I run this entire stack on a k3s cluster at home. syslog-ng, Promtail, Loki, and Grafana are all deployed as Kubernetes workloads in the infra namespace. If you are running this on bare Docker or a single VM, some of the specifics will differ but the problems are the same.

So I set up the whole logging pipeline. OPNsense sending syslog to syslog-ng, syslog-ng writing to a file, Promtail tailing that file and pushing to Loki, Grafana on the other end showing everything. Ticked it off the list. Done.

Except nothing was working. Zero logs. I just never actually checked.

When I finally went to look, I found three separate problems. None of them threw an error. None of them told me anything was wrong. The pipeline just sat there silently doing nothing.

Here is what they are, so you do not have to find them yourself.

The Pipeline

Before we get into what breaks, here is what we are building:

1
2
3
4
5
6
OPNsense
  └─ UDP syslog → syslog-ng (LoadBalancer IP, port 1514)
       └─ writes to file on PVC
            └─ Promtail (tails file, parses filterlog)
                 └─ pushes to Loki
                      └─ Grafana queries Loki

syslog-ng sits in Kubernetes and receives raw syslog from OPNsense. Promtail tails the file syslog-ng writes. Loki stores it. Grafana shows it. Simple enough. Let’s see how it breaks.

Gotcha 1: syslog-ng Needs a LoadBalancer, Not ClusterIP

OPNsense lives on your LAN. It is not inside Kubernetes. When it sends a UDP syslog packet somewhere, that IP needs to be actually reachable from your network.

ClusterIP is only reachable from inside the cluster. So if your syslog-ng Service is ClusterIP, every single packet OPNsense sends just disappears. No error on the OPNsense side. No dropped message anywhere. It looks like everything is configured correctly and nothing arrives.

1
2
3
4
5
6
7
8
9
10
11
12
13
apiVersion: v1
kind: Service
metadata:
  name: syslog-ng
  namespace: infra
spec:
  type: LoadBalancer   # not ClusterIP
  ports:
    - port: 1514
      targetPort: 1514
      protocol: UDP
  selector:
    app: syslog-ng

If you have MetalLB running, changing to LoadBalancer gives you a real IP on your LAN. That is the IP you put into OPNsense.

1
2
kubectl get svc syslog-ng -n infra
# look at the EXTERNAL-IP column

Then in OPNsense go to System, Settings, Logging / Targets. Transport UDP, host set to that external IP, port 1514.

Tip: If EXTERNAL-IP stays as <pending> forever, MetalLB either is not running or has no IP pool configured for that range.

Gotcha 2: Promtail Does Not Listen for Syslog

This one surprised me because it seems like it should work.

I had syslog-ng configured to forward logs to Promtail over UDP. Seemed reasonable. syslog-ng forwards, Promtail receives. Nope.

Promtail does not receive syslog. That is not what it does. Promtail tails files, reads new lines, pushes to Loki. It has no UDP listener, no syslog receiver. So this destination in syslog-ng was sending packets into nothing:

1
2
3
4
5
6
7
8
destination d_promtail {
  syslog(
    "promtail.infra.svc.cluster.local"
    transport("udp")
    port(1514)
    flags(syslog-protocol)
  );
};

How it actually works is simpler. syslog-ng writes to a file on a PVC. Promtail mounts that same PVC and tails the file. That is the whole relationship.

1
2
3
4
log {
  source(s_opnsense);
  destination(d_local);   # writes to /var/log/opnsense/opnsense.log
};

1
2
3
4
5
6
7
scrape_configs:
  - job_name: opnsense
    static_configs:
      - targets: [localhost]
        labels:
          job: opnsense
          __path__: /var/log/opnsense/*.log

syslog-ng writes, Promtail reads. If you also had a Traefik IngressRouteUDP pointing at Promtail port 514, remove that too. Same problem.

Gotcha 3: OPNsense Logs Are CSV and Grafana Cannot Read Them Without Help

After fixing the first two, logs started arriving in Loki. Progress. But when I tried to build a dashboard, I hit a wall.

Every OPNsense firewall log line uses a format called filterlog. Each connection gets logged as a CSV string:

1
5,,,1000000103,em0.10,match,block,in,4,0x0,,64,0,0,none,6,tcp,...

Those fields contain everything you care about: which interface, whether the connection was blocked or passed, direction, protocol. But if you do not tell Promtail to parse them, Loki stores the whole thing as a blob of text. You cannot filter by protocol. You cannot ask for blocked inbound traffic only. You just get walls of unreadable CSV in your log panels.

Field positions (0-indexed): 4 = interface, 6 = action, 7 = direction, 8 = IP version, 16 = protocol.

Add a pipeline_stages block to your Promtail config to pull the useful bits out:

1
2
3
4
5
6
7
8
pipeline_stages:
  - regex:
      expression: 'filterlog\[\d+\]: (?:[^,]*,){4}(?P<iface>[^,]+),(?:[^,]+),(?P<action>block|pass|reject),(?P<dir>in|out),(?P<ipver>4|6)(?:(?:,[^,]*){7},(?P<proto>[^,]+))?'
  - labels:
      action:
      dir:
      iface:
      proto:

You get action, dir, iface, and proto as proper Loki labels. Lines that are not filterlog (system events, DHCP, config changes) just pass through as-is.

Why not pull out source and destination IPs too? Every unique IP creates its own Loki stream. Your firewall sees thousands of unique IPs. Label them and your query performance tanks. Leave IPs in the raw log line and pull them out with LogQL when you actually need them.

Building the Dashboard

Once you have real labels, Grafana queries are straightforward.

Blocked vs passed over time: sum by (action) (count_over_time({job="opnsense"}[$__interval])). Protocol split: sum by (proto) (count_over_time({job="opnsense"}[$__range])). Same pattern with iface if you want to see which VLAN or interface the traffic is coming through.

