Most of my services reside across two servers, which are named HAL-9000 and SAL-9000.
HAL is a Raspberry Pi 4 connected to a single HDD, and acts as a tiny media server for personal use. It runs:
SAL runs a lot more services, which I’ll refrain from listing here, as I keep adding and removing them over time. The most used ones are:
The complete list of services can be found in the terraform files here.
All of these services run in their own docker containers. This is a primary requirement for me, and I went to great lengths to make sure that nothing runs out of containers. Reasons are:
My home network sits behind my ISP’s NAT, so HAL cannot be reached directly from the Internet. To make it accessible, I use a VPN connection (tinc) between HAL and SAL to bridge the two servers, making HAL locally accessible from SAL. In this network, HAL gets the IP
10.0.0.2 while SAL is
10.0.0.1. This allows me to directly tunnel traffic from SAL to HAL, making it available over the internet.
Tunneling all traffic, though, would mean that services on SAL would be inaccessible. As it’s not guaranteed that all traffic can be identified, I cannot do this selectively for services too. The solution was to get a Floating IP on DigitalOcean and attach it to SAL. Floating IPs are reassignable IP addresses, which can be attached to running instances.
SAL, now has two public IP addresses, the floating IP and the instance’s own public IP. The floating IP connects to SAL through what DigitalOcean calls an Anchor IP, which is added as an alias to the default interface. Now, I can use two different IP addresses to reach my SAL. One by using the SAL’s public IP, and the other via the floating IP (anchor IP on the instance).
+-------------------+ | SAL-9000 | | +---------------+ | | | eth0 | | | | | | Internet ------------>| 188.8.131.52 | | | | | public IP | | | | | | | V | | | | 184.108.40.206 ------->| 10.47.0.5 | | Floating IP | | anchor IP | | | +---------------+ | +-------------------+
My DNS configuration says that
*.hal-9000 should point to the floating IP, while
*.sal-9000 should point to the SAL’s public IP.
I use HAProxy to redirect traffic received on the anchor IP to HAL at
10.0.0.2 over the VPN, and keep the rest on the instance itself. This could be easily done with iptables too, but I wanted all configurations to live in Terraform, hence HAProxy. I’ll be switching to iptables as soon as I add support for them in the Linux Provider.
Once this step is cleared on both servers, all the traffic is forwarded to their respective docker containers. HTTP and TLS traffic, though, all goes to traefik, a reverse proxy with amazing support for Docker (with discovery), ACME, and some capable middlewares. Any contanier which needs to listen to HTTP or decrypted TCP traffic, registers itself with traefik and is ready to go. My traefik config is using Let’s Encrypt to get signed TLS certificates.
The following five services make up the monitoring stack of these servers:
Data from both the servers’ prometheus and loki is displayed on a Grafana instance running on SAL, which is also used for some rudimentary alerting.
A friend once asked why I was using separate loki and prometheus to store data for different servers, when one could suffice. It’s so that HAL can continue to write metrics to its own databases even in case of internet disruption at my home.
I use restic to backup all my docker volumes to Backblaze. Restic is able to deduplicate blobs too, so the total capacity used for backups is less than the sum of all the backups.
I am using Migadu as my email provider for now, but plan to try hosting it myself on a separate server later this year. I also use PIA as my VPN provider instead of hosting my own VPN server, mostly because I switch between regions often, and it was cheaper to use PIA than run VPN instances in different regions.
|Domain name||$30/year||Depending on the TLD, it can be $0 to $$$|
|Cloud Server||$240/year||I have a DigitalOcean instance with 4GB memory. A 512MB one costs $60/year|
|$48/year||I use migadu for my emails. It’s a Swiss provider which allow you to have multiple custom domains as long as you don’t send tons of emails everyday. I’d strongly recommend that you use your own domain for emails, to keep them migratory. But, if you don’t wanna shell out, you can go with free email providers too (Fastmail is pretty good), or maybe what Danny recommends if you really want that domain|
|Backup storage||$0/year||The 10GB free tier of Backblaze is able to store all my backups for now. It’s still pretty cheap at 0.5c/GB when it exceeds that limit though|
|Electricity||$15/year||Raspberry Pi running at 135kWh/year at 10c/hr|
|VPN||$40/year||I use PIA as my VPN provider. Alternatively, you can setup a VPN server on your machine too, if it fits your threat model and you don’t require all the different regions supported by PIA|
|Total||$373/year||If you just go with a small cloud server, and a cheap domain, you can probably bring this down to $61/year. If your home IP is not behind a NAT (static IP, or dynamic DNS), you can host this at your home too, bringing it down to just the hardware and electricity costs.|
Host things yourself. It’s fun.
- Sid Verma | Home | needs a job