Commit d0d2993
committed
Homelab: Full architecture redesign (#486)
Complete redesign of my Homelab to switch to a much simpler,
lightweight, secure and resource efficient architecture design:
- Replace Proxmox on physical hosts by a lightweight Arch Linux install
that only runs basic services like `sshd`, `firewalld`, `fail2ban`,
etc..., as well as rootless LXC & Podman (see next points) [1].
- Replace VMs by rootless / unprivileged LXC System containers (acting
"VM-Like", with dedicated hostname, IP, resources quota limit, direct
SSH access, etc...).
- Replace Docker by rootless / unprivileged Podman Application
containers.
- Application containers (Podman) run directly on the physical hosts
(rather than in dedicated VMs as before).
- Tasks initially managed via Proxmox (snapshots, backups, etc...) are
handled via Ansible (in addition of the "classic" administration tasks,
system & containers updates, etc...). The Ansible architecture is also
reworked / simplified.
- Every rootless / unprivileged containers are all executed via a
dedicated & unprivileged user, with secured login mechanisms (no ssh
access, no password authentication, no `su - user`, etc... only `sudo
-iu user` / `sudo machinectl shell user@` from another *privileged*
user).
- Day to day administration tasks, log viewing, etc... are done from a
separate / classic user.
- HA for critical services is managed on the software side by running
clusters with the different nodes (LXC Containers) spared across the
different physical hosts and a floating VIP managed at the service-level
by `keepalived`.
This should result in a much simpler, pragmatic, secure & resource
efficient architecture design overall; though at the cost of handy /
"QOL" features such has the centralized Proxmox WebUI, one click
snapshot / backups, built-in HA fencing, live-migration, etc...
However, some of those handy features can (and will) be replaced by
custom scripting / Ansible playbooks (e.g. for snapshots / backups). VMs
are a bit more flexible and have a better isolation by design, but they
are also more complex and way less resource efficient than containers.
As for other stuff like HA fencing, live-migration and so on... while
they are handy, they also imply more or less technical overhead. For
instance, I need to run a third quorum node from a RaspberryPI to get
proper HA from Proxmox, CEPHS storage is resource intensive, cluster
management may complicate things in specific situation (e.g. when
upgrading / reinstalling nodes to a new major version), etc... And it's
fair to say that I don't really *need* those things for my Homelab.
All and all, this is treading (some) convenience for simplicity
(architecture wise), with everything it implies: lighter on resources,
less attack surfaces, lighter maintenance, ... at the cost of loosing
certain extra features or having to rely on custom solutions for those.
It also a fun experiment that I'm looking forward to try.
I *might* write a blog post with my feedback about this change after
some times. 🙂
[1] I was initially considering Alpine Linux instead at first, which
felt like the perfect candidate for such tiny / "appliance like"
servers. But, unfortunately, it turns out that I won't be able to
properly run everything I want / need, mostly due to lack of systemd
