VM environment installation blog
2nd round - this time with documentation...
The goals of this blog are to:
- Share my experiences.
- Document my work.
- Get feedback on what I could do better.
Send me an email at email@example.com if it looks like I screwed up, if you think my setup is a security nightmare, or if you have any other comments.
SuperMicro CSE-815 1U rack mounted server
SuperMicro motherboard X9DRi-LN4F+
2x Intel Xeon E5-2660 v2, 2x10 physical cores, 40 threads
24x 16GB DDR3-1333 PC3L-10600R RDIMMs
2x 6TB WDC WD60EZRZ-11T
1TB Samsung SSD 840
NVIDIA GeForce GTX 1050 Ti
Massive overkill, I know, but I ended up with a lot of RAM that was going to be scrapped, so I figured I'd set up a homelab to learn.
The server is housed in a 1U SuperMicro CSE-815 case with 2 of the 4 HDD caddies filled and the 2.5" SSD tucked away inside the case.
The server is physically colocated with the good people of serverius.net for €52,60/month, with 2 extra IPv4 addresses, 1A/230V, 1 Gbit unmetered* and separate IPMI access.
*fair use, etc, etc - not going to be your seedbox or CDN basically.
As this is a rebuild from scratch I have a few goals in mind.
- ✓ Proxmox Virtualization Environment (PVE) 5.3
- ✓ LVM SSD storage for most VM OS drives, since block-based storage is very straightforward in Proxmox.
- ✓ ZFS mirrored spinning platters for slower data storage, including backups, ISOs and lower-priority machines.
- ✓ Management of all networking through a virtualized firewall appliance - I like pfSense and Sophos UTM - and will go with Sophos for this build because of the polished interface/management, including the Web Application Firewall (WAF), VPN ease of use and built-in Let's Encrypt HTTPS certificate management (since release 9.6). No machine will connect directly to the internet except the firewall and the Proxmox host.
- ✓ Default CentOS 7 VMs - build an easy-to-deploy template with a post-clone config script.
- ✓ An LDAP/DNS server to manage users and DNS on my network - I'm going with FreeIPA, the upstream version of Redhat's IDM, since it's basically the go-to option if you work with Redhat products.
- ✓ A Guacamole HTML5 remote desktop server to access my setup from any location with port 443 open
- ✓ A Nextcloud server with proper HTTPS + mobile app access for cloud features (boo Dropbox for removing support for most Linux filesystems)
- ✓ A fileserver to store backups and Nextcloud data
- ✓ A game streaming server - I installed a GTX 1050 Ti since it was at the time the most powerful GPU without extra power headers that would fit in my 1U case. NVIDIA deliberately tries to block GPU passthrough on their consumer cards, which often ends with Windows reporting the generic Error 43 on the device, but AMD does not currently have the same game streaming abilities, and that left me no choice. Steam and NVIDIA GameStream + Moonlight will be explored.
- ✓ An Ubuntu Desktop that I can reach from anywhere through the Guacamole server - will consider Fedora instead
- ✓ A diskless VM that boots directly into Tails - a Linux live distro built around anonymity featuring the Tor browser - for when I want to google STD symptoms without Google or anyone else adding that to their profile of me.
- ✓ VPN server setup so I can tunnel in when using unsecured public wifi or when I need to get around blocked ports.
- ✓ Regular scheduled backups of all machines
- ✓ A network monitoring service like Smokeping with pretty latency graphs
- Katello/Foreman for managing updates of all CentOS machines (and explore Debian functionality)
- [WIP] An Ansible/AWX (Ansible Tower) machine to automate configuration management.
- [WIP] A Gogs git server for private git repos, including ansible playbooks
- A Wiki to document my projects
- A flat/simple blog cms without a big juicy exploit target painted on the back (Grav looks promising)
- A taskwarrior taskserver (maybe)
- A Windows Server 2012 R2 machine for whenever I need to test Windows Server features, since I have a license for it.
- Alarm/notification emails
- An IPv6 capable desktop for testing IPv6 - possibly just the Ubuntu desktop I'll be setting up.
- Set up a DMZ network to host some web-facing gaming servers
I will use lan.example.com as the subdomain for my network in all examples. On my actual network I use a domain I own, with the same lan subdomain as shown in the examples.
Likewise, I will show 123.123.x.x wherever my external IP addresses appear in examples.
I will use 3 external IP addresses - one for the server's IPMI (optional), one for the Proxmox VM host, and one for the firewall, which can front any number of outward-facing services on that single address. Following this guide therefore assumes you have at least 2 available IP addresses (3 if you want IPMI reachable directly).
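To make the addressing plan concrete, here is what the host side of that layout looks like on a Proxmox 5.x host. This is an added illustration, not a config file from the original post: the interface name enp2s0f0, the placeholder addresses 123.123.1.10 (host) and 123.123.1.1 (colo gateway) and the /24 mask are assumptions following the 123.123.x.x convention above, and the real values come from the colo provider. The point is that only vmbr0 (the public-facing bridge) carries an IP on the host, while vmbr1 (the internal LAN every other VM lives on) has no host address and no physical port, so the firewall VM is the only path between the two.

```text
# /etc/network/interfaces on the Proxmox host (added example, addresses are placeholders)
auto lo
iface lo inet loopback

# Physical NIC cabled to the colo switch; no address on the NIC itself
iface enp2s0f0 inet manual

# Public-facing bridge: carries the host's own external IP.
# The firewall VM's WAN interface (net0) also attaches here and
# is configured inside the firewall with the second external IP.
auto vmbr0
iface vmbr0 inet static
        address 123.123.1.10
        netmask 255.255.255.0
        gateway 123.123.1.1
        bridge_ports enp2s0f0
        bridge_stp off
        bridge_fd 0

# Internal LAN bridge: no physical port and no host address, so nothing on it
# can reach the internet except through the firewall VM's LAN interface (net1).
auto vmbr1
iface vmbr1 inet manual
        bridge_ports none
        bridge_stp off
        bridge_fd 0
```

Two practical caveats follow from this layout. First, the Proxmox host itself is still directly exposed on 123.123.1.10, so its management ports (22 and 8006) need to be restricted with the host firewall or limited to the VPN/IPMI path rather than left open to the world. Second, any VM accidentally attached to vmbr0 instead of vmbr1 bypasses the firewall entirely, so it is worth checking `net0`/`net1` in each VM's config before powering it on.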