Home Lab: Difference between revisions
Revision as of 16:23, 24 January 2026
Introduction
The purpose of the home lab will be to provide a safe store for all of my pictures and videos. There will also be a website to document my adventures. It will be contained within the Proxmox server; the main host for all of this has the host name Pear. Pear will be backed up by a smaller host, with less processing, memory, storage and everything else, with the host name Kiwi.
Virtual Machines
There will be a collection of virtual machines, mostly Linux hosts, partly because they are free, but now that I have found a really cheap licence seller the cost is less of a concern. Reliability is the other reason for basing the systems around Linux. The general setup is to have a Pfsense firewall at the central gateway to my network, with all of the rest of the servers being linked through it. There is already a nameserver and a reverse proxy to allow access to webservers. There will be a VPN server to allow remote access to some desktop VMs. There is a CA server so I can issue my own certs to the various computers that I use. There is a management kiosk that I am using to do most of the configuration; as it is not going to be easily accessed from outside, it will keep all of the configuration inside Proxmox. More details of the VMs can be found here.
External Access
I want to allow access to some of the network from remote sites initially by SSH but also other means at a later date.
GPU PCI Pass Through
It proved impractical to do GPU PCI passthrough with the AMD 6700xt GPU, so it is being replaced with an Nvidia 5060. Further details of the steps taken to do the PCI passthrough with an Nvidia GPU can be found
Attacks
The various VMs are exposed to the Internet and will therefore be subject to attack. If the configuration of Pfsense, the edge router (from the ISP) or the individual VMs and services has errors or omissions, there will be some risk of hostile actors gaining some control. Obviously, any misconfiguration can be mitigated by having several layers of configuration, so that if one thing is missed other defences will cover that possible vulnerability. Merely having locally hosted webservers will make them a target, and other ports will also be probed, although these probing attacks can be deflected by using Cloudflare's proxy service instead of DNS only. The big problem with Cloudflare's proxy service is that it will only proxy the web ports on the free tier; it is possible to proxy other ports, but only if additional fees are paid. The attacks were triggered by having a service hosted as DNS only: the RDP service was giving a response, so the attack bots simply tried probing.
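The RDP probing described above shows up in the Pfsense firewall log long before it shows up anywhere else. The script below is an added example, not code from this wiki, that parses a handful of constructed filterlog lines (the CSV field layout after the `filterlog[...]:` prefix is assumed from Pfsense's IPv4 format), counts inbound connection attempts to port 3389 per source, and separates the ones the firewall blocked from the ones it passed, since a passed RDP attempt is exactly the response that invited the bots.

```python
import re
from collections import Counter

# Constructed sample Pfsense filterlog lines (field layout after the
# "filterlog[pid]:" prefix is assumed: rule,subrule,anchor,tracker,iface,
# reason,action,dir,ipver,tos,ecn,ttl,id,offset,flags,protoid,proto,len,
# src,dst,sport,dport,datalen,tcpflags,...). Addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 24 16:20:01 pfSense filterlog[41230]: 5,,,1000000103,vtnet0,match,block,in,4,0x0,,53,3121,0,none,6,tcp,60,203.0.113.5,192.0.2.10,50213,3389,0,S,1234567890,,65535,,mss
Jan 24 16:20:02 pfSense filterlog[41230]: 5,,,1000000103,vtnet0,match,block,in,4,0x0,,53,3122,0,none,6,tcp,60,203.0.113.5,192.0.2.10,50214,3389,0,S,1234567891,,65535,,mss
Jan 24 16:20:02 pfSense filterlog[41230]: 5,,,1000000103,vtnet0,match,block,in,4,0x0,,53,3123,0,none,6,tcp,60,203.0.113.5,192.0.2.10,50215,3389,0,S,1234567892,,65535,,mss
Jan 24 16:20:05 pfSense filterlog[41230]: 5,,,1000000103,vtnet0,match,block,in,4,0x0,,118,6600,0,none,6,tcp,60,198.51.100.77,192.0.2.10,44100,443,0,S,22222,,64240,,mss
Jan 24 16:20:07 pfSense filterlog[41230]: 90,,,1700000001,vtnet0,match,pass,in,4,0x0,,55,8801,0,none,6,tcp,60,198.51.100.8,192.0.2.10,41000,3389,0,S,33333,,65535,,mss
"""

PREFIX = re.compile(r"filterlog\[\d+\]: (.*)$")


def parse_line(line):
    """Return the fields we care about, or None for lines that are not IPv4 filterlog entries."""
    m = PREFIX.search(line)
    if not m:
        return None
    f = m.group(1).split(",")
    if len(f) < 22 or f[8] != "4":  # only the IPv4 layout; IPv6 uses a different field order
        return None
    return {"iface": f[4], "action": f[6], "dir": f[7], "proto": f[16],
            "src": f[18], "dst": f[19], "dport": f[21]}


def probe_sources(log_text, port="3389", threshold=3):
    """Count inbound TCP attempts per source to `port`, split by firewall action.

    Sources that were blocked at least `threshold` times are reported as noisy;
    any source in `passed` reached a listening service and deserves a rule review.
    """
    blocked, passed = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["dir"] != "in" or rec["proto"] != "tcp" or rec["dport"] != port:
            continue
        (blocked if rec["action"] == "block" else passed)[rec["src"]] += 1
    noisy = sorted(src for src, n in blocked.items() if n >= threshold)
    return {"blocked": dict(blocked), "passed": dict(passed), "noisy_sources": noisy}


if __name__ == "__main__":
    print(probe_sources(SAMPLE_LOG))
```

On a real box, feed it `clog /var/log/filter.log` output and the `passed` entries tell you which WAN rule still lets RDP through.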
Kiosk Container
I wanted to repurpose an older tablet that is not used too often into a digital picture frame, so I installed a kiosk application from the Play Store. It needs to point at a webserver, so I created an LXC based on Ubuntu and installed the relevant servers on it. It is outside Pfsense for easy access, and it does not need to be accessible from the Internet, so this is the easiest. I have added some basic monitoring just because I can, but it is not a replacement for Zabbix or a Prometheus + Grafana stack by any means. The admin page is at admin_index.html and the kiosk should be served from index.html. A more comprehensive guide, mostly generated by Gemini, is here.