Debian 12 Homelab with Cosmos-Cloud
simple and intuitive
Summary
My goal is to have an easy-to-manage homelab with features like a media server, file hosting, some security applications such as an Intrusion Detection System, a KVM virtual machine server, and other tools to help with my studies, like a MySQL server.
I'm going to use Debian 12, as it's easy to set up and is compatible with everything I'm going to use.
Cosmos-Cloud can provide all of this, with easy provisioning and decommissioning of Docker instances; to install it you run a one-liner in the terminal on a fresh, up-to-date system. The recommended OS is Debian 12, as its stable releases are the ones tested by the developers.
Checklist
- Install Debian 12 w/ Cosmos-Cloud
- Configure HTTPS certificates
- [ ] Setup Cloudflare Zero-Trust
  - [ ] Cloudflared Tunnel
  - [ ] Reverse Proxy
- DNS Records
  - Add DNS for Cosmos-Cloud
- [ ] Firewall
- [ ] Docker Network
- Bridged Network Adapter (enps34 -> br0)
- Access Controls
  - Strict Password Policy & Account Policies
  - MFA Required
  - Region Lock (IP whitelist)
- Application Security
  - Apps only available when logged into Cosmos-Cloud
  - Apply the same password & account policies to an app if it has its own accounts
Network Layout
So I've got multiple zones to account for: the public Internet, the local network, and the host's internal networks such as Docker's and KVM's bridged, NAT and isolated networks.
Right now my server sits on the local network behind NAT, so I have to port-forward the HTTP and HTTPS traffic arriving at my router to the local machine in order to serve Cosmos-Cloud.
The Docker network is fine at its defaults, as I don't use the 172.16.0.0/12 range (172.16 to 172.31) for anything else on the network; the main thing is keeping the networks Docker creates organised.
I'll turn my network adapter into a bridged adapter so my virtual machines can sit on the physical network in my house. This lets me port-forward applications to them, or run other servers for programs I don't want on the hypervisor and that can't (easily) run in a container, like a Snort server.
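As an added example (not from this post or from Cosmos-Cloud), here are the two files on the Debian host that carry this layout: an ifupdown stanza that makes enps34 a port of br0 so the host and its KVM guests share the physical LAN, and a Docker daemon.json that keeps every Docker network inside one known slice of 172.16.0.0/12. The interface names come from the checklist; the LAN addresses (192.168.1.0/24, host .10, gateway .1) and the Docker pool 172.20.0.0/16 are assumptions to adjust for your own network.

```shell
#!/bin/sh
# Added example, not part of the original post or of Cosmos-Cloud.
# Renders (and with --apply, installs) the two config files behind the network layout:
#  1. an ifupdown stanza making enps34 a port of bridge br0, so the host and its KVM
#     guests share the physical LAN (interface names come from the post);
#  2. a Docker daemon.json that keeps every Docker network inside a known slice of
#     172.16.0.0/12 so it never collides with the LAN or the VMs.
# Assumed values (not from the post): LAN 192.168.1.0/24, host .10, gateway .1,
# Docker user networks carved as /24s out of 172.20.0.0/16.
NIC="${NIC:-enps34}"
BRIDGE="${BRIDGE:-br0}"
HOST_ADDR="${HOST_ADDR:-192.168.1.10/24}"
GATEWAY="${GATEWAY:-192.168.1.1}"

# /etc/network/interfaces.d/br0: the NIC keeps no address of its own; br0 carries the
# host address and is what `virt-install --network bridge=br0` attaches guests to.
bridge_config() {
  cat <<EOF
auto $NIC
iface $NIC inet manual

auto $BRIDGE
iface $BRIDGE inet static
    address $HOST_ADDR
    gateway $GATEWAY
    bridge_ports $NIC
    bridge_stp off
    bridge_fd 0
EOF
}

# /etc/docker/daemon.json: docker0 stays on 172.17.0.0/16 and every
# `docker network create` / compose project gets the next free /24 from 172.20.0.0/16.
docker_daemon_json() {
  cat <<EOF
{
  "bip": "172.17.0.1/16",
  "default-address-pools": [
    { "base": "172.20.0.0/16", "size": 24 }
  ]
}
EOF
}

# Install both files and list the manual steps that still remain.
apply() {
  bridge_config > "/etc/network/interfaces.d/$BRIDGE"
  install -d /etc/docker
  docker_daemon_json > /etc/docker/daemon.json
  cat <<EOF
Written. Remaining manual steps:
  - remove the old "iface $NIC inet dhcp" stanza from /etc/network/interfaces
  - apt install bridge-utils && ifup $BRIDGE && systemctl restart docker
  - Docker sets the iptables FORWARD policy to DROP and loads br_netfilter, which can
    silently drop traffic bridged through $BRIDGE between VMs and the LAN; allow it with:
      iptables -I DOCKER-USER -i $BRIDGE -o $BRIDGE -j ACCEPT
EOF
}

# Usage: sh netlayout.sh          (dry run, prints both files)
#        sudo sh netlayout.sh --apply
if [ "${1:-}" = "--apply" ]; then
  apply
else
  bridge_config
  echo
  docker_daemon_json
fi
```

Run it without arguments first and compare the output with what the Debian installer left in /etc/network/interfaces; the old DHCP stanza for the NIC must go, or ifupdown will try to configure the same interface twice. The DOCKER-USER rule matters because Docker's firewall rules otherwise apply to frames bridged across br0, which is the usual reason a freshly bridged VM can reach the host but not the rest of the LAN.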
Let’s Encrypt and Cloudflare DNS
Cosmos-Cloud comes with a tool that lets you easily obtain Let's Encrypt HTTPS certificates. At first I didn't realise that when you point your DNS A record at your server and proxy it through Cloudflare, Cloudflare tries its hardest to use its own certificates. So I had to disable the proxy feature and turn TLS off on Cloudflare, as the site wouldn't load while I had both the Let's Encrypt certificate on the server and anything but the Off setting for TLS on Cloudflare.
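The quickest way to see which of the two certificates the world is actually getting is to ask for it from outside the LAN. The script below is an added example (not from this post or from Cosmos-Cloud): it fetches the leaf certificate a hostname serves and classifies its issuer, so you can tell an orange-cloud (proxied) record, where Cloudflare's edge certificate answers, from a grey-cloud (DNS only) record, where your own Let's Encrypt certificate answers. It also states what each result means for Cloudflare's SSL/TLS encryption mode: Flexible sends plain HTTP from Cloudflare to the origin, Full encrypts but accepts any origin certificate, and Full (strict) is the only mode that actually verifies the Let's Encrypt certificate on the origin. cosmos.example.com is an assumed placeholder hostname.

```shell
#!/bin/sh
# Added example, not part of the original post or of Cosmos-Cloud.
# Classifies the certificate a hostname serves on :443 so you can see whether
# Cloudflare's proxy is terminating TLS in front of your Let's Encrypt origin cert.
# cosmos.example.com in the usage line is an assumed placeholder.

# Map the "issuer=..." line printed by `openssl x509 -noout -issuer` to who terminated TLS.
classify_issuer() {
  case "$1" in
    *"Let's Encrypt"*) echo "origin-letsencrypt" ;;  # your own cert: record is DNS-only (grey cloud)
    *Cloudflare*)      echo "cloudflare-edge" ;;     # Cloudflare's edge cert: proxy (orange cloud) is on
    *)                 echo "other" ;;
  esac
}

# What each result means for the Cloudflare SSL/TLS encryption mode.
advice_for() {
  case "$1" in
    origin-letsencrypt)
      echo "Clients reach the origin directly; the Cloudflare TLS mode is not in the path." ;;
    cloudflare-edge)
      echo "Cloudflare terminates TLS. Set the mode to Full (strict): Flexible talks plain HTTP to the origin and Full accepts any origin certificate." ;;
    *)
      echo "Unexpected issuer; check the DNS record and the certificate installed on the origin." ;;
  esac
}

# Live check (needs network): fetch the leaf certificate served for $1 and classify it.
check_served_cert() {
  host="$1"
  issuer=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
           | openssl x509 -noout -issuer 2>/dev/null)
  kind=$(classify_issuer "$issuer")
  echo "$host: $kind ($issuer)"
  advice_for "$kind"
}

# Usage: sh check_cert.sh cosmos.example.com
if [ $# -gt 0 ]; then
  check_served_cert "$1"
fi
```

Run it from a machine outside your network (or over mobile data), because from inside the LAN a split-horizon DNS entry or NAT hairpin can hand you the origin certificate even when the public record is proxied.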
I'm planning on using something like a Cloudflare Zero Trust tunnel instead, as I don't like having my IP address pointed at by a single public DNS record, even though that setup does give me a legitimate, secure connection across the internet.
DNS is a handful.