Homelab

This post is a guide for tech people who want to keep track of their personal data for free and have remote access to it.

Requirements

  • An internet connection with access to DHCP settings
  • A linux low power device like a Raspberry Pi 4 (used in this tutorial)
  • A hard drive to store your data, connected to your device

Disk & Fstab

Prepare the data storage to be auto-mounted at system startup, with the right permissions.

Create a Linux group for the users who need access to the same data and note its gid (1001 in this tutorial):

sudo groupadd homelab
getent group homelab # 1001
  • Create the folder to mount the disk: sudo mkdir -p /var/www/webdav
  • Note the disk UUID with lsblk -f (67B8386472AFC717 in this tutorial)
  • Use fstab to add descriptive information about the filesystems the system can mount. Add this line at the end of /etc/fstab:
UUID=67B8386472AFC717 /var/www/webdav     ntfs    defaults,uid=33,gid=1001,fmask=0113,dmask=0002          0       0

Now, at system startup or when running mount -a, the disk is mounted at /var/www/webdav as the www-data user and the homelab group, with read and write access for the owner and the group.
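To see exactly which permission bits the fmask and dmask options leave in place, here is an added example (not part of the original post) that decodes the fstab line above. It assumes the usual NTFS mount semantics, where each mask clears bits from 0777; the function names and the tighter comparison line are constructed for illustration.

```sh
#!/bin/sh
# The fstab entry from this tutorial, plus a constructed tighter variant for comparison.
TUTORIAL='UUID=67B8386472AFC717 /var/www/webdav ntfs defaults,uid=33,gid=1001,fmask=0113,dmask=0002 0 0'
TIGHTER='UUID=67B8386472AFC717 /var/www/webdav ntfs defaults,uid=33,gid=1001,fmask=0117,dmask=0007 0 0'

# opt_value LINE KEY -> value of KEY= in the options (4th) field, empty when absent
opt_value() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (index(opts[i], key "=") == 1) print substr(opts[i], length(key) + 2)
    }'
}

# effective_mode MASK -> octal mode that remains once MASK is cleared from 0777
effective_mode() {
    printf '%04o\n' $(( 0777 & ~0${1:-0} ))
}

# rwx BITS -> symbolic form of one permission triplet (0-7)
rwx() {
    r=-; w=-; x=-
    [ $(( $1 & 4 )) -ne 0 ] && r=r
    [ $(( $1 & 2 )) -ne 0 ] && w=w
    [ $(( $1 & 1 )) -ne 0 ] && x=x
    printf '%s%s%s\n' "$r" "$w" "$x"
}

# mount_report LINE -> "files=MODE dirs=MODE other=FILEBITS/DIRBITS"
# "other" is what local accounts outside www-data and the homelab group get.
mount_report() {
    f=$(effective_mode "$(opt_value "$1" fmask)")
    d=$(effective_mode "$(opt_value "$1" dmask)")
    printf 'files=%s dirs=%s other=%s/%s\n' "$f" "$d" \
        "$(rwx $(( 0$f & 7 )))" "$(rwx $(( 0$d & 7 )))"
}

mount_report "$TUTORIAL"
mount_report "$TIGHTER"
```

With the tutorial's masks, accounts outside the owner and group can still read files and list directories; the constructed variant removes that access while keeping read and write for www-data and homelab.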

Homelab DNS & Dnsmasq

  • On your DHCP server, assign a fixed IP address to your Raspberry Pi (192.168.1.2 in the rest of this tutorial).
  • Create your own lightweight caching DNS server with Dnsmasq by putting the configuration below in /etc/dnsmasq.conf. It contains the fixed IP address and a local domain name, home.arpa.
  • Make sure clients use dnsmasq as their DNS. The config is useless if devices are using their own DNS (e.g. DHCP-assigned 192.168.1.1 pointing elsewhere). Configure your router’s DHCP to advertise the IP running dnsmasq (192.168.1.2 in that case).
# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv

# If you don't want dnsmasq to read /etc/resolv.conf or any other
# file, getting its servers from this file instead (see below).
no-resolv

# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
# files for changes and re-read.
no-poll

# Add other name servers here, with domain specs if they are for
# non-public domains.
server=1.1.1.1
server=9.9.9.9

# Add local-only domains here, queries in these domains are answered
# from /etc/hosts or DHCP only.
local=/home.arpa/

# Add domains which you want to force to an IP address here.
# The line below sends dav.home.arpa (and any name under it) to the
# homelab web server.
address=/dav.home.arpa/192.168.1.2

# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=wlan0
interface=eth0

# On systems which support it, dnsmasq binds the wildcard address,
# even when it is listening on only some interfaces. It then discards
# requests that it shouldn't reply to. This has the advantage of
# working even when interfaces come and go and change address. If you
# want dnsmasq to really bind only the interfaces it is listening on,
# uncomment this option. About the only time you may need this is when
# running another nameserver on the same machine.
bind-interfaces
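The configuration above decides which lookups are answered on the Raspberry Pi and which are sent to 1.1.1.1 and 9.9.9.9. The following added example (not part of the original post) is a simplified model of that decision covering only domain-needed, local= and address=, on the assumption that the most specific matching domain wins; classify is a hypothetical helper name.

```sh
#!/bin/sh
# Constructed sample: the resolution-related lines of the dnsmasq.conf above.
DNSMASQ_CONF='domain-needed
server=1.1.1.1
server=9.9.9.9
local=/home.arpa/
address=/dav.home.arpa/192.168.1.2'

# classify NAME -> "answer IP", "local-only" (never sent upstream) or "forward"
classify() {
    printf '%s\n' "$DNSMASQ_CONF" | awk -v q="$1" '
        # true when q is dom itself or a name underneath it
        function covers(dom) {
            return q == dom || (length(q) > length(dom) &&
                   substr(q, length(q) - length(dom)) == "." dom)
        }
        /^domain-needed/ { need = 1 }
        /^(local|address)=\// {
            split($0, f, "/")            # f[2] = domain, f[3] = IP (empty for local=)
            if (covers(f[2]) && length(f[2]) > best) { best = length(f[2]); ip = f[3]; hit = 1 }
        }
        END {
            if (hit && ip != "")                 print "answer " ip
            else if (hit)                        print "local-only"
            else if (need && index(q, ".") == 0) print "local-only"
            else                                 print "forward"
        }'
}

for name in dav.home.arpa nas.home.arpa printer example.com; do
    printf '%-16s %s\n' "$name" "$(classify "$name")"
done
```

On a live setup, the same names can be checked against the running server with a DNS lookup tool pointed at 192.168.1.2.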

Apache

Install Apache2

sudo apt update && sudo apt upgrade -y
sudo apt install apache2

Then add the www-data user to the homelab group: sudo usermod -aG homelab www-data

Security SSL & mkcert

Install mkcert, a tool for making locally-trusted development certificates, using the method that fits your device. Then run the commands below to create a wildcard certificate for your installation.

mkcert -install
mkcert "*.home.arpa"
sudo mkdir -p /etc/apache2/ssl
sudo mv _wildcard.home.arpa.pem /etc/apache2/ssl/home.arpa.crt
sudo mv _wildcard.home.arpa-key.pem /etc/apache2/ssl/home.arpa.key

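Here’s how to configure remote devices to trust the certificate. The file to install on them is the mkcert root CA, rootCA.pem; its private key, rootCA-key.pem, stays on the machine that ran mkcert.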

| Client | How to trust |
| --- | --- |
| Linux | Copy to /usr/local/share/ca-certificates/homelab.crt, run sudo update-ca-certificates |
| Fedora | sudo cp ~/.local/share/mkcert/rootCA.pem /etc/pki/ca-trust/source/anchors/homelab-mkcert.crt, sudo update-ca-trust |
| macOS | Double-click the .pem, add to Keychain, set to “Always Trust” |
| Windows | Double-click → Install → “Trusted Root Certification Authorities” |
| Android/iOS | Email or serve the .pem file, install via device settings |
| Firefox | Settings → Privacy → View Certificates → Import |

Webdav server

Now that the storage, the network and the SSL certificates are configured, we can deploy a lightweight WebDAV server with Apache2. All Apache2 configuration files are in /etc/apache2/

  • Disable default site: sudo a2dissite 000-default.conf
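  • Create a password file (-c creates the file; replace <username> with the account name you want): sudo htpasswd -c /usr/local/apache/var/user.passwd <username>
  • Create a new webdav site with sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/webdav.conf, then replace its content with the configuration below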
DavLockDB /usr/local/apache/var/DavLock

# Redirect HTTP → HTTPS
<VirtualHost *:80>
    ServerName dav.home.arpa
    Redirect permanent / https://dav.home.arpa/
</VirtualHost>

<VirtualHost *:443>
    ServerName dav.home.arpa
    DocumentRoot /var/www/webdav

    # Security using SSL
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/home.arpa.crt
    SSLCertificateKeyFile /etc/apache2/ssl/home.arpa.key

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Directory where data will be stored + user authentication
    <Directory /var/www/webdav>
        DAV On
        AllowOverride None
        AuthType Basic
        AuthName DAV
        AuthUserFile "/usr/local/apache/var/user.passwd"
        Require valid-user
    </Directory>
</VirtualHost>
  • Enable the Apache modules used: sudo a2enmod dav dav_fs ssl auth_basic authn_file authz_user
  • Enable the site: sudo a2ensite webdav.conf
  • Reload the configuration: sudo apache2ctl configtest && sudo systemctl reload apache2

External Access & Netbird

  • Install Netbird on Linux devices
curl -fsSL https://pkgs.netbird.io/install.sh | sh
netbird up
  • Update /etc/dnsmasq.conf with
interface=wt0
  • Configure DNS on the netbird UI. Add a nameserver pointing to the local DNS server. Add a DNS A zone pointing dav.home.arpa to the netbird IP address of your webdav server

CalDAV & CardDAV & Radicale

Now we will install a server to handle calendars and contacts. For that we will use Radicale, a small but powerful CalDAV (calendars, to-do lists) and CardDAV (contacts) server.

  • Install radicale: sudo apt update && sudo apt install radicale
  • Then add the radicale user to the homelab group: sudo usermod -aG homelab radicale
  • Put the configuration below in /etc/radicale/config
[server]
# CalDAV server hostnames separated by a comma
# IPv4 syntax: address:port
# IPv6 syntax: [address]:port
# Hostname syntax (using "getaddrinfo" to resolve to IPv4/IPv6 address(es)): hostname:port
# For example: 0.0.0.0:9999, [::]:9999, localhost:9999
hosts = 127.0.0.1:5232

[storage]
filesystem_root = /var/www/webdav/radicale

[auth]
type = http_x_remote_user

[logging]
# Threshold for the logger
# Value: debug | info | warning | error | critical
level = info
  • Override the default radicale service with sudo systemctl edit radicale so that it can write to the data storage, and add
[Service]
ReadWritePaths=/var/www/webdav/radicale
  • Enable and start the service sudo systemctl enable radicale && sudo systemctl start radicale

  • Update /etc/dnsmasq.conf with the line below, then run sudo systemctl restart dnsmasq

address=/radicale.home.arpa/192.168.1.2
  • Create the Radicale storage directory:
    sudo mkdir /var/www/webdav/radicale
    sudo chown www-data:homelab /var/www/webdav/radicale
  • Create an apache site /etc/apache2/sites-available/radicale.conf with the configuration below
    <VirtualHost *:80>
        ServerName radicale.home.arpa
        Redirect permanent / https://radicale.home.arpa/
    </VirtualHost>

    <VirtualHost *:443>
        ServerName radicale.home.arpa

        SSLEngine on
        SSLCertificateFile    /etc/apache2/ssl/home.arpa.crt
        SSLCertificateKeyFile /etc/apache2/ssl/home.arpa.key

        ErrorLog ${APACHE_LOG_DIR}/radicale-error.log
        CustomLog ${APACHE_LOG_DIR}/radicale-access.log combined

        <Location />
            AuthType Basic
            AuthName CalDAV
            AuthUserFile "/usr/local/apache/var/user.passwd"
            Require valid-user

            ProxyPass        http://127.0.0.1:5232/ retry=0
            ProxyPassReverse http://127.0.0.1:5232/
            RequestHeader set X-Script-Name /
            RequestHeader set X-Forwarded-Proto https
            RequestHeader set X-Remote-User "%{REMOTE_USER}s"
        </Location>
    </VirtualHost>
  • Enable the radicale site:
sudo a2enmod proxy proxy_http headers
sudo a2ensite radicale.conf
sudo apache2ctl configtest && sudo systemctl reload apache2
  • Update the Netbird DNS so that radicale.home.arpa points to the netbird IP address of your server
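With type = http_x_remote_user, Radicale accepts whatever user name arrives in the X-Remote-User header, so the setup is only as strong as two conditions: Radicale listens on loopback only, and Apache authenticates the request and overwrites that header itself. The following added example (not part of the original post) checks both on trimmed copies of the two configurations; the function names are hypothetical.

```sh
#!/bin/sh
# Constructed samples, trimmed from the two configs in this tutorial.
RADICALE_CONF='[server]
hosts = 127.0.0.1:5232
[auth]
type = http_x_remote_user'
APACHE_LOCATION='<Location />
    Require valid-user
    ProxyPass http://127.0.0.1:5232/ retry=0
    RequestHeader set X-Remote-User "%{REMOTE_USER}s"
</Location>'

# ini_get TEXT SECTION KEY -> value of KEY inside [SECTION]
ini_get() {
    printf '%s\n' "$1" | awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*#/ { next }
        /^\[/      { cur = $0; next }
        cur == sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) print v
        }'
}

# loopback_only HOSTS -> success when every listener is a loopback address
loopback_only() {
    for h in $(printf '%s' "$1" | tr ',' ' '); do
        case $h in
            127.*|localhost:*|'[::1]:'*) ;;
            *) return 1 ;;
        esac
    done
}

# audit RADICALE_TEXT APACHE_TEXT -> one line per finding, nothing when clean
audit() {
    [ "$(ini_get "$1" auth type)" = http_x_remote_user ] || return 0
    loopback_only "$(ini_get "$1" server hosts)" ||
        echo "radicale trusts X-Remote-User but listens beyond loopback"
    # "set" replaces whatever the client sent; other actions may keep it
    printf '%s\n' "$2" | grep -Eiq 'RequestHeader[[:space:]]+set[[:space:]]+X-Remote-User' ||
        echo "apache does not overwrite a client-supplied X-Remote-User"
    printf '%s\n' "$2" | grep -Eiq 'Require[[:space:]]+valid-user' ||
        echo "proxy location does not require an authenticated user"
}

findings=$(audit "$RADICALE_CONF" "$APACHE_LOCATION")
printf '%s\n' "${findings:-no findings}"
```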

Misc

Mount a disk on your filesystem by hand:

lsblk -f
sudo mount /dev/sda /mnt/webdav
sudo umount /mnt/webdav

Conclusion

I’m happy to share this tutorial with you. I won’t go into detail with the explanations, but if anyone needs them, I’d be happy to provide them by updating this tutorial. See you.
