I write homelab docs mostly for user guidance like onboarding, login, and service-specific stuff. This helps me better design for people by putting myself in their shoes, and should act as a reference document for any member to come back to.

Previously I built an Mkdocs-Material website with a nice subdomain for it, but since the project went on maintenance mode, I’m gonna migrate all docs back to a Forgejo wiki since it’s just Markdown anyways. I also run an issue tracker there, to manage the homelab’s roadmaps and features since it’s still evolving.

I find this approach benefiting compared to just documenting code. I’m not an IaC person yet, but I hope when I am, the playbooks should describe themselves for the nitty-gritty stuff anyways. I do write some infra notes for myself and perhaps to onboard maintainers, but most homelab developments happen in the issue tracker itself. The rest I try to keep it simple enough for an individual to understand

Panasonic Let’s Note, SV7 or SZ7 I think. Japanese domestic notebook for enterprises

Nextcloud forked from the old PHP-based ownCloud stack, while Opencloud forked from the Infinite Scale Go-based stack. It also by default preserves the filesystem hierarchy on your server without needing a database, using a storage driver called PosixFS.

The Windows clients currently do support selective syncing so it is on-par with OneDrive. Android client looks to be forked from old Owncloud, and has offline availability too.

Try Syncthing with IgnoreDelete but note that it’s unrecommended. Maybe use Syncthing as an append-only store

due to it missing ideal features

what features do you want? kindly elaborate

XMPP with Snikket could be an easy solution. If you don’t want to talk to the wider web make sure to disable federation.

It’s entirely possible. If the 2 domains are different, you should look into SNI routing using the TCP router instead of HTTP. With the tls.passthrough flag, encryption is kept intact until it reaches the second proxy.

Pihole runs on dnsmasq right? Maybe you could create a cronjob to copy the underlying dnsmasq.conf to other Piholes

Off the top of my head:

• Allows using DoH/DoT/DoQUIC/recursive upstreams without installing extra packages (unbound, cloudflared, etc)
• Allows acting as a DoH/DoH3/DoT/DoQUIC server alongside normal DNS over UDP and TCP
• Allows configuring SOCKS/HTTP proxies for forwarders
• Act as authoritative zone server with DNSSEC signing
• Allows custom responses via plugins (e.g. conditional responses based on client’s IP addresses)
• Accept PROXY Protocol to forward client IPs from trusted load balancers
• All the clustering and zone transfers magic
• DNS64

It really dives deep into the inner workings of DNS and does pretty much anything Pi-Hole does, with many more security and QoL features. Although the UI may feel a bit dated, I’d recommend it to anyone running their own homelab infrastructure beyond just adblocking

try adding the sysctls parameters to your docker container too

Two separate functions should go into two separate nodes

1. Run Tailscale binary on host. Connect to Jellyfin server using that node’s IP address.

and

2. Run Gluetun + another Tailscale instance in containers. Don’t use host networking, use bridge or something else. Connect to that node as an exit node

As an (advanced) alternative to Gluetun + Tailscale I propose tswg (my project)

I’ve vaguely thought about this with Split DNS.

My concern would be the need to set up some non-Tailnet mechanism to expose it to the internet and keep it secure. Either port forwarding, Pangolin, or even using Funnel… all of which would be better off on a separate device (and maybe a separate VLAN)

It’d be an interesting idea for sure, perhaps for when I can get myself the separate Headscale-dedicated device. Although now I’d have to learn the “normal” zone-based networking ahah

That’s a nice thing with Wireguard yea. I’ll keep this in mind if ever I can grok Tailscale to do such things

• DNS adjustments aren’t needed if you do .well-known delegations which is easier
• Can recommend continuwuity, it runs much better on less resources. Lacks certain features compared to Synapse but overall good
• Notifications (and read markers) depend on client-specific black magic to work
• Federation do sometimes silent-fail completely, you can reset continuwuity’s cache + restart when that happens. But full room history convergence needs patience
• Don’t join large rooms unless your server can handle the load
• Don’t host public rooms without modbots

The many small bugs make Matrix still bad - I wouldn’t recommend a non-tech user unless accompanied by a 24/7 admin. It is trying to improve but very slow because of reasons

Should’ve specifically asked the operators/hosters if they need a better answer. But this has more engagement so

Worth noting that there’s an open issue to support Wireguard peers into Headscale, so you could use it with e.g. a wg0.conf file from a commercial VPN

If you can selfhost and can use containers/docker, I wanna shamelessly plugin my solution: https://github.com/stratself/tswg. Basically mount a WireGuard config from Nord or any upstream VPN, and the container will tunnel traffic to said VPN when you choose it as an exit node.

There are other gluetun + tailscale solutions that are worth a look too

Ah right, completely forgot about that (80 for HTTP-01, 443 for TLS-ALPN-01). Is a bummer unfortunately

Thanks for the guide. How did you get the VPN forwarded port? I believe this depends on the VPN provider’s software?

Let’s Encrypt are rolling out IP-based certs, you may wanna follow its development. I’m not sure if it could be used for your forwarded VPN port, but it’d be nice anyhow

Edit: I believe encryption helps prevent tampering the data between the server and user too. It should prevent for example, someone MITM the connection and injecting malicious content that tells the user to download malware

I’ve poked around Homarr’s setup a bit, and it seems like it can run rootless after a few tweaks!

For anyone interested, I’ve written a POC and feature request here - https://github.com/homarr-labs/homarr/issues/3913

Hope it can be officially supported