It all depends on how you want to homelab.

I was into low power homelabbing for a while - half a dozen Raspberry Pis - and it was great. But I’m an incessant tinkerer. I like to experiment with new tech all the time, and am always cloning various repos to try out new stuff. I was reaching a limit with how much I could achieve with just Docker alone, and I really wanted to virtualise my firewall/router. There were other drivers too. I wanted to cut the streaming cord, and saving that monthly spend helped justify what came next.

I bought a pair of ex enterprise servers (HP DL360s) and jumped into Proxmox. I now have an OPNsense VM for my firewall/router, and host over 40 Proxmox CTs, running (at a guess) around 60-70 different services across them.

I love it, because Proxmox gives me full separation of each service. Each one has its own CT. Think of that as me running dozens of Raspberry Pis, without the headache of managing all that hardware. On top of that, Docker gives me complete portability and recoverability. I can move services around quite easily, and can update/rollback with ease.

Finally, the combination of the two gives me a huge advantage over bare metal for rapid prototyping.

Let’s say there’s a new contender that competes with Immich. They offer the promise of a really cool feature no one else has thought of in a self-hosted personal photo library. I have Immich hosted on a CT, using Docker, and hiding behind Nginx Proxy Manager (also on a CT), accessible via photos.domain on my home network.

I can spin up a Proxmox CT from my custom Debian template, use my Ansible playbook to provision Docker and all the other bits, access it in Portainer and spin up the latest and greatest Immich competitor, all within mere minutes. Like, literally 10 minutes max.

I have a play with the competitor for a bit. If I don’t like it, I just delete the CT and move on. If I do, I can point my photos.domain hostname (via Nginx Proxy Manager) to the new service and start using it full-time. Importantly, I can still keep my original Immich CT in place - maybe shutdown, maybe not - just in case I discover something I don’t like about the new kid on the block.

That’s a simplified example, but hopefully illustrates at least what I get out of using Proxmox the way I do.

The cons for me is the cost. Initial cost of hardware, and the cost of powering beefier kit like this. I’m about to invest in some decent centralised storage (been surviving with a couple li’l ARM-based NASes) to I can get true HA with my OPNsense firewall (and a few other services), so that’s more cost again.

I’ve written my wiki so that, if I end up shuffling off this mortal coil, my wife can give access to one of my brothers and they can help her by unpicking all the smart home stuff.

I’m using self hosted wiki.js and draw.io. Works a treat, and trivial to backup with everything in Postgres.

It doesn’t have to be hard - you just need to think methodically through each of your services and assess the cost of creating/storing the backup strategy you want versus the cost (in time, effort, inconvenience, etc) if you had to rebuild it from scratch.

For me, that means my photo and video library (currently Immich) and my digital records (Paperless) are backed up using a 2N+C strategy: a copy on each of 2 NASes locally, and another copy stored in the cloud.

Ditto for backups of my important homelab data. I have some important services (like Home Assistant, Node-RED, etc) that push their configs into a personal Gitlab instance each time there’s a change. So, I simply back that Gitlab instance up using the same strategy. It’s mainly raw text in files and a small database of git metadata, so it all compresses really nicely.

For other services/data that I’m less attached to, I only backup the metadata.

Say, for example, I’m hosting a media library that might replace my personal use of services that rhyme with “GetDicks” and “Slime Video”. I won’t necessarily backup the media files themselves - that would take way more space than I’m prepared to pay for. But I do backup the databases for that service that tells me what media files I had, and even the exact name of the media files when I “found” them.

In a total loss of all local data, even though the inconvenience factor would be quite high, the cost of storing backups would far outweigh that. Using the metadata I do backup, I could theoretically just set about rebuilding the media library from there. If I were hosting something like that, that is…

Cheers mate - no doubt I would’ve scratched my head for a bit when I do my weekly container updates tomorrow.

lol - I’m the same, and frequently wonder if I’m allowing tech debt to creep in. My last update took me to 8.0.3, and that was only because I built a new node and couldn’t get an older version for the architecture I wanted to run it on.

I just have a one-liner in crontab that keeps the last 7 nightly database dumps. That destination location is on one my my NASes, which rclones everything to my secondary NAS and an S3 bucket.

ls -tp /storage/proxmox-data/paperless/backups/*.sql.gz | grep -v '/$' | tail -n +7 | xargs -I {} rm -- {}; docker exec -t paperless-db-1 pg_dumpall -c -U paperless | gzip > /storage/proxmox-data/paperless/backups/paperless_$( date +\%Y\%m\%d )T$( date +\%H\%M\%S ).sql.gz

Yep - they introduced paid subscription tiers and put multi-user support into those: https://www.photoprism.app/editions#compare

You do need to be able to reach your public IP to be able to VPN back in. I have a static IP, so no real concerns there. But, even if I didn’t, I have a Python script that updates a Route53 DNS record for me in my own domain - a self-hosted dynamic DNS really.

You certainly can run Wireguard server in a docker container - the good folks over at Linuxserver have just the repo for you.