For a live feed of blocked connections only: {job="opnsense", action="block"} |= "filterlog".

Chuck the dashboard in a ConfigMap and it loads automatically every time Grafana starts. Lives in git with the rest of your infrastructure. No importing JSON through the UI every time you redeploy.

The Short Version

• ClusterIP is not reachable from outside Kubernetes. OPNsense is on your LAN. syslog-ng needs LoadBalancer.
• Promtail tails files. It does not receive syslog over UDP. Do not forward syslog to it from syslog-ng.
• OPNsense filterlog is CSV. Without a Promtail pipeline stage, everything in Loki is unreadable text you cannot filter.
• Label action, direction, interface, protocol. Keep source and destination IPs out of labels or query performance suffers.

I knew running servers 24/7 costs something. What i did not realise was how much of that $500 was pure waste. Not useful waste. Just forgotten stuff sitting there drawing power.

What Changed in Those Three Months

Let’s be honest about what i added.

The biggest thing was the k3s cluster. I already had a GPU passthrough VM called ghostgpu running Ollama on a GTX 1660 Super for local AI. When i built out Kubernetes and started routing workloads through it, ghostgpu’s behaviour changed. Services like Immich ML for photo recognition, Paperless AI for document classification, karakeep’s AI bookmark categorisation, all of them started touching that GPU VM in ways they were not before. The GPU went from occasional inference to consistent workload. A GTX 1660 Super under load is not light on power.

On top of that i added a second 8TB drive to TrueNAS to set up a mirror. Two spinning hard drives 24/7 instead of one. Seagate Exos drives are not heavy power consumers but they are not free either, especially during scrubs.

Then there was everything i deployed on the cluster. I went a bit overboard. Sonarr, Radarr, Prowlarr, Readarr, Audiobookshelf, Kavita, the whole arr media stack. Authentik for SSO. Prometheus and Grafana for monitoring. Paperless for documents. karakeep for bookmarks. Most of it was genuinely useful at the time.

Then life got busy. Got a Netflix subscription. Amazon Prime covers the rest. I stopped using the media stack. But i never stopped running it. All those pods sitting there in memory, nodes drawing power, doing nothing for me.

That is the part that stings.

Finding the Waste: The VMs First

First place i looked was Proxmox. I wanted to see what was actually running.

Two VMs stood out immediately.

security was a VM i provisioned months ago to set up some security tools. Never got around to deploying anything. It was just on. 8 GB of RAM, CPU cores assigned, running nothing.

ghostmedia was my old media server VM from before the Kubernetes migration. I had moved everything to the cluster but never deleted this VM. Still running Docker containers, some of them duplicating what was already on the cluster. Also 8 GB of RAM.

That is 16 GB sitting on two VMs doing nothing.

Here is the thing about Proxmox memory ballooning most people miss. Ballooning lets the hypervisor reclaim RAM from a VM down to a minimum floor you set. If that floor is too high, the balloon cannot deflate. Those VMs had their minimum at 8 GB. The host could not take a single byte back.

And idle VMs are worse than you think for CPU too. A powered-on VM needs housekeeping. The hypervisor schedules it. Those cores cannot reach deep sleep states. C-states are how a Ryzen drops power at idle. The 3600X can drop significantly when cores hit C6. Block that and the CPU sits at higher wattage around the clock, permanently.

I deleted both VMs. Biggest single win.

Finding the Waste: The Kubernetes Cluster

With the VMs sorted i looked at the cluster. Ran kubectl top pods -A --sort-by=memory and sorted by memory usage.

Some numbers i expected. Paperless at 587 MB, karakeep at 328 MB with its AI features, authentik nearly a gigabyte between two pods. Those made sense.

What i did not expect: Grafana at 320 MB and Prometheus at 438 MB scraping ten machines every 15 seconds. Chrome, the headless browser karakeep uses for screenshots, sitting at 188 MB with zero limits set.

And the media stack. 937 MB combined across Sonarr, Radarr, Prowlarr, Readarr, Audiobookshelf, Kavita and the rest. Full replicas. For services i had not meaningfully touched since life got busy.

Warning: RAM allocated in Kubernetes is not free. It keeps the node’s memory bus active and keeps the CPU managing page tables and caches. Not the same as an idle process doing nothing.

Fixing It

Media stack first. Scaled everything i was not using to zero:

1
kubectl scale deployment sonarr radarr prowlarr readarr audiobookshelf kavita lazylibrarian -n media --replicas=0

937 MB gone immediately. Can spin back up when i actually need them.

Prometheus. Scraping ten hosts every 15 seconds is overkill for a homelab. Changed scrape interval to 60 seconds, added a storage retention size cap. Dropped from 438 MB to 242 MB.

Chrome. No limits, no flags, just running wide open. Added flags to cap the V8 JavaScript heap and cut everything unnecessary:

1
2
3
4
5
6
args:
  - --js-flags=--max-old-space-size=128
  - --disable-extensions
  - --disable-background-networking
  - --disable-sync
  - --disable-translate

188 MB down to 66 MB.

Authentik. Default worker and thread counts designed for production. Set AUTHENTIK_WEB__WORKERS=1 and AUTHENTIK_WORKER__THREADS=1 in the Helm values file. Server came down from 515 MB to 377 MB.

Tika. Apache Tika is what Paperless uses to parse PDFs and Office files. Java application. Java will eat all the heap you give it. Added a JVM cap:

1
2
3
env:
  - name: JAVA_TOOL_OPTIONS
    value: "-Xmx128m -Xms64m"

Also found a YAML bug sitting quietly in the Paperless deployment. The replicas, selector, and template fields were under metadata instead of spec. Kubernetes was ignoring all three. Deployment was running on whatever defaults it fell back to. Hard to catch just by reading a long YAML file.

