I’ve seen a few mentions of PiHole and AdguardHome, I started on PiHole, then moved to AdguardHome for adblocking. Then I heard about and have been using TechnitiumDNS server which is sort of overkill for our needs, but with the right ad-lists, it is fantastic at blocking advertisements on my home network. Super fast install too, even on a Raspberry Pi 2 :) I run that along with Proxmox-VE (Protected behind OIDC Login) and several other containers on my cranky old Dell Desktop server.
Mostly Vaultwarden, and a few other services for home private use such as PairDrop for inter-system sharing and a self-destructing file sharing server, Pingvin, for when we need to send documents to our attorney’s office (rarely, but sometimes we need to).
I also run:
With Authentik set up, I can log in to things like my Fresh Tomato router and TechnitiumDNS (both use HTTP auth headers) and Memos, which uses OIDC/SSO. It’s meant to replace our Google Keep notes.
`docker logs --follow` command. I still use Portainer-CE and am happy there. I may try Dockge or the others, but it’s fine for what I need it for (it’s also protected by OIDC).
I’m sure I may have missed a few, but this post has gone on long enough. :)
Grafana + Prometheus dashboards can be quite addicting or useful. Noted.lol put together a nice tutorial for getting started.
For most of my services though, I simply use Uptime Kuma which then sends an alert to Gotify when my services go down or whatnot, Gotify then instantly notifies my phone so I can be aware. It helps keep the spouse happy when their go to service for some reason crashed. :)
Authentik is my IDP provider so I put it in front of all my publicly facing Apps which support OIDC login. For example, I can log into my Portainer instance from an external network, but to do so, I log into Authentik First which sends it to my service.
For the apps which support HTTP headers, like I said, Pomerium acts as the service which passes my credentials to the device. I admit - Authentik does this also without the need for Pomerium, (through their flow settings) but I found Pomerium to be much easier to set up for this than Authentik and haven’t looked back or felt the need to change it.
With that, I use Pomerium for apps which accept HTTP headers, for example my Fresh Tomato firmware-flashed router, which has an HTTP login dialog. This allows me to log in from the road if I need to manage something like rebooting it or updating firewall rules etc.
My access flow is this :
router.example.com -> Cloudflare Tunnel -> Pomerium IP -> Authentik -> Router’s GUI.
It works flawlessly. I don’t often use it, but when I do, it helps. I also had it enabled for AdguardHome but moved to Technitium DNS which I prefer and that doesn’t have the HTTP Headers so it’s not fully compatible with Pomerium that I’m aware of.
I am a former IT Desktop drone…er…support worker… I used to swap towers for my local municipality back when Windows XP was being replaced with 7. I saw passwords on post-its attached to the monitor, mouse pad, and even under the keyboard or keyboard drawer (I had to get under desks to do the swap). Our policy was to remove those whenever we saw them and trash them in a different can across the building or a different one. They have a standard 90-day password cycle and most people couldn’t handle that. I would often answer the phone to “unlock” their account after 3 attempts. My all-time favorite when I would help an end user with software was when I would encounter someone’s “God Mode” icon for some of the registry hacks that used to float around. Everyone had Admin privileges (ironically), so it wasn’t really needed anyway.
Their primary server admins and IT folks in the main office were top notch though. Never any downtime, and the main security guy was very strong in making sure everything was adhered to. We, as desktop support, didn’t have the master password to decrypt a laptop which was GPG protected and had to bring it to him if we had a user who locked themselves out. With great consternation, only a few machines would be allowed to stay on XP, and those were VLAN’d and isolated from the outside world.
The rest of the server admins handled everything with ease, seemingly. The fun part was when they had a third party come in and do a security audit. No problems on the server side, but it wasn’t a success. They did the ol’ drop-a-flash-drive-randomly-in-different-locations test. Knowing human nature, they knew someone would pick it up, plug it in and be baited with an Excel file which looked like it had financials. Unbeknownst to the user, it sent a ping to their reporting server along with the drive ID, which was later reported back. They also did physical security penetration tests, the walk-in-behind-you type of thing. I remember seeing a group of guys without company ID badges try to follow me into the main IT office. I stopped them and asked who they were and what they wanted (this was a Govt building), and the look of confusion mixed with satisfaction from them that I stopped them was priceless. I let the head IT guy know who was at the door and left it up to them to unlock it for them.
I now work in a help desk position for a software company and miss those days of desktop support. But I know for a fact that I.T. guys and gals don’t get enough recognition. They are the understated backbone of a company’s well-being, especially when holidays and weekends are prime time for systems to fail and they are practically on call no matter what.
I use Proxmox and don’t use Truenas. My setup is basically to install Cockpit on the host server via apt-get and then the 45 Drives cockpit-sharing plugin. This provides the NFS and Samba sharing I need and use. I host Home Assistant in a VM and Docker containers in a few LXC containers which host about 10 containers each. Then, in combination with https://tteck.github.io/Proxmox/ you can set up pretty much anything you need from there.
This is, in computer terms, ancient: a 13-year-old Dell Optiplex 990 with 16GB RAM, running software such as Authentik and Vaultwarden from different dedicated LXC containers. I never have any issues with overload of the system resources or running out of memory. It’s pretty much rock solid.
As another Proxmox user, I’ve been doing well with it. I use these scripts for the LXCs, which have been fantastic:
https://tteck.github.io/Proxmox/
I also can log into it from the web as it’s secured by Authentik, SSO OIDC login when Away from home and need to manage it. Rare! But the option is there! :)
I got lost with setting up a nice inbox downloader to store all my emails on an HDD attached to my RPi 4, but haven’t quite mastered the SMTP server part or found the right software to run on it. It’s currently powered off waiting for a reflash of the SD card so I can try again. The end goal for mine is to set up fetchmail and have it grab from my inboxes, then IMAP capabilities so I can read it in Thunderbird. (Don’t talk to me about webmail, I know it’s the way, but I’m older than Star Wars (the original one) and am stuck in my ways. Now get off of my lawn!)
Seriously though, I have tinkered with it before as an AdguardHome Server, but somehow, my latency increased so I dropped that. Most of it’s life was spent hosting Home Assistant on it until I moved that to the umm…more controversial Proxmox VM method. I’m also on the fence about setting up the Raspberry Pi Nextcloud on it. (Maybe).
Here is a good resource for 36 different things you could possibly do with yours.
Installed and no way to login, see this in your GH issues:
https://github.com/linkwarden/linkwarden/issues/415
This is a fresh install as of about 10 minutes ago, using the :latest tag which I believe is the v2.4.8 build. Signing up is possible and I was able to create my user account, so that’s a good start at least. :)
I just installed Pomerium and got it to integrate with AdguardHome and my router which both use basic HTTP, I also use Authentik. It’s a bit of a learning curve, but in short, this is what the config.yaml file needs to work to get it up and running:
The basic auth header for this is just UN: example PW: Password

```yaml
authenticate_service_url: https://verify.mydomain.com
idp_provider: oidc
idp_provider_url: https://Authentik.mydomain.com/application/o/pomerium/
idp_client_id: AUTHENTIK'S CLIENT ID
idp_client_secret: AUTHENTIK'S CLIENT SECRET
idp_provider_scopes: null
routes:
  - from: https://agh.mydomain.com
    to: http://192.168.1.200 # AdguardHome address
    policy:
      - allow:
          or:
            - email:
                is: myemail@mydomain.com
    set_request_headers:
      # https://www.blitter.se/utils/basic-authentication-header-generator/
      Authorization: "Basic ZXhhbXBsZTpwYXNzd29yZA==" # AdguardHome
    allow_websockets: true
  - from: https://router.mydomain.com
    to: http://192.168.1.254
    policy:
      - allow:
          or:
            - email:
                is: myemail@mydomain.com
    set_request_headers:
      # https://www.blitter.se/utils/basic-authentication-header-generator/
      Authorization: "Basic ZXhhbXBsZTpwYXNzd29yZA==" # Router
    allow_websockets: true
cookie_name: pomerium
cookie_secret: RANDOM 32 CHARACTER COOKIE=
cookie_domain: mydomain.com
pomerium_debug: true
```
So now, when I go to my AdGuardHome URL (agh.mydomain.com), it automatically redirects to my Authentik instance, then upon matching my signed-in email in the browser session, it transparently logs me into AdGuardHome without issue. The same applies to my router’s login.
In short, if you have found an NVR which supports basic HTTP auth, Pomerium is the missing piece I’ve found to work.
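The two values in that config that are easy to get wrong are the `Authorization: Basic …` header in `set_request_headers` (a base64 of `user:password`, so it is a credential in plain sight and should be generated locally rather than pasted into a third-party web form) and `cookie_secret`, which Pomerium's documentation describes as a base64-encoded 32-byte key. The following is an added example, not code from the post or from the Pomerium project; the function names are my own, and the `example`/`password` pair is what the post's header decodes to.

```python
"""Build and check the two hard-coded secrets used in a Pomerium route config:
the upstream Basic auth header and the session cookie_secret.

Added example (not from the post or Pomerium); helper names are my own."""
import base64
import binascii
import secrets


def basic_auth_header(username: str, password: str) -> str:
    """Return the value Pomerium sends upstream in ``Authorization``.

    RFC 7617 joins user and password with ':' and base64-encodes the bytes.
    A ':' in the username would make the header ambiguous, so refuse it.
    """
    if ":" in username:
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth_header(header: str) -> tuple[str, str]:
    """Inverse of basic_auth_header(): check what a pasted header really
    contains before committing it to a config file."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic auth header")
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error as exc:
        raise ValueError("invalid base64 in Basic header") from exc
    username, sep, password = raw.decode("utf-8").partition(":")
    if not sep:
        raise ValueError("decoded credentials lack a ':' separator")
    return username, password


def new_cookie_secret() -> str:
    """Generate a cookie_secret: 32 random bytes, base64-encoded.

    Assumption: Pomerium documents cookie_secret as a base64-encoded 32-byte
    key (the equivalent of ``head -c32 /dev/urandom | base64``)."""
    return base64.b64encode(secrets.token_bytes(32)).decode("ascii")


def cookie_secret_is_valid(value: str) -> bool:
    """True only if value is strict base64 decoding to exactly 32 bytes."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except binascii.Error:
        return False


if __name__ == "__main__":
    # Reproduce the header from the config above and decode it back.
    print(basic_auth_header("example", "password"))
    print(decode_basic_auth_header("Basic ZXhhbXBsZTpwYXNzd29yZA=="))
    # A freshly generated secret passes; the placeholder from the config does not.
    print(cookie_secret_is_valid(new_cookie_secret()))
    print(cookie_secret_is_valid("RANDOM 32 CHARACTER COOKIE="))
```

Run it once to produce a real `cookie_secret` and the header for your own upstream credentials; the decode helper is there so you can confirm a header from any source encodes exactly the user and password you intended.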
Because, for Home Assistant, I moved it from a Raspberry Pi 4 to a KVM and found it faster. I use Proxmox for that, which I found to play nicer with it than just setting up a Debian server and spinning up a KVM via QEMU on a desktop. I’ve been there and had issues over time. As for why LXCs: they are smaller, and the only ones I use are from https://tteck.github.io/Proxmox/ which makes them super simple to set up and run!
Under Proxmox, I have the following running currently:
**As LXC Containers:**
**As a VM:**
The rest is all docker on the host OS which is Debian 12, this is not my complete list but the most used ones in my world:
Protected by Authentik’s SSO
You may wonder why I am using Zitadel and Authentik. I first started with Zitadel, and moved to Authentik, but am evaluating both. They both have their positives. So far Authentik has been the most useful for me. And about the two password managers: I use Vaultwarden as it supports everything I need, including Passkey support. My step daughter, who is an adult, is disabled, so having an easier password manager like Psono makes it easier for her.
I’ll admit, I’m not a huge fan of Traefik (it’s too big of a hassle for me and I use Cloudflare tunnels anyway). I couldn’t get past the login even after a literal copy-pasta of your example for the user test as a last resort. So, I’m not sure if it’s because I’m not using Traefik or some other reason. (Username tried was test, password Test.) I also tried at first the username/password combo I set for it using the command to generate the passwd file.
Your page links 404 out, but if you reduce it to https://klay.gay/self-host/ it works and shows v.0.9.2 so you may want to edit your post. :)
I have MFA enabled on that account and have had it there for years. :) (2FA + WebAuthn) Password already updated too. :) That email I know has been all over the dark web based on my monitoring alerts, and I know it’s been used. All of my important user accounts with that email were changed to a new one 6 or so months ago. I just forgot about this one and, like I said, never really used it anyway. :)
I use this:
Timekpr-nExT (it’s stylized this way). Here’s a decent write-up of it:
https://itsfoss.com/timekpr-next/
And the source I think: https://mjasnik.gitlab.io/timekpr-next/
Here’s our household need for it, and I think most people will not like it, but it’s what works for us. I have a special needs adult step daughter who has a TBI from a major traumatic auto accident at the age of 2. For most people who see her, she passes as high functioning, but that is on the outside. As a result of the accident and brain injury at age 2, in real life she has problems with the concept of time and time management. She also lacks the executive functioning that most adults have, such as making the correct decisions in life, just to name a few. Having this on her system (Arch Linux) allows us to at least limit the screen time, which is what we were wanting. As for filtering NSFW stuff: she’s extremely turned off by the thought of people being intimate, so we are pretty comfortable with unfiltered internet. (I also run a DNS server which, if needed, can filter traffic.)
Another person mentioned using SELinux. This reminded me of using openSUSE; that distro is very tuned toward administrative access for even basic things such as modifying the network (well…at least basic for me LOL). I think of it as an ideal OS for small organizations with a single IT person on staff.
What I do is this, and some may frown upon it because well…Cloudflare! But I use Cloudflare’s tunnels to access my remote instances for my password manager, Home Assistant and an SSH shell. All of which are behind passwords and 2FA. I then have only one port open on my router, and that’s for my WireGuard instance. I access it using my DDNS and can be on my home network from anywhere.
I’d move away from the tunnels and push everything through WG, but my family is not as savvy as I am and don’t always activate the tunnel when away from home. I am putting a plan for that this weekend though. :)
Primary benefit of using a VPS:
Placing mission-critical items there which you cannot afford to have go down due to hardware failure. Some of those items may be a DNS server, uptime monitor, or VPN/WireGuard tunnel.
They are usually quite fast, and will provide a STATIC IP which makes it easier to set your domain’s DNS resolver to, it never changes as long as you keep paying. :)
**Disadvantage of VPS:**
Who says they don’t log into your VPS Instance and snoop around? I’m sure about 99.99% of VPS hosts will never do that and are ethical, and honestly, won’t really care to. At a moment’s notice, the VPS can close shop and take your data with them. (I had that once a few years ago). No warning was given and they went dark. Very aggravating. Fortunately, I had a fairly recent backup but still.
If you do go with a VPS, a place which supports KVM is a huge bonus! You can then install just about any host OS you want. Pivo is a good place for this and they are reasonably priced. They’ve been around since 1997 and I doubt they will go anywhere. Or you can spin up an instance at Linode and take advantage of some of the free trials they have (Jupiter Broadcasting, a podcast production company, has something like $100 credit for them, so you can get your ‘feet wet’ testing things out).
My advice, if you go with a VPS: avoid eBay for hosting plans, and read reviews of the sites you are considering. Trustpilot and others are often great resources.
**Benefits of your own hardware:** You have everything on your server, you know where everything is and can have the peace of mind knowing it’s there and not looked at by anyone but you or those you trust.
**Disadvantages of your own hardware:**
If anything fails, you are responsible for repairing/replacing it, this can also mean some massive downtime depending on how long it takes.
Your hardware is limited by the resources you provide it, Memory, Disk Space etc. Your ISP may throttle your data and cap the usage as well.
Started on PiHole a long time ago, went to AdGuardHome, then moved over to Technitium DNS (https://technitium.com/dns/). That might be another option to investigate; it allows ad blocking as well as a lot more than AdGuardHome and PiHole.
Bookmarks are cool and all, but having the ability to tap (if on mobile) the link or click on it visually is important. For example, I access my local dashboard via Wireguard on my phone, I can then tap the service I need to access locally. IMO, that is much nicer than hitting the browser’s menu to find the bookmark and then clicking on it.
Aside from that, if you are like me and have hundreds of bookmarks, and a significant other who is less technically savvy than you are and is visual, then having a dashboard to go to makes it a lot easier!
I took a quick read of the comments and I apologize in advance if this has been suggested already.
I use a self-hosted DNS server (AdGuardHome). I was using TechnitiumDNS for a long while, but moved over to the other recently so I could do some more blocking as needed (an adult special needs house dweller sometimes needs limited internet). It also acts as a DHCP server, so it takes the role of DHCP assignment away from the router. As it so happens, this week I got to experience the benefit of having this setup live when my main router went down. I was able to switch to a spare router (my ISP-provided one), and all I had to do was turn its DHCP off, optionally point the DNS to my AdGuardHome address, set the SSIDs up and I was in business. All of my devices happily reconnected and grabbed their assigned IPs.
In short, if you have a spare computer, an SBC such as a Raspberry Pi or whatnot, you can easily host something like that and not have to worry about setting those again.