Home on slefhost.casa

Cloudflare load balancer for home lab services

Thu, 18 Sep 2025 00:00:00 +0000

Cloudflare LB Setup

Traffic -> Load Balancing -> Create Load Balancer (paid feature) Each tunnel you created in the first step was assigned an origin address, which you’ll use here for the two orgins in your load balancer. I’ve set each to 50%, alternating each request evenly between the two tunnels. The hostname of your load balancer will be the endpoint that you can use for other CNAMEs as you add ingress rules for local services you want to host or expose. To ensure your LB groups show as healthy, add in the healthcheck endpoint defined in your ingress rules, which should look like this https://lb-hostname.domain.net/check I find this setup to be my preference vs hosting my own Traefik proxy (or similar) since I do not need to open up any ports on my firewall.

Configure Split DNS with Tailscale and Local DNS

Fri, 08 Aug 2025 00:00:00 +0000

asd Tailscale is a fantastic tool for securely accessing all your systems and applications remotely. However, it does come with some trade-offs — especially when it comes to DNS. By default, Tailscale takes over your system’s DNS settings. While non-Tailscale domains are generally forwarded to your local resolver, that behavior depends on Tailscale functioning correctly.

Recently, I ran into an issue where one of my nodes had an expired key and couldn’t connect to the tailnet anymore. As a result, all DNS queries on that system failed, even for unrelated domains.

Deploying a Hugo Site with Cloudflare Workers

Sun, 20 Jul 2025 00:00:00 +0000

I recently migrated my blog from Jekyll to Hugo — more on that soon. As part of the migration, I needed to set up deployments to Cloudflare. I typically use Cloudflare Pages, but when I went to configure it, I was met with a notice recommending Cloudflare Workers for new projects.

While Cloudflare hasn’t explicitly stated the future of Pages, it’s clear that the focus and innovation are shifting toward Workers.

Managing Portainer Stacks Using GitOps

Mon, 07 Jul 2025 00:00:00 +0000

Container orchestration can quickly become complex as your infrastructure grows. By combining Portainer’s intuitive UI with a GitOps workflow, you can declaratively manage your Docker stacks and enjoy both transparency and reproducibility. In this post, we’ll walk through the process of installing Portainer, configuring GitOps using a Git repository, and automating deployments of your Docker stacks.

Why GitOps with Portainer?

Declarative Infrastructure: Store your stack definitions (Compose files, environment variables, configs) in Git — your single source of truth.
Version Control & Auditability: Every change is tracked, making rollbacks and audits straightforward.
Self-Service Deployments: Propose changes via pull requests, fostering collaboration and code review.
Automated Sync: Portainer’s GitOps integration will automatically reconcile your live environment with the desired state in Git.

Install Portainer

The first step is to install Portainer on the host where you plan to manage your Docker Compose stacks.

Ansible Essentials Managing Secrets with Vault

Thu, 29 May 2025 00:00:00 +0000

Storing API keys, tokens, and passwords in your playbooks isn’t safe—especially if you keep your Ansible project in version control. That’s where Ansible Vault comes in. It lets you encrypt sensitive variables while still using them like any other part of your automation.

In this third part of the series, I’ll show you how I use Vault to securely manage secrets in my homelab setup. In this example, we’ll use Vault to store a Tailscale auth key, which one of my roles uses to authenticate a server into my private Tailscale network.

Remote Packet Capture with Wireshark

Mon, 26 May 2025 00:00:00 +0000

This guide explains how to configure Wireshark for remote packet capture over SSH using tcpdump.

Prerequisites

Wireshark installed on your local machine.
SSH access to the remote host:
- Either standard SSH with sudo privileges, or
tcpdump installed on the remote host.

Configuring Remote Capture in Wireshark

Steps in Wireshark

Navigate to: Capture ? Options ? Manage Interfaces.
Click the options icon next to SSH Remote Capture.
Enter the interface details:

Ansible Essentials Playbooks, Roles & Handlers

Mon, 19 May 2025 00:00:00 +0000

In this part of the Ansible series, you’ll learn how to automate routine system maintenance tasks like updating packages and rebooting, while organizing your project using roles and handlers for better structure and reuse.