The Results

About 1.7 GB freed on the cluster, plus two Proxmox VMs and 16 GB of allocated RAM gone entirely.

Homeserver CPU temps dropped noticeably too. It was hitting 94 degrees Celsius during what should have been normal operation. Not dangerous for a 3600X but absolutely not idle behaviour. After the cleanup it settled back down.

Grafana made the impact very visible. This is CPU usage across all hosts over the cleanup session.

That cyan line is kubetwo. Started the session at around 35% CPU just from the bloated pods and media stack. Drops sharply after the scale-down and tuning. Spike in the middle is authentik restarting during the Helm upgrade. Then nearly nothing. The other hosts, nextcloud, utility, kubeone, flatlined the whole time. kubetwo was carrying almost all of the unnecessary load.

About the Local AI Services

I want to be honest about the AI stuff because it is a real part of the power draw and it is not going away.

I run Ollama on the GPU VM for local language models. Immich uses ML for photo face recognition and smart search. Paperless AI classifies and tags documents. karakeep uses AI for bookmarks. All on my own hardware, on purpose.

The GTX 1660 Super draws power whether it is inferring or not. When Ollama is running a model it spikes well past 100 watts. That is expected and fine.

What i did not account for was Immich. My wife and i both moved off Apple Photos and Google Photos to self-host our entire library. Combined that is around 30,000 photos going back 15 years or more. When Immich ML runs its initial scan on a library that size, face recognition, object detection, smart search indexing across every single image, it does not finish in an afternoon. It runs for days. On the CPU. Constantly. That absolutely showed up in the power draw and i did not connect it to the bill until later.

It is also not done. The library keeps growing as we migrate more. And Paperless AI has barely been touched yet. I have not even started moving documents from Nextcloud into Paperless properly. When that happens and Paperless starts processing years of old scanned documents, there will be another burst of CPU-heavy work.

So there is a baseline cost and there are spikes. The Immich scan was a spike i did not plan for. More spikes are coming. That is fine, i would rather process everything locally than hand it to Google or Apple. But knowing when those spikes are coming is the difference between a surprise bill and a planned one.

The local AI services are deliberate. The forgotten arr pods were not. That distinction matters.

This Is Not Just a Homelab Problem

This same pattern happens everywhere. VMs get provisioned for a project, nobody deletes them when it ends. Kubernetes clusters run at 15% utilisation because nobody set resource requests properly. Monitoring deployed with configs written for hundreds of machines running on eight.

Looking at actual consumption vs. what is allocated, finding what is running vs. what is actually being used, understanding which config options matter, that is real infrastructure work. The numbers are smaller here. The skill is the same.

Honestly, doing it at home on an electricity bill is better practice than doing it on a cloud bill. Every wrong call shows up in your wallet at the end of the quarter.

Tip: In Proxmox, set the balloon minimum RAM close to what the VM needs at idle, not the max you want under load. A minimum set too high means the hypervisor can never reclaim that memory.

The Short Version

• Bill went from $300 to $800 AUD in one quarter. k3s expansion, new TrueNAS drive, GPU VM workload change, and a media stack i stopped using but never scaled down all contributed.
• Idle VMs in Proxmox keep CPU cores busy enough to block deep sleep states. Higher power floor around the clock.
• kubectl top pods -A --sort-by=memory shows what is actually running. Defaults are almost never right for a homelab.
• Java applications eat heap. Cap them with -Xmx or they sit bloated forever.
• Local AI on a GPU costs real power and that is fine if you are using it. Paying for that and also running forgotten pods on top is the part to fix.

The $500 is not fully reversed overnight. But i know exactly where it was coming from and how to keep it from growing back.

I also applied for Google Ads a few months back and got rejected. Not enough content yet. So I am building up posts and will try again later. But in the meantime I still want to know if people are actually reading, which posts get traffic, where they come from. Without handing that data to Google.

Why Umami

Umami is self-hosted analytics. You run it yourself, data stays with you, no cookies, no GDPR banner needed. Lightweight script that loads fast. Dashboard shows you page views, visitors, referrers, countries, devices. Everything you actually care about.

The alternative I considered was Plausible. Same idea but paid unless you self-host it. Umami is free either way and the self-hosted version is the full thing, not a limited free tier.

Where to Run It

Here is the problem with running analytics on the homelab. The tracking script loads in your visitors’ browsers. When someone in Germany reads a post, their browser calls out to wherever you are hosting Umami to send the page view. If Umami is sitting on a VM under my desk, their browser cannot reach it.

I have a Cloudflare Tunnel running on the homelab which I use to expose n8n publicly for webhook reasons. I could have added Umami to that. But I already have an Oracle Cloud VM running WikiJS and Nginx Proxy Manager. It is already public, already has SSL sorted, already has NPM ready to proxy new services. Deploying Umami there was five minutes of work.

The SSL Problem

I ran into one issue. My DNS records for ashishghimire.com are behind Cloudflare proxy. When NPM tries to get a Let’s Encrypt certificate it does the HTTP challenge. Cloudflare intercepts that and the request never reaches my Oracle VM. Certificate request fails.

The fix is a Cloudflare Origin Certificate. You generate it in the Cloudflare dashboard, it is valid for 15 years, covers all subdomains with a wildcard. Install it in NPM as a custom certificate, set Cloudflare SSL mode to Full (Strict), done. No more renewal headaches either.

Deploying Umami

Separate compose file on the Oracle VM, Umami joins the existing wiki-net Docker network so NPM can reach it, its own Postgres on an internal network. Then add a proxy host in NPM pointing umami.ashishghimire.com to port 3000. Add the DNS record in Cloudflare.

First login is admin / umami. Change that immediately.

Add your site in Settings, copy the tracking script, and drop it into your Jekyll _includes/head.html. One file, one script tag. Chirpy picks it up and injects it into every page.

