I think it’s overkill for homelab

How about a remote VPS?

Do you have a particular risk that you are worried about?

A couple of the Docker compose files I’ve used have non-hashed secrets in the compose itself. I am assuming, should someone penetrate the firewall, and gain access to Portainer somehow, they could see these compose entries just like I can. While I feel like I have adequately hardened the server (Lynis reports a score of 87) and I have rather robust ids/ips, firewall, and assorted accoutrements to support a secure server, there’s always that ‘what if’ scenario running in my brain and it causes doubt. Perhaps a secrets manager is over kill for a single user, docker container server.

“Don’t feel crazy/bad/dumb, I’ve had the same thing happen to me!”

There you go. As far as ‘my area’ I didn’t grow up in the US or any particular area. I grew up around the world and multiculturaly, so there is no telling where I picked that up at. LOL

The way you go about it on your wiki, is almost the same process/format, tho not as fancy . I’ll even throw in a couple links to tuts I found useful for that particular segment in the notes.

was some variation of crazy/bad/dumb?

No, no, no. I wouldn’t call you crazy or dumb. It was meant as ‘don’t feel singled out’ or ‘don’t feel like you’re the only one’.

NOTE: The instructions aren’t exactly difficult! So, I don’t see how I’d have gotten it wrong!

Dude, don’t feel pregnant. It took me an embarrassingly long time to wrap my noodle around Caddy. Seriously, I just couldn’t grasp what was going on in the Caddyfile. Then, after extensive trial and error, I happened upon one tutorial that changed everything. Now it’s so simple for me, but at the time, I felt like a complete dumbfuck.

Is it a single server?

Well I run a hybrid set up of 3 VPS and one rack in the closet.

Maybe something like sops is all you need

Unpack that a little for me if you would.

That’s a K8s application I’ve never explored, and the ‘commit the encrypted secrets to git and deploy with ArgoCD’ is well above my pay grade at the moment. Not saying it’s not unattainable, however, I’m still trying to thoroughly understand Docker, which should take me quite a while. LOL

Ansible is one of those ‘on the list’ things to check out. It seems to have a broad range of applications.

as they are often stored unencrypted by the service/app that needs it

That’s what I’m worried about

An encrypted disk might be better in that case.

See, that is one of the ideas I’ve been toying with. I’ve never encrypted a remote VPS. I have encrypted all my local drives. There is some response loss on local drives it seems to me. Negligible, but still. I’m just wondering if there would be a performance hit.

Thinking about getting some or most of this over to a service like hetzner, perhaps even splurging on a baremetal dedicated system.

If I may, I find LUXVPS to be quite capable and responsive hosts.

Black Luxury Deal #1

   4 vCores (Xeon Gold 6150)
    26 GB DDR4 RAM
    150 GB Raid 1 NVMe
    1 Gbit internet speed | 40 TB Traffic
    1x IPv4
    1x /64 IPv6
    3.2Tbit Premium DDoS Protection
    24/7 Ticket Support
    4 Backups
    For ONLY 10€/Mo (recurring)

I’ve never used Hetzner, and I don’t know what you are hosting, but I’m sold on LuxVPS. I also use Contabo, and Ethernet Services. The latter would indeed be bare-bare-metal as there are no frills. However, for a test server and for $35 a year, it works.

proxmox

You will enjoy Proxmox. When you get it all jammy, check out the Proxmox Helper Scripts: https://community-scripts.github.io/ProxmoxVE/

You can restrict Caddy access to use your tailscale. For instance in your Caddyfile:

For tailscale ip range:

myverycoolserver.duckdns.org {
    @allowed {
        remote_ip 100.64.0.0/10  # Allow Tailscale IP range
    }
    respond @allowed 200  # Allow access
    respond 403  # Deny access for others
    reverse_proxy localhost:YOUR_SERVICE_PORT  # Your service configuration
}

For specific tailscale IP:

myverycoolserver.duckdns.org {
    @allowed {
        remote_ip YOUR_TAILSCALE_IP  # Replace with the specific Tailscale IP
    }
    respond @allowed 200  # Allow access
    respond 403  # Deny access for others
    reverse_proxy localhost:YOUR_SERVICE_PORT  # Your service configuration
}

I am the note taking king probably. I worked in the construction industry for 20 years. The rule was, ‘if you didn’t write it down, it didn’t happen.’ That has just carried over to every other aspect of my life including selfhosting. Whenever I sit down to my terminal to do anything, I open Notepad++ and a regular windows notepad session. The windows notepad session is a little script I came up with that opens windows notepad with 1000 empty lines. It’s one of the many quirks I have, but I hate having to hit the enter key to start a new line. I like to be able to click on a new line for a new line of thought and start typing.

