Homelab Plans for 2026
I’ve got some fun Homelab projects lined up for this year. Lots of upgrades, migrations, and security improvements.
Migrations and Upgrades
From Ingress to Gateway API
This has been on my list for a while, but I think it’s going to happen in the pretty near term now that Nginx Ingress is officially deprecated.
From Minio to Garage
Minio used to be hot, and now it very much is not. Luckily Garage has really grown to take its place. I migrated my in-cluster instance of Minio to Garage already, but that one was only lightly used. The big migration will be the instance on my NAS.
Incidentally, I used the garage-operator for my in-cluster deployment and for as early as it is, it is really nice. The dev is very responsive too.
From Rancher Local Path Storage to OpenEBS
I started my cluster with Rancher’s local-path provider years ago and it’s time to migrate to something more robust. OpenEBS has a lot of potential.
From Loki/Promtail to VictoriaLogs?
Loki and Promtail are the flakiest part of my observability stack and it seems like many from the selfhosting community have already made the leap to VictoriaLogs. I need to look at it more closely to see the trade-offs though.
Tailscale
I currently use Wireguard for remote access into my network and it has worked great. I’ve been really curious what I could do with Tailscale for controlling remote access. It seems like a fun platform. I only have a very small number of users for my hosted services so it’s kind of overkill. It seems cool though. And while I’m at it I might as well deploy headscale and headplane.
Security
I’m embarrassed to say I’ve relied far too heavily on the default security guards of Kubernetes and Cloudflare, and considering I do host some public-facing services I need to lock things down more. I migrated to Cilium last year, but have yet to take full advantage of their network policy support, so that will be one of the first things.
I also don’t like the idea of relying on Cloudflare for all my external security. They essentially man-in-the-middle all traffic as it passes through, which means they at least theoretically have access to all the data for those services. So moving away from Cloudflared to either a VPS with a VPN tunnel, or just opening up 443 on my router and deploying my own WAF. Both options would be fun experiments. Perhaps I’ll try both. And of course toss Anubis up as well.
My Forgejo instance could be made public too, so I can showcase more of my work without putting it on GitHub or Codeberg. I’m reasonably confident in its security, but I need to give it another look before I’m ready to expose it.
GitOps
I go back and forth on this one, but I’ve been considering publishing the flux repository for my homelab publicly. It’s a great opportunity to showcase what I’ve done, provide examples for others, and get feedback for improvement. The real concern is that it will also show any potentially malicious actor exactly what I’m running and how. What if I leave something open? I suppose it’s better to learn such a hard lesson at home rather than on the job though.
The flux repo is also hosted on GitHub currently too, and I’d rather not support them more than necessary, so I want to move it to Codeberg. I’d put it on my own Forgejo instance if that didn’t create a chicken and egg problem. I’ve heard some people do that, but it seems crazy.