cross-posted from: sh.itjust.works/post/39436154

Hello everyone, I’m building a new server for the house, it will act as a NAS for everyone and host a few services like paperless, immich, baikal, jellyfin, syncthing probably navidrone, etc. The main reason I’m building a new one is that my current one is a HP prebuilt with a 3rd gen i5 and 8GB ram that is slowly beating the bucket, my 4TB HDD is completely full and there’s no more sata ports nor space in the case.

I am fully psychologically prepared to be 24/7 tech support, but after all I already am, and in this way I have to support services for which I know how they work (and that I trust!) and not some strange Big Tech service whose UI and inner workings changes every other day.

For reference my new build is:

  • CPU: Ryzen 5 PRO 4560G + stock cooler. Has integrated graphics, can use it for Jellyfin transcoding.
  • RAM: Corsair Vengeance 2x8GB (from my desktop before I upgraded to 64GB RAM. If needed in the future I will upgrade the capacity and probably switch to ECC, I’ve chosen the CPU since it has support for it)
  • SSD NVME (boot+VM storage): Verbatim VI3000 512GB
  • Storage (SATA): 4x12TB Seagate Enterprise (White label) to use ZFS and Raid Z1 + 1x512GB Samsung SSD as cache.

I’m planning on using proxmox on bare metal and spin up VM/containers as needed, for which I’m wondering:

  • I know proxmox can manage ZFS arrays, is it better to create the array via proxmox, then share it as needed via something like openmediavault in vm/container OR to create a TrueNAS VM and passthrough the SATA controller to it, then manage everything via TrueNAS? I’ve done the latter in the past on another server, it’s holding strong

  • I don’t know if exposing the server to the open internet is a good idea (of course with fail2ban and a firewall properly configured) or to just keep a VPN connection to the server always open. I think the latter would be more secure, but also less user-friendly for parts of the family. I’m using wireguard currently to remote into my server when needed, and sometimes networks like eduroam in my university block it completely.

    • Self signed SSL certificates might also be a problem in the latter case
  • Since I will experiment with this server a little bit, I was thinking of keeping:

    • One VM for services for the family (exposed to internet or VPN)
    • One VM for services I still want to expose (I currently expose a couple websites for friends with data archived in my NAS)
    • One VM for me to experiment with before going in “production” for the family

Each VM would host its services using Docker+Portainer. My question is: is this too convoluted? Should I just use proxmox’s LXC containers (which I have no experience with) and host services there?

I was also thinking of spinning up a pfsense/opnsense box and put the server into a separate VLAN from the domestic lan. But that will be a project for a second time. Unfortunately the way ethernet is wired in my house and for the physical space I have available prevent me from separating the networks by physically using another router.

Thanks!