Rebuilding my Home Server

Hello community, long-time enthusiast, first-time poster here.

I’m curious, is anyone running a sophisticated home server using Balena at its core?

My 2016 Home Server has been simplified down to a docker-compose file for a few years now, and last week I decided to refresh some of the hardware (processor, memory, OS SSD) to better serve my current needs and take the device to EOL.

Being a believer in continuous delivery and having to rebuild the OS drive, I thought to myself, “wouldn’t this be nice if I could minimize the maintenance responsibilities of the underlying os while automating the delivery of the applications?” which led me back to Balena and the pleasant discovery that the Intel NUC device-type can be reused on normal PC hardware!

So far things are promising. I was able to easily run the installer on the drive for the operating system have two containers deployed so far: Traefik and home assistant. I’m new to Traefik so still working through configuring the reverse-proxy service, but once I have that finalized my plan will be to finish the HA configuration, re-implement a media automation to plex, then extend into other kinds of automation, possibly adding a GH Actions Runner and/or OpenFaaS to handle some of the repetitive processing jobs I have.

If anyone’s done similar for their home servers, I’d love to hear your experiences. Even more so if you’re familiar with any gotchas or have implemented a reverse proxy

I’ve been toying with the same idea myself, but haven’t set up anything yet. I’ll be following this thread :eyes:

Hey there,

I actually started playing with this project for displaying ADS-B plane data locally on a display I have here. That project uses Traefik directly and I was quite a fan of how easy the docker-compose labeling made the reverse proxy setup. I hope that helps you get your feet wet with Traefik!

I see you mentioned setting up a GH actions runner, we have here a runner for GitLab which hopefully gives you some inspiration as well.

Please keep us updated on how your progress goes!!

I have a somewhat inefficient setup in that I have a Raspberry Pi dedicated for each self hosted service. This could be easily combined on to one or two devices rather than the 4-6 that I’m using currently.

However, you may find my balenaCloud stack sources useful for reference?







Please feel free to fork and use for your setup!

1 Like

I would be interested in this as well, as I’m currently running servers on various arm-based SBCs. One of them, a NanoPi M4 is fairly powerful and runs docker just fine. Currently I’m running OpenMediaVault on it, but other than the fact that it does SMB fairly reliably, I don’t like it’s interface for administration. Something like this would be nice, especially with the remote consoles.

Update: So far so good. Thank you everyone for the examples to review, they were very helpful.

The Intel NUC installer worked flawlessly with the consumer-grade parts I purchased, and once the device had a network connection it appeared in the console. From there, I was able to deploy Portainer & Home Assistant behind a traefik reverse proxy using the balena-devices.com device address for the host.

I’m sold at this point. Deploys went from a manual sequence beginning with ssh to balena push. That value alone is tremendous for me.

I’ll share my docker config once I finish the configuration for the services

Here’s my current stable version of my docker-compose file for those who are interested:
docker-compose.yml

I may simplify the current iteration by stripping the static IP assignments for the different services within the proxy network to improve horizontal scaling of services, but that’s more/less bike shedding in the grand scheme of things.

What’s next
HTTPS and SSL. So far I’m able to access my different services though app.device-id.balena-devices.com but in my current configuration, I’m encountering warnings in the browser. Balena’s Public Device URL is the cloud-bridge feature I’ve been wanting for years, but I’m not sure if I’ll be able to fully leverage it for my needs. My SSL/Reverse proxy knowledge is shallow and I realize I lack access to the SSL artifacts for the balena-devices.com domain. Ideally, I’d prefer to use my own domain, https://app.knowhere.space, does anyone have insight if this is possible through the balena infrastructure, or would I have to spin up my own public VPN tunnel?

After that
Implement Authentication/Authorization protections into the reverse proxy using Okta, Auth0, or Google. I have more experience than I care to admit around SAML 2.0/OAuth/OIDC so the challenge here will mostly be around the reverse proxy config, but I’ve already found examples online to help with integrating a third-party identify platform. At minimum, I want protected services to be shielded from being accessible, but ideally, AuthN/AuthZ would transform downstream to the different services.

Once All of That Is In Place
So far I’ve done all of this R&D work using the current configuration of my home server; I haven’t installed the new parts yet. I’ve holding off because I intend to share what I’ve learned through a live-stream/recording, where I will:

  • Install the new Hardware
  • Set up an application in the Balena Platform
  • Set up a repo in Github
  • Add a Github Action to push changes to Balena on merge. I have an example repo already doing this here
  • Populate the Repo as a feature branch & Merge

Post-Streaming Roadmap
I’m keeping the scope of the service mesh narrow for the purpose of the streaming event, but after I do intend to scale the services that the server runs. @klutchell has made of these services low-hanging fruit with his open-source examples (thank you!) so I’ll probably first start with these before turning my attention towards some of my more processor-intensive ideas like a Github Actions Runner or an OpenFaaS solution.

