Self-hosting setup, Sept. 2024
Like many, I get annoyed by subscription pricing that doesn’t accurately reflect my needs. I don’t want to spend $5 a month for a color picker app. I don’t really want to spend $4/month on ControlD for ad-blocking and custom internal DNS hosting, and NextDNS is worth $20/year until I hit the five or six times a month it’s completely unresponsive and kills all my internet connectivity.
(I recognize I departed from the mainstream on the specifics there, but my point is still valid.)
I’ve self-hosted this blog and several other websites for more than a decade now; not only is it a way to keep up my Linux/sysadmin chops, it’s also freeing on a personal level to know I have control and important to me on a philosophical level to not be dependent on corporations where possible, as I’ve grown increasingly wary of any company’s motivations the older I get.
So I started looking at options that might take care of it, and over the last few months I’ve really started to replace things that would have previously been a couple bucks a month with a VPS running four such services for $40 a year.
Peep the stackI miss skeumorphism
I had an old TV lying around, so I mounted it on my wall vertically. I grew up on StatusBoard, which was especially invaluable in newsrooms in the early aughts (gotta make that number go up!).
I figured as I got deeper into self-hosting and my homelab I'd want some sort of status board so I could visualize what all was running, and partially just because everybody gets a dopamine hit from blinkenlights when they buy new stuff.
Clicking this link gives the illusion of activityNot everything has to use the same design language! Feels like there’s a space between all and nothing. “Some.” Is that a thing? Can some things be flat and some skeuomorphic and some crazy and some Windows XP?
We can maybe skip over Aero, though. Woof.
I've recently been beefing up my homelab game, and I was having issues getting a Gotify secure websocket to connect. I love the Caddy webserver for both prod and local installs because of how easy it easy to configure.
For local installs, it defaults to running its own CA and issuing a certificate. Now, if you're only running one instance of Caddy on the same machine you're accessing, getting the certs to work in browsers is easy as running caddy trust
.
But in a proper homelab scenario, you're running multiple machines (and, often, virtualized machines within those boxes), and the prospect of grabbing the root cert for each just seemed like a lot of work. At first, I tried to set up a CA with Smallstep, but was having enough trouble just getting all the various pieces figured out that figured there had to be an easier way.
There was.
I registered a domain name (penginlab.com) for $10. I set it up with an A record pointing at my regular dev server, and then in the Caddyfile gave it instructions to serve up the primary domain, and a separate instance for a wildcard domain.
When LetsEncrypt issues a wildcard domain, it uses a DNS challenge, meaning it only needs a TXT record inserted into your DNS zone to prove it should issue you the server. Assuming your registrar is among those included in the Caddy DNS plugins, you can set your server to handle that automatically.
(If your registrar is not on that list, you can always use
certbot certonly --manual
and enter the TXT record yourself. You only need to do it once a quarter.)
Now we have a certificate to use to validly sign HTTPS connections for any subdomain for penginlab.com. You simply copy down the fullchain.pem and privkey.pem files to your various machines (I set up a bash script that scp
s the file down to one of my local machines and then scp
s it out to everywhere it needs to go on the local network.)
Once you have the cert, you can set up your caddy servers to use it using the tls
directive:
tls /path/to/fullchain.pem /path/to/privkey.pem
You'll also need to update your local DNS (since your DNS provider won't let you point public URLs at private IP addresses), but I assume you were doing that anyway (I personally use NextDNS for a combination of cloud-based ad-blocking and lab DNS management).
Bam! Fully accepted HTTPS connections from any machine on your network. And all you have to do is run one bash script once a quarter (which you can even throw on a cron). Would that all projects have so satisfying and simple a solution.
I'm definitely not brave enough to put it on a cron until I've run it manually at least three times, TBH. But it's a nice thought!