Announcing The Homelab Almanac: Version 3.0

5 minute read Published: 2025-06-06

I had no idea what I was getting myself into when I wrote the first version of The Homelab Almanac. I thought I was writing a little volume of tips and tricks I'd discovered in my own homelab journey. The book grew in the writing, and the result was more than I could have possibly imagined—as was its reception.

Folks routinely tell me they recommend the Almanac as the book to get started homelabbing. That's incredibly humbling, but it also fills me with a sense of obligation. I want this resource to be the best guide to this world possible. And in almost two years' time, I grew dissatisfied with the gaps I saw in the book.

Version 3.0 addresses those gaps. Let's go through it all.

Just want the link? Okay: https://taggartinstitute.org/p/the-homelab-almanac

Price Change

Let's get the bad news out of the way first: the price of The Homelab Almanac is going up from $19.99 to $29.99. That's a big increase, percentage-wise. But let's remember we're talking about a 230-page guided manual for extremely technical skills. Combine that with the work I've put into it, and I feel that it's a fair price.

And don't despair: there will be sales. If you're reading this at the launch of v3, there's one going on right now. Use code OMGVERSIONTHREE to get 50% off until the end of the month!

Did you already buy a previous version of the book through TTI? As always, you just got access to the new version for free.

DNS

There are so many huge changes in this version, it's hard to call any one the "biggest," but this is a whopper. The book now guides you through the setup of proper DNS name resolution in the environment, with separate domains for the Infrastructure and Isolation Lab networks. This makes inventory management much easier, since you can use host domain names directly without needing to modify a hosts file or reference hard-to-remember IP addresses.

Since we have working DNS, it only made sense to introduce the next huge change.

PKI

The Public Key Infrastructure addition to the lab took a lot of time and care, but I'm so pleased with the results. By combining Caddy and Easy-RSA, homelabbers create a lightweight but effective Root Certificate Authority. We can create, request, and sign X.509 certificates. But that's not all: by configuring Caddy as an internal ACME server, we enable web servers in the environment to request (and renew) their own signed certificates based on the DNS hostname assigned to them. It's like having automatic Let's Encrypt in the lab, without requiring a public internet connection.

And while we're improving security baselines, let's address one of the pain points of the lab: secrets management.

Vault is Dead. Long Live KeePassXC

HashiCorp's Vault initially made sense as the secrets manager for the lab, given our use of the other HashiCorp tools in the lab. In practice, however, it was a bit of a stumbling block. It was almost too much tool for the lab. Meanwhile, as I got more comfortable using KeePassXC as a personal secrets manager, I realized that its CLI meant it could perhaps serve as a lightweight replacement for the lab.

And so it has! A little connective tissue was necessary to get Ansible and Packer to play with KeePassXC, but with that written and available in the repo, everything integrates seamlessly. Now the lab secrets are encrypted, but lightweight and portable. In fact, since there are no access tokens stored as environment variables as with Vault, I actually think KeePassXC is more secure than Vault for our purposes.

Windows Servers

The Windows deployments have been completely overhauled. Deployments are smoother, and now that Packer supports Proxmox TPM configuration, we can create proper Windows 11/Server 2022-25 templates automatically. The Domain Controller creation process has also been streamlined.

There's more Windows stuff later. Stay tuned.

New Deployment: CryptPad

All the guided Deployments have been updated, and there's a brand new one: CryptPad. Enjoy setting up your own end-to-end encrypted productivity suite!

AD Lab

Okay, by amount of work, this is the biggest addition. The Active Directory lab is a whole new beast. It includes a BloodHound server, and for good reason: I've included an entire set of Ansible roles for creating common AD vulnerabilities. The users are randomized, as are the locations of the vulns. Enable as many or as few as you like, then use BloodHound and your Kali VM to attack the domain. Vulnerabilities include:

Chapter 4: Beyond the Server

That's right, a whole new chapter and I'm only now mentioning it! This new chapter discusses going beyond a single homelab server. Topics covered include:

I'm really happy with the last one. It's the culmination of pretty much the entire book, and sets you up for doing serious work with a homelab and a safe DMZ for hosting internet-facing assets. If you're interested in (mostly) ditching the cloud and bringing services under your roof, you won't want to miss this.

Go Get It

I'm so excited to share this version of THA with you. I finally feel like it's telling the complete story I wanted to when I got started. I hope you find it valuable, helpful and inspiring.

Happy homelabbing!

https://taggartinstitute.org/p/the-homelab-almanac

Hey, you read to the end of the thing! Thanks! Here's a 65% discount for you: use code READINGPAYSOFF at checkout.