@[email protected]

Mid 2022, a friend of mine helped me set up a selfhosted Vaultwarden instance. Since then, my “infrastructure” has not stopped growing, and I’ve been learning each and every day about how services work, how they communicate and how I can move data from one place to another. It’s truly incredible, and my favorite hobby by a long shot.

Here’s a map of what I’ve built so far. Right now, I’m mostly done, but surely time will bring more ideas. I’ve also left out a bunch of “technically revelant” connections like DNS resolution through the AdGuard instance, firewalls and CrowdSec on the main VPS.

Looking at the setups that others have posted, I don’t think this is super incredible - but if you have input or questions about the setup, I’ll do my best to explain it all. None of my peers really understand what it takes to construct something like this, so I am in need of people who understand my excitement and proudness :)

Edit: the image was compressed a bit too much, so here’s the full res image for the curious: https://files.catbox.moe/iyq5vx.png And a dark version for the night owls: https://files.catbox.moe/hy713z.png

  • krash@lemmy.ml
    link
    fedilink
    English
    arrow-up
    8
    ·
    10 months ago

    How do you like crowdsec? I’ve used it on a tiny VPS (2 vcpu / 1 GB RAM) and it hogs my poor machine. I also found it to have a bit of learning curve, compared to fail2ban (which is much simpler, but dosen’t play well with Caddy by default).

    Would be happy to see your Caddy / Crowdsec configuration.

    • 7Sea_Sailor@lemmy.dbzer0.comOP
      link
      fedilink
      English
      arrow-up
      4
      ·
      edit-2
      10 months ago

      The crowdsec agent running on my homelab (8 Cores, 16GB RAM) is currently sitting idle at 96.86MiB RAM and between 0.4 and 1.5% CPU usage. I have a separate crowdsec agent running on the Main VPS, which is a 2 vCPU 4GB RAM machine. There, it’s using 1.3% CPU and around 2.5% RAM. All in all, very manageable.

      There is definitely a learning curve to it. When I first dove into the docs, I was overwhelmed by all the new terminology, and wrapping my head around it was not super straightforward. Now that I’ve had some time with it though, it’s become more and more clear. I’ve even written my own simple parsers for apps that aren’t on the hub!

      What I find especially helpful are features like explain, which allow me to pass in logs and simulate which step of the process picks that up and how the logs are processed, which is great when trying to diagnose why something is or isn’t happening.

      The crowdsec agent running on my homelab is running from the docker container, and uses pretty much exactly the stock configuration. This is how the docker container is launched:

        crowdsec:
          image: crowdsecurity/crowdsec
          container_name: crowdsec
          restart: always
          networks:
            socket-proxy:
          ports:
            - "8080:8080"
          environment:
            DOCKER_HOST: tcp://socketproxy:2375
            COLLECTIONS: "schiz0phr3ne/radarr schiz0phr3ne/sonarr"
            BOUNCER_KEY_caddy: as8d0h109das9d0
            USE_WAL: true
          volumes:
            - /mnt/user/appdata/crowdsec/db:/var/lib/crowdsec/data
            - /mnt/user/appdata/crowdsec/acquis:/etc/crowdsec/acquis.d
            - /mnt/user/appdata/crowdsec/config:/etc/crowdsec
      

      Then there’s the Caddyfile on the LabProxy, which is where I handle banned IPs so that their traffic doesn’t even hit my homelab. This is the file:

      {
      	crowdsec {
      		api_url http://homelab:8080
      		api_key as8d0h109das9d0
      		ticker_interval 10s
      	}
      }
      
      *.mydomain.com {
      	tls {
      		dns cloudflare skPTIe-qA_9H2_QnpFYaashud0as8d012qdißRwCq
      	}
      	encode gzip
      	route {
      		crowdsec
      		reverse_proxy homelab:8443
      	}
      }
      

      Keep in mind that the two machines are connected via tailscale, which is why I can pass in the crowdsec agent with its local hostname. If the two machines were physically separated, you’d need to expose the REST API of the agent over the web.

      I hope this helps clear up some of your confusion! Let me know if you need any further help with understanding it. It only gets easier the more you interact with it!

      don’t worry, all credentials in the two files are randomized, never the actual tokens

      • krash@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        10 months ago

        Thanks for the offer! I might take you up on that :-) If you have a Matrix handle and hang out in certain rooms, please DM me and I’ll harass reach out to you there.

        • 7Sea_Sailor@lemmy.dbzer0.comOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          10 months ago

          Hm, I have yet to mess around with matrix. As anything fediverse, the increased complexity is a little overwhelming for me, and since I am not pulled to matrix by any communities im a part of, I wasn’t yet forced to make any decisions. I mainly hang out on discord, if that’s something you use.

    • Sekki@lemmy.ml
      link
      fedilink
      English
      arrow-up
      2
      ·
      10 months ago

      Somehow I only had issues with CrowdSec. I used it with Traefik but it would ban me and my family every time they used my selhosted matrix instance. I could not figure out why and it even did that when I tried it on OPNSense without the Traefik bouncer…