Inexpensive setup – for personal use
Long gone are the days when we all used to run servers on a shelf at home.
Be it because energy is more expensive, a growing family needs more space, or simply to avoid the heat and noise, we (geeks) end up converging our infrastructure and shrinking it as much as we can without losing the ability to run our labs or small applications for personal use.
Small compute units such as Raspberry Pis helped in the “nanofication” of our home labs (some small companies even used them in data halls to serve their customers): single instances, clusters, inexpensive Linux desktops to start developing on, CCT applications, IP PBXs, containerisation workflows, NAS servers…
I think it is safe to say imagination is (literally) the limit on what you can do with them.
Enter Covid, in the context of the accelerated transformation it brought to the way we work and live. Infrastructure convergence kicked off across businesses in 2020 and is, well, still ongoing.
This convergence exercise has been coupled with a massive migration to the cloud, the latter being by far the most publicised.
Add the chip shortage crisis to the mix: getting that inexpensive Raspberry Pi is now (2022) a completely different reality.
So, where did our labs and personal applications end up?
In the cloud. Be it AWS, Azure, GCP or other less-known cloud players. All of us IT people had to ramp up and learn, almost overnight, how to operate in this “magical” realm: learn concepts like IaC (Infrastructure as Code), speed up DevOps adoption in the organisations we contribute to, learn new technologies and, last but not least, security awareness and the constant drive to stay at the top level when it comes to posture and best practices.
We all started to have access to, and learn about, technology stacks like Docker, Kubernetes, MPS (mail protection systems), Cloudflare and similar.
I am sure this contributed heavily to how many of us run our Home labs. I certainly changed my workflow and infrastructure a lot.
Let us start with a general overview of my setup:

From the diagram above, it is easy to conclude that my setup is composed of several vital aspects and relies on six different providers:
- Tailscale for the fabric and glue.
- Cloudflare, so you can access this blog.
- NextDNS for all the family devices and home perimeter DNS activity ( on top of PiHole ).
- Linode to host a VM that, in turn, runs:
  - Docker Compose
- Datadog free tier for monitoring hosts, containers, networks and services.
This setup drastically reduced some dependencies I had on some home kit.
I used to have my internet access configured on a MikroTik, dialling PPPoE to my ISP; I was running a nano server to have enough compute to run my UniFi controller, WireGuard VPN server, dnsmasq and other minor services that were needed to make everything work together.
Let’s not forget the overhead of keeping everything patched and up to date, and the £0.20/hr that the nano server cost me (at the old kWh prices).
With this setup, I now only use my ISP’s router (and let them deal with updates) and my Pi with PiHole; even my UniFi access points are now managed from a controller running on Docker on a Linode node.
Enter Tailscale (https://tailscale.com/).
Tailscale is simple. It is a zero-config VPN. Honestly, that is pretty much all there is to say about it. So simple it hurts trying to explain 🙂
It is built on WireGuard and provides an easy and efficient management plane, where you manage your identity provider (yes! WireGuard with MFA!!!!), keys, ACLs, etc.
I use the free tier, up to 20 devices, one user, unlimited ACLs and one subnet router (More information here).
I defined an ACL based on tags and tagged my devices according to “zones”, like Home, Cloud, External, etc. The ACL is written so that some tags can access everything, including the subnets published by the subnet router, while other tags are allowed only certain services or are restricted to specific IPs.
As a curious fact, it’s possible to use GitHub to manage your ACL:

One of my Raspberry Pis is used as a subnet router. It advertises routes to my tailnet-connected devices, and you then control who is entitled to access those subnets as needed. Such a feature is handy when travelling and you need to access your CCTV, printer, etc.
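To make the tag-based zoning concrete, here is an added example (not the author's policy, and not Tailscale's own code) of a policy in the shape of a Tailscale ACL file, together with a small evaluator of its allow-list semantics. The tag names, device names, tailnet addresses and the advertised 192.168.1.0/24 subnet are assumptions constructed for the example. It shows the three kinds of rule mentioned above: a tag that reaches everything (the subnet router's routes included), a tag limited to one service on one other tag, and a tag restricted to specific IPs and ports, with everything else denied by default.

```python
"""Simplified evaluator for a tag-based, Tailscale-style ACL policy.

Added example: the policy, tag names, device names and tailnet addresses below
are constructed for illustration and are not the blog author's ACL, and the
evaluator is a teaching model of the allow-list semantics, not Tailscale's code.
Rules only ever grant access; anything no rule grants is denied, and a subnet
advertised by a subnet router is only reachable by the tags whose rules cover it.
"""
import ipaddress
import json

# Constructed policy in the shape of a Tailscale ACL file (tag names assumed).
POLICY = json.loads("""
{
  "tagOwners": {
    "tag:home":     ["autogroup:admin"],
    "tag:cloud":    ["autogroup:admin"],
    "tag:external": ["autogroup:admin"]
  },
  "acls": [
    {"action": "accept", "src": ["tag:cloud"],    "dst": ["*:*"]},
    {"action": "accept", "src": ["tag:home"],     "dst": ["tag:cloud:443", "192.168.1.0/24:*"]},
    {"action": "accept", "src": ["tag:external"], "dst": ["192.168.1.20:554", "192.168.1.30:631"]}
  ]
}
""")

# Constructed tailnet inventory. pi-router advertises 192.168.1.0/24 (the home LAN).
DEVICES = {
    "laptop":    {"ip": "100.64.0.10", "tags": ["tag:home"]},
    "pi-router": {"ip": "100.64.0.11", "tags": ["tag:home"]},
    "linode":    {"ip": "100.64.0.20", "tags": ["tag:cloud"]},
    "phone":     {"ip": "100.64.0.30", "tags": ["tag:external"]},
}


def _host_matches(host, dst_ip, devices):
    """Match the host part of a dst entry: '*', 'tag:<name>', an IP or a CIDR."""
    if host == "*":
        return True
    if host.startswith("tag:"):
        return any(host in d["tags"] and d["ip"] == dst_ip for d in devices.values())
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(host, strict=False)


def _port_matches(spec, port):
    """Match the port part of a dst entry: '*', a single port or 'lo-hi'."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def is_allowed(policy, devices, src_device, dst_ip, dst_port):
    """True if any accept rule lets src_device reach dst_ip:dst_port (IPv4 only)."""
    src_tags = devices[src_device]["tags"]
    for rule in policy["acls"]:
        if rule["action"] != "accept":
            continue
        if not any(s == "*" or s in src_tags for s in rule["src"]):
            continue
        for dst in rule["dst"]:
            host, _, port = dst.rpartition(":")
            if _host_matches(host, dst_ip, devices) and _port_matches(port, dst_port):
                return True
    return False  # default deny


def access_matrix(policy, devices, checks):
    """Evaluate (src_device, dst_ip, dst_port) tuples; returns {check: bool}."""
    return {c: is_allowed(policy, devices, *c) for c in checks}


if __name__ == "__main__":
    checks = [
        ("phone", "192.168.1.20", 554),    # travelling: CCTV stream -> allowed
        ("phone", "192.168.1.20", 22),     # travelling: SSH to the CCTV box -> denied
        ("phone", "100.64.0.20", 443),     # external tag cannot reach the cloud node
        ("laptop", "100.64.0.20", 443),    # home -> cloud, HTTPS only
        ("laptop", "100.64.0.20", 22),     # home -> cloud, SSH denied
        ("linode", "192.168.1.99", 8080),  # cloud tag sees everything, LAN included
    ]
    for check, ok in access_matrix(POLICY, DEVICES, checks).items():
        print(f"{check[0]:>7} -> {check[1]}:{check[2]:<5} {'ALLOW' if ok else 'DENY'}")
```

Running it prints one ALLOW/DENY line per check. The habit it encourages is to write such a matrix down before touching the ACL, so a travelling device gets the CCTV stream and the printer it needs and nothing else. Tailscale's real policy format also has groups, autogroups and other features that this small evaluator does not model.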

This is all fun and games! However, even when managing fewer than 20 devices, having to memorise IP addresses is not the best use of your memory. So this brings us to name resolution across all your devices, independently of where you are running them from.
A few things are possible:
- Run your own DNS (let’s not even start… please)
- Add an A record to the zone associated with your TLD (if you have one)
- Edit the hosts files on all your devices (yeah… right…)
- Run PiHole and use its DNS (good idea, but then it only works at home…)
All good ideas, but the goal is to make it simple, safe and affordable:
Enter NextDNS (the new FW for the new Internet)
This is not a new concept if you are already running something like PiHole. Except, you can have the benefits of blocking adverts and screening your devices against attacks wherever you are (via a client-installed agent).
NextDNS offers you a generous free tier as well: three hundred thousand queries/month and unlimited devices. However, the Pro or Business tiers are so inexpensive that it does not make sense not to subscribe to them.
(By the way, the link on the header above is an affiliate link, feel free to subscribe)
NextDNS brings you not only filtering, parental control, AI threat protection, blocklisting and many other goodies, but also Rewrites. Yes, one of the main points from above: accessing your devices by a logical name and not having to memorise IP addresses:

Another great feature is that you can run multiple profiles. Imagine you need to run content filtering or parental control and do not want to apply it to everyone in your household: you can create a profile for that purpose.

The good thing is that NextDNS does not run exclusively from installed client software. It can be configured as your upstream DNS server, which also keeps all your IoT devices from sending too much telemetry to weird places…



The possibilities with NextDNS are wide, so I insist that you go and give it a try. It is a very good solution.
Hopefully, you made it this far into this post and you are liking my blog. That brings us to:
Linode, Docker and Cloudflare
I used to run my personal infrastructure on AWS (this blog used to run from a Lightsail instance), then moved to Azure, and this summer I decided to move to Linode.
The reason driving this change for me was simplicity and cost. With Linode you can run quite cheap instances (on shared resources) without “hidden” costs.
At the time this post is written, my “production” environment is composed of a single node running Ubuntu, and on it I run some Docker containers via docker-compose, separated as projects. All monitored with Datadog (we will get to this one further down the article).

And there is not much else to say, except that this node is completely isolated from the world, and I can only reach it via Tailscale or the console from the Linode portal. By the way, Linode Firewalls are completely free.

Note: Regarding Docker, I envision some of you asking why not go serverless, since Linode does offer Kubernetes. The reason is simple at this stage: cost. Running a single node with separate docker-compose projects does the job for me for the time being.
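One check worth running on an “isolated” node like this, added here as an example and not taken from the author's setup: docker-compose publishes a port on every interface unless the mapping names a host address, so a single `ports: - "8443:8443"` line quietly exposes a container on the public IP even when the node is otherwise reachable only over Tailscale. The script below reads a constructed compose file (placeholder service names, images and addresses are all assumptions) and classifies each published port by where it actually listens.

```python
"""Audit published ports in a docker-compose file on a node that is meant to be
reachable only over the tailnet.

Added example, not the blog author's compose file: service names, images and
addresses are constructed placeholders. Compose short syntax for a published
port is  [HOST_IP:]HOST_PORT[:CONTAINER_PORT][/PROTOCOL]. With no HOST_IP,
Docker binds to 0.0.0.0, i.e. every interface including the public one, which
silently undoes an "only reachable via Tailscale" design.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

TAILNET_RANGE = ipaddress.ip_network("100.64.0.0/10")  # range Tailscale assigns from
ALL_INTERFACES = {None, "0.0.0.0", "::"}

# Constructed compose file with one correct and two risky publications.
SAMPLE_COMPOSE = """\
services:
  blog:
    image: example.invalid/blog:latest      # placeholder image
    ports:
      - "100.64.0.20:8080:80"              # bound to the tailnet address only
  unifi:
    image: example.invalid/unifi:latest     # placeholder image
    ports:
      - "8443:8443"                         # no host IP -> 0.0.0.0
      - "0.0.0.0:3478:3478/udp"             # explicit wildcard
      - "127.0.0.1:8080:8080"               # loopback only
"""


@dataclass(frozen=True)
class PortMapping:
    host_ip: Optional[str]
    host_port: Optional[str]
    container_port: str
    proto: str


def parse_port_mapping(spec):
    """Parse compose short syntax '[HOST_IP:]HOST_PORT[:CONTAINER_PORT][/PROTO]' (IPv4 host)."""
    body, _, proto = spec.partition("/")
    parts = body.split(":")
    if len(parts) == 3:
        host_ip, host_port, container_port = parts
    elif len(parts) == 2:
        host_ip, (host_port, container_port) = None, parts
    else:  # "8080": ephemeral host port, all interfaces
        host_ip, host_port, container_port = None, None, parts[0]
    return PortMapping(host_ip, host_port, container_port, proto or "tcp")


def classify(mapping):
    """Where the host-side socket listens: all-interfaces, loopback, tailnet or specific-ip."""
    if mapping.host_ip in ALL_INTERFACES:
        return "all-interfaces"
    ip = ipaddress.ip_address(mapping.host_ip)
    if ip.is_loopback:
        return "loopback"
    if ip in TAILNET_RANGE:
        return "tailnet"
    return "specific-ip"


def extract_port_specs(compose_text):
    """Return (service, spec) pairs from each service's 'ports:' list.
    Minimal line-based reader for the short syntax; no YAML library needed."""
    service, in_ports, ports_indent, found = None, False, 0, []
    for raw in compose_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent, line = len(raw) - len(raw.lstrip()), raw.strip()
        if in_ports and line.startswith("-") and indent >= ports_indent:
            spec = line[1:].split("#", 1)[0].strip().strip("\"'")
            found.append((service, spec))
            continue
        in_ports = False
        if indent == 2 and re.fullmatch(r"[\w.-]+:", line):
            service = line[:-1]  # second-level key under 'services:'
        elif line == "ports:" and service is not None:
            in_ports, ports_indent = True, indent
    return found


def audit_compose(compose_text):
    """Return [(service, spec, verdict)] for every published port."""
    return [(svc, spec, classify(parse_port_mapping(spec)))
            for svc, spec in extract_port_specs(compose_text)]


def world_exposed(compose_text):
    """Specs that would listen on every interface: the ones to rebind to 100.x or 127.0.0.1."""
    return [spec for _, spec, verdict in audit_compose(compose_text) if verdict == "all-interfaces"]


if __name__ == "__main__":
    for svc, spec, verdict in audit_compose(SAMPLE_COMPOSE):
        print(f"{svc:<6} {spec:<28} {verdict}")
```

The fix for an all-interfaces finding is to prefix the mapping with the node's tailnet address (100.x.y.z) or 127.0.0.1, and to keep the Linode Cloud Firewall as the second layer: Docker's published ports are handled in its own iptables chains, so a host firewall that only filters the INPUT chain does not cover them.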
From the image above, I am sure you have an idea of how you are getting to read this blog post: via Cloudflare.
On this matter, I am using the free tier (https://www.cloudflare.com/en-gb/plans/#add-ons), which does exactly what is necessary to run this website (thank you, Cloudflare).
It not only allows me to keep my infrastructure private, but it also saves me some work managing SSL certificates, by proxying the traffic:

The requirement is that you move your TLD zone to Cloudflare. Fairly simple, and their DNS management is very simple and complete.
Another nice feature is having access to some stats, for example:

Note on Security and access:
All these services allow you to log in via identity providers. Say you use your Microsoft or Google account: your nice MFA flows are therefore applied to these services.
In my case, I am using a YubiKey, which not only works as my authenticator app, with the extra physical layer of security, but also lets me access some of the services with the key itself, like Cloudflare for example.
Everyone loves a puppy, so Datadog in the house!
Datadog is one of the fastest-growing observability platforms, gaining popularity by the day.
There are also nice tools like Zabbix, Grafana integrated with InfluxDB, Telegraf, Chronograf and Kapacitor (TICK stack).
For the sake of simplicity (and cost) it was a no-brainer to go with the Datadog free tier, where you can access very interesting data (one-day full-resolution data retention) from up to five hosts, with 350 turnkey integrations, providing nice visibility over your infrastructure.
Here are some examples:



You can have a nice personal setup with a very low price tag.
My overall spending with this setup is about £13 per month. I was spending more running servers at home.
If you read until now, I really want to thank you. Drop me a line on Linkedin and I will be happy to chat to you.
Filed under: Opinion, Tech Articles - 16 October 2022 21:00