Homelab, part 2: security basics
Locking down a single-node Proxmox. Or trying to.
Homelab security can be a bit of a joke, and everyone knows it. You're not protecting a bank. You're protecting your stuff, your experiments, sometimes your family's data. That changes the threat model entirely. And the effort you put in should match that — not become a second job.
My setup: single node on an Odroid H2+. Not a powerhouse — the CPU makes sure you know it. 1TB SSD for the system, two 2TB HDDs at 5400rpm passed through directly to an OpenMediaVault VM. Slow, yes. Fine for backups and streaming music through Funkwhale, which is all I'm asking. Exposed services sit behind HAProxy on a separate network. That already kills a large part of the attack surface before you even think about hardening anything.
So. What's left.
Proxmox itself: root SSH login disabled, key-based auth only. Fail2ban is on the reverse proxy; it should be on the host too, and that's on the list. The built-in firewall is a start (and also, there should be an active firewall on all your guests, my friends), but the host should have its own nftables rules independent of what the UI manages. The UI can be wrong. The UI can be compromised. The UI can also greet you every single login with a subscription nag popup that breaks your focus before you've done anything. That one's on Proxmox, not the threat model.
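What "its own nftables rules independent of the UI" looks like in practice, as an added example rather than anything from the post or from Proxmox itself: a small POSIX shell script that renders a host-only ruleset and checks the two sshd settings the post relies on. The management subnet (192.168.10.0/24), the SSH port (22) and the Proxmox UI port (8006) are assumed values; adjust them to your VLANs. The ruleset lives in its own `inet host` table and is flushed by name rather than with `flush ruleset`, so it does not wipe whatever pve-firewall has loaded; nftables evaluates every base chain on a hook, so a drop in either table is final and an accept in one does not override a drop in the other.

```shell
#!/bin/sh
# Added example, not the post's own config. Renders a host nftables ruleset for a
# single-node Proxmox box and checks sshd_config for the settings the post describes.
# Assumed (hypothetical) values: management VLAN 192.168.10.0/24, SSH on 22, web UI on 8006.

MGMT_NET="${MGMT_NET:-192.168.10.0/24}"

# Print the ruleset to stdout. Typical use:
#   ./host-firewall.sh render > /etc/nftables.conf && nft -c -f /etc/nftables.conf
# then `systemctl enable --now nftables`. The table is created-if-missing and flushed
# by name so that pve-firewall's own tables (loaded via iptables-nft) are left alone.
render_ruleset() {
    cat <<EOF
#!/usr/sbin/nft -f
table inet host
flush table inet host
table inet host {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept
        # SSH and the web UI only from the management VLAN, new connections rate-limited
        ip saddr $MGMT_NET tcp dport { 22, 8006 } ct state new limit rate 10/minute accept
        # everything else (including 8006 from the guest or HAProxy networks) is logged then dropped
        limit rate 5/minute log prefix "host-input-drop: "
    }
    chain forward {
        # guest traffic on vmbr bridges crosses this hook when br_netfilter is loaded;
        # leave it to pve-firewall / the guests' own firewalls rather than dropping here
        type filter hook forward priority 0; policy accept;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Return 0 if the file holds "PermitRootLogin no" and "PasswordAuthentication no",
# 1 otherwise. Case-insensitive so it also works on the output of `sshd -T`, which
# reports the effective config after Include drop-ins and first-match semantics.
check_sshd_config() {
    f="$1"
    grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+no([[:space:]]|$)' "$f" &&
    grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+no([[:space:]]|$)' "$f"
}

# Direct invocation: `render` prints the ruleset, `check [file]` verifies sshd settings.
case "${1:-}" in
    render) render_ruleset ;;
    check)  check_sshd_config "${2:-/etc/ssh/sshd_config}" && echo "sshd: root login off, keys only" ;;
esac
```

Run `./host-firewall.sh check` against `sshd -T` output (`sshd -T > /tmp/effective && ./host-firewall.sh check /tmp/effective`) rather than the raw file if you use `sshd_config.d` drop-ins, since a later `PermitRootLogin yes` in a drop-in is not what wins; the first match does.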
TOTP on the web UI? Sure, if it's exposed. Mine isn't. Not the hill I'm choosing to die on.
VLANs: running on a Ubiquiti Dream Router. Not the most hardcore option — OpenWRT people will let you know. But it's VLAN-aware, has IPS, and doesn't require a weekend to configure. That's the deal I made. The idea is that the OMV VM should not be able to talk directly to anything internet-facing without going through HAProxy first. That's already the case here. Keep it that way.
Backups: weekly job, one retention. Not glamorous. Enough to recover from something stupid. The threat model here isn't ransomware at scale — it's me doing something dumb at 2am.
The part nobody talks about enough: all of this is useless if you're not looking at it. I use Beszel for monitoring — lightweight, self-hosted, does the job without asking much in return. Alerts when something's wrong, quiet when it isn't. The goal is to know before it becomes a problem, without having to actively check. Security that requires constant attention is security that gets ignored. Automate the checks, get the notifications, move on.
Does this make it bulletproof? No. The goal is to make it annoying enough that the path of least resistance goes elsewhere — including for future-me. And to make sure that keeping it running doesn't cost more mental energy than the whole thing is worth.
So be it, then.