What Are Ansible Roles?

Roles are a way to organize your Ansible code into reusable, modular components.

A role has a standard folder structure (tasks/, handlers/ etc.), and can include everything needed to configure a specific part of your system.

Ansible Essentials Installation & Configuration

Thu, 15 May 2025 00:00:00 +0000

Ansible is a powerful automation tool that lets you manage your infrastructure using simple, repeatable playbooks. In this first part of the series, you’ll install Ansible, configure SSH access, and run your first task — laying the foundation for automating your homelab.

Install Ansible

Install Ansible on your local workstation or control node. In my case I use a my macbook as “control node”.

Ensure pip is available and up to date:

Automating Dependabot for Docker Compose

Mon, 12 May 2025 00:00:00 +0000

Keeping dependencies up to date is essential for security and maintainability—but manually managing updates across multiple docker-compose.yml files in a project can be tedious. In this post, I’ll show you a small Bash script I wrote to automate the generation of a dependabot.yml file. It scans your repo for all Docker Compose files and configures Dependabot to check them for updates monthly. It’s lightweight, efficient, and ensures you never miss a patch. Let’s dive in. We will automate the updating the dependabot.yml with Github Actions.

Setting Up Your Travel Router | Secure and Reliable Internet Anywhere

Sat, 05 Apr 2025 00:00:00 +0000

Whether you’re a digital nomad, a frequent traveler, or just someone who values a secure and stable internet connection on the go, a travel router can be a game-changer. In this guide, we’ll walk you through everything you need to know about setting up your travel router—from choosing the right model securing your connection, and optimizing performance. Stay connected, stay secure, and make the most of your travel router wherever you go!

Setting up VyOS router for your home network

Tue, 25 Mar 2025 00:00:00 +0000

Setting up a VyOS router for your homelab gives you enterprise-grade networking with open-source flexibility. In this post, we’ll cover the essential steps to install and configure VyOS for a more secure and efficient network.

VyOS provides a free routing platform that competes directly with other commercially available solutions from well-known network providers. Because VyOS is run on standard amd64 systems, it can be used as a router and firewall platform for cloud deployments.

Monitoring Tailscale clients with Prometheus

Mon, 17 Feb 2025 00:00:00 +0000

Tailscale makes secure networking easy, but how do you monitor its performance? In this guide, we’ll set up Prometheus to collect key Tailscale metrics and gain insights into your mesh VPN connections. Learn how to track bandwidth usage and ensure your network is running smoothly—all with open-source monitoring tools! 🚀

Setting up Prometheus and Grafana is beyond the scope of this post. If you’re interested in setting them up, check out this guide.

How I use GitHub Actions to update my blog daily

Fri, 31 Jan 2025 00:00:00 +0000

This blog is hosted on Cloudflare Pages for optimal loading speed. As a static website built with Jekyll and the Chirpy theme, it relies on a trigger to prompt Cloudflare to rebuild and publish the site. In a previous post, I showed how to set up Jekyll with Cloudflare Pages, where Cloudflare monitors your Git repository and automatically rebuilds the site with every merge or commit.

Jekyll allows posts to be scheduled based on the date in the frontmatter, so I often write posts in advance while working on something new. This means there won’t always be a commit or merge to trigger a rebuild on the right date to publisch a post. Instead of only relying on Cloudflare to watch the repository, we needed a trigger to rebuild the site. This is where GitHub Actions comes in.

Selfhost your website analytics with Umami

Wed, 29 Jan 2025 00:00:00 +0000

Umami is an open-source, privacy-focused web analytics tool that serves as an alternative to Google Analytics. It offers essential insights into website traffic, user behavior, and performance while prioritizing data privacy. Unlike many traditional analytics platforms, Umami does not collect or store personal data, ensuring compliance with GDPR and PECR, and eliminating the need for cookies.

