Source Code for the Home Server setup. This includes the git server hosting this repository as well. #terraform #docker
https://git.captnemo.in/nemo/nebula/
nebula
Where stars are born.
Manages the local infrastructure of my home server. I'm also writing blog posts about it:
The canonical URL for this repo is https://git.captnemo.in/nemo/nebula/. A mirror is maintained on GitHub.
modules
- docker: to actually run the services
- cloudflare: to manage the DNS
- mysql: unused, but setup
Self-learning project for terraform/docker
Planned
- Setup DigitalOcean
- Add DO infrastructure via ansible
- ~Add traefik for proper proxying~
Security Headers note
The following security headers are applied by traefik on every docker backend it proxies:
- HSTS
- Redirect HTTP->HTTPS
- contentTypeNosniff: true
- browserXSSFilter: true
- XFO: Allow-From home.bb8.fun (caveat: ALLOW-FROM was never honoured by Chromium-based browsers and has been dropped from current Firefox; the Content-Security-Policy frame-ancestors directive is the supported replacement)
- referrerPolicy: no-referrer
- X-Powered-By: Allomancy
- X-Server: BlackBox
- X-Clacks-Overhead "GNU Terry Pratchett" (On some domains)
This was blocked on traefik 1.5.0-rc2, which fixed a security-headers issue (the struck-out TODO above); it is now resolved with the new traefik release.
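Because headers set in a proxy config are easy to get wrong (and, as noted under Upstream below, traefik at one point did not overwrite headers the backend already sent), it is worth checking from the outside what a client actually receives. The script below is an added example, not code from the nebula repo: it audits a response against the header list above and checks that plain HTTP answers with a redirect to https. The expected values come from the list; the 180-day HSTS minimum, the use of HEAD requests and the default host are assumptions, and the sample header sets are constructed, not captured from a real host.

```python
"""Audit a host's response headers against the traefik security-header policy above.
Added example (not part of the nebula repo); see the lead-in for what is assumed."""
from __future__ import annotations

import re
import sys
import urllib.error
import urllib.request

EXPECTED_XFO = re.compile(r"allow-from\s+\S*home\.bb8\.fun\S*", re.IGNORECASE)
MIN_HSTS_AGE = 15552000  # 180 days; an assumption, the README only says "HSTS"


def parse_hsts(value: str) -> dict[str, str | None]:
    """Split 'max-age=31536000; includeSubDomains' into {directive: value}."""
    directives: dict[str, str | None] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def audit_headers(headers: dict[str, str], min_hsts_age: int = MIN_HSTS_AGE) -> list[str]:
    """Return policy violations for one response; an empty list means compliant."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        age = parse_hsts(hsts).get("max-age")
        if age is None or not age.isdigit():
            findings.append("HSTS has no valid max-age")
        elif int(age) < min_hsts_age:
            findings.append(f"HSTS max-age {age} is below {min_hsts_age}")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if not h.get("x-xss-protection", "").strip().startswith("1"):
        findings.append("X-XSS-Protection is not enabled")
    if not EXPECTED_XFO.fullmatch(h.get("x-frame-options", "").strip()):
        findings.append(f"X-Frame-Options is {h.get('x-frame-options')!r}, "
                        "expected ALLOW-FROM home.bb8.fun")
    if h.get("referrer-policy", "").strip().lower() != "no-referrer":
        findings.append("Referrer-Policy is not 'no-referrer'")

    # Upstream apps commonly emit their own X-Powered-By (e.g. a PHP version string).
    # When the proxy does not overwrite upstream headers, this is how the leak shows
    # up from the outside, so the custom values are checked exactly.
    if h.get("x-powered-by") != "Allomancy":
        findings.append(f"X-Powered-By is {h.get('x-powered-by')!r}, expected 'Allomancy'")
    if h.get("x-server") != "BlackBox":
        findings.append(f"X-Server is {h.get('x-server')!r}, expected 'BlackBox'")
    return findings


def redirects_to_https(status: int, headers: dict[str, str]) -> bool:
    """True when a plain-HTTP response is a redirect whose Location is https://."""
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    return status in (301, 302, 307, 308) and location.lower().startswith("https://")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError for 3xx instead of following it,
    # so the redirect response itself can be inspected.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, timeout: float = 10.0) -> tuple[int, dict[str, str]]:
    """HEAD the URL without following redirects; return (status, headers)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.getcode(), dict(resp.headers)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx still carry the headers we want
        return err.code, dict(err.headers)


# Constructed sample responses (not captured from any real host).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "ALLOW-FROM https://home.bb8.fun",
    "Referrer-Policy": "no-referrer",
    "X-Powered-By": "Allomancy",
    "X-Server": "BlackBox",
}
LEAKY_HEADERS = {**GOOD_HEADERS, "X-Powered-By": "PHP/7.1.12", "X-Frame-Options": "SAMEORIGIN"}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live mode: python audit_headers.py home.bb8.fun
        host = sys.argv[1]
        status, hdrs = fetch(f"http://{host}/")
        print("HTTP->HTTPS redirect:", "ok" if redirects_to_https(status, hdrs) else f"FAIL ({status})")
        _, hdrs = fetch(f"https://{host}/")
        for line in audit_headers(hdrs) or ["all expected security headers present"]:
            print(" -", line)
    else:  # offline demo on the constructed samples
        print("good sample:", audit_headers(GOOD_HEADERS))
        print("leaky sample:", audit_headers(LEAKY_HEADERS))
```

Run it with a hostname to audit a live frontend, or with no arguments to see the constructed good and leaky samples. Only the first response is audited; an application that sets headers on error pages or on specific paths differently would need each such URL checked separately.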
Upstream
Issues I've faced/reported as a result of this project:
- Airsonic HTTPS proxying is broken. Reported: https://github.com/airsonic/airsonic/issues/641. Turned out to be a known issue: https://github.com/airsonic/airsonic/issues/594.
- Traefik docker backend security headers were broken with dashes. Reported at https://github.com/containous/traefik/issues/2493, and fixed by https://github.com/containous/traefik/pull/2496 ✅
- Headphones dies repeatedly with no error logs. Yet-to-report.
- The Terraform MySQL provider doesn't parse MariaDB version numbers. Report: https://github.com/terraform-providers/terraform-provider-mysql/issues/6. Got this fixed myself by filing a PR: https://github.com/hashicorp/go-version/pull/34. Another PR is pending in the provider to bump the go-version dependency. ✅
- elibsrv didn't support ebook-convert, only mobigen. PR is at https://github.com/captn3m0/elibsrv/pull/1. I've to get this merged upstream for the next release.
- ubooquity docker container doesn't let you set the admin password: https://github.com/linuxserver/docker-ubooquity/issues/17. (Couldn't reproduce, closed) ✅
- Traefik customresponseheaders can't contain colons on the docker backend: https://github.com/containous/traefik/issues/2517. Fixed with https://github.com/containous/traefik/pull/2509 ✅
- Traefik security headers don't overwrite upstream headers: https://github.com/containous/traefik/issues/2618
Plumbing
There is a lot of additional infrastructure that is not yet part of this repo. This includes:
- The DigitalOcean droplet running DNSCrypt and simpleproxy to proxy over an OpenVPN connection to this box.
- openbox, kodi configuration to run on boot along with the Steam Controller for the HTPC setup
- Docker main configuration with half-baked CA setup
- btrfs-backed subvolumes and snapshotting for most things in /mnt/xwing/ (in-progress)