I have to also figure out if I’m going to leverage media services in this device still or not. Biggest hurdle there is that I want the media stored on separate internal storage (2x 1TB drives, no RAID configuration); not sure how kosher that’ll play with Balena. I may make my life easier and finally invest in a storage appliance that can run Plex and Transmission/OpenVPN combo

Hey @theaccordance

Regarding HTTPS & SSL, I have a couple containers that would work for you.

The first one is meant as a web gateway and reverse proxy, so it can get SSL certificates for your custom domains and point incoming traffic to the corresponding LAN address. It uses traefik conf files for domain and LAN IP customization.

https://github.com/klutchell/balena-traefik

Another example would be my Nextcloud stack, which includes Traefik with HTTPS reverse proxy support. This is a good example if you have many services running on one device.

Good luck!

@klutchell are you routing your web gateway through Balena’s VPN or just exposing it directly from your home network?

Exposing ports 80 and 443 directly through my firewall to the traefik host. Then it will be proxied to the correct service/host if the domain name is valid.
I’m not using the balena vpn at all in this case.

giphy

Progress Update:

  • DNS for knowhere.space points to server: :white_check_mark:
  • https: :white_check_mark:
  • ssl wildcard subdomain: :white_check_mark:
  • Add Google OAuth to reverse proxy: :white_check_mark:

I need to invest more in the middleware configuration but at this point, I’m in a solid position to scale services horizontally. Some remarks on the effort:

  • Big source of inspiration has been Smart Home Beginner. They had several detail-rich guides published implementing a secured service mesh using traefik and docker-compose labels. I was able to refer back to sections of their guides throughout my implementation process.
  • Traefik had a steeper learning curve than I expected. Their documentation requires an understanding of perspective to quickly navigate & I had a decent amount of trial & error with how I intended to implement the reverse proxy routing. Once I decided to embrace subdomain.domain.tld as the host rule, everything started falling into place.
  • I couldn’t get SSL to work using the dns challenge for namecheap or digitalocean, ended up using cloudflare and implementation became frictionless. Looks like I’ll get some added benefits from using cloudflare that I wouldn’t have had otherwise as well.
  • Shout out to @klutchell for the duplicati examples, I wasn’t familiar with the service so I gave it a try and :heart_eyes: It’s the perfect backup utility for the balena volume mounts. Implementing a daily backup to Dropbox with a week-long retention policy became trivial.
  • Adding linuxserver/code-server provided me with an editor that could easily modify files within the volumes. It was very useful getting up and going, but I do have figure out a better source-control approach for the content though that I created using it.
  • Using thomseddon/traefik-forward-auth as an auth guard, so if you try to access Traefik@Knowhere, it will ask for you to login using a Google account. If the account is included in my white list, then access to my Traefik dashboard is granted, otherwise it’s denied. I think there’s room for a more-robust solution here but this will do for now.
1 Like

Multi-Disk Limitations

Experimented with my hardware configuration a little & attempted to add 2x 1TB HDDs that I originally included in the server. Device wouldn’t properly boot with the added drives; a brief review of the logs implied problems with the volume mounts. I didn’t investigate further to identify a scope, but research on the forums implied known limitations around multi-disk & mutli-container configurations.

tl;dr: Balena works best with single volumes.

I’m adding a 512GB SSD as part of the hardware refresh, and that’s more than plentiful for any home-server context. In theory, I could invest in a 4TB SSD, or 16TB HDD if I wanted to maximize the space of the single volume. Paired the volume with a Duplicati backup to the cloud, and I see this setup as fairly risk-tolerant.

After 30 Days

  • Being able to quickly iterate on service deployments has been absolutely transformative in building out my home lab. I wish I would have discovered this sooner.
  • If I were starting from scratch and wanted to build a home server, I’d purchase a NUC.
  • Scaling services isn’t without friction. I have a 10-service mesh deployed through Balena. It works, it was fairly easy to deploy, but I’ve run into a few instances where a misconfig with one service brings down the whole mesh. Also, it looks like balena refreshes all the services if I tweak one
  • New Idea: What if I use Balena to deploy kubernetes to my home server? That would help improve the gracefulness of the mesh, and enable me to run jobs using containers.