Self hosted web services and infrastructure

Julien ARNAUD

[this article is a work in progress]

I'm a strong advocate for local hosting over cloud services provided by big tech companies like Google, Apple, Facebook, Amazon, and Microsoft (GAFAM).

I have no trust in these corporations, and some of their decisions pose significant threats to civil rights. For instance, Apple's move to scan all your photos for illegal content (initially). The importance of data sovereignty and the risk of surveillance are critical issues.

Thus, to the best of my ability, I prefer to host everything myself.

At home, everything revolves around the following microserver (in a NUC form-factor)

  • Ryzen 4800U (15W TDP)
  • 32 GB of DDR4
  • 1 TB NVMe SSD
  • 2x 4 TB S-ATA SSD (backups) 
  • 2x 1Gb NIC

The only publicly open port is 443. It is NATed via pfsense (now migrated to OPNsense) to an LXC running nginx, which is acting as a reverse proxy for the different services. It provides TLS encryption and a Web Application Firewall (ModSecurity, with attempts to migrate to openappsec unsuccessful due to poor LXC support from openappsec).

At home, I have an FTTH 1Gbps symetrical. It goes into one of the NIC of a Ryzen 4800U.

Services

  • Proxmox Virtual Environment (Virtualization)
  • Proxmox Backup Server (Backups)
  • Internet Routing (pfSense, now OPNsense)
    • NAT
    • Firewall
    • IDPS (Suricata)
    • Ads and trackers blocking (DNSBL)
    • Geoblocking (GeoIP)
  • Online photo library (Lychee)
  • Unifi Access point management (Unifi Network)
  • Bloging (Publii)
  • Webmail (Roundcube)
  • Home automation (Home Assistant)
  • Statistics (Munin)
  • VPN (Wireguard)
  • Password manager (Vault Warden)
  • CCTV (Frigate + Coral TPU)
  • Internal file sharing (Samba)
  • Web Hosting (nginx + php-fpm)
  • Email
    • Postfix+Dovecot
    • Proxmox Mail Gateway

Most of the services run in dedicated and unprivileged LXCs, some run in actual VMs.

Backups

The first backup of all VMs and LXCs is done from the internal NVMe SSD to the one of the internal 4To S-ATA SSD using Proxmox Backup Server.

A second backup goes to a Raspberry enclosed in an aluminium case and powered by PoE. It runs Debian with an NFS server, with a 1 TB microSD card. This server lives outside the house, and would survive if a fire consummed the whole house.