There is no need to have them on separate VMs, as containers are already isolated and additional VMs will add more overhead.
It is worth exploring the LXC containers too, even though I prefer Docker with compose for its declarativeness.
Yes, I also heard that he passed, and I really feel bad for the guy, he did an amazing job. Thanks for the link, I didn’t know there was a new place.
Check this project https://github.com/whyvl/wireproxy
I would suggest giving Proxmox a go and virtualise your VMs, as you can easily make snapshots and recover if something goes south.
You can also check https://tteck.github.io/Proxmox/ containing easily deployable scripts to make your life easier.
I would also try to run everything out of Docker compose and create a repo containing all configuration files.
Yes, would be nice to post a follow-up post with your setup once you build it.
I went that route two or three months ago and eventually bought a second-hand Lenovo ThinkCentre PC. Installed two NVMe SSDs for VMs, 1 SATA SSD for booting Proxmox and a single 12Tb HDD for media storage and one of the VMs is TrueNAS.
I played in the BIOS to enable everything possible to lower the power consumption and disabled some interfaces I am not going to use. So overall I paid a bit over 400 Euro for everything with 2x32GB RAM and the CPU is 8th gen, meaning I can use it for hardware encoding and decoding of h265.
The problem with my setup is that it is not much more extensible than that, as it had only one m2 slot, so I bought a PCIe to m2 extension card to fit the second m2 SSD.
The data I will store on the HDD is mostly media, that’s not critical, and I have a cloud backup for my more important documents automated with an rsync job. But I was also playing with the idea to build a proper NAS for a while.
There are plenty of Chinese manufacturers that are manufacturing NAS-centric motherboards that come with built-in processors, like Topton, etc, just search AliExpress for them. You might also consider buying a motherboard with ECC support.
Regarding the case, Jonsbo has really nice cases, but they are a bit on the more expensive side. But there are plenty of no-name brands also on AliExpress offering sturdy NAS cases, one example https://a.aliexpress.com/_mqCnPiL. The Pico PSU is great, and very power efficient, but ultimately what PSU you pick would depend on your case choice. Personally, I wouldn’t go with the case from your link and the outside drive bay.
Some inspiration for you: https://youtu.be/Jr5MjhgPz_c?si=PGh3Yyjwk8JiiHao
I mean you can exchange the network card of your Intel computer for one with at least 2.5Gbps, install Linux and create a share and use the Ryzen mini PC for managing and transcoding media files, but it will complicate your setup and won’t be very energy efficient.
No, by “CPU is an odd choice” I meant the i7-6700K. The Ryzen CPU is quite recent and very powerful, and energy efficient. Again, for a multimedia system you need a big case like the Define one and lots of SATA ports and bays. The Intel one checks the boxes, but you need a better processor or alternatively an external GPU, like the Intel Battlemage, to have hardware encoding acceleration.
The mini PC is nice but not suitable as a multimedia machine, as it lacks the SATA ports and bays. You can use it as a router, like OPNsense.
Why are you buying a rack when neither of your machines is rack mountable?
What is your use case, what are you using the big PC and the small one for? Why Unraid and not TrueNAS Scale, for example?
If you are planning on using the big machine for multimedia, be aware that the i7-6700K doesn’t support hardware encoding/decoding of HEVC and the CPU is not powerful enough for live 4K software transcoding.
This CPU is quite an odd choice though, it is 10 years old and in my opinion extremely outdated. Get at least 8-9 gen, that at least have this running.
If you don’t need public access you can create an A-name record pointing to your private IP. This way you will still be able to use SSL certificates but still route your traffic using the internal network.
I am probably going to install an arr stack on the docker containers, but they will write to the HDD. What file systems shall I use for the drives? This topic seems to be quite the rabbit hole and I simply want to properly build this system, as I am planning to leave it running in a remote location so reliability is a very important factor.
They require you to buy a minimum of 800Gb, which for most people is overkill.
And Ubuntu is based on Debian. What’s your point?
https://distrowatch.com/dwres-mobile.php?resource=origin
And you are very wrong.
The whole idea of self-hosted is to build something yourself and learn your way around some new technology or software. Plus building something yourself allows you to change and upgrade it down the path, while Synology doesn’t provide any of the sort.
Obsidian is amazing, though it isn’t FOSS but your notes are saved in Markdown, so even if something happens with the app, they will remain yours.
Another alternative may be Joplin and AnyType, but I think AnyType is also not 100% FOSS.
You are increasing the attack vector immensely, and it is up to you to ensure that it is well protected and up to date. The attack effort won’t be high though and most of the attacks would be pretty basic, still I wouldn’t risk something so personal, like your image library.
I would suggest for you to look into WireGuard or Tailscale for accessing your personal Immich instance.
Obsidian? Saves everything in Markdown. It is offline but you can sync things with Syncthing. Has a great app on mobile too. I run Syncthing on my phone too and sync everything between my devices.
That’s true, but they also seem to be very power hungry and noisy. I built a fanless server which is consuming 11-12 Watts in idle.
To be honest I don’t really know, but I know that what you want can easily be solved with a SOCKS5 proxy. I think WireGuard and other VPNs are added to encrypt the traffic. There are also other alternatives to a SOCKS5 proxy adding encryption.
In WireGuard you have those Allowed IPs, you can allow only those IPs to be reachable from outside and you can configure them per client if I am not wrong. I think the easiest way would be for you to run those services over Docker, that way each server will have an IP from your docker network and you can isolate the traffic. https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator/
My personal suggestion is to spin up a VM, install Debian, Ubuntu, or whatever your poison is, run docker compose or podman compose, spring up a Docker or two and WireGuard and try to achieve what you want. Heck, you can even run WireGuard from a container. Once confident with your setup you can migrate it to Nix.
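
The kind of calculation an AllowedIPs calculator performs for the per-client setup discussed in the comments above, as an added example that is not part of the original posts and is not the linked calculator's code. The function names and the sample subnets are assumptions made for illustration.

```python
import ipaddress


def allowed_ips(allowed, disallowed):
    """Return the shortest CIDR list covering `allowed` minus `disallowed`."""
    nets = [ipaddress.ip_network(a) for a in allowed]
    for item in disallowed:
        block = ipaddress.ip_network(item)
        kept = []
        for net in nets:
            if net.version != block.version or not net.overlaps(block):
                kept.append(net)                         # untouched by this exclusion
            elif block.supernet_of(net):
                continue                                 # excluded entirely
            else:
                kept.extend(net.address_exclude(block))  # carve the block out
        nets = kept
    out = []
    for version in (4, 6):
        # collapse_addresses needs one IP version per call; it merges and sorts.
        same = [n for n in nets if n.version == version]
        out.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return out


def peer_line(allowed, disallowed):
    """Format the result as the AllowedIPs line of a [Peer] section."""
    return "AllowedIPs = " + ", ".join(allowed_ips(allowed, disallowed))


if __name__ == "__main__":
    # Constructed sample: a Docker bridge subnet, minus its gateway address.
    print(peer_line(["172.20.0.0/24"], ["172.20.0.1/32"]))
    # Constructed sample: route everything except one private range.
    print(peer_line(["0.0.0.0/0"], ["10.0.0.0/8"]))
```

In a client's config this list only selects which destinations are routed into the tunnel, so limiting what a peer can actually reach still needs the server's per-peer AllowedIPs and a firewall rule on the server side.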