• 8 posts
  • 24 comments
Joined 3 years ago
Cake day: November 22nd, 2023
  • To add yet another piece of advice:

    • Get a Lenovo or Dell slim client (not a NUC/mini PC but the bigger version with data ports; roughly the same power but more useful hardware)

    • Get 2×4 TB HDDs for mass storage

    • A 500 GB SSD for the OS. If you have the money, maybe even 2 of them and clone them

    • The OS is tricky. You can use Proxmox, which is basically like Linux, but as you have multiple VMs in there you can have multiple Linux installs to take care of. Another choice would be something like TrueNAS, CasaOS, Unraid etc. I can’t recommend one there; I use Proxmox and it’s great if you like CLI/ssh

    • To make it accessible from outside your home, use Tailscale. You can also use a domain/DNS so you don’t have to remember IPs

    • If you have the option, take another thin client or PC with the same amount of storage to another location and install a backup system, like Proxmox Backup Server. That way your data is safe. Take a look at encryption if you don’t trust the other place.

    • My backup server draws 15 W idle and 40-50 W when it’s working

    • My home lab draws 30 W idle and 60 W under load

    • It’s just another factor to be aware of

    Have fun!

First my specific questions, down below more info:

  • How do you use Ansible? Is there a good source for roles or playbooks to set up services? I feel like Ansible is 30% more headache right now during config.
  • How do you deal with motivation loss?
  • How do you deal with the overwhelming amount of choices, information and disciplines (networking, storage, VMs, Linux…) that comes with self-hosting?
  • How do you find the sweet spot between ease of use, ease of setup, security and redundancy? I feel like I am maybe too paranoid to lose my data again (I dropped a hard drive many years back and lost all of my projects)
  • Maybe overall, how do you manage your perfectionism?

Thanks a lot! I hope you have some insights for me.


More info

Soo I have a motivational push to work on my server every few months for a few weeks or months. I always make progress and I feel like I landed on a good solution by now. It’s the third time I redid my setup; every time I got closer to what feels like the perfect setup for me.

I have a VPS for Headscale and a home server with Proxmox for the rest.

Last push I switched from manually configuring and documenting to Ansible. I like Ansible, but it’s also a pain and not as fast for setting up my server as just installing it and fiddling around manually until it works.

My problem is: I want to do it right, so my server is robust with enough redundancy to move all my cloud stuff to it. But I am still kind of a noob and still learning and figuring things out.

My fear is that if I don’t document well or don’t use Ansible, I will be hating my life once my server dies and I have to restore my data and also set up my services again in a few years.

So Ansible seems like the only valid choice here, together with Proxmox, to be as flexible and future-proof as possible. But I am burnt out again and lost motivation even though I am close to my first goals and running services.

Thank you for reading :)

  • So I am in a vicious cycle. I start doing something, notice there is a better way, change my setup and restart. So from just Ubuntu Server, I developed to Proxmox. From documenting everything manually in Joplin, I am now using Ansible. I started with WireGuard, then Tailscale with self-hosted Headscale. I try to get my setup right on the first try, which I notice is stupid as I am writing. It just hinders me from making progress. I think I should rather try to get it up and running as fast as possible (and securely of course) to make progress and fail fast maybe? And I like all the changes I made, I think they were the right choice, but it’s a bit tiring. And I like Ansible, I just have the urge to automate absolutely everything, so I can redeploy everything right after I installed Proxmox. Which is not necessary at all at this stage, idk :D Maybe someone has some tips how to overcome perfectionism?

  • Caddy is nice and super simple. Only issue I had was: it can’t control domains if it’s behind a VPN. I use Hetzner and they have an API, but the feature is not native to Caddy, so I would have had to rebuild Caddy as a Docker image. Rather annoying tbh, because everything else is great about it

Hi there, I just installed Proxmox on my home server and like the idea a lot, but there is a noticeable learning curve. I used this wonderful website and the provided link for Home Assistant OS.

Usually Home Assistant is available at homeassistant.local without any configuration, I think it’s called mDNS? But on my setup, homeassistant.local does not work for me, on any device, but the IP does.

So I suspect some setting in the Proxmox firewall stops the HA VM’s mDNS service from creating an entry in my router (FRITZ!Box). I could not find any useful information about this though, and AI gave me the usual not-quite-helpful advice.

I hope you have some tips on what I can check. Thanks a lot!

PS: I want to host Caddy as a reverse proxy on the server some day. Does it make more sense to host a DNS server as well and use Caddy to forward to the IP?

  • I can only recommend getting into hobbies like building dioramas, electronics, music (there are DAWs like Bitwig or Ableton with free trials, it’s on the PC as well though), starting some sport (I like bouldering because you basically sit around all the time and then climb some routes and talk with friends), or being creative with cooking! The only thing is to just start doing something new. It’s always fun!

    To be honest there are 4 things that combine in a bad way. Sorry if that is too forward, I don’t know you and it’s just what I’ve read here. So don’t take it the wrong way.

    • You seem to have very high expectations of yourself, which is great, but you burn out quickly that way. You seem to not want to give up and fail
    • You seem to be stuck in your day-to-day rhythm
    • You seem kind of burned out or depressed
    • You seem to have a lack of input, variation and actually kind of life

    Try to break your day to day cycle and be kind to yourself :)

Update: I was overwhelmed by settings. After some more research and thinking I got it working. My DNS was set up incorrectly; I referenced the container with the wrong name (the name of the container is not the container_name, but the name of the service in the docker compose file). I then had some other issues with port collisions but could resolve them by killing (docker stop) ThingsBoard and restarting all services.

So: problem solved! Thanks for the answers though!

Hi! I have a server with a static IP that runs Docker with Caddy and ThingsBoard (IoT dashboard). I have my domain, which points to the server’s IP (both IPv4 and IPv6). (I tried it with “www” and with the wildcard “*” in the A and AAAA records.)

ThingsBoard can be reached in the browser via ip:8080, or domain.com:8080 (or, with the wildcard “*” set in the DNS records, via (anything).domain.com:8080). It is set up this way by the creators, where I got the compose file (without Caddy); guide here. So I guess no routing is done via Caddy.

The Caddyfile looks like this:

thingsboard.domain.com {
	tls internal
	reverse_proxy thingsboard:8080
}

ThingsBoard can’t be reached via thingsboard.domain.com, which I would be expecting with this config. Below is the compose file. They are all part of the same Docker network (they get listed when I inspect the network).

Some specific questions:

  • How do I have to set up my DNS records so that all requests to any subdomain get sent to Caddy and I can do all the routing (from the subdomain to the service) in Caddy? What am I missing in the Caddyfile?
  • Can I deactivate the port from the ThingsBoard container, so it can’t be reached via the port from “outside”, only from inside the Docker network, by Caddy?
  • Why am I struggling so much with this basic Docker and networking stuff? “Docker is easy, you should try it” :D

Thanks a lot for reading, I hope someone can help! I don’t know what to search for to get this working, networking stuff is still a blur.

Here is the docker compose file:

services:
  caddy:
    image: caddy:latest
    container_name: caddy
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - /srv/caddy/Caddyfile:/etc/caddy/Caddyfile
      - /srv/caddy/site:/srv
      - caddy_data:/data
      - caddy_config:/config
    networks:
      - caddy_network


  kafka:
    restart: unless-stopped
    image: bitnami/kafka:3.8.1
    container_name: kafka
    ports:
      - 9092:9092 #to localhost:9092 from host machine
      - 9093 #for Kraft
      - 9094 #to kafka:9094 from within Docker network
    environment:
      ALLOW_PLAINTEXT_LISTENER: "yes"
      KAFKA_CFG_LISTENERS: "OUTSIDE://:9092,CONTROLLER://:9093,INSIDE://:9094"
      KAFKA_CFG_ADVERTISED_LISTENERS: "OUTSIDE://localhost:9092,INSIDE://kafka:9094"
      KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP: "INSIDE:PLAINTEXT,OUTSIDE:PLAINTEXT,CONTROLLER:PLAINTEXT"
      KAFKA_CFG_INTER_BROKER_LISTENER_NAME: "INSIDE"
      KAFKA_CFG_AUTO_CREATE_TOPICS_ENABLE: "false"
      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: "1"
      KAFKA_TRANSACTION_STATE_LOG_MIN_ISR: "1"
      KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR: "1"
      KAFKA_CFG_PROCESS_ROLES: "controller,broker" #KRaft
      KAFKA_CFG_NODE_ID: "0" #KRaft
      KAFKA_CFG_CONTROLLER_LISTENER_NAMES: "CONTROLLER" #KRaft
      KAFKA_CFG_CONTROLLER_QUORUM_VOTERS: "0@kafka:9093" #KRaft
    networks:
      - caddy_network
    volumes:
      - /srv/thingsboard/kafka-data:/bitnami
  mytb:
    restart: unless-stopped
    container_name: thingsboard
    image: "thingsboard/tb-postgres"
    depends_on:
      - kafka
    ports:
      - "8080:9090"
      - "1883:1883"
      - "7070:7070"
      - "5683-5688:5683-5688/udp"
    environment:
      TB_QUEUE_TYPE: kafka
      TB_KAFKA_SERVERS: kafka:9094
    networks:
      - caddy_network
    volumes:
      - /srv/thingsboard/.mytb-data:/data
      - /srv/thingsboard/.mytb-logs:/var/log/thingsboard



#general networks
networks:
    caddy_network:
      driver: bridge
      ipam:
        config:
          - subnet: 172.20.0.0/24


#general Volumes:
volumes:
  caddy_data:
  caddy_config:
  kafka-data:
    driver: local
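The following is an added example, not the poster's own compose file. It is the same stack rebuilt with the fix from the update (Caddy must target the compose service name `mytb`, and the container-side port `9090`, not the published `8080`) and with the answer to the second question applied: ThingsBoard's web port is no longer published on the host, so only containers on `caddy_network`, i.e. Caddy, can reach it. Assumptions: `domain.com` and the `/srv` paths are the placeholders from the post; the inline `content:` form of `configs:` needs Docker Compose v2.23 or newer (on older versions bind-mount a Caddyfile as the post does); `tls internal` from the post is dropped so Caddy requests a public certificate via ACME, which requires ports 80 and 443 to be reachable from the internet.

```yaml
# Added example, not the poster's file. Differences from the post:
#  - ThingsBoard's web UI (container port 9090) is not published on the host;
#    it is reachable only from containers on caddy_network, i.e. Caddy.
#  - Caddy proxies to the compose *service* name (mytb), not container_name.
#  - Kafka's host port publishes are dropped; only ThingsBoard talks to it.
#  - Caddy no longer gets NET_ADMIN; a reverse proxy does not need it.
# Assumes Docker Compose v2.23+ for `configs: ... content:`.

services:
  caddy:
    image: caddy:2                # pin a major version instead of :latest
    container_name: caddy
    restart: unless-stopped
    ports:
      - "80:80"                   # ACME HTTP-01 challenge + HTTP->HTTPS redirect
      - "443:443"
      - "443:443/udp"             # HTTP/3
    configs:
      - source: caddyfile
        target: /etc/caddy/Caddyfile
    volumes:
      - caddy_data:/data          # ACME account + certificates, keep persistent
      - caddy_config:/config
    networks:
      - caddy_network

  kafka:
    image: bitnami/kafka:3.8.1
    container_name: kafka
    restart: unless-stopped
    # No `ports:`: 9092/9093/9094 stay inside caddy_network. Listener config
    # is unchanged from the post; OUTSIDE is simply no longer reachable from
    # the host.
    environment:
      ALLOW_PLAINTEXT_LISTENER: "yes"
      KAFKA_CFG_LISTENERS: "OUTSIDE://:9092,CONTROLLER://:9093,INSIDE://:9094"
      KAFKA_CFG_ADVERTISED_LISTENERS: "OUTSIDE://localhost:9092,INSIDE://kafka:9094"
      KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP: "INSIDE:PLAINTEXT,OUTSIDE:PLAINTEXT,CONTROLLER:PLAINTEXT"
      KAFKA_CFG_INTER_BROKER_LISTENER_NAME: "INSIDE"
      KAFKA_CFG_AUTO_CREATE_TOPICS_ENABLE: "false"
      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: "1"
      KAFKA_TRANSACTION_STATE_LOG_MIN_ISR: "1"
      KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR: "1"
      KAFKA_CFG_PROCESS_ROLES: "controller,broker"
      KAFKA_CFG_NODE_ID: "0"
      KAFKA_CFG_CONTROLLER_LISTENER_NAMES: "CONTROLLER"
      KAFKA_CFG_CONTROLLER_QUORUM_VOTERS: "0@kafka:9093"
    volumes:
      - /srv/thingsboard/kafka-data:/bitnami
    networks:
      - caddy_network

  mytb:                           # <- the name Caddy resolves, not "thingsboard"
    image: thingsboard/tb-postgres
    container_name: thingsboard
    restart: unless-stopped
    depends_on:
      - kafka
    ports:
      # "8080:9090" removed: the web UI is served only through Caddy.
      # Device protocols stay published only because devices outside the
      # compose network need them; drop any you do not use.
      - "1883:1883"                 # MQTT
      - "7070:7070"                 # edge RPC
      - "5683-5688:5683-5688/udp"   # CoAP / LwM2M
    environment:
      TB_QUEUE_TYPE: kafka
      TB_KAFKA_SERVERS: kafka:9094
    volumes:
      - /srv/thingsboard/.mytb-data:/data
      - /srv/thingsboard/.mytb-logs:/var/log/thingsboard
    networks:
      - caddy_network

configs:
  caddyfile:
    content: |
      # DNS: point thingsboard.domain.com (or a wildcard *.domain.com) at the
      # server's IPv4/IPv6 addresses; Caddy then routes on the Host header,
      # one site block per subdomain.
      thingsboard.domain.com {
          reverse_proxy mytb:9090
      }

networks:
  caddy_network:
    driver: bridge
    ipam:
      config:
        - subnet: 172.20.0.0/24

volumes:
  caddy_data:
  caddy_config:
```

A quick check after `docker compose up -d`: `curl -sI http://127.0.0.1:8080` on the host should now fail to connect, while `docker compose exec caddy wget -qO- http://mytb:9090` still answers, which confirms the UI is reachable only through the proxy.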
  • What I don’t quite understand: if I use something like a Nextcloud client app or file manager integration, how would the authenticator work? I thought the app or program would need direct access to the service, without anything in front of it

  • But “no ports” only regards the home network, right? The proxy server has to have open ports, and the home server that connects to the proxy (however that’s done) needs to receive the forwarded packets on its ports, no?

  • Wow, thanks!! That actually solved it apparently! Why does the WireGuard config change if I can ping outside the Docker container though? Is it because the WireGuard client inside the container opens up IP addresses or something? :) Thanks again! I tried to find a solution for many hours yesterday :D

    Oh, and is the ‘,’ in the allowed IPs meant as an “and” or rather an “or”?

Hi! I am trying to set up a WireGuard client in Docker. I use the linuxserver image; I have it running in server mode on a different machine (exactly the same Ubuntu version) and I can log in with my laptop to the WireGuard server, but the Docker wg-client has problems, I hope someone has an idea :)

The client Docker container has trouble starting and throws this error:

modprobe: FATAL: Module ip6_tables not found in directory /lib/modules/6.8.0-47-generic
ip6tables-restore v1.8.10 (legacy): ip6tables-restore: unable to initialize table 'raw'
Error occurred at line: 1
Try 'ip6tables-restore -h' or 'ip6tables-restore --help' for more information.

I copied the config to the server with the WG server running; it has the same problem with the client. I can ping google.com from inside the server container, but not from inside the client container. Here is the output of the ‘route’ cmd from the client:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.18.0.0      *               255.255.0.0     U     0      0        0 eth0

I searched for a solution quite a bit, but can’t seem to find something that works. I changed the .yml compose file according to some suggestions, but without success.

I tried to install the missing module but could not get it working.

It’s a completely clean install of Ubuntu 24.04.1 LTS, kernel: Linux 6.8.0-47-generic.

Here is the compose file, in case it’s needed; it should be the exact same one as provided by linuxserver on their GitHub:

services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard-client
    cap_add:
      - NET_ADMIN
      - SYS_MODULE #optional
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Berlin
#      - SERVERURL=wireguard.domain.com #optional
#      - SERVERPORT=51820 #optional
#      - PEERS=1 #optional
#      - PEERDNS=auto #optional
#      - INTERNAL_SUBNET=10.13.13.0 #optional
#      - ALLOWEDIPS=0.0.0.0/0 #optional
#      - PERSISTENTKEEPALIVE_PEERS= #optional
#      - LOG_CONFS=true #optional
    volumes:
      - /srv/wireguard/config:/config
#      - /lib/modules:/lib/modules #optional
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

Here is the complete error log from the wg-client Docker container:

[migrations] started
[migrations] no migrations found
usermod: no changes
───────────────────────────────────────

      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝

   Brought to you by linuxserver.io
───────────────────────────────────────

To support the app dev(s) visit:
WireGuard: https://www.wireguard.com/donations/

To support LSIO projects visit:
https://www.linuxserver.io/donate/

───────────────────────────────────────
GID/UID
───────────────────────────────────────

User UID:    1000
User GID:    1000
───────────────────────────────────────
Linuxserver.io version: 1.0.20210914-r4-ls55
Build-date: 2024-10-10T11:23:38+00:00
───────────────────────────────────────
    
Uname info: Linux ec3813b50277 6.8.0-47-generic #47-Ubuntu SMP PREEMPT_DYNAMIC Fri Sep 27 21:40:26 UTC 2024 x86_64 GNU/Linux
**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
**** Client mode selected. ****
[custom-init] No custom files found, skipping...
**** Disabling CoreDNS ****
**** Found WG conf /config/wg_confs/peer1.conf, adding to list ****
**** Activating tunnel /config/wg_confs/peer1.conf ****
[#] ip link add peer1 type wireguard
[#] wg setconf peer1 /dev/fd/63
[#] ip -4 address add 10.13.13.2 dev peer1
[#] ip link set mtu 1420 up dev peer1
[#] resolvconf -a peer1 -m 0 -x
s6-rc: fatal: unable to take locks: Resource busy
[#] wg set peer1 fwmark 51820
[#] ip -6 route add ::/0 dev peer1 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
modprobe: FATAL: Module ip6_tables not found in directory /lib/modules/6.8.0-47-generic
ip6tables-restore v1.8.10 (legacy): ip6tables-restore: unable to initialize table 'raw'
Error occurred at line: 1
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
[#] resolvconf -d peer1 -f
s6-rc: fatal: unable to take locks: Resource busy
[#] ip -6 rule delete table 51820
[#] ip -6 rule delete table main suppress_prefixlength 0
[#] ip link delete dev peer1
**** Tunnel /config/wg_confs/peer1.conf failed, will stop all others! ****
**** All tunnels are now down. Please fix the tunnel config /config/wg_confs/peer1.conf and restart the container ****
[ls.io-init] done.

Thanks a lot. I appreciate every input!

So I am working on my home server. I installed Docker and use a dnsmasq container as my DNS server to resolve local IP addresses.

Laptop and server are both Linux (Ubuntu LTS 24.4)

What works:

  • ‘resolvectl status’ shows the IP of my DNS server
  • I can ping the IP of the DNS server (that will run other stuff like Nextcloud soon as well)
  • I can use nslookup to resolve server.local to the correct IP address (even after changing the entry, so it’s not the cache on my laptop)

What does not work:

  • I can not ping server.local (for testing I have to stop the systemd-resolved.service to run the dnsmasq server, or else there are port collisions, but that should not be the problem I guess. I am happy to hear your solution :))
  • I can also not use ssh to log in to server.local; the IP address works

What am i missing?

Thanks a lot already! BTW: ZFS is crazy nice :D