Mac Mini Homelab Addition

The new addition of an old Mac Mini to my homelab setup has introduced enough computing power to enable a staple in my IT career thus far: virtualization! The immediate choice was the most recent virtualization service I had used at the SEMO Cyber Range, Proxmox. I knew this was free and highly configurable, a benefit that I saw useful considering the abnormal equipment for my hardware. This is a write-up on how I added virtualization to my homelab.

Installation

The Proxmox ISO was the first choice for installation. During my time as a sysadmin at SEMO I utilized this installation media every time we added new hardware to the Proxmox cluster. This time, though, the media gave me a hard time, hanging on boot when Initializing ramdisk.... I suspect this was due to problems installing on a legacy BIOS machine, drivers, or some strange kernel incompatibility. After a couple more attempts, a live boot and recovery kernel later, I switched to using Debian as a base and installing Proxmox on top.

Using Debian 12, I followed the official documentation, completing the following steps:

  • Adding the Proxmox VE Repo
  • Installing the Proxmox VE Kernel
  • Installing Proxmox VE packages
  • Removing the Debian Kernel and using the Proxmox VE Kernel

After a reboot, Proxmox loaded up with instructions to head to its web app.

WiFi

My current situation doesn’t quite allow drilling a hole in the floorboards for an Ethernet connection, so instead the WiFi card became the new focus. Running lspci showed that I had a Broadcom BCM 4331:

03:00.0 Network controller: Broadcom Inc. and subsidiaries BCM4331 802.11a/b/g/n (rev 02)

With the knowledge of the WiFi card in the machine the driver can be narrowed down and located. Debian has an entire page for exactly that. In a pinch I tethered the Mac Mini to my laptop for network connection. This enabled me to install a package with the correct driver to use my WiFi.

At this point I had access to my web app for Proxmox!

Networking

Because of the use of WiFi on the Mac Mini, the default vmbr0 network adapter would not work for my use. I concluded that the next best option was a Linux bridge interface. So with the following config:

auto lxcbr0
iface lxcbr0 inet static
    address 10.10.10.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    post-up iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o wlp3s0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s 10.10.10.0/24 -o wlp3s0 -j MASQUERADE

I now had a network for machines to exist on that can now reach my home network contingent on the use of a static route.

Certificates

The final cherry on top of this project is installing certificates to encrypt my traffic on my network (and get rid of the warning on a web browser). To achieve this, I decided to host an NGINX container for a reverse proxy that utilized certificates made with mkcert, a tool used to create locally trusted certificates.

mkcert -install creates a new local CA. To create the certificates themselves:

mkcert "*.home.red"

The certificates created are then transferred to the Nginx machine (created in the next step) at the /etc/ssl/ directory. To secure connections using TLS, Nginx will be configured as a reverse proxy. This server will handle the encryption and decryption while forwarding requests to Proxmox.

I created a new LXC container using an Alpine Template, and installed Nginx:

apk add nginx
service nginx start

Finally, the configuration can be set at /etc/nginx/conf.d/reserve-proxy.conf:

server {
    listen 80;
    server_name proxmox.home.red;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name proxmox.home.red;

    ssl_certificate /etc/ssl/_wildcard.home.red.pem;
    ssl_certificate_key /etc/ssl/_wildcard.home.red-key.pem;

    location / {
        proxy_pass https://10.0.0.27:8006;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_cache_bypass $http_upgrade;
    }
}

With this completed, I then added the address of the Nginx server, 10.10.10.101, under the name proxmox.home.red in the DNS records on my Pi-hole. I now have a secure and trusted connection to my Proxmox server. Super excited to have this hardware addition for any sort of project or service that requires hosting!
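
A check for the mkcert files copied into /etc/ssl/ on the Nginx container, added here as an example and not part of the original post: it flags mkcert's CA private key (rootCA-key.pem, which mkcert keeps in its CAROOT directory) if it was copied along, any *-key.pem that group or others can access, and a key whose certificate is missing. The function name audit_tls_dir and the finding labels are made up for this example.

```shell
#!/bin/sh
# Added example: audit a directory of mkcert output (such as /etc/ssl on the
# Nginx container) for private-key handling problems.
# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
audit_tls_dir() {
    dir=$1

    # mkcert's CA private key (rootCA-key.pem) can sign a trusted certificate
    # for any name, so it should stay on the machine that ran `mkcert -install`.
    ca=$(find "$dir" -type f -name 'rootCA-key.pem' | sed 's/^/CA-KEY-PRESENT /')

    # Private keys with any group/other permission bit set. Each test uses
    # the POSIX `-perm -MODE` form, so it does not depend on GNU find.
    loose=$(find "$dir" -type f -name '*-key.pem' \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) |
        sed 's/^/KEY-PERMS /')

    # mkcert writes NAME.pem next to NAME-key.pem; a key without its
    # certificate usually means an incomplete copy.
    orphan=$(find "$dir" -type f -name '*-key.pem' ! -name 'rootCA-key.pem' |
        while IFS= read -r key; do
            [ -f "${key%-key.pem}.pem" ] || printf 'KEY-WITHOUT-CERT %s\n' "$key"
        done)

    out=$(printf '%s\n%s\n%s\n' "$ca" "$loose" "$orphan" | sed '/^$/d')
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Run against a directory when one is given, e.g. ./audit.sh /etc/ssl
if [ $# -gt 0 ]; then
    audit_tls_dir "$1"
fi
```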