What makes Umami even more appealing is that it can be self-hosted, giving you full control over your data. In this guide, we’ll walk through the process of setting up Umami on your own server and exposing it via Cloudflare Tunnel, allowing it to securely collect the analytics sent by your website, all while maintaining privacy.

Connecting selfhosted apps to Tailscale with TSDProxy

Sat, 25 Jan 2025 00:00:00 +0000

Warning

This project appears to be abandoned. Use at your own risk.

Self-hosted applications often involve juggling network configurations, firewall rules, and ensuring secure access from anywhere. Tailscale simplifies this process by creating a secure, private network—called a “tailnet”—that seamlessly connects all your devices.

Setting up an Mikrotik Router

Sun, 05 Jan 2025 00:00:00 +0000

Setting up a MikroTik router for your homelab can be an exciting way to improve network performance, security, and management. MikroTik routers are known for their flexibility, power, and affordability, making them an ideal choice for homelab enthusiasts looking to build a robust network infrastructure. In this post, we’ll walk you through the essential steps to get your MikroTik router up and running.

Connect to the router

To configure the MikroTik router, you’ll first need to establish a connection. We recommend using either a serial cable or an SSH connection. These methods allow you to easily copy and paste the configuration commands provided below, making the setup process more efficient and error-free.

About selfhost.casa

Fri, 03 Jan 2025 08:00:00 -0900

Why .casa domain?

The word casa means “home” or “house” in several Romance languages, including Spanish, Italian, Portuguese, and Romanian. While the Latin root casa originally meant “hut” or “cottage,” its meaning expanded over time to encompass a broader sense of “house” or “home” within these languages. Now it makes sens to do self hosting or a homelab at, well, home

Motivation:

What is a Homelab?

In case you have never heard the term, Homelab is the name given to a server (or multiple server setup) that resides locally in your home and where you host several applications and virtualized systems for testing and developing or for home and functional usage.

Secure Your Homelab with Tailscale & Cloudflare

Mon, 21 Oct 2024 00:00:00 +0000

There are instances when you want to ensure that only you have remote access to specific areas of your homelab. In this post, we’ll explore how to leverage Tailscale, Traefik, and Cloudflare to establish a private and secure connection to your homelab services.

Cloudflare

Cloudflare API

To begin, we need to generate the necessary API keys with Cloudflare.

Go the API page and login with your Cloudflare Account.

Create a API Key on the link above.

Setup ntfy for selfhosted notifications

Tue, 01 Oct 2024 09:00:00 +0200

In today’s world, staying informed about events in our homelabs is essential. ntfy is a straightforward HTTP-based notification service that allows you to send notifications to your phone or desktop from any computer using scripts or a REST API. The best part? You can host it entirely within your own homelab.

In this guide, we’ll show you how to make ntfy publicly accessible through Cloudflare Tunnels, ensuring you receive notifications wherever you are.

Secure your Cloudflare Tunnel with Authentik

Wed, 04 Sep 2024 00:00:00 +0000

Enhancing the security and accessibility of your self-hosted applications is simplified with the right tools. By leveraging Cloudflare Tunnels and Authentik, you can create a powerful combination that fortifies your setup. Cloudflare Tunnels allow you to securely expose your local server to the internet, concealing your IP address and eliminating the need for port forwarding. In tandem, Authentik provides robust authentication and access control features.

This blog post will guide you through the process of integrating Cloudflare Tunnels with Authentik, demonstrating how to secure your self-hosted services effortlessly.

Self-hosting securely with Cloudflare Tunnels

Wed, 21 Aug 2024 00:00:00 +0000

In the world of self-hosting, secure and reliable server access is crucial. Cloudflare Zero Trust offers a solution through Cloudflare Tunnels, allowing secure access to self-hosted services without opening ports or changing firewall settings. By creating an outbound-only connection to Cloudflare, traffic remains encrypted and routed through its global network, enhancing security and performance while protecting your server from direct attacks.

