Y’all, this is gonna be super broad, and I apologize for that, but I’m pretty new to all this and am looking for advice and guidance because I’m pretty overwhelmed at the moment. Any help is very, very appreciated.

For the last ~3 years, I’ve been running a basic home server on an old computer. Right now, it is hosting HomeAssistant, Frigate NVR, their various dependencies, and other things I use (such as zigbee2mqtt, zwave-js-ui, node-red, mosquitto, vscode, etc).

This old server has been my “learning playground” for the last few years, as it was my very first home server and my first foray into linux. That said, it’s obviously got some shortcomings in terms of basic setup (it’s probably not secure, it’s definitely messy, some things don’t work as I’d like, etc). It’s currently on its way out (the motherboard is slowly kicking the bucket on me), so it’s time to replace it, and I kind of what to start over (not completely - I’ve hundreds of automations in home assistant and node-red, for instance, that I don’t want to have to completely re-write, so I intend to export/import those as needed) and do it “right” this time - at this point, I think this is where I’m hung up, paralyzed by a fear of doing it “wrong” and winding up with an inefficient, insecure mess.

The new server, I want to be much more robust in terms of capability, and I have a handful of things I’d really love to do: pi-hole (though I need to buy a new router for this, so that has to come later on unless it’d save a bunch of headache doing it from the get-go), NAS, media server (plex/jellyfin), *arr stuff, as well as plenty of new things I’d love to self-host like Trilium notes, Tandoor or Mealie, Grocy, backups of local PCs/phones/etc (nextcloud?)… obviously this part is impossible to completely cover, but I suspect the hardware (list below) should be capable?

I would love to put all my security cameras on their own subnet or vlan or something to keep them more secure.

I need everything to be fully but securely accessible from outside the network. I’ve recently set up nginx for this on my current server and it works well, though I probably didn’t do it 100% “right.” Is something like Tailscale something I should look to use in conjuction with that? In place of? Not at all?

I’ve also looked at something like Authelia for SSO, which would probably be convenient but also probably isn’t entirely necessary.

Currently considering Proxmox, but then again, TrueNAS would be helpful for the storage aspect of all this. Can/should you run TrueNAS inside Proxmox? Should I be looking elsewhere entirely?

Here’s the hardware for the recently-retired gaming PC I’ll be using:
https://pcpartpicker.com/list/chV3jH
Also various SSDs and HDDs.

I’m in this weird place where I don’t have too much room to play around because I want to get all my home automation and security stuff back up as quickly as possible, but I don’t want to screw this all up.

Again, any help/advice/input at all is super, super appreciated.

  • Malice@lemmy.dbzer0.comOP
    link
    fedilink
    English
    arrow-up
    1
    ·
    11 months ago

    You make a very good argument for Tailscale, and I think I’ll definitely be looking deeper into that.

    I like your suggestion to map out functional requirements, and then go from there. I think I’ll go ahead and start working on a decent map for that.

    As far as the new router for pi-hole… my super-great, wonderful, most awesome ISP (I hope the sarcasm is evident, haha; the provider is AT&T) dictates that I use their specific modem/router (not optional), and they also do not allow me to change DHCP on that mandated hardware. So my best option, so far as I’ve seen, is to use the ISP’s box in pass-through with a better router behind it that I can actually set up to use pi-hole.

    Thank you for your thoughts and suggestions! I’m going to take a deeper look at Tailscale and get started properly mapping high-level needs/wants out, with options for each.

    • terminhell@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      2
      ·
      11 months ago

      Ya don’t need ATT’s modem. Some copy pasta I’ve put together:

      If it’s fiber, you don’t need the modem. You’ll still need it once every few months.

      Things you’ll need:

      1. your own router
      2. cheap 4 port switch (1gig pref)

      Setup: Connect gpon (the little fiber converter box they installed on the wall near modem) wan to any port on 4port switch. Then from switch to gpon port of modem (usually red or green port). Make sure modem fully syncs. Once this happens, you can move the cable from the modem to your own routers wan port. Done! Allow router a few moments to sync as well.

      Now, every once in a while they’ll send a line refresh signal that will break this, or if a power outage occurs. In such case, you’ll just plug back in their modem, move cable back to gpon port of modem, wait for sync. Move cable back to router.

      Bonus: Hook up all this to a battery backup and you’ll have Internet even during power outages, at least for a while.

      • BearOfaTime@lemm.ee
        link
        fedilink
        English
        arrow-up
        3
        ·
        11 months ago

        Since their modem is handing out DHCP addresses, is there any reason why you couldn’t just connect that cable to your router’s internet port, and configure it for DHCP on that interface? Then the provider would always see their modem, and you’d still have functional routing that you control.

        Since consumer routers have a dedicated interface for this, you don’t have to make routing tables to tell it which way to the internet, it already knows it’s all out that interface.

        Just make sure your router uses a different private address range for your network than the one handed out by the modem.

        So your router should get a DHCP and DNS settings from the modem, and will know it’s the first hop to the internet.

        I do this to create test networks at home (my cable modem has multiple ethernet ports), using cheap consumer wifi routers. By using the internet port to connect, I can do some minimal isolation just by using different address ranges, not configuring DNS on those boxes, and disabling DNS on my router.

        • Malice@lemmy.dbzer0.comOP
          link
          fedilink
          English
          arrow-up
          2
          ·
          11 months ago

          Their modem is my router; it’s both. That’s why I need a new one, to do exactly as you’re describing (is my understanding, although another post here suggests otherwise).

          • BearOfaTime@lemm.ee
            link
            fedilink
            English
            arrow-up
            1
            ·
            11 months ago

            You should still be able to run your own router with it treating their router as the next hop.

      • Malice@lemmy.dbzer0.comOP
        link
        fedilink
        English
        arrow-up
        1
        ·
        11 months ago

        Huh, this is interesting, I’ll have to take another look into this. Thanks for the lead!
        And I do have a UPS, and it is, indeed, pretty glorious that my internet, security cameras, and server all stay online for a good bit of time after an outage, and don’t even flinch when the power is only out briefly. Convenience and peace of mind. Well worth a UPS.

    • BearOfaTime@lemm.ee
      link
      fedilink
      English
      arrow-up
      2
      ·
      11 months ago

      Lol, sarcasm received, loud n clear!

      Yea, they all suck that way. I still use my own router for wifi. It’s just routing, and your own router will know which way to the internet, unless there’s something I don’t understand about your internet connection. See my other comment below.

      Yea, requirements mapping like this is standard stuff in the business world, usually handled by people like Technical Business/Systems Analysts. Typically they start with Business/Functional Requirements, hammered out in conversations with the organization that needs those functions. Those are mapped into System Requirements. This is the stage where you can start looking at solutions, vendor systems, etc, for systems that meet those requirements.

      System Requirements get mapped into Technical Requirements - these are very specific: cpu, memory, networking, access control, monitor size, every nitpicky detail you can imagine, including every firewall rule, IP address, interface config. The System and Technical docs tend to be 100+/several hundred lines in excel respectively, as the Tech Requirements turn into your change management submissions. They’re the actual changes required to make a system functional.