ecosystem support. For instance, `podman auto-update` hardly requires
the containers to run from systemd services. I also haven't been able to
start / run Arch Linux (or any distribution running systemd >= v258,
which therefore strictly requires cgroups v2) in LXC unprivileged
containers, presumably because `OpenRC` doesn't handle cgroups
delegation, which is a deal breaker for me.1 parent 8613aec commit d0d2993
243 files changed
Lines changed: 1792 additions & 556 deletions
File tree
- .github/workflows
- Ansible
- inventories
- Antiz.fr
- Proxmox
- Rasp
- Template
- VMs
- VPS
- playbooks
- roles
- configure_template
- tasks
- vars
- dump_databases
- proxmox_system_backup
- defaults
- handlers
- tasks
- vars
- update_antiz_website/tasks
- update_docker_container
- defaults
- handlers
- vars
- update_server
- defaults
- handlers
- vars
- roles
- add_package
- defaults
- handlers
- meta
- tasks
- tests
- vars
- backup_lxc_containers
- defaults
- handlers
- meta
- tasks
- tests
- vars
- backup_podman_containers_volumes
- defaults
- handlers
- meta
- tasks
- tests
- vars
- backup_qemu_vms
- defaults
- handlers
- meta
- tasks
- tests
- vars
- clean_runners
- defaults
- handlers
- meta
- tasks
- tests
- vars
- core_system_backup
- defaults
- handlers
- meta
- tasks
- tests
- vars
- create_update_user
- defaults
- handlers
- meta
- tasks
- tests
- vars
- delete_user
- defaults
- handlers
- meta
- tasks
- tests
- vars
- deploy_lxc_template
- defaults
- handlers
- meta
- tasks
- tests
- vars
- dump_databases
- defaults
- handlers
- meta
- tasks
- tests
- vars
- nvchecker
- defaults
- files
- handlers
- meta
- tasks
- templates
- tests
- vars
- regenerate_ssl_certificate
- defaults
- handlers
- meta
- tasks
- tests
- vars
- remove_package
- defaults
- handlers
- meta
- tasks
- tests
- vars
- shell_command
- defaults
- handlers
- meta
- tasks
- tests
- vars
- sync_crystal_repo
- defaults
- handlers
- meta
- tasks
- tests
- vars
- update_antiz_website
- defaults
- handlers
- meta
- tasks
- tests
- vars
- update_docker_containers
- defaults
- handlers
- meta
- tasks
- tests
- vars
- update_podman_containers
- defaults
- handlers
- meta
- tasks
- tests
- vars
- update_servers
- defaults
- handlers
- meta
- tasks
- tests
- vars
- vps_system_backup
- defaults
- handlers
- meta
- tasks
- tests
- vars
- Servers
- Services
- VMs
Some content is hidden
Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
15 | 15 | | |
16 | 16 | | |
17 | 17 | | |
18 | | - | |
| 18 | + | |
19 | 19 | | |
20 | 20 | | |
21 | 21 | | |
22 | 22 | | |
23 | 23 | | |
24 | | - | |
| 24 | + | |
| 25 | + | |
25 | 26 | | |
26 | 27 | | |
27 | | - | |
| 28 | + | |
| 29 | + | |
File renamed without changes.
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
2 | 2 | | |
3 | 3 | | |
4 | 4 | | |
5 | | - | |
| 5 | + | |
6 | 6 | | |
7 | 7 | | |
8 | 8 | | |
9 | | - | |
| 9 | + | |
10 | 10 | | |
11 | | - | |
12 | | - | |
13 | | - | |
| 11 | + | |
14 | 12 | | |
15 | 13 | | |
16 | 14 | | |
17 | 15 | | |
18 | 16 | | |
19 | 17 | | |
20 | | - | |
| 18 | + | |
21 | 19 | | |
22 | 20 | | |
23 | 21 | | |
24 | 22 | | |
25 | 23 | | |
26 | | - | |
| 24 | + | |
27 | 25 | | |
28 | 26 | | |
29 | 27 | | |
30 | | - | |
| 28 | + | |
31 | 29 | | |
32 | | - | |
33 | | - | |
34 | | - | |
