First, I would like to thank this community for being an understanding, open-minded and Novice friendly like myself. I have learned a lot in the past few weeks thanks to this community, unlike Reddit’s toxic communities where asking a question is illegal.

I have built most of my NAS; the only missing component (CPU) I will be collecting in the morning. I just wanted to ask general questions or tips. Dos and Donts. I will be using Unraid as OS.

  • Fahad@lemmy.worldOP
    link
    fedilink
    English
    arrow-up
    13
    arrow-down
    2
    ·
    10 months ago

    I apologise for not being clear.

    These are the specs of my NAS build:

    • Node 804 case

    • 16GB DDR4 RAM

    • Seagate IronWolf Pro 2x 4TB

    • 1TB nvme Samsung 970 evo plus

    • Gigabyte H610M S2H V2 Intel H610 LGA1200 DDR4 Micro-ATX Motherboardd

    • DeepCool GAMMAXX GT CPU Cooler A-RGB 120mm PWM Addressable RGB LED Fan Intel AMD

    • 500W EVGA Power Supply Unit / PSU VAT INC

    • Intel core i5-12400t QS 6c/12t Support ASUS ROG Strix B660-I Gaming WiFi LGA1700.

    • I want to store all data onto the NAS, past projects, pics, etc.

    • Set up automatic backups for Windows, Mac

    • Set up media server (Jellyfin) with Arr apps using a VPN (I’m not sure how to set up a VPN with torrent client)

    • Set up headscale to access my NAS from anywhere (also, I can’t find any tutorials).

    • For 3-2-1 backups, I have decided to get an external HDD and use cloud storage.

    • Self-host services such as Nextcloud, Immich and Bitwarden.

    • VMs - Future

    • Web hosting - Future

    • Home assistant - Future

    To be clear, I want to do all that; however, I have never done it before, so that any tutorials would be appreciated.

    By “Dos and Don’ts,” I’m referring to the settings that should be adjusted for optimal performance, security, and privacy.

    Also, any other recommendations would be appreciated.

    • kif@lemmy.nz
      link
      fedilink
      English
      arrow-up
      4
      ·
      10 months ago

      Sounds like you’ve done a bunch of research! Since you’re using unRAID, setting up your services shouldn’t be too difficult.

      For your torrents and VPN, there’s a few in the unRAID community store - I’d recommend qBittorrentVPN from Binhex - here’s the documentation for setting up their VPN-enabled containers.

      For Headscale, I don’t have any direct experience but unRAID has a decent Wireguard plugin, and should get you up and running in a pinch.

      And for your self-hosted services (especially Bitwarden) ensure you’re not exposing this on the net, by VPN is the only option I’d recommend. Even so, I prefer to use Bitwarden’s hosting with a family plan, for peace of mind and resiliency. It’s also much easier for my family.

      UnRAID is a great place to start - it allows you to scale cheaply as you need and is easier to fix mistakes. Good luck, and happy homelabbing!

    • HumanPerson@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      3
      ·
      10 months ago

      Please let me know what you find for jellyfin with arrs and VPN. I have found that the VPN always interferes with jellyfin and other stuff and haven’t been able to figure out gluetun.

      • Lem453@lemmy.ca
        link
        fedilink
        English
        arrow-up
        5
        ·
        edit-2
        10 months ago
        
        version: "3.4"
        
        volumes:
          sonarr-config:
            name: sonarr-config
            driver_opts:
              type: nfs
              o: addr=192.168.37.25,nolock,soft,rw
              device: :/zfspool1/dockerData/arr-stack/sonarr
          radarr-config:
            name: radarr-config
            driver_opts:
              type: nfs
              o: addr=192.168.37.25,nolock,soft,rw
              device: :/zfspool1/dockerData/arr-stack/radarr
          prowlarr-config:
            name: prowlarr-config
            driver_opts:
              type: nfs
              o: addr=192.168.37.25,nolock,soft,rw
              device: :/zfspool1/dockerData/arr-stack/prowlarr
          sabnzbd-config:
            name: sabnzbd-config
            driver_opts:
              type: nfs
              o: addr=192.168.37.25,nolock,soft,rw
              device: :/zfspool1/dockerData/arr-stack/sabnzbd
          qbittorrent-config:
            name: qbittorrent-config
            driver_opts:
              type: nfs
              o: addr=192.168.37.25,nolock,soft,rw
              device: :/zfspool1/dockerData/arr-stack/qbittorrent
          media-tv:
            name: media-tv
            driver_opts:
              type: nfs
              o: addr=192.168.37.31,nolock,soft,rw
              device: :/mnt/user/media/TV Shows
          media-movies:
            name: media-movies
            driver_opts:
              type: nfs
              o: addr=192.168.37.31,nolock,soft,rw
              device: :/mnt/user/media/Movies
          media-downloads:
            name: media-downloads
            driver_opts:
              type: nfs
              o: addr=192.168.37.31,nolock,soft,rw
              device: :/mnt/user/downloads
        
