After quite some time, I finally have all the pieces in place. Over the last 30 minutes, I’ve set up one of my servers from scratch. Here are some key changes:
- Reverse proxy: Nginx with ModSecurity (WAF)
- Container isolation: every container runs as a separate Linux user
- Podman Quadlet: I rewrote all my compose stacks into Quadlet files; now all containers start properly after a reboot 🥳
- Grafana: Grafana's configuration is now managed by OpenTofu, which currently provisions the data sources (Grafana Loki and Prometheus) as well as the dashboards.
- Server hardening: improved SSH configuration, firewall, and permissions in general on this host
- Ansible: everything is powered by Ansible
- Certbot: use wildcard certificates for my domains / subdomains for an easier renewal process
- Backups: all those services have proper backups configured, which are scheduled with systemd timers and replicated into my local homelab.
- Services that are running at the moment:
  - Grafana
  - Prometheus
  - Grafana Loki
  - Grafana Alloy
  - GitLab Runner
  - some other services that I want to migrate to this server
#homelab #sysadmin #linux #ansible #automation #devsecops #selfhosting #declarative #gitops #monitoring
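As an added illustration of the setup the post describes (example configuration written for this page, not the author's own files): a rootless Quadlet unit for Grafana owned by a dedicated Linux user, and a user-level systemd timer that exports the data volume so it can be replicated elsewhere. The user name `grafana`, the paths, the image tag, the volume name and the backup directory are assumptions; Grafana's in-image UID 472 is taken from the official image.

```ini
# ~/.config/containers/systemd/grafana.container  (assumed path)
# Quadlet unit, owned by a dedicated "grafana" Linux user (assumed name).
# One-time setup as root, so the user's services run without a login session:
#   useradd --create-home --shell /usr/sbin/nologin grafana
#   loginctl enable-linger grafana
# Then, as that user:
#   systemctl --user daemon-reload && systemctl --user start grafana
[Unit]
Description=Grafana (rootless Podman, Quadlet)
After=network-online.target
Wants=network-online.target

[Container]
Image=docker.io/grafana/grafana:latest
ContainerName=grafana
# Bind to loopback only: the reverse proxy on this host is the sole client.
PublishPort=127.0.0.1:3000:3000
# Persistent state lives in a named volume; everything else is read-only.
Volume=grafana-data:/var/lib/grafana
ReadOnly=true
Tmpfs=/tmp
NoNewPrivileges=true
DropCapability=ALL
# Map the image's grafana user (uid/gid 472) onto the unprivileged host user.
UserNS=keep-id:uid=472,gid=472
# Let "podman auto-update" pull a newer image and restart this unit.
AutoUpdate=registry

[Service]
Restart=always
TimeoutStartSec=300

[Install]
WantedBy=default.target


# ~/.config/systemd/user/grafana-backup.service  (assumed path)
[Unit]
Description=Export the Grafana data volume for replication to the homelab

[Service]
Type=oneshot
# Tar the named volume into a dated archive. Grafana's SQLite database may be
# mid-write at that moment; for a guaranteed-consistent copy, stop grafana.service
# first or back up grafana.db with "sqlite3 .backup" and tar the rest.
ExecStart=/bin/sh -c 'podman volume export grafana-data --output %h/backups/grafana-data-$(date +%%F).tar'
# Replication to the homelab (rsync, restic, ...) is left to a separate step.


# ~/.config/systemd/user/grafana-backup.timer  (assumed path)
# Enable with: systemctl --user enable --now grafana-backup.timer
[Unit]
Description=Nightly Grafana volume export

[Timer]
OnCalendar=*-*-* 02:30:00
RandomizedDelaySec=15m
# Run a missed export on the next boot if the host was down at 02:30.
Persistent=true

[Install]
WantedBy=timers.target
```

Because the container runs under a dedicated user with `UserNS=keep-id`, a process that escapes it lands in an unprivileged account that owns nothing but its own volume and backup directory; `ReadOnly=true` plus `Tmpfs=/tmp` keeps the image filesystem immutable while still giving Grafana its writable paths.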