What I Can See Now

Real visitors, page by page. Which posts get traffic, which get nothing. Where people come from: direct, search, social. What country. Desktop or mobile.

Google Analytics was still running alongside this for a bit. After a week I am turning it off. I do not need two analytics systems and I definitely do not need the one that sends data to Google.

Give it a week and see what the numbers look like. If posts are getting read, great. If not, at least now I know for sure instead of guessing.

The Short Version

• Google Analytics collects your readers’ data and sends it to Google. Umami keeps it with you.
• If you self-host, Umami needs to be publicly reachable — either a cloud VM or a Cloudflare Tunnel.
• Cloudflare-proxied domains break Let’s Encrypt HTTP challenge. Use a Cloudflare Origin Certificate instead.
• Jekyll: one _includes/head.html file with the script tag is all you need.

Then I upgraded my network and introduced VLANs. That broke everything.

Why I Turned Off Global Discovery and Relay

When you first set up Syncthing it uses global discovery and relay by default. Discovery lets devices find each other through Syncthing’s infrastructure. Relay is a fallback when direct connections fail, it routes your traffic through Syncthing’s relay servers.

Now I had two reasons to turn both off.

First, I started monitoring my DNS traffic and noticed how noisy Syncthing was. Constant calls out to discovery servers, relay servers, checking in. Since I host everything locally and I have Twingate installed for remote access, there was no reason for any of that. I want sync traffic to stay on my LAN, not bounce through someone else’s infrastructure.

Second, I had just set up VLANs so I already knew my network was about to get more restrictive. Better to get off the global infrastructure now and do it properly.

So I turned off global discovery and relay. Clean, local, exactly how I wanted it.

That is when things broke.

What VLANs Actually Did

Servers sit on VLAN 10. PC on VLAN 50. Phone on VLAN 20. Three different network segments with firewall rules controlling what can talk to what.

Without global discovery, Syncthing needs to know exactly where to find each device. It used to use UDP multicast on port 21027 for local discovery. Multicast does not cross VLAN boundaries. So with global discovery off and local discovery also useless across VLANs, every device just sat there. Last seen: never.

There is also mDNS involved in local discovery. mDNS is link-local only, it does not cross VLANs on its own. To make it work across segments you need a multicast proxy bridging the VLANs, and I did not want to set that up without fully understanding what it would expose. A proxy like that could let devices on one VLAN discover services on another, which might be more visibility than I want between segments. Pinning addresses manually is simpler and I know exactly what it does.

The already running service that had been working for months was now completely broken.

Fix 1: Pin Addresses Manually

If Syncthing cannot discover devices on its own, you tell it where they are. Simple rule: stationary hosts get a pinned address, mobile devices get dynamic because their IP changes.

The phone’s IP changes across different networks so you cannot pin it. Let the phone always dial out and the other devices will accept the connection.

One thing that tripped me up here. Syncthing has a “device defaults” setting under Actions then Settings. I changed the address there assuming it would update existing devices. It does not. It only applies to new devices added after you change it. Had to go into each existing device individually and update the address.

Fix 2: Firewall Rules in OPNsense

Even after pinning addresses, the phone and PC would not connect directly to each other. VLAN 20 where the phone lives had no rule allowing it to reach VLAN 50 where the PC is. Needed to add one.

Adding the rule was easy. The order was what got me. OPNsense processes rules top to bottom and stops at the first match. I added the Syncthing pass rule but it ended up below an existing block rule for that VLAN pair. The pass rule was never being evaluated.

Correct order on the PERSONAL interface:

1
2
3
4
5
6
Pass   PERSONAL net   SERVERS net     any
Pass   PERSONAL net   TENANTS net     any
Pass   PERSONAL net   IOT net         any
Pass   PERSONAL net   PC net          TCP/UDP  22000   <- Syncthing exception
Block  PERSONAL net   PC net          any              <- everything else blocked
Pass   PERSONAL net   *               any              <- internet

Pass rule for Syncthing port above the catch-all block. Move it up, direct connections started working.

Pairing Devices

Do not type device IDs manually. When an unknown device tries to connect Syncthing shows a banner asking if you want to add it. Click that, approve on both sides and done. Typing those long IDs is slow and error prone.

How It Looks Now

Three-way sync working again. Server and PC, server and phone as the main sync paths. Phone and PC also connect directly when both are on the LAN. All connections show direct LAN IPs, no relay, no DNS noise.

Obsidian vault syncing as it should be, now fully local.

The Short Version

• Turning off global discovery means Syncthing cannot find devices on its own. Pin addresses for stationary hosts, use dynamic for mobile.
• “Device defaults” does not update existing devices. Change each one manually.
• mDNS is link-local only and does not cross VLANs without a multicast proxy. A proxy bridges discovery across segments which may expose more than you want. Pinning addresses manually is simpler and more predictable.
• OPNsense rule order matters. Pass rule must sit above any block rule for the same destination.

Here’s what actually happened.

Symptoms

• New Docker containers can’t resolve DNS
• nslookup google.com inside container returns connection refused or no servers could be reached
• ping 1.1.1.1 from inside the same container works fine
• Existing containers on manually created networks work
• docker run --rm --network host busybox nslookup google.com resolves fine

Everything I Checked That Wasn’t The Problem

• daemon.json — DNS correctly set, config validated with dockerd --validate
• systemd override — bare dockerd was running and reading daemon.json correctly
• iptables FORWARD chain — DOCKER-FORWARD had all the right ACCEPT rules
• MASQUERADE rules — all bridge subnets were covered in POSTROUTING
• Bogon blocking on OPNsense — not enabled
• Removed TCP port 2375 exposure — good cleanup but didn’t fix DNS
• /run/docker.sock was a directory instead of a socket file — fixed it, DNS still broken

The Actual Root Cause

Pi-hole’s nftables rules were redirecting all DNS traffic to port 55, even though Pi-hole hadn’t been running for a while.