        networks:
          traefik_proxy:
            name: traefik_proxy
            external: true
        
        
        services:
          arr-stack-gluetun:
            container_name: arr-stack-gluetun
            hostname: arr-stack-gluetun
            image: qmcgaw/gluetun
            deploy:
              resources:
                limits:
                  cpus: '4'
                  memory: 4G
                reservations:
                  cpus: '2'
                  memory: 1G
            cap_add:
              - NET_ADMIN
            restart: unless-stopped
            env_file:
               - ../stack.env #get mullvad key from here "WIREGUARD_PRIVATE_KEY", "WIREGUARD_ADDRESSES", "SERVER_CITIES"
            networks:
              # only this container needs access to the proxy network. It also doesn't need any ports exposed to access
              # the other services like qbit, etc. Traefik points to this container and because the other services use
              # the service network type they can be accessed through here. 
              traefik_proxy:
                ipv4_address: 172.18.0.6
            environment:
         
              - VPN_SERVICE_PROVIDER=private internet access
              - OPENVPN_USER=xxxxxxxxz
              - SERVER_HOSTNAMES=lu.privacy.network
              - TZ=America/Chicago
            labels:
              - "traefik.enable=true"
              - "traefik.docker.network=traefik_proxy"
        
              # qbittorrent traefik labels
              - "traefik.http.routers.arr-stack-qbittorrent.entrypoints=websecure"
              - "traefik.http.routers.arr-stack-qbittorrent.rule=Host(`torrent.local.domain.com`)"
              - "traefik.http.routers.arr-stack-qbittorrent.tls=true"
              - "traefik.http.routers.arr-stack-qbittorrent.service=arr-stack-qbittorrent"
              - "traefik.http.services.arr-stack-qbittorrent.loadbalancer.server.port=8085"
              - "traefik.http.routers.arr-stack-qbittorrent.middlewares=authentik"
        
              # prowlarr traefik labels
              - "traefik.http.routers.arr-stack-prowlarr.entrypoints=websecure"
              - "traefik.http.routers.arr-stack-prowlarr.rule=Host(`prowlarr.local.domain.com`)"
              - "traefik.http.routers.arr-stack-prowlarr.tls=true"
              - "traefik.http.routers.arr-stack-prowlarr.service=arr-stack-prowlarr"
              - "traefik.http.services.arr-stack-prowlarr.loadbalancer.server.port=9696"
              - "traefik.http.routers.arr-stack-prowlarr.middlewares=authentik"
        
              # sabnzbd traefik labels
              - "traefik.http.routers.arr-stack-sabnzbd.entrypoints=websecure"
              - "traefik.http.routers.arr-stack-sabnzbd.rule=Host(`sabnzbd.local.domain.com`)"
              - "traefik.http.routers.arr-stack-sabnzbd.tls=true"
              - "traefik.http.routers.arr-stack-sabnzbd.service=arr-stack-sabnzbd"
              - "traefik.http.services.arr-stack-sabnzbd.loadbalancer.server.port=8080"
              - "traefik.http.routers.arr-stack-sabnzbd.middlewares=authentik"
        
              # sonarr traefik labels
              - "traefik.http.routers.arr-stack-sonarr.entrypoints=websecure"
              - "traefik.http.routers.arr-stack-sonarr.rule=Host(`sonarr.local.domain.com`)"
              - "traefik.http.routers.arr-stack-sonarr.tls=true"
              - "traefik.http.routers.arr-stack-sonarr.service=arr-stack-sonarr"
              - "traefik.http.services.arr-stack-sonarr.loadbalancer.server.port=8989"
              - "traefik.http.routers.arr-stack-sonarr.middlewares=authentik"
        
              # radarr traefik labels
              - "traefik.http.routers.arr-stack-radarr.entrypoints=websecure"
              - "traefik.http.routers.arr-stack-radarr.rule=Host(`radarr.local.domain.com`)"
              - "traefik.http.routers.arr-stack-radarr.tls=true"
              - "traefik.http.routers.arr-stack-radarr.service=arr-stack-radarr"
              - "traefik.http.services.arr-stack-radarr.loadbalancer.server.port=7878"
              - "traefik.http.routers.arr-stack-radarr.middlewares=authentik"
            
