Since you are talking mismatched disks, I have gone to unraid after running a ceph cluster. I found it easy to keep adding and upgrading disks in unraid where it made more sense than maintaining or adding nodes. While I like the concept of being able to add nodes for very large storage arrays. My current unraid server is 180tb.
It is super simple to add/upgrade the storage one disk at a time.
Regrettably, there is currently no substitute product offered.
I really don’t think you regret a God damn thing broadcom.
As you’ve found, proxmox isnt an application that runs on windows or Linux. It’s an OS that you can install. And yes, you can configure bit to auto start the VMs when the machine boots.
It’s designed to run headless, so you’ll do all your configurations from a web browser. If you want to go crazy, I’m sure that raspberry pi can be configured as KVM for it (though piKVM is a bit of extra hardware.)
If you have something like tailscale or wireguard to a machine in the house, you can easily reach the web gui from any other machine on the VPN network and reboot the VMs that way.
You can even build monitoring that reboots the pihole VM of it stops responding to DNS queries.
Why are you wanting to move the VM to a bare metal install?
In my experience, I would think the more efficient method is to install a hypervisor like proxmox and move the VM and there. And then run another VM for pihole, and maybe even a third for tailscale. It lets you have the ability to expand as you need and to better manage backups and services easier.
Otherwise, if you are determined to go from VM to bare metal, you want to find a backup solution that can backup the whole machine and restore it with a recovery disk. I think veeam and Acronis would work. There are tons out there.
Consider power line adapters instead of wifi.
Fair enough, just throwing that out there as an option to move DNS somewhere that does have API access for certbot to use.
Is there a particular reason you are keeping your DNS there?
I thought acme or certbot could handle the DNS entries with an API call to your DNS provider.
It may require another plugin though. Googling some variation of certbot acme automate DNS challenge will give you a dozen tutorials.
This is how I feel.
I would much rather have a single machine running vms which I can easily snapshot and back up rather than a dozen small machines I have to deal with power supplies and networking.
SBCs have specific use cases, usually where they need to interact with hardware. That’s what made the rpi so great with it’s GPIO and hats. But that’s a rather small use case.
I’ve pared mine down a lot. The biggest hurdle for me has been storage.
It used to be 5 2u servers running a ceph cluster, but that got to be expensive and unruly.
Now it’s mainly a small half depth supermicro for my firewall, a half depth supermicro for home assistant, a 2u Dell for unraid, and a small NAS.
Unraid houses Plex and the *arrs. Along with a handful of other useful services like immich.
I do colo a 1u HP though that houses my pbx, web server, unifi controller, jirai server, nextcloud, email, and a bunch of other servers that I run.
Now, I’ve got a lot of spare hardware though. 7 Dell 1u servers, 2 Dell 2u, a supermicro 3u, an HP 2u and a bunch of things clients that I might turn into replacements for my rokus.
This comes into the design and requirements for your services.
If they need to be public ally available to more than just you, you’ll want a reverse proxy and appropriate firewall rules. You’ll also need to make sure things stay updated and security hardening is done on the servers and the proxy.
If you just need yourself to access things and they don’t need full access from public internet, you want a VPN. Tailscale is pretty easy. Wireguard is a bit of work to set up, but can make for a good always on VPN for your devices to connect back into your home network to access what you want.
There are certain things like SSH that you really don’t want publically accessible over the internet. Even with fail2ban and all the security hardening, it’s just a headache and pointless traffic you’ll deal with as people try to get in anyway.
Honestly, I am just so curious about your threat model that you are considering this for self hosting.
My more recent experience has been this comes from using residential ISP IPs or cloud provider IPs. These are almost always just permanently in a grey list because AWS, Google Cloud, Azure, and digital ocean instances are so quick, cheap, and easy to setup and cycle through IPs on.
My colo provided IP block hasn’t had any issues sending emails.
Full disk encryption. It wnt do anything if the server is powered on and they plug in a flash drive, but if it were to have the physical disks taken out or the server is powered down and moved.
Disable removable media. Might be able to do it in the bios, but I’d not, you should be able to in the OS.
Easiest one though is to lock the door to the room. Or to the rack if you have it in a rack.
Not the docker container IP. The IP of the machine you are running docker itself on. Nginx is running in a container, it’s not allowed to talk to the other docker container IP directly and it has a separate network stack from the listmonk container, so 127.0.0.1 only goes back to nginx.
Say your machine that you are running docker on is 192.168.0.67, the listmonk docker container is 172.16.0.89, and nginx container has an IP of 172.16.0.34.
Your nginx config would need the proxy to point to 192.168.0.67:5870.
Then make sure you don’t have ufw or some similar firewall blocking the connection from nginx to listmonk.
I wrote this a while back. Maybe it can help https://www.reddit.com/r/homelab/comments/arx2qe/tutorial_reverse_proxy_with_nginx/
502 usually means it’s having a hard time hitting the service on the back end. Are you able to access listmonk directly without the reverse proxy? What is the URL I. The browser when you do that?
Is listmonk on the same server as nginx? Is nginx running in a container? If nginx is running in a container, 127.0.0.1 would try to load from inside the nginx container which isn’t where listmonk is. Use the LAN IP address of the docker host listmonk is on instead of 127.0.0.1.
Enter-pssession gives you powershell on a remote windows machine. Might take some setup to configure the local firewall and enable access. But once you have powershell you have plenty of options.
Not to knock on the security, but what is the threat model you are protecting against?
I see people harp on about security and you can do X or you need to do Y as if they hold a million bucks in Bitcoin to protect.
We make concessions every day with security for convenience. Most people’s threat model doesn’t include wire guard might respond to connection attempts without the proper key AND this will somehow allow an attacker to leverage a vulnerability in wire guard to gain access. However, I admit that some people’s paranoia makes them want to add every bit of security they possibly can even if it’s the most frustrating day to day usage.
Self hosting individuals aren’t a lucrative target for ransomware. Nor is it for most targeted hacking attempts.
Because no one needs access externally. Overseerr is public facing and passes the requests to the arrs.
It’s not about secure access, it’s that no one outside my house, me included, really needs access to them at all.
It has parity disks, which always need to be the largest disks in your array. You can run with either a single one double parity disk.
It seems to work well, as that’s how I’ve had to replace a dozen disks in the last year upgrading from 8tb disks to 18 or 22tb disks.