Homelab

I host many things on my own network, and avoid Big Tech’s services.

[Photo: front of server cabinet, a USystems EDGE 3 acoustic rack in my flat]

What’s running?

  • A mail cluster since 2019 that’s processed 150k+ emails
  • Half a terabyte of content in Nextcloud
  • This blog, with over 10,000 visitors a year
  • A Kubernetes grid running 90+ deployments
  • A VPN network linking three sites together
  • Loads of Grafana dashboards + plenty of monitoring
  • Home climate monitoring with homemade Pi Pico sensors
  • Daily backups taken to bare metal + offsite
  • AD FS to enforce 2FA + biometric logins everywhere

Aren’t you worried about security?

Yes, but Big Tech also gets hacked now and then. I spend a lot of effort on identity services and infosec.

Does it always work?

Nope. Two of my blog posts went viral on HN and it was hard to handle the traffic on a slow broadband line.

It was pretty stressful when this post took off. I went for a walk and realised my blog couldn’t load and was like “oh… it took off then.”

Fine, but why host email? That’s too complex, and high risk.

  1. Because it matters a lot to me (so all the more reason)
  2. It’s not that hard to keep running once stable
  3. There’s no SLA that today’s freemail providers will still exist in n years’ time

How did I get here?

  1. You asked your DNS resolver where blog.abctaylor.com is
  2. ns1.arcza.net or ns2.arcza.net (my public name servers) probably said it’s at 81.187.86.89, an IP in a /29 block I have from Andrews & Arnold
  3. A Cisco ISR accepted your packets, and sent you on toward a DMZ firewall
  4. The firewall allowed your traffic into the DMZ
  5. You hit a DMZ load balancer which did TLS with your browser
  6. Another firewall allowed the load balancer through to the core network, to a VM running NGINX, which generated this page