• 1 Post
  • 27 Comments
Joined 1 year ago
Cake day: July 2nd, 2023

  • I’m using step-ca. It’s running on a dedicated SBC. ACME certs are created for each service and renew automatically daily. Honestly this setup wouldn’t be worth it if it weren’t for daily cert rotation. I’m not using wildcard certs with my own CA as it’s bad practice and defeats the purpose. There are a bunch of different ACME renewal scripts/services. K8s cert-manager handles Kubernetes services automatically. OPNsense has an ACME cert plugin; nginx proxy manager is using an external cert managed by a script. I’m validating certs with DNS using TSIG. step-ca has several integrations with different DNS services. I chose TSIG because it’s universal. There is a Pi-hole integration if you’re using that. Buying a valid domain is not needed as long as you have internal DNS. You need to install the root CA on every machine that will be connecting to services. If you have many VMs, configuration management is the way to go.



  • LUKS full disk encryption and encrypted offsite backups. This protects from the most common smash-and-grab scenario.

    I had issues where system upgrades would lose encryption keys and a full restore from backup was my only option. Nextcloud has issues with encryption; some features are not available if you enable it (don’t remember which ones now).

    Generally speaking, if someone has physical access to your system you’re screwed. There are many ways that physical access can be used to get access to your data, including denying you access to your data.



  • I think it only makes sense if you have resource constraints. Consolidating databases would free up some RAM and CPU cycles.

    From the perspective of maintenance and security it’s a nightmare. Depending on how many services you have and what their migration strategy is, most setups require full admin to the DB, and some will try to create the DB. You would have to tweak DB scripts for those deployments. Performance-wise it would put load on a single DB process, so you would have to inspect queries to figure out what is causing performance issues if you have any.

    Database upgrades would impact all services. If one of them uses deprecated functions, or another one requires an upgrade to use a new release, you would be in trouble.

    You need to have separate users and permissions. Create databases outside of normal deployment scripts.

    Generally separation of databases gives a lot of flexibility for releases, isolated database activities for performance and administrative tasks, streamlines new release upgrades.


  • Yeah, I looked at the tutorial. Port 81 is only for management (NPM admin GUI). Then you have your traffic ports for proxied services. Those would be 80 and 443 normally. You would need to expose those ports to the Internet if you want to access NPM/proxy your service. Port 81 shouldn’t be exposed on your public interface; make sure it isn’t, or at least have a firewall rule to allow only the local network (ideally a management network/VLAN).


  • It’s not clear what the purpose of NPM is in your case. Do you want to serve the internal network or expose to the Internet? If it’s the latter, you need to see what interface you exposed the NPM port on (it has to be your public network - VPS IP), and your firewall needs to allow incoming connections on that port. Most likely you will be using port 443 and maybe 80 for redirect (checkbox in NPM: always use TLS). Use the IP address first to eliminate DNS issues. Once the IP is valid, test DNS with nslookup/dig to see if it resolves to your IP.

    The OpenSSL command needs to be executed from the VPS to eliminate network issues and just validate the certificate setup. The IP and port would depend on what port you exposed. 127.0.0.1 should work from that context. Once you see the certificate you can execute the openssl command from your local machine and use the WireGuard tunnel IP to connect to the service. This is for the internal network.


  • Can you elaborate more on what is not working? What are you testing to conclude it’s not working?

    From my understanding you’re running a VPS server. You have a tunnel set up to connect to the server. You’re trying to set up NPM with Let’s Encrypt certs validated via DNS.

    To continue troubleshooting you should eliminate all network paths and test from the VPS (ssh to the system). Once you have NPM set up you should be able to test the certificate locally by connecting to the NPM exposed port.

    Assuming you exposed port 443:

    openssl s_client -connect 127.0.0.1:443 -showcerts

    If you can validate that NPM is serving the endpoint with the correct certificate, you can move on to troubleshooting your network path.
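The local certificate check the two NPM troubleshooting comments above describe (openssl s_client from the VPS) and the "is daily renewal actually happening" question behind the step-ca comment can be scripted. The following is an added example written for this page, not code from the commenter, step-ca or NPM; it uses only the Python standard library. Assumptions: the host/port are whatever you exposed (127.0.0.1:443 when run on the VPS itself), `--servername` is the DNS name NPM serves (needed when connecting by IP, since the name is both sent as SNI and verified), and `--cafile` is the PEM of your own root CA when the endpoint was issued by an internal CA. `SAMPLE_CERT` and `SAMPLE_NOW` are constructed values shaped like `getpeercert()` output so the summary logic runs offline.

```python
"""Show which certificate a TLS endpoint really serves and how long it has left.

Added example for this page (not the commenter's, step-ca's or NPM's code).
Verification stays ON: a wrong chain or hostname raises, which is the failure
you want to see while troubleshooting, not hide.
"""
from __future__ import annotations

import socket
import ssl
from datetime import datetime, timezone


def fetch_peer_cert(host: str, port: int = 443, ca_file: str | None = None,
                    server_name: str | None = None, timeout: float = 5.0) -> dict:
    """Python equivalent of `openssl s_client -connect host:port -servername name`.

    ca_file: PEM of your internal root CA (None = system trust store).
    server_name: name sent as SNI and checked against the cert; when you
    connect to 127.0.0.1 this must be the DNS name NPM serves, otherwise the
    hostname check fails even though the chain is fine.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    sni = server_name or host
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()


def summarize_cert(cert: dict, now: datetime | None = None) -> dict:
    """Reduce a getpeercert() dict to the fields worth comparing against what
    your ACME client should have installed: names, issuer and remaining life."""
    now = now or datetime.now(timezone.utc)
    # Each RDN in getpeercert() is a tuple of (attribute, value) pairs.
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).total_seconds() / 86400
    return {
        "common_name": subject.get("commonName"),
        "issuer": issuer.get("commonName") or issuer.get("organizationName"),
        "sans": sans,
        "not_after": not_after.isoformat(),
        "days_left": round(days_left, 2),
    }


def serves_name(summary: dict, name: str) -> bool:
    """True if the endpoint's certificate covers `name` exactly (no wildcards)."""
    return name == summary["common_name"] or name in summary["sans"]


def renewal_due(summary: dict, min_days_left: float = 0.25) -> bool:
    """With 24h certs rotated daily, less than ~6h of life left means the
    renewal job has most likely stalled."""
    return summary["days_left"] < min_days_left


# Constructed sample, shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_CERT = {
    "subject": ((("commonName", "npm.home.example"),),),
    "issuer": ((("organizationName", "Home Lab"),),
               (("commonName", "Home Lab Intermediate CA"),)),
    "subjectAltName": (("DNS", "npm.home.example"),
                       ("DNS", "proxy.home.example"),
                       ("IP Address", "10.0.0.5")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  2 00:00:00 2024 GMT",
}
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed


if __name__ == "__main__":
    import argparse
    import json

    ap = argparse.ArgumentParser(description="Show the certificate a TLS endpoint serves")
    ap.add_argument("host")
    ap.add_argument("--port", type=int, default=443)
    ap.add_argument("--servername", help="name to send as SNI and verify (needed when host is an IP)")
    ap.add_argument("--cafile", help="PEM file of your internal root CA")
    ap.add_argument("--min-days", type=float, default=0.25)
    args = ap.parse_args()
    result = summarize_cert(fetch_peer_cert(args.host, args.port, args.cafile, args.servername))
    result["renewal_due"] = renewal_due(result, args.min_days)
    print(json.dumps(result, indent=2))
```

Run it first on the VPS as `python3 certcheck.py 127.0.0.1 --servername npm.home.example --cafile root_ca.crt`, then from your workstation against the WireGuard tunnel IP, as the comments suggest. A verification error on the first run points at the certificate/CA setup; success there and failure on the second run points at the network path.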


  • There are many variables to consider. You want new or used, managed/smart/unmanaged, PoE, power draw and noise levels. New will be hard to find, and if you need a good one, even harder. Read good reviews on Hasivo switches (24 port version).

    Used, you have many options. My recommendation is biased towards managed Brocade and Arista.

    Power hungry and loud, but cheap and capable: Brocade ICX 6610 (check out https://forums.servethehome.com/index.php?threads/brocade-icx-series-cheap-powerful-10gbe-40gbe-switching.21107/).

    Arista 7050t is also great; it doesn’t require a fan mod as it has fan control (it’s harder to find under $200). There are other ICX series switches that you can fan-mod and keep quiet.

    ICX 7250 (harder to find under $200) and ICX 6450 both offer 24 and 48 port versions, with and without PoE.

    If you’re going to use this just for the event you probably don’t care about noise and power draw, so you could get cheaper and older enterprise gear. If you’re planning on using this for other things and running 24/7 you need to look at power and noise. In an ideal setup you would have a pair of switches so that you have redundancy/high availability, especially for the event.


  • citizen@sh.itjust.works to Homelab@selfhosted.forum · Buying (edited, 10 months ago)

    Used: eBay, classifieds (Kijiji, Craigslist, Facebook etc.), electronic thrift stores (hit/miss, random stuff from Goodwill)

    New: Newegg, AliExpress, local computer stores (Microcenter), Amazon deals

    Disks: ServerPartsDeals, Goharddrive, sales from big box stores (eg. BestBuy)


  • A separate device for OPNsense is better. It’s more secure and you can have proper physical network segmentation. You would want to do that if your budget allows. This also allows you to have a stable network while you’re playing with Proxmox. Having a solid network core is important. Everything expands and builds on top of that.

    You can still achieve network segmentation on Proxmox, but you have to be careful and have enough physical NICs. You can mess things up easily if you start using the Proxmox firewall. You still need to do updates on both OPNsense and Proxmox, so reboots will be needed. I would say OPNsense needs more reboots than Proxmox.

    As for backups, snapshotting is nice to have. OPNsense allows you to back up the configuration. You can set up daily backups to a Git repo. As long as you restore to the same hardware (same number and order of NICs) you will be OK. Restoring to a different device requires changes in the config. The config is an XML file.
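The "restoring to different hardware needs config changes" point above is mostly about which physical NIC each logical interface is bound to. The script below is an added example for this page, not the commenter's tooling or anything shipped by OPNsense: it lists the NIC assignments in a config backup and rewrites exact device names from an old-to-new mapping, while flagging derived names (VLAN sub-interfaces) that it will not guess at. It assumes the layout `<opnsense><interfaces><lan><if>igb1</if>…</lan></interfaces></opnsense>`, one child element per logical interface with the driver device name in `<if>`; `SAMPLE_CONFIG` is a constructed fragment, not a real backup.

```python
"""List and remap physical NIC names in an OPNsense-style config.xml
before restoring it to a box with different interfaces.

Added example for this page (not the commenter's or OPNsense's code).
Assumed layout: <opnsense><interfaces><lan><if>DEVICE</if>...</lan></interfaces>.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Constructed sample, not a real backup. igb1_vlan20 is a VLAN sub-interface
# whose name is derived from its parent NIC.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <interfaces>
    <wan><enable>1</enable><if>igb0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><enable>1</enable><if>igb1</if><ipaddr>192.168.10.1</ipaddr><subnet>24</subnet></lan>
    <opt1><enable>1</enable><if>igb1_vlan20</if><descr>GUEST</descr><ipaddr>192.168.20.1</ipaddr><subnet>24</subnet></opt1>
  </interfaces>
  <vlans>
    <vlan><if>igb1</if><tag>20</tag><vlanif>igb1_vlan20</vlanif></vlan>
  </vlans>
</opnsense>
"""


def nic_assignments(xml_text: str) -> dict[str, str]:
    """Map logical interface (wan, lan, opt1, ...) -> physical device in <if>."""
    root = ET.fromstring(xml_text)
    out: dict[str, str] = {}
    for iface in root.find("interfaces"):
        dev = iface.findtext("if")
        if dev:
            out[iface.tag] = dev
    return out


def _path(el: ET.Element, parents: dict[ET.Element, ET.Element]) -> str:
    """Slash-joined path below the root element, for human-readable reports."""
    parts = []
    while el is not None and el in parents:
        parts.append(el.tag)
        el = parents[el]
    return "/".join(reversed(parts))


def remap_nics(xml_text: str, mapping: dict[str, str]) -> tuple[str, list[str]]:
    """Rewrite every <if> whose text exactly matches an old device name.

    Returns (new_xml, leftovers). Leftovers are <if>/<vlanif> values that still
    contain an old device name as a substring (derived names such as VLAN
    sub-interfaces); those are reported for manual review, never guessed.
    """
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    leftovers: list[str] = []
    for el in root.iter():
        if el.tag not in ("if", "vlanif") or not el.text:
            continue
        if el.tag == "if" and el.text in mapping:
            el.text = mapping[el.text]
        elif any(old in el.text for old in mapping):
            leftovers.append(f"{_path(el, parents)}={el.text}")
    # ET.tostring drops the <?xml ...?> declaration; OPNsense does not need it.
    return ET.tostring(root, encoding="unicode"), leftovers


if __name__ == "__main__":
    print("current assignments:", nic_assignments(SAMPLE_CONFIG))
    new_xml, todo = remap_nics(SAMPLE_CONFIG, {"igb0": "ix0", "igb1": "ix1"})
    print("after remap:       ", nic_assignments(new_xml))
    for item in todo:
        print("review manually:   ", item)
```

Run `nic_assignments` against the backup from your Git repo and against `ifconfig -l` on the target box to build the mapping, apply `remap_nics`, and only then import the result; the leftovers list tells you which VLAN entries still need a hand edit.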





  • Yes! I have a split DNS setup with Technitium using the advanced forwarding plugin. You can set a different upstream based on client IP or subnet. So this way you can send them to the VPN DNS to prevent leaking.

    Also, you can have multiple Pi-holes (poor man’s setup) and have each configured with filtering for a dedicated VLAN. For instance, be more strict for guest/kids and less on the adults’ net. AdGuard can do that without having to have many instances, but then AdGuard can’t forward traffic based on origin IP. You can make any kind of logic and send different clients to different upstreams. As far as I know only BIND provides this functionality, through views, but it’s a more complicated setup and no lovely GUI. You can always send all traffic through the tunnel, but then some results may not be ideal if you’re detected to be in a different country and content is served in another language. I think results will vary based on the VPN endpoint. You don’t need to tunnel through the VPN if you use DNS over HTTPS. It’s completely invisible to the ISP. VPN is more of a use case if you want to be consistent with your exit IP and DNS queries.


  • citizen@sh.itjust.works to Privacy@lemmy.ml · Pi-Hole vs AdGuard vs NextDNS (edited, 11 months ago)

    Pi-hole is most popular among self-hosters. It has a nice GUI, it’s capable and it’s solid. It’s basic in the sense of DNS features. You need to use config files to customize from the terminal, and even then it’s limited.

    AdGuard in my experience has more advanced blocking features. DNS also allows you a little more flexibility, like wildcard records. You can have separate configs for different clients (like guest/kids network blocking).

    NextDNS is SaaS only. It has the most advanced blocking features, but a free account only gets you limited queries monthly. You can choose to keep your logs on specific servers or not keep them at all… from a privacy perspective it’s arguably worse because you have to trust another company, but it’s a good middle ground. Self-hosted still needs upstream DNS, but it could be tunneled through a VPN, which would anonymize traffic. NextDNS is an upstream DNS and it can’t distinguish internal network sources.

    I would throw Zenarmor into the mix https://www.zenarmor.com/. A paid home license costs $10/month and allows 3 different profiles. It is more advanced as it sniffs all network packets and not only DNS. It’s not replacing DNS. It has great reports/dashboards.

    For the best DNS capabilities I would recommend Technitium https://technitium.com/dns/. It’s free. You have a GUI, DNS blocking and full DNS capability with some advanced plugins. It’s not as fancy for dashboards as Pi-hole or AdGuard.

    You would use a combination of solutions, and NextDNS could be your upstream if you don’t mind paying them. If privacy is your thing you want to have a more generic upstream that everyone uses, like Quad9.


  • If your goal is to improve security you would have to look into e2e encryption. This means network traffic needs to be encrypted both between client and proxy as well as between proxy and service. Your volumes should also be encrypted. You didn’t elaborate on your Proxmox/network setup. I will assume that you have multiple Proxmox hosts and an external router, perhaps with a switch between them. Traffic this way flows between multiple devices. With a security mindset you’re assuming the network can’t be trusted. You need to apply a layered approach and use separation of physical devices, VLANs, ACLs, and separate network interfaces for management and services for the respective networks. Firewall rules on router, Proxmox and VM.

    Some solutions:

    • Separate network for VM/CT. Instead of using a network-routable IP going to your router you can create a new bridge on a separate CIDR without specifying a gateway. Add the bridge to every VM that needs connectivity. Use the new bridge IPs to communicate between VMs. Further, you can configure Proxmox to communicate between nodes in a P2P ring network instead of using a switch/router. This requires at least 2 dedicated NICs on the Proxmox host. This separates the network but doesn’t encrypt.

    Encryption:

    • You could run another proxy on the same VM as the service just to encrypt traffic if the service doesn’t support that. Then have your proxy connect to that proxy instead of the service directly. This way unencrypted traffic doesn’t leave the VM. A step up would be to use certificate validation. A step up from there would be to use an internal certificate authority and issue certificates from there, as well as validate using the CA cert.
    • Another alternative is to use an overlay network between proxy and VM. There are a bunch of different options. HashiCorp Consul network could be an interesting project. There are more advanced projects combining zero trust concepts like Nebula.
    • If you start building advanced overlay networks you may as well look at Kubernetes as it streamlines deployment of both services and underlying infrastructure. You could deploy Calico with a WireGuard network. The setup gets more complicated for a simple home lab.

    It all boils down to the question of why you do self-hosting. If it’s to learn new tech then go for it all the way. Experiment and fail often so you learn what works and what doesn’t. If you want to focus on reliability and simplicity, don’t overcomplicate things. You will spend too much time troubleshooting and have your services unavailable. Many people run everything on a single node just running Docker with networks between services to separate internal services from proxy traffic. Simplicity trumps everything if you can’t configure complex networks securely.


  • If you want to look into enterprise-grade equipment I recommend Ruckus with Unleashed firmware. You can get older models R510/R610 from eBay for around 100-150, then flash Unleashed by downloading it from the official Ruckus website. R610 requires more power, so if you do PoE you need a switch that supports 802.3at 30W. R510 is less power hungry and suits most setups. You can do all sorts of network configurations with them. Meshing with other Ruckus Unleashed APs is supported. Guest portal, VLANs and client isolation. They are not the newest and don’t support Wi-Fi 6, but they are rock solid, support hundreds of devices and perform well in high-congestion places. There are newer models but they are expensive: R550 and R650. I used to recommend Ubiquiti equipment in the past, but they are not the best for privacy-focused deployments. Arguably the hardware of Ubiquiti APs is far inferior to enterprise gear like Ruckus or Aruba.


  • If the terrain is mostly flat and your antenna is somewhat elevated you should be good. If you have more friends in the neighborhood it will help, as every radio relays messages in the mesh by default. The ideal setup would be to have a base station at home (terminal) and a handheld device connected to your mobile phone. So 2 devices per person. This way it’s more reliable. If you have a HAM license you can use a higher power device like this G1 https://meshtastic.org/docs/hardware/devices/station-g1/ The only thing is that you can’t legally use encryption with higher power transmission. In my experience the reliability of this setup varies. It works when users actively maintain and check the Meshtastic app. If you have less technical users, or users that just want things to work all the time, it may not be the best solution. I found sometimes radios disconnect from Bluetooth, especially when charging. The radio works but the Bluetooth connection isn’t established. If you send a message it will be received by the radio and ACKed, but the person will not get it until they connect to the Meshtastic app and reestablish the Bluetooth connection. Messages are visible on the radio if it has a display and is not in relay mode. This means that you don’t know for sure if the message was read. For day-to-day use in a normal urban setting I find it a little finicky and not reliable enough. You have to carry an additional device with you and the antenna needs to be in a good position. Some radios have built-in antennas optimized for on-body carry. This is just my experience and it will vary with people and situation. There is the Nano Explorer radio with a dedicated notification bell that could be useful https://meshtastic.org/docs/hardware/devices/Nano Series/

    This solution works best if you don’t have cellphone network reception and all users are actively checking the status of their radios (charge, messages, connection to the app). This fits perfectly with recreational outdoor activities in remote areas. Search and rescue is very niche, and unless you engage in such activities on a regular basis it’s not something you need. It can also serve as a backup solution for emergencies (neighborhood watch/prepping).

    If you’re also considering a Wi-Fi/intranet solution I recommend looking into Mikrotik Wireless Wire products. There is more equipment cost involved and it’s a completely different use case as it’s a stationary solution. https://mikrotik.com/products/group/60-ghz-products