Self hosted web services and infrastructure

I'm a strong advocate for local hosting over cloud services provided by big tech companies like Google, Apple, Facebook, Amazon, and Microsoft (GAFAM).

I have no trust in these corporations, and some of their decisions pose significant threats to civil rights. For instance, Apple's move to scan all your photos for illegal content (initially). The importance of data sovereignty and the risk of surveillance are critical issues.

Thus, to the best of my ability, I prefer to host everything myself.

At home, everything revolves around the following microserver (in a NUC form factor):

  • Ryzen 4800U (15 W TDP)
  • 32 GB of DDR4
  • 1 TB NVMe SSD
  • 1 TB SATA HDD (backups)
  • 2x 1 Gb NICs

The only publicly open port is 443. It is NATed via pfSense to an LXC running nginx, which acts as a reverse proxy for the different services. It provides TLS termination and a Web Application Firewall.
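As an added example (not the author's configuration), this is roughly what that nginx reverse proxy layer could look like: a single TLS listener on 443 that routes by hostname to two of the services listed below, each in its own LXC, plus a catch-all that answers nothing to requests for unknown hosts. Hostnames, internal addresses and certificate paths are placeholders, and ModSecurity is assumed as the WAF since the page does not name one.

```nginx
# Added example, not the author's config. Hostnames, addresses and cert
# paths are placeholders; ModSecurity (ModSecurity-nginx connector) is an
# assumed WAF. Lives inside the http {} context, e.g. /etc/nginx/conf.d/.

ssl_protocols TLSv1.2 TLSv1.3;          # no legacy TLS on the one open port
add_header Strict-Transport-Security "max-age=63072000" always;

modsecurity on;                         # WAF applies to every vhost below
modsecurity_rules_file /etc/nginx/modsec/main.conf;   # placeholder path

# Catch-all: unknown Host header -> connection closed (444 is nginx-specific),
# so scans of the bare IP learn nothing about what is hosted.
server {
    listen 443 ssl default_server;
    ssl_certificate     /etc/nginx/tls/fallback.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/fallback.key;   # placeholder
    return 444;
}

# Photo library (Lychee) in its own LXC, reached over the internal network
server {
    listen 443 ssl;
    server_name photos.example.net;                    # placeholder
    ssl_certificate     /etc/nginx/tls/photos.crt;     # placeholder
    ssl_certificate_key /etc/nginx/tls/photos.key;     # placeholder
    location / {
        proxy_pass http://10.0.10.21:80;               # placeholder address
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;      # app sees TLS was used
    }
}

# Password manager (Vaultwarden): same pattern, plus the WebSocket upgrade
# its notification endpoint needs
server {
    listen 443 ssl;
    server_name vault.example.net;                     # placeholder
    ssl_certificate     /etc/nginx/tls/vault.crt;      # placeholder
    ssl_certificate_key /etc/nginx/tls/vault.key;      # placeholder
    location / {
        proxy_pass http://10.0.10.22:80;               # placeholder address
        proxy_http_version 1.1;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        "upgrade";
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Because the backends only ever see the proxy's address, the X-Forwarded-For header is what lets the applications and their logs attribute requests to real clients.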

At home, I have a symmetrical 1 Gbps FTTH connection. It goes into one of the NICs of the Ryzen 4800U.

Services

  • Internet routing (pfSense)
    • NAT
    • Firewall
    • IDPS (Suricata)
    • Ad blocking (DNSBL)
  • Online photo library (Lychee)
  • UniFi access point management (UniFi Network)
  • Blogging (Publii)
  • Webmail (Roundcube)
  • Home automation (Home Assistant)
  • Statistics (Munin)
  • VPN (WireGuard)
  • Password manager (Vaultwarden)
  • CCTV (Frigate + Coral TPU)
  • Internal file sharing (Samba)
  • Web hosting (nginx + php-fpm)
  • Email
    • Postfix + Dovecot
    • Proxmox Mail Gateway

Most of the services run in dedicated LXCs, some run in actual VMs.

Backups

A first backup of all VMs and LXCs is done from the internal NVMe SSD to the internal HDD.

A second backup goes to a Raspberry Pi enclosed in an aluminium case and powered by PoE. It runs Debian with an NFS server, with a 1 TB microSD card for storage.