadns.net/amazon.com/mmechocaptiveportal.com/amazonalexa.com/apple-dns.net/cloudfront.net/fos5echocaptiveportal.com/akamaiedge.net/windows.net/safebrowsing.apple/fastlydns.net/amazon.co.uk/amazon.de/akamai.net/debian.org/ubuntu.com/strava.com/fastly.net/acsechocaptiveportal.com/mzstatic.com/step.sm/mozilla.org/]tls://dns11.quad9.net
# OpenNIC
[/null/libre/geek/opennic.glue/fur/bbs/chan/ycb/dyn/gopher/indy/libre/neo/o/oss/oz/parody/pirate/epic/]tls://ns1.opennameserver.org

My primary upstream resolver is Cloudflare Zero Trust, which provides additional security features by blocking access to malicious domains which fall in the following security categories:

  • Newly Seen Domains
  • New Domains
  • Command and Control & Botnet
  • Malware
  • Cryptomining
  • DGA Domains
  • Spyware
  • Phishing
  • Spam
  • DNS Tunneling
  • Scam
  • Compromised Domain

Especially the blocking of newly seen domains helps to prevent access to phishing sites, as these domains are often used for a short time for phishing attacks before they are detected and blocked by other security services.
I recommend that everyone, whether for private or business use, enable security features like this to protect against malware and phishing attacks.

In addition to Cloudflare Zero Trust, I also use several other upstream DNS servers to increase redundancy and privacy.

  • Cisco Umbrella and Google are used primarily for their own domains and services, and for domains where a change of the DNS server resulted in better performance.
  • Fonira is my local ISP and provides a DNS-over-TLS service. I use it as an additional upstream resolver as its resolution is done locally allowing CDN optimizations for local services.
  • OpenNIC is a non-commercial, open and decentralized DNS provider. It provides access to alternative DNS roots and domains that are not available in the traditional DNS system. I don’t actively use these alternative domains much, but it’s nice to have access to them.
  • Internal zones are used to resolve local hostnames and services within my home network. This includes my own domain (like bella.pm) and reverse DNS zones for my internal IP ranges. This allows me to access local services by their hostname instead of their IP address (and shows really nice traceroutes 😉).

I have some custom rewrite rules active to redirect certain domains to local services - for example to perform Man-in-the-Middle (MITM) on some domains as described in the article Personal Man-in-the-Middle.
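The upstream list above only does what you expect if every internal zone, including the reverse zones for private ranges, matches before the default resolver is used. As an added example (not part of the original post and not AdGuard Home's own code), the following Python script parses that upstream syntax and answers the question worth checking before deploying such a list: which upstream actually sees a given query? It implements AdGuard Home's documented rule that the most specific (longest) matching zone suffix wins and unmatched names go to the default upstreams. The embedded configuration is a shortened copy of the list above with the <MY-ID> placeholder kept as on the page; the sample query names in the `main` block and in the comments are constructed for illustration.

```python
import ipaddress

# Shortened copy of the upstream list shown on this page (the <MY-ID> placeholder is
# kept as on the page; the Google block is trimmed to three zones for brevity).
UPSTREAM_CONFIG = """\
### Resolver ###
# Cloudflare Zero Trust
tls://<MY-ID>.cloudflare-gateway.com
### Internal Zones ###
[/ad.bella.pm/]10.20.50.3:53
[/10.in-addr.arpa/]10.20.23.246:5345
[/bella.pm/bella.ml/30.172.in-addr.arpa/31.172.in-addr.arpa/resolver.arpa/]127.0.0.1:5345
[/d.b.6.7.0.7.4.0.1.0.0.2.ip6.arpa/b.9.6.f.9.3.f.8.4.7.1.2.0.a.2.ip6.arpa/dsl.bella.pm/bind/]10.20.23.246:5345
# FritzBox rewrite
[/myfritz.net/]192.168.178.1:53
# Google
[/google.com/googleapis.com/youtube.com/]tls://dns.google
"""


def parse_upstreams(text):
    """Parse AdGuard Home upstream syntax into (default_upstreams, {zone: target}).

    A plain line is a default upstream. '[/zone1/zone2/]target' sends queries for
    those zones (and their subdomains) to target; a target of '#' means
    'use the default upstreams for this zone' (AdGuard Home's exclusion syntax).
    """
    defaults = []
    zones = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("[/"):
            end = line.index("/]")
            target = line[end + 2:].strip()
            for zone in line[2:end].split("/"):
                if zone:
                    zones[zone.lower().rstrip(".")] = target
        else:
            defaults.append(line)
    return defaults, zones


def select_upstream(qname, defaults, zones):
    """Return the list of upstreams that would answer qname.

    The longest matching zone suffix wins, so 'ad.bella.pm' beats 'bella.pm'
    for names under ad.bella.pm. A name matching no zone falls back to the defaults.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # full name first, then successively shorter suffixes
        target = zones.get(".".join(labels[i:]))
        if target is not None:
            return list(defaults) if target == "#" else [target]
    return list(defaults)


def ptr_name(ip):
    """Reverse-lookup name for an IPv4/IPv6 address, e.g. 10.20.50.3 -> 3.50.20.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


_DEFAULTS, _ZONES = parse_upstreams(UPSTREAM_CONFIG)


def route(qname):
    """Resolve qname against the embedded configuration."""
    return select_upstream(qname, _DEFAULTS, _ZONES)


if __name__ == "__main__":
    # Constructed sample names: public, internal, a single-label zone and two PTR lookups.
    for name in ("example.org", "ad.bella.pm", "pc1.ad.bella.pm", "nas.bella.pm",
                 "www.youtube.com", "version.bind",
                 ptr_name("10.20.50.3"), ptr_name("172.30.1.1")):
        print(f"{name:45} -> {route(name)}")
```

The reverse-zone checks are the ones worth keeping: a PTR query for an address in 10.0.0.0/8 or 172.30.0.0/16 must land on the internal resolver, otherwise internal host addresses and the names behind them leak to the external upstream with every traceroute.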

Syncthing

I use Syncthing for secure, decentralized file synchronization between my devices. It allows me to keep files in sync across multiple devices without relying on a central server or cloud service. Syncthing uses end-to-end encryption to ensure that data is secure during transfer and storage. I use Syncthing to synchronize files between my desktop computer, laptop, and servers.

Initially, I used a local Network Attached Storage (NAS) device for file synchronization. One day, after coming home and hearing a strange noise from the NAS, I found out that all disks had failed at once. It was a painful lesson in what happens when you rely on a single device for data storage, what the 3-2-1 backup strategy means, and how important it is to have backups stored at different locations. For me it was a very good lesson and one of the starting points of my journey into IT and system administration.

I started using Syncthing after BitTorrent Sync was rebranded to Resilio Sync and changed its license model. Syncthing is open source and free to use, which aligns better with my preferences. Now I have a robust file synchronization setup with multiple nodes worldwide, ensuring that my data is always available and secure.

Syncthing is also installed in a container on my Proxmox VE host in combination with BorgBackup to create encrypted backups of my important data hourly (at least). These backups are then synchronized to my offsite locations using rsync over SSH.

Immich

I use Immich as a self-hosted photo and video management solution. It is an open-source application that allows me to store, organize, and share my photos and videos securely. Immich provides a range of features, including automatic backup, facial recognition, geotagging, and album creation. I use Immich to manage my personal photo collection, as well as photos and videos shared by family and friends. My family also uses Immich to upload and share their photos and videos with me, allowing us to keep all our memories in one place and easily share them with each other.

Immich is integrated with an automated process that backs up all data to multiple offsite locations. This ensures that my photos and videos are always safe and accessible, even in the event of a complete hardware failure or other disaster.

Paperless-ngx

I use Paperless-ngx to manage and organize my digital documents. It is an open-source document management system that allows me to scan, index, and search for documents easily. Paperless-ngx uses OCR (Optical Character Recognition) technology to extract text from scanned documents, making them easy to search. I use Paperless-ngx to store and manage various types of documents, including receipts, invoices, contracts, and other important paperwork.

I wrote my own program that parses document contents to automatically extract data like gross / net amounts and fill it into custom fields. This way I can easily search for documents by amount or use this data via the API for statistics.

Firefly III

I use Firefly III as a personal finance manager to track my income, expenses, and budgets. It is an open-source web application that provides a range of features for managing personal finances. Firefly III allows me to create accounts, categorize transactions, set budgets, and generate reports. I use Firefly III to track my daily expenses, monitor my savings goals, and manage my investments.

In combination with Firefly III, I use Paperless-ngx as document storage; the two systems are interconnected. This way I can easily attach scanned receipts or invoices to transactions in Firefly III, providing a complete record of my financial activities. APIs are used to automatically keep data between both systems in sync. (The automation between both systems already detected that a company charged me 1 cent too much for a purchase 😂)

WireGuard & BGP

I use WireGuard as a VPN solution to securely connect to my home network from remote locations or to connect multiple locations together as a site-to-site connection. WireGuard is a modern, lightweight VPN protocol that is designed to be fast, secure, and easy to use. It uses state-of-the-art cryptography to provide strong security and privacy for users. An article about WireGuard is available at WireGuard, a fast and secure VPN.

To manage the routing of traffic between different networks and locations, I use FRR (Free Range Routing) with BGP (Border Gateway Protocol). BGP is a standardized protocol used to exchange routing information between different networks. It allows me to dynamically manage the routing of traffic between my home network, my friends’ networks, and other locations, ensuring that traffic is routed efficiently and securely.

A detailed article about this setup is available at Dynamic routing using FRR over WireGuard.

Note: Using a routing protocol like BGP is very advanced and most likely not necessary for a typical home network. I use it because I have multiple locations and friends that I want to connect together. If you only have a single location, a simple WireGuard setup is sufficient.

Mailcow

I use Mailcow as my email server to manage my email accounts and domains. It is an open-source mail server suite that provides a range of features for managing email, including support for multiple domains, spam filtering, and webmail access. Mailcow uses a combination of open-source software, including Postfix, Dovecot, and rspamd, to provide a complete email solution. I use Mailcow to manage my personal email accounts, as well as email accounts for my family.

Note: I do not recommend running your own email server if you are not experienced in managing and securing such a service. Email servers are complex systems that require careful configuration and maintenance to ensure that they are secure and reliable. If you are not familiar with the technical aspects of email servers, it is best to use a reputable email service provider instead.

Additional note: Please, never host your email server on a residential internet connection. Most ISPs block outgoing traffic on port 25 to prevent spam and other malicious activities. Additionally, many email providers use various techniques to detect and block emails sent from residential IP addresses, which can result in your emails being marked as spam or rejected altogether. If you want to run your own email server, please use a VPS or dedicated server from a reputable hosting provider.

Checkmk

I use Checkmk for monitoring my network and systems. It provides a range of features for monitoring servers, applications, and network devices. Checkmk uses a combination of agents and plugins to collect data from monitored systems, providing real-time insights into system performance and availability. I use Checkmk to monitor the health and performance of my home network, servers, and other devices.

Checkmk actively notifies me of any issues or problems via email or push notifications, allowing me to quickly respond to and resolve any issues that arise. This includes connectivity issues with my VPN, high CPU or memory usage on my servers, disk failures, and other critical events.

Guacamole

I use Apache Guacamole to provide remote access to my devices and systems. It is a clientless remote desktop gateway that allows me to access my devices from anywhere using a web browser. Guacamole supports a range of protocols, including RDP, VNC, and SSH, allowing me to connect to a variety of devices and systems. I use Guacamole to access my home network and servers remotely, providing a secure and convenient way to manage my systems from anywhere.

Access to Guacamole is only possible after authentication via PassBeyond, which adds a layer of security by requiring reverse-proxy authentication before the Guacamole web interface can be reached. This helps to protect against unauthorized access and ensures that only authorized users can access my remote systems. PassBeyond is a project I developed myself: it secures web applications behind a reverse proxy by forwarding authentication requests to an external identity provider such as Active Directory Federation Services (ADFS) or Keycloak.

Development Server

I use a dedicated development server to host various services and tools that I use for software development and testing. It is a bare-metal server running Ubuntu Server LTS with an NVMe SSD for the OS and services, plus an additional SSD for data storage. My primary use cases for this server are:

  • Visual Studio Code Server: I use VS Code Server to run Visual Studio Code on the server and access it remotely via SSH. This allows me to use the powerful features of Visual Studio Code, such as code completion, debugging, and version control, while working on code stored on the server. All code stored there is automatically synchronized to my local devices using Syncthing, services can run directly on the server without interruption and I have a powerful development environment available from anywhere.
  • Home Automation: I use multiple services for home automation, nearly all of them self-made. These services are used to control and automate various aspects of my home, such as lighting, heating, and security. I use a combination of open-source software and custom scripts to create a personalized home automation system that meets my specific needs. An article about this topic will follow.

Honorable mentions

step-ca: I use step-ca as a private certificate authority (CA) to issue and manage SSL/TLS certificates for my internal services. It is an open-source tool that provides a simple and secure way to create and manage digital certificates. Step-ca uses a modern, lightweight design that makes it easy to deploy and manage. I use step-ca to issue certificates for my internal services, ensuring that all communication between devices is encrypted and secure.

Proxmox VE: I use Proxmox VE as the hypervisor for my homelab. It allows me to run multiple virtual machines and containers on a single physical server, providing a flexible and efficient way to manage my services. Proxmox VE is based on Debian Linux and uses Kernel-based Virtual Machine (KVM) for virtualization and Linux Containers (LXC) for containerization. It provides a web-based interface for managing virtual machines, containers, storage, and networking.

OPNsense: I use OPNsense as my PPPoE router and firewall. It is an open-source, FreeBSD-based firewall and routing platform that provides a wide range of features for network security and management. OPNsense includes features such as stateful packet inspection, VPN support, intrusion detection and prevention, traffic shaping, and more. It also provides a web-based interface for managing the firewall and network settings.

Plex: I use Plex as a media server to organize and stream my media collection. It allows me to access my media from anywhere, on any device, and provides a user-friendly interface for browsing and playing media. Plex supports a wide range of media formats and provides features such as automatic metadata retrieval, transcoding, and remote access. Besides that, it’s a perfect solution to stream media to TV devices, like showing my drone footage on my TV to friends and family.

GoAPTCacher: I use GoAPTCacher as a caching proxy for APT repositories. It helps to speed up package installations and updates by caching downloaded packages and serving them from the local cache. This is especially useful in environments with multiple machines that need to install the same packages, as it reduces the amount of bandwidth used and speeds up the installation process. (This is a service I developed myself, an article about it will follow.)

GitLab CI Runner: I use GitLab CI for continuous integration and continuous deployment (CI/CD) of my software projects. It allows me to automate the build, test, and deployment processes for my code, ensuring that changes are tested and deployed quickly and reliably. I have multiple GitLab CI runners connected to GitLab.com that execute the CI/CD pipelines defined in my GitLab repositories.

SonarQube: I use SonarQube to analyze the quality of my code and identify potential issues. It provides a range of tools for static code analysis, including code coverage, code duplication, and code complexity analysis. SonarQube integrates with my GitLab CI pipelines to automatically analyze my code whenever changes are made, providing feedback on code quality and helping me to improve my coding practices.

Sentry: I use Sentry to monitor and track errors in my applications. It provides real-time error tracking and reporting, allowing me to quickly identify and fix issues in my code. Sentry integrates with my applications and provides detailed information about errors, including stack traces, user context, and environment details. This helps me to diagnose and resolve issues quickly, improving the overall quality and reliability of my applications.

Watchtower: I use Watchtower to automatically update my Docker containers. It monitors my running containers for updates and automatically pulls the latest images from the Docker registry, ensuring that my services are always running the latest versions. Watchtower helps me to keep my homelab up-to-date with minimal effort. This way I can focus on using and managing my services, rather than worrying about keeping them up-to-date.

Conclusion

These are some of the main services I run in my homelab and use almost daily. Each service serves a specific purpose and helps me to manage my digital life more effectively. By using a combination of open-source software and custom scripts, I have created a personalized setup that meets my specific needs and preferences.

If I had to build my homelab from scratch again, I would definitely start with Vaultwarden, AdGuard Home, Syncthing, and Immich. These services provide a solid foundation for managing passwords, blocking ads and trackers, synchronizing files, and managing photos and videos. From there, I would add additional services as needed to meet my specific needs and preferences.

An overview of the hardware I use in my homelab is available at My Homelab.

If you have any questions about these services or would like to learn more about how I use them, please feel free to reach out to me. I’m always happy to share my experiences and help others get started with self-hosted services.