Create Cloudflare Tunnel

Docker compose

To get started, we need to set up a directory to store our docker-compose.yml file.

Selfhost a Single Sign-on MFA with Authentik

Mon, 22 Jul 2024 00:00:00 +0000

Managing authentication and access control for self-hosted applications can be complex. Authentik, an open-source identity provider, simplifies this with features like single sign-on (SSO), multi-factor authentication (MFA), and seamless integration with various apps, enhancing security and user management.

In this post, we’ll walk you through setting up Authentik to streamline access control and strengthen security for your self-hosted services.

Setting Up Authentik

First, create a directory to store the docker-compose.yml file

Jekyll & Chirpy blog on Cloudflare Pages

Mon, 15 Jul 2024 00:00:00 +0000

Jekyll is a versatile static site generator that turns plain text into beautifully designed static websites and blogs. It’s perfect for documentation sites, blogs, event sites, or any type of website you need. With Jekyll, you get a fast, secure, easy-to-use, and open-source tool for building static sites.

In this guide, we’ll walk through installing and configuring Jekyll with the Chirpy theme. We’ll set up the site, create some pages using Markdown, and even host it for free using Cloudflare Pages.

Material for MkDocs on Cloudflare Pages

Mon, 08 Jul 2024 00:00:00 +0000

Material for MkDocs is a responsive, modern, and highly customizable theme that elevates the look and functionality of your MkDocs documentation site. Paired with Cloudflare Pages, it offers a fast, secure, and reliable hosting solution optimized for performance and scalability.

In this guide, we’ll walk through installing and configuring Material for MkDocs. We’ll set up the site, create pages using Markdown, and deploy it for free on Cloudflare Pages.

Github

To kickstart your mkdocs deployment you can use the template I created, by following the steps below.

Traefik Essentials Monitoring with Grafana, Prometheus & Loki

Mon, 01 Jul 2024 00:00:00 +0000

We all enjoy visually appealing graphs filled with data, especially for the services we host. Thankfully, Traefik exposes useful metrics on EntryPoints, Routers, Services, and more. By using Prometheus to scrape these metrics and integrating Promtail with Loki for log collection, we can create a complete monitoring solution.

Setting up Grafana, Prometheus, Promtail and Loki is out of scope of this Story. See my other stories on how to setup Grafana & Prometheus and Promtail & Loki

Log Monitoring with Loki & Promtail

Mon, 24 Jun 2024 00:00:00 +0000

Monitoring isn’t just about metrics—it’s about ensuring application health. Centralized logging with Loki and Grafana provides deeper insights by visualizing and searching logs, helping you quickly identify and resolve issues.

Setup Loki

To set up Loki, we need to create a folder to hold both the docker-compose.yml and the configuration file.

First, create the folder for Loki:

BASH

1mkdir loki

 Click to expand and view more

Open a new docker-compose.yml file for editing:

Host & Container Monitoring with Prometheus

Wed, 12 Jun 2024 00:00:00 +0000

Monitoring your systems and containers is essential for maintaining a reliable homelab or home server. A popular setup involves Prometheus, Node Exporter, and cAdvisor for collecting metrics, combined with Grafana for creating insightful dashboards.

In this guide, we’ll set up a complete monitoring solution by:

Configuring Prometheus to scrape metrics from Node Exporter and cAdvisor.
Using Grafana to visualize the data with intuitive dashboards.

Let’s dive in and build a robust monitoring stack!

Traefik Essentials Reverse Proxy with Docker & Let’s Encrypt

Tue, 21 May 2024 00:00:00 +0000

What is Traefik

Traefik is an open-source reverse proxy and load balancer, perfect for managing containerized applications in your homelab or home server. It integrates seamlessly with Docker, automatically detecting services, configuring routing, and securing connections with SSL. Designed for dynamic, self-hosted environments, Traefik adapts to changes in real-time, making it ideal for scaling and simplifying your setup.

In this guide, we will set up the Traefik Docker container, configure Let’s Encrypt for obtaining SSL certificates.