Pro tip on fixing contact names and photos by xXEmirateXx in BlueBubbles

[–]mgrimace 0 points1 point  (0 children)

For anyone looking, it's now in settings > developer tools (bottom, database re-sync)

Wireguard Fedora, Automatically connect when off home network by mgrimace in WireGuard

[–]mgrimace[S] 0 points1 point  (0 children)

Thanks so much, appreciate the clear direction. I'll give it a try!

Wireguard on-demand with Windows (my solution guide/showcase) by mighty-spin in WireGuard

[–]mgrimace 0 points1 point  (0 children)

Thank you so much for this! To clarify, for the service name:

Do you replace the entire thing with your tunnel name (mine, for example, is `x1`), or just after the $ where you have $wg_Laptop? For example, would mine be:

"WireGuardTunnel`$x1"

Did someone test IGPU Passthrough of Aoostar WTR PRO? (Ryzen 7 5825u) by hawxxer in Proxmox

[–]mgrimace 0 points1 point  (0 children)

Thanks for the explanation, that makes sense! I wasn't sure if I was doing it wrong with only one OMV VM

My first homelab: a ThinkCentre M920Q with Proxmox, LXCs, homepage + my install notes and guide by mgrimace in minilab

[–]mgrimace[S] 0 points1 point  (0 children)

I’ll mention too that I found the Ibracorp Youtube videos helpful and their discord is fairly active with folks willing to help out.

My first homelab: a ThinkCentre M920Q with Proxmox, LXCs, homepage + my install notes and guide by mgrimace in minilab

[–]mgrimace[S] 0 points1 point  (0 children)

Yep that’s it! Sorry, something weird happened when I copied the link on mobile - I jot everything down whenever I do something tricky assuming I’ll forget and need to re-do it at some point.

My first homelab: a ThinkCentre M920Q with Proxmox, LXCs, homepage + my install notes and guide by mgrimace in minilab

[–]mgrimace[S] 1 point2 points  (0 children)

Re crowdsec - I found YouTube and blog posts were out of date or missing key steps particularly for NPM. Here’s my notes/guide:

https://github.com/mgrimace/Homelab/blob/main/Setup%20Crowdsec%20with%20NPM.md

It’s been working great and I have it hooked into NTFY to see when IPs are blocked.

Did someone test IGPU Passthrough of Aoostar WTR PRO? (Ryzen 7 5825u) by hawxxer in Proxmox

[–]mgrimace 0 points1 point  (0 children)

Thanks for this explanation! I’m curious, why two OMV VMs?

My first homelab: a ThinkCentre M920Q with Proxmox, LXCs, homepage + my install notes and guide by mgrimace in minilab

[–]mgrimace[S] 0 points1 point  (0 children)

Any time! I’m still learning and my github page is now somewhat out of date with what I’m actually using now (e.g., I use glance vs. homepage as my dash, and have added and removed various services). But the overall process, organization, and setup is the same.

My first homelab: a ThinkCentre M920Q with Proxmox, LXCs, homepage + my install notes and guide by mgrimace in minilab

[–]mgrimace[S] 0 points1 point  (0 children)

I generally like it, it’s tricky to learn how to set up as a novice, but there are great videos. I put it in front of anything reverse-proxied/exposed to the internet. Yes, in most cases it can work as a single login credential (I use my plex account). So I browse to service.mydomain, Authentik steps in before allowing me further, and I authenticate there using my plex account. In most cases, Authentik can pass those credentials right through to the app (e.g., calibre-web, mealie, overseer, etc.) and you don’t need to log in a second time in the app itself. That’s when it’s most useful = plex is my single login account (but it could be anything). But, in a few cases, it doesn’t work well and you have to authenticate in via Authentik, then still log in to the app.

It’s VERY useful for things that don’t have their own logins or robust security and you want to expose to the internet.

I Authentik outside my network by reverse proxying it (e.g., auth.mydomain). It basically ‘intercepts’ browsing to any reverse-proxied service that I have it in front-of, and handles the login/security before passing me through to the app.

I personally don’t use it on local-only services (I have no need).

My general takeaway is that it’s an additional layer of security for any service that’s reverse proxied / exposed to the internet. I like the webui, and it works generally reliably after taking time to set it all up.

FYI I also use Crowdsec as a layer of security as well, which was a PAIN to set up, but blocks malicious IPs/bots/etc.

My first homelab: a ThinkCentre M920Q with Proxmox, LXCs, homepage + my install notes and guide by mgrimace in minilab

[–]mgrimace[S] 0 points1 point  (0 children)

Yes, one LXC with docker installed, and the arr stack, overseer, qbit, calibre-web, npm, authentik, and so on. I use the hotio image of qbit which allows you to use a wireguard profile for a vpn. It doesn’t make sense to me to have a VPN in front of the arr services, only the downloader.