When Pi-hole runs as a Docker container it injects rules into the nftables ip nat PREROUTING chain to intercept DNS:

1
2
udp dport 53 redirect to :55
tcp dport 53 redirect to :55

These rules do not get cleaned up when you stop or remove the container. So with nothing listening on port 55 anymore, every DNS query from every container was getting an ICMP port unreachable back — which shows up as “connection refused” in nslookup.

The reason ping worked but DNS didn’t is straightforward: ICMP doesn’t touch port 53, so MASQUERADE and routing worked fine. DNS specifically hits the redirect rule and dies there.

You can spot it instantly:

1
sudo nft list ruleset | grep -E "53|redirect"

Fix

Find the rule handles and delete them:

1
2
3
4
5
# See the handles
sudo nft -a list chain ip nat PREROUTING | grep "redirect to"

# Delete by handle number
sudo nft delete rule ip nat PREROUTING handle <handle_number>

Or do it in one shot:

1
2
sudo nft delete rule ip nat PREROUTING handle $(sudo nft -a list chain ip nat PREROUTING | grep "redirect to :55" | grep udp | awk '{print $NF}')
sudo nft delete rule ip nat PREROUTING handle $(sudo nft -a list chain ip nat PREROUTING | grep "redirect to :55" | grep tcp | awk '{print $NF}')

Verify:

1
docker run --rm busybox nslookup google.com

Bonus: The Docker Socket Was a Directory

While debugging I also found /run/docker.sock was a directory instead of a socket file, which is why docker commands weren’t connecting. Likely caused by a failed Docker startup writing to the path before the socket was created.

1
2
3
4
sudo systemctl stop docker docker.socket
sudo rm -rf /run/docker.sock
sudo systemctl start docker.socket
sudo systemctl start docker

Takeaways

• If Docker DNS fails but ping works, check nftables before anything else
• Pi-hole does not clean up its nftables rules on removal — you have to do it manually
• docker run --rm --network host busybox nslookup google.com is a fast way to confirm whether the issue is bridge networking or something deeper

So with latest windows Updates its so hard to stay now, almost like they want you out. So i decided to use Linux as main gig again. Now i use Linux on my Laptops and Servers, it’s even as secondary boot in my main workstation. But i play invasive games like Valorant, FIFA and GTA Online (Now Borked in Linux) with my friends, i have to run Windows. Now this story will continue somewhere else. So recently i have decided to build a real, usable, stable Linux system for my main workstation.

Configuration

Here is what i have decided to go with, for my system.

Main Rig

Even though i have pretty beefy rig i wanted it to be less bloat, so i chose ghostty from get go and removed konsole. Also set one application per purpose. I mean i even cut down terminal, who could go cheaper than that? I also have a bootstrapped dotfiles, which was repurposed from Workstation to Server dotfiles at https://github.com/ghimireaacs/serverdotfiles. So all my servers are configured using this. Hence all of them have:

Servers

DOTFILES

I also recently updated them so i could have same aliases and system running everywhere so its seamless, however i also wanted my servers and workstation to look and behave slightly different, because each have their own need. So i updated the files again, and bootstrapped with my workstation. Now it does auto finds distro and installs needed packages accordingly, also has multiple identifiers for workstation and server so it behaves a certain way. I thought this will be the problem but they were fine. I installed in my main rig, Voila, worked like a charm. I reconfigured this, adjusted with necessary changes, modified prompts and git push.

Problem

Question: So what broke?

At first i got this multiple prompts which looked weird on its own, which i thought was a minor bug. Then i tried to clear screen with ctrl + l and it failed. Then i started to type something, well i got double of same things, and it was broken.

Troubleshooting

Now after this i tried a bunch of different things i don’t remember in order but most obvious were:

1. Changing shell from zsh to bash So I was already on remote, i switched to bash, it fixed some problem like the prompts weren’t weird anymore, however ctrl + l didn’t behave like it should. It did’t clear console but did got to new line, which turns out to be terminal capability issue. I did find a 🗝️ clue here, but i treated it as another sort of problem. I also tried changing local zsh to bashand then ssh to remote, problem persisted.
2. Changing Terminal from ghostty to kitty Even after switching to a completely different terminal kitty, well you guessed it, same problem.
3. Changing OS Now NO! I did not nuke my system again, i booted back to my Windows, ssh from there, guess what? No error! This made me sure there was something wrong with my ZSH or ghostty config or my Entire dotfiles, well mostly .zshrc.
4. Cleared ZSH CACHE before launching ssh.
5. Tried zsh -f, zsh -T none of them worked.
6. Tried changing SERVER Config So remember when i said i got a clue? I tried nano ~/.zshrc to make changes on server side, there now i had that again. Error opening terminal: xterm-ghostty. There, there’s the solution.

BUG: Error opening terminal: xterm-ghostty.

Root Cause

Turns out when we SSH, the client exports the TERM environment variable to the server. Since we have TERM=xterm-ghostty in our local machine, it sent exactly that. Now my server received this and used this, since the server did not have a matching terminfo entry for xterm-ghostty, this caused terminal capability misinterpretation.

Solution

Now i use config file for my ssh, this helps me simplify my hostnames, have different private keys tied to different machines and its portable, so far. Until i needed to add this one more configuration:

1
2
3
4
Host *
    SetEnv TERM=xterm-256color

This configuration helps me have a consistent TERM across all my hosts.

That’s the solution.

TL;DR

• I wanted a pretty, functional prompt across my workspace and servers.
• I used ZSH, OMZ and ghostty terminal to achieve this.
• This introduced a TERM mismatch across SSH sessions.
• Setting a consistent TERM in config file solved it.

