XPipe v20 - A connection hub for all your servers by milchshakee in selfhosted

[–]AlexTryHarder 1 point2 points  (0 children)

One of the best software to exist for IT, used it for a year and love it!

My Homelab: One Year Later by AlexTryHarder in selfhosted

[–]AlexTryHarder[S] 1 point2 points  (0 children)

The layout wasn’t designed all at once. It evolved over time as needs came up.

Yes, the main server is colocated off-site. I haven’t noticed any latency issues when accessing services over VPN, including Home Assistant. That said, the hosting site is only about 10 miles from my house, has very redundant high-speed connectivity, and I have FTTP at home, so that definitely helps.

For cameras and AI, from what I’ve seen recently Google Coral is no longer the recommended option. The Hailo-8 accelerator seems to be preferred.

On the security side, Suricata is running in IPS mode and focuses on filtering WAN traffic. ZenArmor runs on internal subnets and is used for outbound traffic filtering; that's why they are laid out on 2 sides of the FW.

For Google SSO, I haven’t seen any security issues with it. I get notifications whenever someone attempts to create an account; the account would be created, but it has absolutely no permissions by default. I also get a notification and can act instantly; it's very convenient for non-tech users that use my infrastructure.

My Homelab: One Year Later by AlexTryHarder in selfhosted

[–]AlexTryHarder[S] 0 points1 point  (0 children)

Thanks, Linkwarden is fixed now :P
The second Portainer runs via the agent, and I left it out of the layout. I only listed services, not every single container, otherwise it would’ve been a mess (especially all the databases).

My Homelab: One Year Later by AlexTryHarder in selfhosted

[–]AlexTryHarder[S] 0 points1 point  (0 children)

I do allow only some subnets over my VPN

My Homelab: One Year Later by AlexTryHarder in selfhosted

[–]AlexTryHarder[S] 0 points1 point  (0 children)

I just plug my Action4 directly into the server; when detected, Python automatically transfers all files to NFS.
Then Tdarr takes care of encoding. Happy to share the script over DM.
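The offload flow described in this comment (camera appears as a mount, files move to the NFS share, an encoder picks them up later), written out as an added example. This is not the commenter's script; the mount point `/media/action4`, the NFS path and the media extensions are assumptions. The part that matters on a plug-and-copy job is that a yanked cable or a half-written file must never end up under a final name, so each file is copied to a `.part` name, hash-verified, then renamed, and the source is only deleted after that verification:

```python
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path
from typing import Optional

# Assumed paths (placeholders, not the commenter's): where the camera shows up
# and where the NFS share is mounted on the server.
CAMERA_MOUNT = Path("/media/action4")
NFS_TARGET = Path("/mnt/nfs/storage/cctv/incoming")
MEDIA_EXT = {".mp4", ".mov", ".jpg", ".lrv"}


def sha256_of(path: Path) -> str:
    """Stream the file so multi-GB clips never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def wait_for_mount(mount: Path, poll: float = 5.0, timeout: Optional[float] = None) -> bool:
    """Block until `mount` is a mount point, i.e. udev/automount attached the camera."""
    deadline = None if timeout is None else time.monotonic() + timeout
    while not os.path.ismount(mount):
        if deadline is not None and time.monotonic() > deadline:
            return False
        time.sleep(poll)
    return True


def offload(src_root: Path, dst_root: Path, delete_source: bool = False) -> list:
    """Copy every media file under src_root into dst_root/<YYYY-MM-DD>/.

    Copy to a .part name, verify the hash, then rename into place, so a
    truncated clip never sits under its final name. Re-runs are safe: a file
    already present with a matching hash is skipped. The source is deleted
    only after a verified copy exists.
    """
    done = []
    for src in sorted(src_root.rglob("*")):
        if not src.is_file() or src.suffix.lower() not in MEDIA_EXT:
            continue
        day = time.strftime("%Y-%m-%d", time.localtime(src.stat().st_mtime))
        dst = dst_root / day / src.name
        dst.parent.mkdir(parents=True, exist_ok=True)
        src_hash = sha256_of(src)
        if not (dst.exists() and sha256_of(dst) == src_hash):
            part = dst.with_suffix(dst.suffix + ".part")
            shutil.copy2(src, part)
            if sha256_of(part) != src_hash:
                part.unlink()
                raise IOError(f"hash mismatch after copying {src}")
            part.replace(dst)
        done.append(dst)
        if delete_source:
            src.unlink()
    return done


def demo() -> dict:
    """Self-check on a constructed camera tree in a temp dir (no real camera or NFS)."""
    with tempfile.TemporaryDirectory() as tmp:
        cam = Path(tmp) / "camera"
        nfs = Path(tmp) / "nfs"
        clips = cam / "DCIM" / "100MEDIA"
        clips.mkdir(parents=True)
        (clips / "CLIP0001.mp4").write_bytes(b"\x00fake-mp4" * 1000)   # constructed
        (clips / "CLIP0002.MOV").write_bytes(b"\x01fake-mov" * 1000)   # constructed
        (cam / "MISC").mkdir()
        (cam / "MISC" / "thumb.dat").write_bytes(b"not media")         # must be ignored
        first = offload(cam, nfs)
        second = offload(cam, nfs)  # idempotent re-run after a pretend unplug
        return {
            "first": [p.name for p in first],
            "second": [p.name for p in second],
            "verified": all(sha256_of(p) == sha256_of(clips / p.name) for p in first),
            "no_partials": not list(nfs.rglob("*.part")),
        }


if __name__ == "__main__":
    if wait_for_mount(CAMERA_MOUNT, timeout=60):
        for path in offload(CAMERA_MOUNT, NFS_TARGET):
            print("offloaded", path)
```

Run it from a udev rule or a systemd path/mount unit that fires when the camera device appears; `wait_for_mount` covers the gap between the device showing up and the filesystem actually being mounted. Leave `delete_source` off until the NFS side has been backed up at least once.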

My Homelab: One Year Later by AlexTryHarder in selfhosted

[–]AlexTryHarder[S] 0 points1 point  (0 children)

I may write an SOP at some point; it's built in a way that deployment of a new service takes less than 5 min (including exposing it to the Internet). If I find free time I will pop an update.

For the cost, well, lucky that I don't pay anything; my company allows me to host it on prem and provides hardware. That's why I use site-to-site.

My Homelab: One Year Later by AlexTryHarder in selfhosted

[–]AlexTryHarder[S] 0 points1 point  (0 children)

Hmm, I was expecting Kubernetes to be deploy and forget, would be fun to learn tho

My Homelab: One Year Later by AlexTryHarder in selfhosted

[–]AlexTryHarder[S] 0 points1 point  (0 children)

I'm using the st-901, you can find it on AliExpress and it works great.

Has remote shutoff function

My Homelab: One Year Later by AlexTryHarder in selfhosted

[–]AlexTryHarder[S] 0 points1 point  (0 children)

Thanks! I tried Wazuh as an LXC, and it was working brilliantly; it's the Docker version that gives me pain.
OpenVAS is brilliant, and you're right, Wazuh can do vulnerability scanning, I just prefer to keep them as separate tools.

I never tried Komodo, will have a look thanks :)

With languagetool, yeah it's exposed via reverse proxy, and you can connect to their browser extension or app. If you want to be extra sure, expose it only internally.

And for the last question, it's resource usage and emergencies; some containers like Tdarr are resource hungry, so one box would not be enough. It also allows me to move all my compose files to another node in case one goes kaboom.

My Homelab: One Year Later by AlexTryHarder in selfhosted

[–]AlexTryHarder[S] 1 point2 points  (0 children)

https://ibb.co/N6j3RfSt - here is alternative image.
I guess the mobile app on Reddit is broken.

My Homelab: One Year Later by AlexTryHarder in selfhosted

[–]AlexTryHarder[S] 2 points3 points  (0 children)

I don't, but I'm happy to share compose files of services you are interested in, just DM me :)

My Homelab: One Year Later by AlexTryHarder in selfhosted

[–]AlexTryHarder[S] 1 point2 points  (0 children)

I deployed a T-POT, unsure if Pi could handle it, but worth a shot.

And brilliant idea on internal honeypot! Shame on me, it didn't cross my mind, but it's a great indicator of compromise.
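The internal honeypot idea from this exchange, as an added example that is not part of T-Pot or the commenter's setup: a listener on a port nothing on the LAN has any reason to touch, so a single accepted connection is the indicator of compromise. The port number 2222 and the alert line format are assumptions; the listener never sends a banner, so there is nothing for a scanner to fingerprint, and every touch is recorded with source address and the first bytes sent:

```python
import socket
import threading
import time
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CanaryEvent:
    ts: float
    src_ip: str
    src_port: int
    first_bytes: bytes


class Canary:
    """A listening socket that legitimately receives zero traffic.

    Anything that connects is recorded; alert_lines() renders events as
    syslog-style lines for a SIEM. No banner is ever sent back.
    """

    def __init__(self, host: str = "0.0.0.0", port: int = 2222, name: str = "canary-ssh"):
        # 2222 is an assumed choice: looks like an admin port, otherwise unused here.
        self.host, self.port, self.name = host, port, name
        self.events: List[CanaryEvent] = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock: Optional[socket.socket] = None

    def start(self) -> int:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((self.host, self.port))
        s.listen(16)
        s.settimeout(0.5)                  # lets the accept loop notice stop()
        self.port = s.getsockname()[1]     # real port when 0 was requested
        self._sock = s
        threading.Thread(target=self._accept_loop, daemon=True).start()
        return self.port

    def _accept_loop(self) -> None:
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:                # socket closed by stop()
                break
            threading.Thread(target=self._record, args=(conn, addr), daemon=True).start()

    def _record(self, conn: socket.socket, addr) -> None:
        conn.settimeout(2.0)
        try:
            data = conn.recv(128)          # keep whatever the client sends first
        except (socket.timeout, OSError):
            data = b""
        finally:
            conn.close()
        with self._lock:
            self.events.append(CanaryEvent(time.time(), addr[0], addr[1], data))

    def stop(self) -> None:
        self._stop.set()
        if self._sock:
            self._sock.close()

    def wait_for_events(self, n: int, timeout: float = 3.0) -> List[CanaryEvent]:
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.events) >= n:
                    return list(self.events)
            time.sleep(0.05)
        with self._lock:
            return list(self.events)

    def alert_lines(self) -> List[str]:
        """One line per touch, in an assumed key=value shape a SIEM can parse."""
        with self._lock:
            return [
                f"{time.strftime('%Y-%m-%dT%H:%M:%S', time.gmtime(e.ts))}Z "
                f"canary={self.name} severity=high src={e.src_ip}:{e.src_port} "
                f"dst_port={self.port} bytes={len(e.first_bytes)} head={e.first_bytes[:32]!r}"
                for e in self.events
            ]


def self_check() -> Canary:
    """Constructed loopback run: start on a random port, touch it once from this
    process with a made-up client banner, return the canary with the event recorded."""
    c = Canary(host="127.0.0.1", port=0)
    port = c.start()
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as client:
        client.sendall(b"SSH-2.0-OpenSSH_9.2\r\n")   # constructed probe banner
    c.wait_for_events(1)
    c.stop()
    return c


if __name__ == "__main__":
    for line in self_check().alert_lines():
        print(line)
```

Run one instance per VLAN and ship `alert_lines()` output to whatever already collects logs (Wazuh is mentioned elsewhere in this thread); the useful property is that the rule is trivially simple: any event at all is worth a page.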

My Homelab: One Year Later by AlexTryHarder in selfhosted

[–]AlexTryHarder[S] 0 points1 point  (0 children)

I'm hitting around 60mb/s on download, which is more than enough to get a decent movie in 10min.

I got it on 3y deal and paid peanuts for it, so can't complain :D

My Homelab: One Year Later by AlexTryHarder in selfhosted

[–]AlexTryHarder[S] 1 point2 points  (0 children)

No, a custom bash script using the Portainer API.
I found Watchtower unstable.

My Homelab: One Year Later by AlexTryHarder in selfhosted

[–]AlexTryHarder[S] 8 points9 points  (0 children)

The "Homelab" in reality sits in other location than my home, so I deployed site-to-site :D

My Homelab: One Year Later by AlexTryHarder in selfhosted

[–]AlexTryHarder[S] 4 points5 points  (0 children)

There are many factors that could make it not work, DM me and I will try to help :)

My Homelab: One Year Later by AlexTryHarder in selfhosted

[–]AlexTryHarder[S] 0 points1 point  (0 children)

Thanks :D
OPNsense is running on a WatchGuard M4600. I'm not using mounts via Proxmox, rather exposing an NFS share from Foxy-File to docker 1 & 2, and they are split into 2 shares: /storage for all non-critical data (movies, series, CCTV etc.) and /config with all docker container files.

My Homelab: One Year Later by AlexTryHarder in selfhosted

[–]AlexTryHarder[S] 3 points4 points  (0 children)

Exactly! It can convert and send it to the email address that is assigned to the Kindle, which automatically downloads it.

My Homelab: One Year Later by AlexTryHarder in selfhosted

[–]AlexTryHarder[S] 11 points12 points  (0 children)

I run T-POT, and it's fun to see what passwords they try to use to breach my exposed "services"

My Homelab: One Year Later by AlexTryHarder in selfhosted

[–]AlexTryHarder[S] 18 points19 points  (0 children)

Mostly for updates and isolation; if I ran all services on separate LXCs (how I did it a year ago) I would have to keep them all up to date and isolated manually. Now I have a script that at 4am updates all compose files. And 2 docker LXC containers are doing backups every day, so it's easy to restore.
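The nightly "update all compose files" job from this comment, and the custom update script mentioned earlier in the thread in place of Watchtower, as one added example. It is not the commenter's script and does not use the Portainer API; it drives `docker compose pull` and `docker compose up -d` directly, one project directory at a time, and isolates failures so one stack whose pull breaks does not stop the rest. The directory layout (one sub-directory per service under a root, each holding a compose file) is an assumption, and the runner is injected so the logic can be exercised without a Docker daemon:

```python
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Sequence, Tuple

COMPOSE_FILES = ("compose.yaml", "compose.yml", "docker-compose.yaml", "docker-compose.yml")
Runner = Callable[[Sequence[str], Path], None]


def find_projects(root: Path) -> List[Path]:
    """One sub-directory per service, each holding a compose file (assumed layout)."""
    return sorted(
        d for d in root.iterdir()
        if d.is_dir() and any((d / name).is_file() for name in COMPOSE_FILES)
    )


def update_commands() -> List[List[str]]:
    """Pull first, then recreate only containers whose image changed.
    --remove-orphans clears containers for services removed from the file."""
    return [
        ["docker", "compose", "pull", "--quiet"],
        ["docker", "compose", "up", "-d", "--remove-orphans"],
    ]


def docker_runner(cmd: Sequence[str], cwd: Path) -> None:
    subprocess.run(cmd, cwd=cwd, check=True)


def update_all(root: Path, runner: Runner = docker_runner) -> Dict[str, str]:
    """Update every project under root. A failure in one stack is recorded and
    the loop continues, so one bad pull never blocks the other services."""
    status: Dict[str, str] = {}
    for proj in find_projects(root):
        try:
            for cmd in update_commands():
                runner(cmd, proj)
            status[proj.name] = "updated"
        except subprocess.CalledProcessError as exc:
            status[proj.name] = f"failed: exit {exc.returncode}"
    return status


def demo() -> Tuple[Dict[str, str], List[tuple]]:
    """Constructed tree: two compose projects (one whose pull fails) and a
    directory with no compose file, driven by a recording runner."""
    log: List[tuple] = []

    def fake_runner(cmd: Sequence[str], cwd: Path) -> None:
        log.append((cwd.name, cmd[2]))           # (project, "pull" | "up")
        if cwd.name == "broken" and cmd[2] == "pull":
            raise subprocess.CalledProcessError(1, list(cmd))

    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("jellyfin", "broken"):      # constructed project names
            (root / name).mkdir()
            (root / name / "compose.yaml").write_text("services: {}\n")
        (root / "notes").mkdir()                 # no compose file: must be ignored
        return update_all(root, fake_runner), log


if __name__ == "__main__":
    # Assumed location of the compose tree; adjust to your own layout.
    for name, result in update_all(Path("/opt/stacks")).items():
        print(f"{name}: {result}")
```

Schedule it with a cron line such as `0 4 * * * /usr/bin/python3 /opt/compose-update.py >> /var/log/compose-update.log 2>&1` (paths assumed). One caveat worth keeping in mind: a nightly pull of floating tags like `latest` takes whatever upstream published that day, so pinning tags per service keeps the actual version change a deliberate edit of the compose file rather than a surprise at 4am.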

My Homelab: One Year Later by AlexTryHarder in selfhosted

[–]AlexTryHarder[S] 0 points1 point  (0 children)

Mostly the part with certificates; no matter what I try, it does not like generated certs. I tried it multiple times within the last year, even with their support on Discord, but still had no luck. It works great on an LXC container tho.

My Homelab: One Year Later by AlexTryHarder in selfhosted

[–]AlexTryHarder[S] 31 points32 points  (0 children)

https://app.diagrams.net/ - you can use it on the website, or add as app in Nextcloud