@echo off
(for /l %%i in (1,1,1000) do echo.) > empty_lines.txt
start notepad empty_lines.txt

(Save as a bat link on desktop)

Anyways, the Notepad ++ session is for after things get worked out, I make an official entry into the Notepad++. The windows notepad session is just a scratch pad or ‘thinking paper’ from which I transfer to the Notepad ++ doc. Convoluted, no? LOL You asked, and I just pulled back the curtain for you a bit. Careful what you ask for, could stain your brain.

I try to document everything. I feel like, if I’m going to take the time to learn something, I might as well write it down. I take my Grok sessions and distill them down if I found the info relevant. I also do all of this because after my TBI which gave me a seizure condition as well as other mental/neuro issues, my memory is shit, even for someone of my age bracket. But I can stand up a server and secure it, just from my notes in a step by step manner conducive to my limited mental acuity. I’ve often wondered if anyone would be interested in my notes, like maybe some newcomer to selfhosting wouldn’t have to reinvent the wheel since I have a penchant for fucking things up.

Nice rack! I really like these small form racks.

Question: What is redis and valkey giving you in this instance? I took a look at my notes and I’ve never invoked redis. Just curious. School me. This is what I spin up:

services:
  searxng:
    image: searxng/searxng:latest
    container_name: searxng
    ports:
      - "8989:8080"
    volumes:
      - /path/to/searxng/data:/etc/searxng
    environment:
      - SEARXNG_BASE_URL=
      - SEARXNG_INSTANCE_NAME=
      - SEARXNG_CONTACT_INFO=
      - SEARXNG_LANGUAGE=en-US
      - SEARXNG_AUTOCOMPLETE=duckduckgo
      - SEARXNG_THEME=simple
      - SEARXNG_OUTGOING_METHOD=default
      - SEARXNG_ENABLE_METRICS=true
      - SEARXNG_ENABLE_CAPTCHA=false
      - SEARXNG_ENABLE_INFINITE_SCROLL=true
      - SEARXNG_ENABLE_PIWIK_ANALYTICS=false
      - SEARXNG_ENABLE_ADVANCED_SEARCH=true
      - SEARXNG_ENABLE_PRIVATE_RESULTS=true
      - SEARXNG_ENABLE_TORIFICATION=false
      - SEARXNG_ENABLE_HTTPS_EVERYWHERE=true
      - SEARXNG_ENABLE_PROXY=true
      - SEARXNG_ENABLE_PLUGINS=true
    restart: unless-stopped

I do like Invidious, however, I’ve never successfully ran it or Piped, and the whole genre of frontends, for any great length of time. I always seem to get whammied by YouTube. On my desktops and laptops I just forward the request to an Invidious or Piped instance via LibRedirect since they seem to have the setup to keep it going.

Some homelabbers / selfhosters have very rigid concepts and opinions about what selfhosting and homelabing should be and what software should be used. I don’t have issues with NetData. It’s a great piece of software. Damn near covers anything I’d want to monitor, and then some. OP stated ‘network analyzer’ and while Netdata does have some analyzing components, it’s mainly a monitor/alert mechanism. So, I didn’t know how that would fit what they were looking for.

I’ll be the first to admit that I’m a sucker for dialed out dashboards. However, logs are confusing enough for me. LOL I need just the facts ma’am. Graphana is a great package tho, useful for a lot of metrics.

It is my understanding that while you can use Dozzle to view other logs besides Docker logs, you have to deploy separate instances. While Dozzle is awesome, I’m not sure I want to spin up 5 or 6 separate Dozzle instances. I do use Dozzle a lot for Docker logs and it’s fantastic for that.