Tip: Set TERM in your SSH config to avoid terminal capability issues.

Logging In

There are two ways we can login to server:

1. Key Pair Method
2. Username/Password

Although SSH is very secure protocol in on itself, it is not totally immune to Bruteforce attack and other Human Errors that could lead to some error. By allowing users to login with Username and Password, we leave the machine vulnerable to such attacks. And that’s here KeyPair Method comes.

KeyPair Method: In this method we will have a Public Key and Private Key. Each of the keys are a long random complex characters As their name suggest one can be Public and another should be kept very securely.

For our intense and purpose, Public Keys are stored in Remote Server and Private Keys are stored in Our Private Machine.

Generating Key Pair

Now before we move on to server setup, let’s create a key pair.

1. Open your CLI
2. ssh-keygen -t ed25519 -C "username@email.com"
3. Set a Passphrase. (This is not SSH password it’s extra layer of security to use you private key.)

   💡 I choose default name so i do not have to provide ‘-i keyfile’ during login. But if you have multiple private key for different purpose you can name them accordingly.

Now you will have 2 files. Private key: id_ed25519 and Public key with .pub extension: id_ed25519.pub, in your ~/.ssh directory.

Permissions

Make sure you have correct permission set for your keys when you download or paste it in a file. You do not need to worry about permission on the files created by the command however if you choose to backup or copy it in another file you should set the following permission.

1
2
3
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_25519
chmod 644 ~/.ssh/id_25519.pub

Storing The Keys

Private Keys

This should always be on your local machine and nowhere else but you can use a password manager like Bitwarden for backup.

Public Keys

Now this is the best part, you can store this anywhere but i would recommend it to store in Github or Launchpad. For me, I use Github a lot so i choose Github.

1. Go to Github Settings

   

2. On Access Tab choose SSH and GPG Keys

   

3. Click on New SSH Key

   

4. Set a Title, Key Type: Authentication Key

5. Key: Now paste contents of id_25519.pub ‼️ Check its .pub.

6. Add SSH Key

   

7. Fill up your 2FA and Submit.

Now you will see List of public Keys in your account. We will leave this for now and retrieve them from our CLI/shell.

Accessing The Public Key

Now just like almost everything in life there are multiple ways we can do this.

1. Manual Method
2. Automatic Method

Manual Method

This is the method where we simply copy and paste our public key into a file.

1. Copy the content of id_25519.pub
2. Paste it in ~/.ssh/authorized_keys and save it.
3. Check Permission of the authorized_keys or just change it from command chmod 644 ~/.ssh/id_25519.pub.
4. Done.

Now this method is not much of a task on itself if you want to do once or not store public key in some Publicly accessible repo itself. But there is better way we can do it and integrates perfectly and seamlessly with any workflow.

Automatic Method

Given you have to go through setup process but just like any automation once you set it. All you need is One command line. And it will retrieve your Public SSH key and make your machine accessible by you.

ssh-import-id-gh github-username

That’s it that’s all you need. Copy this command, change it to the github-username you saved your public key to and done.

Now you can access your Machine.

If your private key is compromised in anyway remove this newly added line from authorized_keys.

We will be Making a Bootable USB, Installing Proxmox and Setting up Post Installation process.

Prerequisite

Hardware

• USB Stick
• A Computer / Laptop to make USB Bootable
• Another Computer as Server
• WI-FI or A Lan Cable to connect Server to Router

  Software

• Balena Etcher

  Network

• IP Gateway (Router IP) Address and Subnet, Usually 192.168.x.x/24

  Pre-Installation

Before Installing Proxmox we have to make a bootable USB drive. And our system ready to boot from USB.

Prepare USB

1. Download Proxmox VE from Official Proxmox Site
2. Download Balena Etcher from Balena Etcher Official Site

3. Flash Downloaded ISO file to USB

   1
   ⚠️ Make sure you select right device
   

4. Select Yes on Windows Prompt.
5. Let it Flash.
6. Done

BIOS Settings

1. Connect your USB
2. Start/Restart this machine.
3. During Boot, open BIOS/UEFI settings using F8 or DEL key.
4. Now look for Boot Order. Look for Boot option on top.
5. Select your USB as boot device.
6. Now this will boot to Proxmox Installation.

Boot Configuration GUI varies with motherboard manufacturer. Please look for your specific Motherboard Bios settings in the internet.

Installation

During installation you will be prompted with the steps below. Here I have highlighted the selection with Green and things to consider on Purple

1. Select Install Proxmox VE (Graphical)
2. Read The EULA and Agree (Mandatory for Installation)
3. Make sure you select the correct Disk here, one way to see correct disk is Size of the disk. But if you have only one disk you can go next as it will be default.
4. Make sure you select your correct Location and Time Zone here.
5. Write your desired password, Make sure you remember it and it complies with the policy highlighted in purple.
6. ⚠️ Network is arguably most important section here because once its set up, we will be accessing Proxmox only through web.
   1. IP Address (CIDR): This is where you allocate your static IP so it does not change in future and mess up with settings. Its borderline mandatory to have static IP. If you have Ethernet connected your Router will allocate an IP , change it. Personally i recommend changing last bits over 100 and leave subnet to 24.
   2. Gateway : Router IP (Usually prefilled)
   3. DNS Server: Router IP. I recommend router IP so if i change my DNS in my router its global for all devices in LAN. You can also opt to 1.1.1.1 for Cloudflare or 8.8.8.8 for Google’s DNS server.

      💡 All of the Network settings can be changed later too. These settings make sure we have Initial Network Access.

7. Summary: Final summary of all our configuration before we proceed with Installation.
8. After clicking Install it will take a couple of minutes to finish Installation and reboot Automatically.
9. After Reboot Select First option i.e. “Proxmox VE GNU/Linux” and Enter.
10. You will see Your IP and Port 8006 on the top. Yours will be different from mine. This is how we will access the web app and carry on from. Now you can remove monitor from proxmox server and move it to its designated area and will barely need to touch the hardware. Power and LAN is important and that’s all we need.