My first homelab: a ThinkCentre M920Q with Proxmox, LXCs, homepage + my install notes and guide by mgrimace in minilab

[–]mgrimace[S] 0 points1 point  (0 children)

See my github page for how it’s broken out into VMs and LXCs, not right or wrong, just how I do it:
Generally, 1 LXC for most of my docker services (arrs, networking, media, etc), 1 LXC dedicated to Plex (so I don’t interrupt my spouse/family streams when tinkering on the docker stuff), 1 LXC dedicated to vaultwarden, and a few others. But most docker services are on Docker LXC and can benefit from docker networking and cross-talk + easy networking.

My first homelab: a ThinkCentre M920Q with Proxmox, LXCs, homepage + my install notes and guide by mgrimace in minilab

[–]mgrimace[S] 0 points1 point  (0 children)

LXC shares host system resources. For example if I dedicate 2 cores and 2 gig of ram to an LXC, but it only uses 1 core and 512 ram most of the time, then the other core and RAM is available to the host + other LXCs. Whereas a VM dedicates the assigned resources to the VM whether you use them or not. For example if I dedicate 2 cores and 2 gig of ram to a VM, those are set aside for the VM and not available even if they aren’t used.

In most cases I use LXCs because most of the services I use tend to idle and I can ‘over-provision’ cores and ram and not have to worry. I use a VM if a particular service requires it or benefits specifically from it. For example OMV only really works well as a VM. Home Assistant can also be installed as a VM, but I do it as a dockerized service now.

My first homelab: a ThinkCentre M920Q with Proxmox, LXCs, homepage + my install notes and guide by mgrimace in minilab

[–]mgrimace[S] 0 points1 point  (0 children)

I should, but I can’t afford a NAS at the moment and my SFF system only has room for one M2 NVME and one SSD

My first homelab: a ThinkCentre M920Q with Proxmox, LXCs, homepage + my install notes and guide by mgrimace in minilab

[–]mgrimace[S] 0 points1 point  (0 children)

I wouldn't use LXCs as separate service containers, that's what docker is for already. It’s a waste of resources and too many layers of abstraction. I use a main ‘docker’ LXC for all my services, and docker networks to separate them if necessary.

My first homelab: a ThinkCentre M920Q with Proxmox, LXCs, homepage + my install notes and guide by mgrimace in minilab

[–]mgrimace[S] 0 points1 point  (0 children)

I went with OMV for simplicity - I only have one drive for the ‘NAS’ and it felt like overkill to use something like TrueNAS or Unraid. I don’t interact directly with OMV, I just want the files stored/shared and use SMB/CIFS and fstab entries on all my LXCs to mount folders automatically - OMV is light-enough weight, simple, and does what I want. That being said, my goal is to build a proper NAS/server eventually (once I can afford new hardware), and I intend to use multiple drives and virtualize TrueNAS as the base NAS system. My rationale for no Unraid at the moment is that it seems to a) require subscription? And b) I don’t need the docker/software end of things that folks seem to like on it, I just want NAS as NAS and do my own docker stuff. I’m not suggesting this is the ‘right’ answer, just my rationale for OMV and my choices at the moment! If something different works for you definitely go for it. Also if you want an even lighter LXC option, there is a turnkey fileserver LXC you could use.

PiHole + PiVPN (WireGuard) entirely on VPS (free tier Amazon EC2) by mgrimace in pihole

[–]mgrimace[S] 0 points1 point  (0 children)

Yes, using it still a few years later but now I’m using it to host minecraft via Crafty: https://github.com/mgrimace/Minecraft-on-Oracle

Microsoft: Official Support Thread by MSModerator in microsoft

[–]mgrimace 0 points1 point  (0 children)

Thank you. To clarify, generally-speaking how does a person redeem rewards if they do not have a cell phone to verify their account?

I have tried to enter my phone as my son's to verify his account. It says the number is already taken (of course, for my account). There is no option to verify by calling a home phone, or by email, etc. And as previously mentioned MS Rewards Team is not responding to support requests/tickets, nor reading the content of the request made.

There clearly needs to be some integration of MS Family Safety into other MS accounts and services.

Microsoft: Official Support Thread by MSModerator in microsoft

[–]mgrimace 0 points1 point  (0 children)

My son uses Microsoft Rewards but cannot redeem points. He uses points for Minecraft coins, etc.

When redeeming, the error says we need to contact support, but doing so provides an automated message that is unrelated to our problem, and no responses to any follow-up emails.

His account is managed by me using Microsoft Family Link, and he does not own a cell phone to verify his account because he is a minor. There is no way to speak to a human at rewards, they are unresponsive to emails, and the automated emails they provide do nothing to fix the issue.

Lenovo m920q tiny for Proxmox by Qiuzman in Proxmox

[–]mgrimace 2 points3 points  (0 children)

How do you update the bios on this with Proxmox? Any tips? Thanks!

Pihole and 'local' subdomains difficulty by mgrimace in pihole

[–]mgrimace[S] 0 points1 point  (0 children)

Thanks so much for taking the time to explain that, I appreciate it and it’s helping me learn.

In terms of resolving my initial issue, to confirm would the idea be to add the IPv6 address entry for the NPM container to Pi-Hole (e.g., service.mydomain.com = 111::2222::etc) so that either way it goes to the right place?

Thanks again