the homelab.express domain is reserved for your private use, intended to aid in the setup of TLS in your personal home lab.
we provide you with our wildcard certificate, renewed every month through Let's Encrypt and shared here. for free, forever.
note: because the private key is available publicly, the certificates we provide are in a revoked state. this shouldn't affect their usefulness in most cases*, but you should be aware of this fact before starting to work with the certificates we provide. in every case, it's better to use your own domain if you have one. hopefully, eventually, there will be a better-supported way to provide TLS in local environments, and our service will no longer be needed.
* iOS devices use OCSP, so the revoked certificate will not work if you are targeting iOS devices.
since many apps need subdomains, our wildcard certificate provides you with a long list of wildcard SANs.
pick whichever set you like and start coding.
*.blackberry.homelab.express,
*.blueberry.homelab.express,
*.raspberry.homelab.express,
*.strawberry.homelab.express
*.red.homelab.express,
*.orange.homelab.express,
*.yellow.homelab.express,
*.green.homelab.express,
*.blue.homelab.express,
*.purple.homelab.express,
*.pink.homelab.express,
*.brown.homelab.express,
*.black.homelab.express,
*.white.homelab.express,
*.rainbow.homelab.express
*.apple.homelab.express,
*.banana.homelab.express,
*.coconut.homelab.express,
*.lemon.homelab.express,
*.lime.homelab.express,
*.mango.homelab.express,
*.orange.homelab.express,
*.pear.homelab.express,
*.pineapple.homelab.express,
*.plum.homelab.express,
*.pomegranate.homelab.express
*.amethyst.homelab.express,
*.beryl.homelab.express,
*.diamond.homelab.express,
*.emerald.homelab.express,
*.garnet.homelab.express,
*.onyx.homelab.express,
*.opal.homelab.express,
*.pearl.homelab.express
*.ruby.homelab.express,
*.sapphire.homelab.express,
*.topaz.homelab.express
*.alpha.homelab.express,
*.beta.homelab.express,
*.gamma.homelab.express,
*.delta.homelab.express,
*.epsilon.homelab.express
*.heart.homelab.express,
*.star.homelab.express,
*.horseshoe.homelab.express,
*.clover.homelab.express,
*.moon.homelab.express,
*.gold.homelab.express,
*.rainbow.homelab.express,
*.balloon.homelab.express,
*.hat.homelab.express
*.gomez.homelab.express,
*.morticia.homelab.express,
*.wednesday.homelab.express,
*.pugsley.homelab.express,
*.fester.homelab.express,
*.lurch.homelab.express,
*.thing.homelab.express,
*.itt.homelab.express
*.zero.homelab.express,
*.one.homelab.express,
*.two.homelab.express,
*.three.homelab.express,
*.four.homelab.express,
*.five.homelab.express,
*.six.homelab.express,
*.seven.homelab.express,
*.eight.homelab.express,
*.nine.homelab.express
*.almond.homelab.express,
*.cashew.homelab.express,
*.chestnut.homelab.express,
*.hazelnut.homelab.express,
*.macademia.homelab.express,
*.peanut.homelab.express,
*.pecan.homelab.express,
*.pistachio.homelab.express,
*.walnut.homelab.express
*.mercury.homelab.express,
*.venus.homelab.express,
*.earth.homelab.express,
*.mars.homelab.express,
*.jupiter.homelab.express,
*.saturn.homelab.express,
*.uranus.homelab.express,
*.neptune.homelab.express
*.pluto.homelab.express,
*.ceres.homelab.express
*.bass.homelab.express,
*.escolar.homelab.express,
*.salmon.homelab.express,
*.tuna.homelab.express,
*.unagi.homelab.express
*.tempeh.homelab.express,
*.tofu.homelab.express,
*.seitan.homelab.express
*.axe.homelab.express,
*.bow.homelab.express,
*.fist.homelab.express,
*.spear.homelab.express,
*.sword.homelab.express
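the wildcard in each SAN stands for exactly one left-most label, so app.red.homelab.express is covered while red.homelab.express and api.v2.red.homelab.express are not. the python check below is an added example, not code from homelab.express; its SAN list is a subset of the one above and the hostnames are constructed.

```python
# added example, not homelab.express code: check planned hostnames against wildcard SANs
SANS = [  # subset of the SAN list on this page
    "*.red.homelab.express",
    "*.blueberry.homelab.express",
    "*.walnut.homelab.express",
]


def labels(name):
    """Lower-case, drop a trailing dot, split into DNS labels."""
    return name.strip().lower().rstrip(".").split(".")


def san_matches(san, host):
    """Wildcard rule: '*' stands for exactly one left-most label."""
    s, h = labels(san), labels(host)
    if len(s) != len(h) or "" in h or "*" in h[0]:
        return False
    return s[1:] == h[1:] and s[0] in ("*", h[0])


def covering_san(host, sans=SANS):
    """Return the first SAN that covers host, or None."""
    return next((san for san in sans if san_matches(san, host)), None)


def why_uncovered(host, sans=SANS):
    """Explain the usual reasons a name falls outside every wildcard SAN."""
    h = labels(host)
    for san in sans:
        s = labels(san)
        if s[0] != "*":
            continue  # exact-name SANs have no wildcard pitfalls
        base = s[1:]
        if h == base:
            return f"bare name: {san} needs one label in front"
        if len(h) > len(s) and h[-len(base):] == base:
            return f"too deep: {san} covers a single label only"
    return "no listed SAN for this name"


if __name__ == "__main__":
    # constructed hostnames for illustration
    for host in ("app.red.homelab.express", "red.homelab.express",
                 "api.v2.red.homelab.express", "app.teal.homelab.express"):
        print(host, "->", covering_san(host) or why_uncovered(host))
```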
homelab.express provides a certificate updater to simplify the process of regularly pulling down our updated certificates for your docker environment.
this container was created to work with the traefik reverse proxy, but it should work for any TLS provider that supports a certificate with a separate plaintext private key.
if you just acquired a new raspberry pi or similar device and are looking to get it stood up as a personal deployment environment, consider using the setup outlined here to get it up and running in no time.
follow these steps to prepare your device:
once your device is prepped, you can use our script to set up the environment:
then head to /run/homelab/compose/infrastructure/ and start your infrastructure containers:
as long as you have your new lab's IP set in your hosts file, you can head to https://manage.homelab.express, set up a password, and explore portainer.
you can also head to https://{hostname}.homelab.express (replacing {hostname} with the hostname of your device) to view the traefik dashboard.
if you prefer not to use the script, you can replicate its functionality by running the following commands:
once you've copied the files over, make sure to update /run/homelab/compose/infrastructure/docker-compose.yaml to replace ${hostname} with your machine's hostname.
when standing up additional containers, all you need to do to have them served correctly by traefik behind our certificate is to ensure the container is on the same network as traefik and add the traefik labels:
here is an example with the whoami container, which stands up a lightweight demo server:
adding additional devices is the same as setting up the first one, except the script to set up the environment is slightly different:
if you prefer not to use the script, the only difference between the first script and the add-on script is that we use portainer agent instead of portainer in /run/homelab/compose/infrastructure/docker-compose.yaml:
follow these steps to prepare your device:
if your device has multiple IP addresses assigned to it, you will need to specify the static IP address you set in the first step by including the --advertise-addr option in the docker swarm init command.
once your device is prepped, you can use our script to set up the environment:
then head to /run/homelab/compose/infrastructure/ and start your infrastructure services:
as long as you have your new lab's IP set in your hosts file, you can head to https://manage.homelab.express, set up a password, and explore portainer.
you can also head to https://monitor.homelab.express to view the traefik dashboard.
if you prefer not to use the script, you can replicate its functionality by running the following commands:
when standing up additional services, all you need to do to have them served correctly by traefik behind our certificate is to ensure the service is on the same network as traefik and add the traefik labels:
here is an example with the whoami container, which stands up a lightweight demo server:
adding additional nodes to the swarm comes with a challenge: namely, how to manage shared data. you have a few options for how to go about this: you can create global volumes, have copies of the relevant data on every node, or use placement constraints to keep services that rely on certain data deployed only to the nodes that contain that data.
once you've solved the data problem, you can add a node to your swarm by getting a join token from a manager node already in the swarm:
run the returned join command on the node you want to join to the swarm. you can continue managing the swarm and its services from a manager node or from within portainer.