First Access and Post Installation

1. Go to the given URL on your browser.
2. Since its self signed Certificate it will warn you. Accept the risk and continue.
3. Now for username root and password is what we set during installation.
4. Once we login we will be prompted A subscription message. Click OK.

Post Installation and Scripts

Here comes the magic of Proxmox Community. Proxmox is an open source software with a huge community behind it. The project “Proxmox VE Helper-Scripts” was started by a user who went by name “Tteck” . He sadly passed away and the scripts are maintained by community in a community github repo and can be accessed at https://community-scripts.github.io/ProxmoxVE/ .

We will be using “Proxmox VE Post Install” Script. This script will updates our proxmox, disables bunch of features which are redundant in our use case and also modifies repos. Apart from that it also disables “Subscription Nag” , that ok option every time you have to hit when you open it up.

This is strongly recommended to run Immediately after Installation.

1. Below Datacenter Click on pve.
2. On top right you will see shell.
3. Clicking shell will open a web shell where you can run the script.
4. Now either paste the script below or get it directly from “Helper Script Website”
5. Now it is recommended to select Yes on all prompts.
6. It will reboot and your system is ready for VM.

Now for further we will be installing VMs. Once Proxmox is up, a common next step is getting Docker running — see Installing Docker and Setting Permission.

Welcome to HomeLab.

The right way is the official apt repository method from Docker’s own documentation. It takes a couple of extra steps but you get the latest stable version from a verified source and full control over updates.

The permissions step at the end is important and most guides skip explaining why. By default Docker runs as root. Every docker command requires sudo. That gets tedious and causes permission errors when containers try to write files to bind mounts. Adding your user to the docker group means you run everything without sudo. Just make sure you trust who else is in that group since docker group access is effectively root access on the host.

Installing Docker

1. Setup docker’s apt repo

   1
   2
   3
   4
   5
   6
   7
   8
   9
   10
    sudo apt-get update
    sudo apt-get install ca-certificates curl
    sudo install -m 0755 -d /etc/apt/keyrings
    sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
    sudo chmod a+r /etc/apt/keyrings/docker.asc
    echo \
    "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
    $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
    sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
    sudo apt-get update
   

2. Install Latest Docker and its dependencies

   sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

3. Create Docker group (Most likely already created)

   sudo groupadd docker

4. Add user to the group

   sudo usermod -aG docker $USER

5. Logout and Log Back in or restart or ..

   newgrp docker

This will ensure you will not need to run “sudo” everytime you run docker and also fixes most Permission error.

If you run into DNS issues inside containers after this setup, see Broken Docker DNS Due to Pi-hole — a common gotcha on systems that have previously run Pi-hole.

• Backup your data
• Download Balena Etcher & ISO of ARCH Linux
• Burn ISO to a USB
• Restart

Boot

• Press DEL and load to BIOS mode
• Change Boot Priorities to USB
• Reboot

ARCH

• Load ‘Arch Linux Install Medium’

• Connect Your Arch to internet

  iwctl --passphrase "$WIFIPASSWORD" station wlan0 connect $WIFINAME

• ping 8.8.8.8

  • If you get bytes back you are connected

• Check if you are on UEFI mode

  efivar -l

• List your disks (Remember your diskname you want to install Arch to)

  lsblk

for me its sdc

• Split up Partition and Prepare your Drive

  gdisk /dev/sdc

CHOOSE YOUR DRIVE CAREFULLY

1
2
3
4
`x` for 'expert'
`z` for 'Zap'
"Y" to WIPE DISK
"Y" again to Confirm

Verify partitions

lsblk

• notice there is no partition on your disk

Partitioning

1
cgdisk /dev/sdc

• Press any key to continue

We are using cgdisk because its easier, relatively.

• Separate ROOT and HOME Partition

  • Root Partition: Where all OS Files will be stored

  • Home Partition: Where all General Files will be Stored

BOOT Partition

• Use your keyboard and highlight “NEW” press “ENTER”
• First Sector: (Default): (leave Blank and press “ENTER”)
• Size in Sectors: 1024MiB
  • 1 GB for Boot Drive
• Hex Code for GUID: ‘EF00’
• Name your Drive: ‘boot’

SWAP MEMORY

When you run out of RAM this memory is used. Make this regardless of your RAM Size

• Highlight and go to BIG size ‘free space’ (probably 3rd option)
• “NEW” again
• First Sector: (Default): (leave Blank and press “ENTER”)
• Size in Sectors: 16GiB
  • 16 GB for SWAP Drive
• Hex Code for GUID: ‘8200’
• Name your Drive: ‘swap’

ROOT Partition

• Highlight and go to BIG size ‘free space’ (probably last option)
• “NEW” again
• First Sector: (Default): (leave Blank and press “ENTER”)
• Size in Sectors: 40GiB
  • 40 GB for Root Drive
• Hex Code for GUID: ‘8300’
• Name your Drive: ‘root’

Home Partition

• Highlight and go to BIG size ‘free space’ (probably last option)
• “NEW” again
• First Sector: (Default): (leave Blank and press “ENTER”)
• Size in Sectors: (Default): (leave Blank and press “ENTER”)
• Hex Code for GUID: ‘8300’
• Name your Drive: ‘home’

FInishing Partitioning

• Use your arrows key to select “Write”
• Confirm with “yes”
• And arrows key to “Quit”
• clear

Formatting Drives

• lsblk to confirm drives again
• mkfs.fat -F32 /dev/sdc1

  File Allocation Table

• mkswap /dev/sdc2

  To make swap format

• swapon /dev/sdc2

  Enable Swap

• mkfs.ext4 /dev/sdc3

  ‘y’ to confirm if it asks

• mkfs.ext4 /dev/sdc4

  Hint: press up arrow and change sdc3 to sdc4

Mounting the drives

mount /dev/sdc3 /mnt

mkdir /mnt/boot

mkdir /mnt/home

mount /dev/sdc1 /mnt/boot

mount /dev/sdc4 /mnt/home

Basically we are making folder and structuring it with proper drives and partitions we made earlier.

