My personal infrastructure as code and other automation files
| Name | CPU | RAM | Storage | Network (Up/Down) |
|---|---|---|---|---|
| Homelab | Intel i5-6400 (4 Cores) | 16GB | ∞ | 300/100 Mbps |
| HDZ VPS | 4 vCPU | 6GB | 100GB | 10 Gbps |
- Add the ability to dump config directly into the soju database
- Let container roles (vaultwarden, soju) add their own config to the nginx role somehow
- Decide on file ownership and permissions: the caddy_reverse_proxy role currently just sets 0740, but which user and group should own the files?
- Restrict ansible user's sudo to certain commands
- Implement GeoIP blocking in the reverse proxy.
- Configure backups to a cloud provider.
Minimum of a 3-2-1 backup strategy (three copies, on two different media, with one copy off-site).
**HDZ Data Copies**
- Live production copy.
- Homelab should pull backups from HDZ to store locally.
- Push backups to a cloud storage provider.
**Homelab Data Copies**
- Live production copy.
- Homelab should push its own backups to a local disk.
- Push only critical data to cloud storage provider to reduce costs.
- Ansible playbooks should run on the Homelab node.
- Automated version upgrades using Renovate.
- Backups should be automated with a bash script around restic, run from a cron job.
- Restores do not need to be automated.
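A worked version of the backup plan above, added here as an example and not this repository's own script: a POSIX shell runner for the restic cron job that produces the per-node copies listed above (HDZ: the full data set to its own disk, which the Homelab pulls, and to the cloud; Homelab: the full set to a local disk, only the critical paths to the cloud, plus a pull of the HDZ repository over the one-way SSH connection), then applies retention and runs `restic check` on every repository. The repository locations, data paths, the `hdz` SSH alias, the retention numbers and the `RESTIC_BIN`/`RSYNC_BIN` overrides (for dry runs against a stub) are assumptions.

```shell
#!/bin/sh
# Added example (not this repository's script): 3-2-1 restic backup runner
# for the HDZ and Homelab roles. Repository locations, data paths, the "hdz"
# SSH alias and the retention numbers below are placeholders.
set -eu

LOCAL_REPO="${LOCAL_REPO:-/mnt/backup/restic}"            # copy 2: local disk
CLOUD_REPO="${CLOUD_REPO:-s3:s3.example.com/backups}"      # copy 3: off-site
HDZ_REPO_SRC="${HDZ_REPO_SRC:-hdz:/mnt/backup/restic/}"    # HDZ repo pulled by Homelab
# Space-separated path lists (this script assumes no whitespace in the paths).
ALL_PATHS="/srv/vaultwarden /srv/ente /srv/postgres-dumps /etc/caddy"
CRITICAL_PATHS="/srv/vaultwarden /srv/postgres-dumps"
KEEP_POLICY="--keep-daily 7 --keep-weekly 4 --keep-monthly 6"
# RESTIC_PASSWORD_FILE and the S3 credentials are expected in the environment
# (a root-only env file sourced by the cron entry), never on the command line.
# RESTIC_BIN / RSYNC_BIN can be pointed at a stub for a dry run.

# Snapshot the given paths into a repository, tagged by role.
# $1 = repo, $2 = tag, remaining arguments = paths
run_backup() {
  _repo=$1; _tag=$2; shift 2
  "${RESTIC_BIN:-restic}" -r "$_repo" backup --tag "$_tag" \
    --one-file-system --exclude-caches "$@"
}

# Apply the retention policy and drop data that no snapshot references.
prune_repo() {
  "${RESTIC_BIN:-restic}" -r "$1" forget --prune $KEEP_POLICY
}

# Verify repository structure and re-read a random 5% of pack data each run,
# so silent corruption is caught before a restore is needed.
check_repo() {
  "${RESTIC_BIN:-restic}" -r "$1" check --read-data-subset=5%
}

# Homelab pulls HDZ's repository over the one-way SSH connection; HDZ never
# holds credentials for the Homelab.
pull_hdz_repo() {
  "${RSYNC_BIN:-rsync}" -a --delete "$HDZ_REPO_SRC" "${LOCAL_REPO}-hdz/"
}

# Run the copies for one role, then retention and integrity checks.
plan_for_role() {
  case "$1" in
    hdz)
      run_backup "$LOCAL_REPO" hdz-full $ALL_PATHS
      run_backup "$CLOUD_REPO" hdz-full $ALL_PATHS
      ;;
    homelab)
      run_backup "$LOCAL_REPO" homelab-full $ALL_PATHS
      run_backup "$CLOUD_REPO" homelab-critical $CRITICAL_PATHS
      pull_hdz_repo
      ;;
    *)
      echo "usage: $0 hdz|homelab" >&2
      return 2
      ;;
  esac
  for r in "$LOCAL_REPO" "$CLOUD_REPO"; do
    prune_repo "$r"
    check_repo "$r"
  done
}

# Cron entry for root, daily at 03:00 (example):
#   0 3 * * * . /etc/backup.env && /usr/local/sbin/backup.sh homelab >>/var/log/backup.log 2>&1
if [ $# -gt 0 ]; then
  plan_for_role "$1"
fi
```

The cloud copy for the Homelab is deliberately limited to `CRITICAL_PATHS`, which is where the cost saving in the plan comes from; the local disk still holds everything. Restores stay manual, as the plan states: `restic -r <repo> restore latest --target <dir>` works against either repository, and the `check --read-data-subset` pass on every run is what gives confidence that a restore will actually succeed.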
- Homelab needs a one way connection to HDZ.
- HDZ services need to be exposed directly.
- Homelab services should be gated behind VPN.
- Caddy
- Vaultwarden
- Ente
  - Local Postgres, remote S3 backend
- SSH Key only authentication.
- Crowdsec bouncer for Caddy.
- Block GeoIP ranges from any country other than the US.
- Consider writing an application that, once a user has authenticated, whitelists their IP for a limited duration to reduce the attack surface.
- Homelab should be responsible for all observability.
  - Prometheus for metrics, Grafana for visualization; a log parser still needs to be chosen.
  - Consider Wazuh.