General rule of thumb for me is, if LPL can’t open it in 30 seconds or less, I’m probably safe from most of the fuckwits that live in my area.

This may take us down a bit of a rabbit hole but, generally speaking, it comes down to how you route traffic.

My firewall has an always-on VPN connected to Mullvad. When certain servers (that I specify) connect to the outside, I use routing rules to ensure those connections go via the VPN tunnel. Those routes are only for connectivity to outside (non-LAN) addresses.

At the same time, I host a server inside that accepts incoming Wireguard client VPN connections. Once I’m connected (with my phone) to that server, my phone appears as an internal client. So the routing rules for Mullvad don’t apply - the servers are simply responding back to a LAN address.

I hope that explains it a bit better - I’m not aware of your level of networking knowledge, so I’m trying not to over-complicate just yet.

Yeah, this is why I jumped ship to Immich last year. I was donating to PP, with the understanding that donating users would get access to multi-user features when they happened.

Then they put them behind a paid recurring subscription. For self-hosted users. That move broke all the trust with me.

Mullvad is great for outbound VPN, but inbound is a PITA without port forwarding (as you’ve said). I just host a Wireguard container for inbound connectivity now, and it works flawlessly.

I use an ESP32 board as a wifi-based proxy for the BT temp sensors on my barbecue. Works a treat! It’s doable in esphome, so easily plugs into HA.

Details here: https://esphome.io/components/sensor/inkbird_ibsth1_mini.html

I’ve been thinking about exactly the same problem.

We want to give our near-10yo daughter her first phone, but she’s not allowed to have it at school. She’s also getting to the point where she can be trusted at home for an hour or so before one of us gets home from work, so I also need a presence detection method that doesn’t use a mobile phone.

My best theoretical solutions are like those already suggested here: an ESP32 BT proxy detecting a homebrew BLE beacon in her school bag, or detect activity on her iPad/the TV. But neither of those are reliable for all scenarios - she obviously doesn’t take her school bag to her friend’s house, and doesn’t always use her iPad or the TV.

The only other thing I’m pondering is if I could setup facial recognition using our video doorbell. I use Frigate with a Coral TPU, so hoping there’s a project out there that could possibly do that.

Don’t be a dick, mate. Engage just a little bit of critical thinking before calling people names like that.

By law where I am, our kids aren’t allowed to have their phones at school. My daughter’s school’s policy, then, is that phones are left at the school office.

We want to give our soon-to-be 10yo daughter her first phone later this year (times with a planned family trip, so it can be her new camera as well). But if she takes it to school and has to leave it at the office, I can guarantee she’ll absolutely forget on more than one occasion to pick it up before coming home.

So, her phone will have to stay home. But we’re also getting to the point where she can be trusted to let herself in and wait for one of us to get home (like OP, maybe an hour or so). So a presence detection option can’t be based on whether the phone has moved into the geo zone in HA.

This is a legitimate question for modern parents. Denigrating OP without knowing or understanding all the facts certainly does shine a light on ignorance at play here. Just not OP’s ignorance.

increasingly uncomfortable with paying forever

And paying more and more as time goes on. The thing that shits me the most is the increased prices but decreased range/quality of content. That’s clearly not a business model aimed at customer satisfaction.

For my wife, I have a separate library folder, mapped to just her account in Plex. It doesn’t appear in my library at all, so I don’t really care. Even better, I’ve spun up an Overseerr instance for her, so she can just search and auto-add anything she wants for herself.

• Phone: yoda
• Desktop: bb8
• Firewall: c3po
• Switch: macewindu
• NASes:
  • anakin
  • r2d2
• Wireless APs:
  • biggs
  • garven
  • poe
  • typho
  • thane
  • wedge (virtual controller)
• Proxmox nodes:
  • chewy
  • hansolo
  • obiwan
• Raspberry PIs:
  • bobafett
  • lando
  • jangofett
  • quigon
  • rey
  • finn

Not heaps, although I should probably do more than I do. Generally speaking, on Saturday mornings:

• Between 2am-4am, Watchtower on all my docker hosts pulls updated images for my containers, and notifies me via Slack then, over coffee when I get up:
  • For containers I don’t care about, Watchtower auto-updates them as well, at which point I simply check the service is running and purge the old images
  • For mission-critical containers (Pi-hole, Home Assistant, etc), I manually update the containers and verify functionality, before purging old images
• I then check for updates on my OPNsense firewall, and do a controlled update if required (needs me to jump onto a specific wireless SSID to be able to do so)
• Finally, my two internet-facing hosts (Nginx reverse proxy and Wireguard VPN server) auto-update their OS and packages using unattended-upgrades, so I test inbound functionality on those

What I still want to do is develop some Ansible playbooks to deploy unattended-upgrades across my fleet (~40ish Debian/docker LXCs). I fear I have some tech debt growing on those hosts, but have fallen into the convenient trap of knowing my internet-facing gear is the always up to date, and I can be lazy about the rest.