Update Mirrorlist

cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.backup

We are just Backing up incase we mess something up.

Rank Mirrors

This is to find Fastest mirror suitable to YOU.

If you find error install rankmirrors

sudo pacman -Sy pacman-contrib

Press Enter to confirm

rankmirrors -n 6 /etc/pacman.d/mirrorlist.backup > /etc/pacman.d/mirrorlist

This will be working so system isn’t hang, Wait till it shows root@Archiso.

What it did was found best mirrors and copied it to your mirrorlist

cat /etc/pacman.d/mirrorlist

shows what we did earlier, so yeah ranked mirrorlist

INSTALLING NOW

pacstrap -K /mnt base linux linux-firmware base-devel

We are installing Base Linux.

genfstab -U -p /mnt >> /mnt/etc/fstab

setup all the drives and structure so hard drive is recognized while booting

Booting into Installation

arch-chroot /mnt

Install ‘nano’ and ‘bash-completion’

sudo pacman -S nano bash-completion

Enter to confirm

Enable Locales

nano /etc/locale.gen

• Find your locale (for me its en_AU.UTF-8 UTF-8)
• remove # from its front
• hit ‘ctrl o’ and press enter to save
• hit ‘ctrl x’ to close

locale-gen

echo LANG=en_AU.UTF-8 > /etc/locale.conf

export LANG=en_AU.UTF-8

TimeZone

ls /usr/share/zoneinfo/

From here select your country and press tab

It will list your Timezone

write few characters of your TZ and press Tab

Move to first part of your script and change, mine is Australia Sydney so i will be doing this:

ln -s /usr/share/zoneinfo/Australia/Sydney > /etc/localtime

hwclock --systohc --utc

We are syncing time with BIOS time so Your PC has right time every time you open it.

Hostname

echo archish > /etc/hostname

instead of ‘archish’ use whatever name you want

IF YOU HAVE SSD

systemctl enable fstrim.timer

• Enable 32 bits packages

nano /etc/pacman.conf

Go all the way down to [multilib] and remove # from both line

sudo pacman -Sy

SET USER AND PASSWORDS

• set root password

  passwd

Type password enter, it wont show it but its writing

Add User

useradd -m -g users -G wheel,storage,power -s /bin/bash ghost

instead of ghost write your own username

• give that user password

passwd ghost

Type password and enter.

Modify sudo file

EDITOR=nano visudo

Opens sudo file

Search for %wheel

use ‘ctrl w’

find ‘%wheel ALL=(ALL:ALL)ALL’

Uncomment it (remove # from front)

BootLoader

mount -t efivarfs efivarfs /sys/firmware/efi/efivars/

• Install bootloader

  bootctl install

• Write entries for boot loader

  nano /boot/loader/entries/arch.conf

Write the 3 lines

1
2
3
title ARCH
linux /vmlinuz-linux
initrd /initramfs-linux.img

save and exit (ctrl o and ctrl x)

Point to your harddrive

echo "options root=PARTUUID=$(blkid -s PARTUUID -o value /dev/sdc3) rw" >> /boot/loader/entries/arch.conf

This hardcode your UID of partition to your bootloader

ip link

Know your network

enable ‘dhcpcd’

sudo pacman -S dhcpcd

sudo sydtemctl enable dhcpcd@wlan0.service

install NetworkManager

sudo pacman -S networkmanager

sudo systemctl enable NetworkManager.service

install linux headers

sudo pacman -S linux-headers

Follow ONLY IF YOU HAVE GPU

NVIDIA

sudo pacman -S nvidia-dkms libglvnd nvidia-utils opencl-nvidia lib32-libglvnd lib32-nvidia-utils lib32-opencl-nvidia nvidia-settings

sudo nano /etc/mkinitcpio.conf

• Inside MODULE=() add these in exact order, it should look like this

  MODULES=(nvidia nvidia_modeset nvidia_uvm nvidia_drm)

• make sure they are loaded during boot time

  sudo nano /boot/loader/entries/arch.conf

• right after options line, after rw, in same line

  nvidia-drm.modeset=1

• Hook for pacman to update nvidia driver

  sudo mkdir /etc/pacman.d/hooks

  sudo nano /etc/pacman.d/hooks/nvidia.hook

  Add

  1
  2
  3
  4
  5
  6
  7
  8
  9
  10
  11
    [Trigger]
    Operation=Install
    Operation=Upgrade
    Operation=Remove
    Type=Package
    Target=nvidia
  
    [Action]
    Depends=mkinitcpio
    When=PostTransaction
    Exec=/usr/bin/mkinitcpio -P
  

Else, Continue…

exit

umount -R /mnt

reboot

You can plug out the USB

When the system boots up, use your credentials to login.

Internet

If you cannot connect to internet

nmtui

Activate a Connection and Connect

Install x11 for KDE

sudo pacman -S xorg-server xorg-apps xorg-xinit xorg-tvm xorg-xclock xterm

• to test

startx

if clocks shows up its installed, click any terminal u see and

exit

Install Plasma or Any Desktop Environment you want

sudo pacman -S plasma sddm

• enter password
• just keep entering Enter

• Enable SDDM

  sudo systemctl sddm.service

REBOOT

This is straight method to install arch linux “hard way”. If you get any error or prefer different way, consult Arch Wiki Installation Guide.