35 | | - | |
36 | | - | |
37 | | - | |
38 | | - | |
39 | | - | |
40 | | - | |
41 | | - | |
42 | | - | |
43 | | - | |
44 | | - | |
45 | | - | |
46 | | - | |
47 | | - | |
48 | | - | |
49 | | - | |
50 | | - | |
51 | | - | |
52 | | - | |
53 | | - | |
54 | | - | |
55 | | - | |
56 | | - | |
57 | | - | |
58 | | - | |
59 | | - | |
60 | | - | |
61 | | - | |
62 | | - | |
63 | | - | |
64 | | - | |
65 | | - | |
66 | | - | |
67 | | - | |
68 | | - | |
69 | | - | |
70 | | - | |
71 | | - | |
72 | | - | |
73 | | - | |
74 | | - | |
75 | | - | |
76 | | - | |
77 | | - | |
| 30 | + | |
78 | 31 | | |
79 | 32 | | |
80 | 33 | | |
81 | 34 | | |
82 | 35 | | |
83 | | - | |
| 36 | + | |
84 | 37 | | |
85 | 38 | | |
86 | 39 | | |
87 | 40 | | |
88 | 41 | | |
89 | | - | |
| 42 | + | |
90 | 43 | | |
91 | 44 | | |
92 | 45 | | |
93 | | - | |
| 46 | + | |
94 | 47 | | |
95 | | - | |
96 | | - | |
97 | | - | |
| 48 | + | |
98 | 49 | | |
99 | 50 | | |
100 | 51 | | |
101 | 52 | | |
102 | 53 | | |
103 | | - | |
| 54 | + | |
104 | 55 | | |
105 | 56 | | |
106 | 57 | | |
107 | 58 | | |
108 | 59 | | |
109 | | - | |
| 60 | + | |
110 | 61 | | |
111 | 62 | | |
112 | 63 | | |
113 | | - | |
| 64 | + | |
114 | 65 | | |
115 | | - | |
116 | | - | |
117 | | - | |
| 66 | + | |
118 | 67 | | |
119 | 68 | | |
120 | 69 | | |
121 | 70 | | |
122 | 71 | | |
123 | | - | |
| 72 | + | |
124 | 73 | | |
125 | 74 | | |
126 | 75 | | |
127 | 76 | | |
128 | 77 | | |
129 | | - | |
| 78 | + | |
130 | 79 | | |
131 | 80 | | |
132 | 81 | | |
133 | | - | |
| 82 | + | |
134 | 83 | | |
135 | | - | |
136 | | - | |
137 | | - | |
| 84 | + | |
138 | 85 | | |
139 | 86 | | |
140 | 87 | | |
141 | 88 | | |
142 | 89 | | |
143 | | - | |
| 90 | + | |
144 | 91 | | |
145 | 92 | | |
146 | 93 | | |
147 | 94 | | |
148 | 95 | | |
149 | | - | |
| 96 | + | |
150 | 97 | | |
151 | 98 | | |
152 | 99 | | |
153 | | - | |
| 100 | + | |
154 | 101 | | |
155 | | - | |
156 | | - | |
157 | | - | |
| 102 | + | |
158 | 103 | | |
159 | 104 | | |
160 | 105 | | |
161 | 106 | | |
162 | 107 | | |
163 | | - | |
| 108 | + | |
164 | 109 | | |
| 110 | + | |
165 | 111 | | |
166 | 112 | | |
167 | 113 | | |
168 | 114 | | |
169 | | - | |
| 115 | + | |
170 | 116 | | |
171 | 117 | | |
172 | 118 | | |
173 | | - | |
| 119 | + | |
174 | 120 | | |
175 | | - | |
176 | | - | |
177 | | - | |
| 121 | + | |
178 | 122 | | |
179 | 123 | | |
180 | 124 | | |
181 | 125 | | |
182 | 126 | | |
183 | | - | |
| 127 | + | |
184 | 128 | | |
185 | 129 | | |
186 | 130 | | |
187 | 131 | | |
188 | | - | |
189 | | - | |
190 | | - | |
191 | | - | |
192 | | - | |
193 | | - | |
194 | | - | |
195 | | - | |
196 | | - | |
197 | | - | |
198 | | - | |
199 | | - | |
200 | | - | |
201 | | - | |
202 | | - | |
203 | | - | |
204 | | - | |
205 | | - | |
206 | | - | |
207 | | - | |
208 | | - | |
209 | | - | |
210 | | - | |
211 | | - | |
212 | | - | |
213 | | - | |
214 | | - | |
215 | | - | |
216 | | - | |
217 | | - | |
218 | | - | |
219 | | - | |
220 | | - | |
221 | | - | |
222 | | - | |
223 | | - | |
224 | | - | |
225 | | - | |
226 | | - | |
227 | | - | |
228 | 132 | | |
229 | 133 | | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
This file was deleted.
This file was deleted.
This file was deleted.
This file was deleted.
This file was deleted.
This file was deleted.
0 commit comments