          # _____________________________Downloaders__________________________
          arr-stack-qbittorrent:
            image: ghcr.io/linuxserver/qbittorrent:4.6.0
            container_name: arr-stack-qbittorrent
            network_mode: service:arr-stack-gluetun
            volumes:
              - qbittorrent-config:/config
              - media-downloads:/downloads:z
            deploy:
              resources:
                limits:
                  cpus: '4'
                  memory: 4G
                reservations:
                  cpus: '2'
                  memory: 1G
            depends_on:
              - arr-stack-gluetun
            environment:
              - WEBUI_PORT=8085
              - TZ=America/Chicago
              
              #file permissions need to be the same for all apps
              - PUID=1000
              - PGID=1000
              - UMASK_SET=022
            restart: unless-stopped
            labels:
            # Note 1: Default user is admin, pass is adminadmin
            # Note 2: Tools-> options-> web UI -> bypass localhost and whitelist:
            #    172.18.0.0/24, torrent.local.domain.com, arr-stack-gluetun
        
          arr-stack-sabnzbd:
            image: ghcr.io/linuxserver/sabnzbd:4.1.0
            container_name: arr-stack-sabnzbd
            network_mode: service:arr-stack-gluetun
            deploy:
              resources:
                limits:
                  cpus: '4'
                  memory: 4G
                reservations:
                  cpus: '2'
                  memory: 1G
            volumes:
              - sabnzbd-config:/config
              - media-downloads:/downloads:z
            depends_on:
              - arr-stack-gluetun
            environment:
              - TZ=America/Chicago
              #file permissions need to be the same for all apps
              - PUID=1000
              - PGID=1000
              #- UMASK_SET=022
            restart: unless-stopped
            
          # ______________________________Arrs__________________________________
          arr-stack-prowlarr:
            image: ghcr.io/linuxserver/prowlarr:1.9.4
            container_name: arr-stack-prowlarr
            deploy:
              resources:
                limits:
                  cpus: '4'
                  memory: 4G
                reservations:
                  cpus: '2'
                  memory: 1G
            environment:
              - PUID=1000
              - PGID=1000
              - UMASK=022
              - TZ=America/Chicago 
            volumes:
              - prowlarr-config:/config
            restart: unless-stopped
            network_mode: service:arr-stack-gluetun
            depends_on:
              - arr-stack-gluetun
             # - arr-stack-qbittorrent
             # - arr-stack-sabnzbd
         
            
          arr-stack-sonarr:
            image: ghcr.io/linuxserver/sonarr:3.0.10
            container_name: arr-stack-sonarr
            deploy:
              resources:
                limits:
                  cpus: '4'
                  memory: 4G
                reservations:
                  cpus: '2'
                  memory: 1G
            volumes:
              - sonarr-config:/config
              - media-tv:/media/TV Shows
              - media-downloads:/downloads:z # this is only needed if qbit-torrent is used. It must be added to remote path in the app(complete foler)
            environment:
              - PUID=1000
              - PGID=1000
              - UMASK=022
              - TZ=America/Chicago 
            restart: unless-stopped
            network_mode: service:arr-stack-gluetun
            depends_on:
              - arr-stack-gluetun
        
          arr-stack-radarr:
            image: ghcr.io/linuxserver/radarr:5.0.3
            container_name: arr-stack-radarr
            deploy:
              resources:
                limits:
                  cpus: '4'
                  memory: 4G
                reservations:
                  cpus: '2'
                  memory: 1G
            volumes:
              - radarr-config:/config
              - media-movies:/media/Movies
              - media-downloads:/downloads:z # this is only needed if qbit-torrent is used. It must be added to remote path in the app(complete foler)
            environment:
              - PUID=1000
              - PGID=1000
              - UMASK=022
              - TZ=America/Chicago 
            restart: unless-stopped
            network_mode: service:arr-stack-gluetun
            depends_on:
              - arr-stack-gluetun
        
        
        

        Stuff like this is why I moved my docker from unraid to a VM where I can use docker compose. Docker compose is really the only way to get a clean setup with complex stuff like this. That being said I recommend beginners use unraid. You don’t need a full vpn for torrents, a socks5 proxy will be fine and doesn’t require and special docker settings.

        My setup uses traefik reverse proxy. Internal HTTPS (let’s encrypte wild card) and external HTTPS depending on what I want.

        It uses authentik for single sign on and in this case provides LDAP for jellyfin and also provides web authentication for arr services.

        The glutun container can be configured with any VPN and all services can only access the internet via the VPN.

        My NAS is unraid, my docker host is a VM on proxmox. Media files are stored on HDDs on unraid and everything else is on on the docker SSD. Volumes are connected to where they need to be via NFS shares.

        There are limits for cpu and ram so one container can’t bring everything down.

        The containers themselves all communicate via their own docker network and only the reverse proxy (traefik) allows access to the UI.