It’s time again, time to work on more home lab projects! Today, I’m focusing on security in the home lab, as well as uniquely moving some of your resources away from virtual machines and into containers. Here are three projects you can try in your homelab this weekend.
Skip the virtual machine and just deploy Kasm workspaces
Why spin up virtual machines when a browser-based OS is easier?
I will admit that I have a “test” virtual machine on my server that I spin up and down when I need to test something without breaking any other OS. This is the way I’ve always worked, and it’s worked well for me for years.
However, when I found out… Kasm workspacesEverything changed. Kasm is a project that I will self-publish this weekend.
What Kasm Workspaces does is provide you with small containers that look like a virtual machine that resides in your browser (and runs on your server). There are multiple operating systems (mostly Linux, though… He is Possible for Use Kasm with Windows virtual machines inside a container) to choose from, and you can also choose the way they behave.
For starters, you can have a “one-throw” session where you rotate the existing Kasm workspace just for that browsing session. The moment you close the window, the entire operating system you were using will disappear. This is great when you need to test things without destroying your environment, or if you really have to use that super-hard site to download something you probably shouldn’t.
Another way to use Kasm Workspaces is to have a virtual desktop that you can access through a browser anywhere. It can run programs like VS Code (or Antigravity), Audacity, or even Blender in a web browser. In fact, it runs in your home on your own server, but you can access the virtual machine from a web browser anywhere, making it very easy to program, design, or just get work done from any device with an Internet connection.
Setting up persistent sessions requires a little more work by enabling persistent profiles and setting a folder on your drive so Kasm knows where to store persistent information. However, once set up, you’re ready to go.
Protect your servers with bulk blacklists with CrowdSec
Fail2ban is great until new hackers come along.
Fail2ban is a staple in the homelab community for keeping bad actors off your servers. How Fail2ban works is by looking into your system logs and blocking IP addresses that try (and fail) to log into your system. This is great, don’t get me wrong, but it’s just the first layer of security.
CrowdSec Fail2ban takes it to the next level. If you’ve used Waze before, CrowdSec works this way. Instead of waiting for bad actors to try to break in, then In blocking them, CrowdSec is taking a different approach. The way CrowdSec works is it uses a collective list of bad actors and proactively blocks IP addresses before they can even try to log into your server.
Using this type of technology, CrowdSec can prevent a problem before it happens, rather than waiting for someone to try to break into your system and then just blocking them.
CrowdSec not only helps prevent brute force tactics, but also has more sophisticated strategies than Fail2ban, by focusing on behaviors like credit card stuffing, sabotage bots, and more.
Another thing CrowdSec does is have a proxy running on a primary server in your home, and then guards that can be run elsewhere, keeping everything in sync. So, you can run the agent on your primary device and run Sentinel on other devices at home.
The guard constantly communicates with the agent, asking which IP addresses it should allow or block. When the proxy detects a new bad actor, it tells all the guards on your network to block that IP address, keeping everything in sync.
It is simply a more powerful Fail2ban software, and should definitely be something every home worker runs in their software package.
Secure your home lab with Authentik
Stop fiddling with passwords and deploy your own single sign-on (SSO) solution.
I don’t know about you, but I have a lot One of the passwords I must remember in my home lab. Almost every service I run has its own login flow, with unique usernames and passwords. Although I remember most of them (or have them in my 1Password), sometimes it’s a little annoying to have to sign in to multiple things in a row. This is the place genuine Come.
Authentik is your homelab’s internal single sign-on solution. Simply place Authentik in front of your services (as with a reverse proxy) and Authentik will handle all your authentication. Sign in to Authentik, then Authentik will authenticate you for everything else.
Once you’re signed in to Authentik and set up in front of your services, your services will simply ask Authentik “Can I trust this person?” Authentik will respond either “yes” if you’re signed in, or “no” if you’re not.
This works well for apps that have their own built-in login pages, or apps that don’t have any built-in authentication at all. that it especially Useful for the second category, where an application should never be opened without authentication on the Internet through a reverse proxy.
Authentik also lets you set up two-factor authentication for a single service (Authentik) instead of having to set up two-factor authentication for every piece of software you deploy.
All in all, Authentik makes managing your home lab a much smoother experience once you get it up and running, as you won’t have to keep remembering all kinds of passwords or dealing with different forms of authentication anymore.
If you’re just starting out with a home lab, these projects may be a little advanced. Although my home lab has become one of the most useful things in my house, I certainly wasn’t going to start setting up my Authentik and Kasm workspaces.
First, I’ve made a list of several lessons I’ve learned while running a home lab over the past five years so you can avoid some of the same mistakes I made. Once you’re ready to not make those same mistakes, I’ve detailed all the major software I run in my home lab — from Plex to Pi-hole.