cross-posted from: https://sh.itjust.works/post/39436154
Hello everyone, I'm building a new server for the house. It will act as a NAS for everyone and host a few services like Paperless, Immich, Baikal, Jellyfin, Syncthing, probably Navidrome, etc. The main reason I'm building a new one is that my current one is an HP prebuilt with a 3rd gen i5 and 8GB RAM that is slowly kicking the bucket; my 4TB HDD is completely full and there are no more SATA ports nor space in the case.
I am fully psychologically prepared to be 24/7 tech support, but after all I already am, and this way I have to support services that I know how they work (and that I trust!) and not some strange Big Tech service whose UI and inner workings change every other day.
For reference my new build is:
- CPU: Ryzen 5 PRO 4560G + stock cooler. Has integrated graphics, can use it for Jellyfin transcoding.
- RAM: Corsair Vengeance 2x8GB (from my desktop before I upgraded to 64GB RAM. If needed in the future I will upgrade the capacity and probably switch to ECC, I’ve chosen the CPU since it has support for it)
- NVMe SSD (boot + VM storage): Verbatim VI3000 512GB
- Storage (SATA): 4x12TB Seagate Enterprise (white label) to use ZFS and RAID-Z1 + 1x512GB Samsung SSD as cache.
I'm planning on using Proxmox on bare metal and spinning up VMs/containers as needed, for which I'm wondering:
- I know Proxmox can manage ZFS arrays. Is it better to create the array via Proxmox, then share it as needed via something like OpenMediaVault in a VM/container, OR to create a TrueNAS VM and pass through the SATA controller to it, then manage everything via TrueNAS? I've done the latter in the past on another server, and it's holding strong.
- I don't know if exposing the server to the open internet is a good idea (of course with fail2ban and a firewall properly configured) or whether to just keep a VPN connection to the server always open. I think the latter would be more secure, but also less user-friendly for parts of the family. I'm using WireGuard currently to remote into my server when needed, and sometimes networks like eduroam at my university block it completely.
  - Self-signed SSL certificates might also be a problem in the latter case.
Since I will experiment with this server a little bit, I was thinking of keeping:
- One VM for services for the family (exposed to internet or VPN)
- One VM for services I still want to expose (I currently expose a couple websites for friends with data archived in my NAS)
- One VM for me to experiment with before going in “production” for the family
Each VM would host its services using Docker + Portainer. My question is: is this too convoluted? Should I just use Proxmox's LXC containers (which I have no experience with) and host services there?
I was also thinking of spinning up a pfSense/OPNsense box and putting the server into a separate VLAN from the domestic LAN. But that will be a project for another time. Unfortunately, the way Ethernet is wired in my house and the physical space I have available prevent me from separating the networks by physically using another router.
Thanks!
To expose your services easily and securely, look up Tailscale. It's completely free and is set up per device, e.g. download it on your mom's phone and you can manage that phone's access.
Tailscale uses WireGuard and some weird-ass NAT magic to make every device have direct connections to each other, creating a "tailnet".
It's a zero trust architecture, so you have to whitelist every device on it. What that means practically is it's very difficult to compromise, and that's by its nature. You don't have to have a high technical level to be very secure using Tailscale.
There is also Twingate, which I think is similar, but I'm not as familiar with Twingate.
I had thought of that, but I didn't really like the idea of using a third-party service to access my machines.
Also, I didn't mention it in the post, but while my ISP gives me a public IP, I only use port forwarding to WireGuard into my home network. My services are exposed via a VPS hosted on the Oracle Cloud free tier, which forwards public traffic to my server via another WireGuard connection.
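As an added illustration of the VPS-to-home forwarding setup described above (example configuration, not the poster's own), here is one way to wire it with wg-quick and iptables. The tunnel addresses (10.0.0.1/10.0.0.2), the VPS interface name `ens3`, the hostname `vps.example.net`, and the key placeholders are all assumptions; only TCP 80/443 are forwarded, and the home side accepts traffic from the VPS tunnel address alone so the VPS never becomes a route into the rest of the LAN.

```ini
# --- /etc/wireguard/wg0.conf on the VPS (assumed public interface: ens3) ---
[Interface]
PrivateKey = <VPS_PRIVATE_KEY_PLACEHOLDER>
Address = 10.0.0.1/24
ListenPort = 51820
# Forward only the web ports to the home server through the tunnel.
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -t nat -A PREROUTING -i ens3 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.0.0.2
# Rewrite the source to the tunnel address so replies come back via wg0
# without needing policy routing on the home server.
PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostUp = iptables -A FORWARD -i ens3 -o wg0 -p tcp -m multiport --dports 80,443 -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -o ens3 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D PREROUTING -i ens3 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.0.0.2
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -D FORWARD -i ens3 -o wg0 -p tcp -m multiport --dports 80,443 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o ens3 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

[Peer]
# The home server; only its tunnel address is routable from the VPS.
PublicKey = <HOME_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.0.0.2/32

# --- /etc/wireguard/wg0.conf on the home server ---
[Interface]
PrivateKey = <HOME_PRIVATE_KEY_PLACEHOLDER>
Address = 10.0.0.2/24
# No ListenPort: the home side dials out, so nothing extra is opened on the home router.

[Peer]
PublicKey = <VPS_PUBLIC_KEY_PLACEHOLDER>
Endpoint = vps.example.net:51820
# Only the VPS tunnel address is allowed, so this tunnel is never a default route
# and forwarded connections arrive with source 10.0.0.1.
AllowedIPs = 10.0.0.1/32
# Keep the NAT mapping alive so the VPS can reach the home side at any time.
PersistentKeepalive = 25
```

Because of the MASQUERADE, the home server sees every forwarded connection as coming from 10.0.0.1, so fail2ban running there would ban the VPS itself; run the reverse proxy and fail2ban on the VPS, or have the VPS proxy pass the real client address with X-Forwarded-For.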
Headscale is a locally hosted version. You can also just manually do WireGuard. But Tailscale is just a management tool for setting up an overlay network using WireGuard.