Nginx Proxy Manager
I recently upgraded from my traditional method of using PfSense’s built-in DNS Resolver to resolve my local domain names, and I pointed the DNS in the resolver to a container running Nginx Proxy Manager. There are some upsides to this, as it is a little easier to issue every service a certificate through Nginx Proxy Manager, but I also noticed some challenges with SSH: because of the way SSH works, the proxy doesn’t properly translate at the layer SSH operates on. You can read more about this issue here
In short, HTTP is layer 7 (Application layer) of the OSI model, and SSH is layer 3 (Network layer). Since all the hostnames point to the proxy manager (172.22.22.93), when you try to SSH to a certain hostname (pf.box, for example), it resolves to 172.22.22.93 and you will only be able to SSH into the Nginx Proxy Manager box. This only affects hostnames, so if you remember the IP address of the PfSense box in this example, you can SSH to its IP address at 172.22.22.1 and it will work as normal. At the HTTP layer the proxy manager sees a socket whose request it can read, forward and translate, while at the Network layer it would have to split apart the packet.
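To make the routing difference concrete, here is an added toy model of the proxy’s decision (example code, not from this post or from Nginx Proxy Manager): it looks at the first bytes a client sends and picks a backend by name. The backend IPs follow the post; the routing table and the rss.box entry are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: a toy of the proxy's routing decision.
# A name-based reverse proxy picks a backend from the first bytes a client
# sends; HTTP carries the hostname (Host header, or SNI for HTTPS), SSH
# does not. Backend IPs follow the post; the table itself is an assumption.
set -eu

# Proxy host entries: requested name -> where to forward.
backend_for_name() {
  case "$1" in
    pf.box)  echo "172.22.22.1:443" ;;
    rss.box) echo "172.22.22.50:8080" ;;   # assumed RSS box behind a long port
    *)       return 1 ;;
  esac
}

# Prints the backend for a client's opening message, or NO_NAME when
# nothing in those bytes names a host (the proxy can then only answer itself).
route_first_message() {
  msg="$1"
  case "$msg" in
    SSH-*)
      # SSH starts with a protocol banner; the hostname the user typed is
      # resolved locally and never sent, so there is nothing to route on.
      echo "NO_NAME"; return 0 ;;
  esac
  host=$(printf '%s' "$msg" | tr -d '\r' | sed -n 's/^[Hh]ost: *//p' | head -n 1)
  [ -n "$host" ] || { echo "NO_NAME"; return 0; }
  backend_for_name "${host%%:*}" || echo "NO_NAME"
}

# Constructed client openings: an HTTP request and an SSH banner.
http_req=$(printf 'GET / HTTP/1.1\r\nHost: pf.box\r\nUser-Agent: curl/8.0\r\n\r\n')
ssh_banner='SSH-2.0-OpenSSH_9.6'

echo "HTTP to pf.box -> $(route_first_message "$http_req")"
echo "SSH  to pf.box -> $(route_first_message "$ssh_banner")"
```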
Nevertheless, the switch so far has piggybacked off my email server lab, where I’ve been able to challenge myself further in understanding how Public Key Infrastructure works. I’ve been able to use PfSense to issue certificates for all these boxes, with the addition of Nginx Proxy Manager, and I’ve allocated them from my own Root Authority, which signs an Intermediate Certificate Authority certificate, which in turn issues the certificates, giving me a chain of trust. It’s still a little more complex than I had hoped to get it set up, and I want to experiment with ways I can automate the certificate generation process, but being able to configure them semi-manually has opened my eyes to why the automation part will be so fulfilling to get going.
For my mail server, I was able to use Let’s Encrypt since it was going to the public web, but since this is all local, I had to issue the certificates myself, which is probably why it starts to get a little more complex. The other downside is that I have to install the certificates manually, but at least once they’re installed they’re pretty much good to go. I don’t have any more SSL certificate warnings or malicious site warnings on my main desktop, which helps streamline my system administration processes.
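The chain described above, built and checked with openssl, as an added example (not the post’s own setup, which does this inside PfSense): a Root CA signs an Intermediate CA, the intermediate signs a per-host certificate, and the same verification a client performs shows why the intermediate must be installed alongside the leaf. The CA names, lifetimes and the temporary directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: build the chain described above
# (own Root CA -> Intermediate CA -> per-host certificate) with openssl and
# verify it the way a client would. All names and lifetimes are assumptions.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; exit 0; }
WORK=$(mktemp -d)
cd "$WORK"

make_chain() {
  # Root CA: self-signed; openssl's default config marks a "req -x509"
  # certificate as CA:TRUE. Keep this key offline in practice.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Homelab Root CA" -keyout root.key -out root.crt >/dev/null 2>&1
  # Intermediate CA: a CSR signed by the root; pathlen:0 stops it from
  # minting further CAs, keyCertSign lets it sign server certificates.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Homelab Intermediate CA" -keyout int.key -out int.csr >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -sha256 -extfile int.ext -out int.crt >/dev/null 2>&1
  # Server certificate for one proxied hostname; browsers match the name
  # against subjectAltName, not the CN.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$1" > leaf.ext
  openssl x509 -req -in "$1.csr" -CA int.crt -CAkey int.key -CAcreateserial \
    -days 397 -sha256 -extfile leaf.ext -out "$1.crt" >/dev/null 2>&1
  # What gets pasted into the proxy host: the server cert followed by the
  # intermediate, so clients that only trust the root can build the chain.
  cat "$1.crt" int.crt > "$1.fullchain.crt"
}

# 0 when the server cert chains to the root through the intermediate.
verify_chain() {
  openssl verify -CAfile root.crt -untrusted int.crt "$1.crt" >/dev/null 2>&1
}

# 0 when verification fails with the intermediate missing: the usual
# "unable to get local issuer certificate" seen when only the leaf is installed.
fails_without_intermediate() {
  ! openssl verify -CAfile root.crt "$1.crt" >/dev/null 2>&1
}

make_chain pf.box
verify_chain pf.box && echo "pf.box chains to Homelab Root CA via the intermediate"
fails_without_intermediate pf.box && echo "without int.crt the same cert is rejected"
```

Only root.crt needs to be trusted by the desktop; the intermediate travels with the server certificate in the fullchain file.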
The other plus side I’ve had with Nginx Proxy Manager is that I can proxy the port number along with the IP address, which means I can potentially run multiple services on the same container without having to worry too much about which port things are on, since I can allocate them better. For something like my RSS feed box, which runs on a port that is tedious to type in, I don’t need to worry about typing it anymore, since the proxy manager fills that in for me from the domain name. It’s very seamless.
Some new container deployments
I’ve added Dashy, a beautiful web interface that helps me access all my favorite tools. I’ve allocated some of my resources so that people in the local network can access them when necessary.
Next, I’ve added Uptime Kuma, which is a beautiful dashboard for checking the pulse of my servers. I think this is neat because I can set it up to integrate with NTFY, which I have locally deployed as well.
NTFY is a new addition that handles push notifications to my Android device, and I love how well it works for being open source. A major fun aside to this project was that I bit the bullet and tried Cloudflare Tunnels (which I didn’t necessarily want to do for my Mail Server in the previous post, because that would be harder to proxy), and it works very well, with the major advantage that I can now use my own domain for my notifications. It is password protected and runs in an Ubuntu LXC container; it just can’t get any better than that.
Another amazing tool I found, when I was looking at the Dashy documentation and stumbled upon the creator’s GitHub, is one the same creator made called ‘Who Dat’. I’ve deployed Who Dat because, funnily enough, I had made a similar tool, but it was tied to a paid API. Who Dat is a free API and you can self-host it, which means I can point it at my domain with Cloudflare Tunnels and have a generous number of queries on any domain(s). I updated my WHOIS Python script to use this API instead of the previous paid one, and now I can use it for my general use case of keeping my domains organized. I was happy to find this one because one of my friends, who also buys a lot of domains, was just about to pay for more credit on an API but loved the project I sent him. Feel free to check it out! I’ll leave the links below for all of these.
I was experimenting with a self-hosted version of Bitwarden, Guacamole, and a self-hosted Wireguard container, which I was wondering if I could set up with Cloudflare tunnels for a VPN, but I think I will table them for somewhere in the near future as I don’t have an immediate need for them.
I’ll be continuing to keep up more frequent updates on this blog, as I’ve constantly been exploring new technologies and having lots of fun. I’ve had plenty of time to experiment, produce music, work on my websites and software, and study for my CCNA, which I’m aiming to take in February. I feel pretty good about my CCNA studies, and that certification would be the cherry on top of all these fun projects.
Take this as a testament though: you see the end result, but I will also let you know that there were lots of moments, even now, where I am constantly questioning why something is working, because sometimes it just gets complex. There are going to be things we’re confused about, but we need to understand that we can take things one step at a time and learn by doing. I know more about TLS now than I did yesterday simply because I took the time to mess up, and that helped me understand what doesn’t work and what does. Whether you’re a technical person or just a friend or family member of mine, I hope this is encouraging!
Helpful Resources
Nginx Proxy Manager
https://www.nginxproxymanager.com
Ntfy – Documentation
https://ntfy.sh
Let’s Encrypt
https://letsencrypt.org/
Pfsense
https://pfsense.org
Cloudflare
https://www.cloudflare.com/
https://www.cloudflare.com/products/tunnel/
Bitwarden
https://www.bitwarden.com
Uptime-Kuma
https://github.com/louislam/uptime-kuma
https://uptime.kuma.pet/
Who Dat – Documentation
https://who-dat.as93.net/
https://github.com/Lissy93/who-dat
Dashy – Documentation
https://dashy.to/docs
Guacamole – Documentation
https://guacamole.apache.org/doc/gug
Mail Server post that I was referencing:
Reddit Post about the TCP layers and SSH with Nginx:
Support Me:
- TaskRunway.com – Take flight into your favorite tools. Free and Open Source.
- ReportName.com – An organized approach to reporting cybercrime.