You ever see those Wired videos where they talk about a concept on five different levels ranging from beginner to expert?

The first level answer is likely that, yes, you’re reasonably secure in your current setup. That’s true, but it’s also really simplified and it skips a lot of important considerations. (For example, “secure against what?”) One of the first big realizations that hit me after I’d been running servers for a little while and trying to chase security is the idea of a threat model. What protects me from a script kiddie trying to break into one of my web servers won’t do much for me against a phishing attack.

The more you do this, though, the more I think you’ll realize that security is more of a process than an actual state you can attain.

I think it sounds like you’re doing a good job moving cautiously and picking up things at each step. If the next step is remote access, you’ve got a pretty good situation for a mesh VPN like Tailscale or Netbird or ZeroTier. They’ll help you deal with the CGNAT and each one gives you a decent growth path where you can start out with a free tier and if you need it in the future, either buy into the product or self host it.

Keep an eye on lowendbox.com’s hosting offers. There’s some junk to wade through, but it sounds like exactly what you’re after.

It sure will handle a remote VPS, it’s just not as automatic to set up as it is with PVE.

I put this off for a long time, but I finally did it this weekend.

Basically, you install the proxmox-backup-client utility and then run it via cron or a systemd timerto do the backup however often you want.

You’re responsible for getting the VPS to communicate with your backup server (like pretty much any self-hosted service), so some sort of VPN between them would be good. I used NetBird for that part and I have a policy that allows access from the client to PBS only on TCP port 8007.

I’ve been quite happy with Proxmox Backup Server. I’ve had it running for years and it’s been pretty solid for all my VMs/containers. There’s also a bare metal client, which I’m adding to a couple cloud VPS machines this weekend. We’ll see how that goes.

Also, since it’s just Debian under the hood, I also use the PBS host as a replication target for my ZFS datasets via sanoid/syncoid.

I just had to do this. Don’t skip the release notes. They’re really good at highlighting potential pitfalls, just scroll back through and look for the heading “Breaking Changes.”

In my case there were a few, but they were only for API calls I’m not using, so I just did the update in one go and it worked out great. (Of course, I made sure to take a backup first.)

Oh! Also, try posting this here: https://practicalzfs.com/. That’s a discourse forum really focused on ZFS. Jim Salter runs it and Alan Jude often contributes advice. There are some folks there who know ZFS inside and out.

Checksum errors can often mean a failing component. It could be the other drive or maybe a sata cable. Is the original pool mounting correctly? If so, you should be able to do a simple rsync to move it to the new pool.

A hybrid is probably a good way forward. I had a career as a photographer for a while and I learned from that: going through 1000 photos takes very little time, but going through 10,000 takes an eternity. If you can star or mark your obviously important photos as you go along, it’ll take very little to print them at the end of the year.

This was a recent point of discussion on the 2.5 Admins podcast (https://2.5admins.com/2-5-admins-228/). Some good discussion on there.

My own thought is the best way to handle your family-member-finding-your-old-photos problem is the analog way: make some prints. It’s absolutely idiot proof, the methodology of keeping paper goods is well understood, and the technology is platform independent.

I do this with HAProxy and keepalived. My dns servers resolve my domains to a single virtual ip that keepalived manages. If one HAProxy node goes down, the other picks right up.

And this is one of the few things I’ve got setup with ansible, so deploying and making changes is pretty easy.

I can’t think of anything that specifically uses ssh, but Syncthing would do this, though for passwords I’m more inclined towards bitwarden.

With this concept in mind, I recently put together a VDI setup for a person who’s in one location for half of the year and another the other half. The idea is he’ll have a thin client at each location and connect to the same session wherever he is.

I’m doing this via a VM on Proxmox and SPICE. Maybe there’s some idea in there you could use.

In that case, I’m sure you’ll enjoy it. I’ve been reading a little bit before I go to bed and learning a lot that I glossed over when I set up my own mail server years ago. He and Alan Jude wrote some ZFS books as well that I keep coming back to and picking up new tricks each time.

I get pretty much anything Michael Lucas writes. The information is always great and his writing style is fun to read.

Important to note: it’s not a step-by-step guide to copy and paste and have a mail server running. It’s all about understand all the stuff that goes into it.

Hey, sorry for the late response—I missed the reply coming in.

I like docker volumes for multiple nodes because there’s no guarantee that multiple systems will have the same directory structure to bindmount, but moving volumes between nodes is relatively straightforward config-wise, which is a reason you’d use them in k8s.

As for latency in streaming: I think of latency sensitive operations as mostly things that need two-way communication. So, for example, if you wanted to play a game over a network, you’d need the controls to respond to your input immediately. Or if you’re making a voip call, you’d want the two sides of the conversation to be in sync. On the other hand, a video stream doesn’t typically download in real-time. The file fills a buffer on your computer ahead of you watching it. So the downloading isn’t happening synchronously with you watching it unless there’s a serious network bottleneck.

Take this with a grain of salt, the more I re-read, the more I realize I’m making assumptions about your setup that may or may not be true. First, I’m making an assumption that you’re doing ACLs for samba shares (and I know that system better on FreeBSD than Linux). I’m also assuming based on your description you want everyone to have access, but not write access.

I think you could do an officewide group with read-only permissions on all of the shares and then set the unix group to the department.

So, for your HR team you’d do chgrp -R hr /path/to/parent/shares/hr and setfacl -m d:g:rwx /path/to/parent/shares/hr and add the officewide group’s read-only perms: setfacl -m d:g:officewide:rx /path/to/parent/shares/hr. Rinse and repeat for each share.

Not sure if this is what you’re after, but maybe it’ll help lead in a good direction.

I can’t think of a way off hand to match your scenario, but Ive heard ideas suggested that come close. This is exactly the type of question you should ask at practicalzfs.com.

If you don’t know it, that’s Jim Salter’s forum (author of sanoid and syncoid) and there are some sharp ZFS experts hanging out there.

I’ve only ever tinkered with openmediavault, so I’m by no means an expert, but there is a ZFS plugin available. Here’s a forum post that may help: https://forum.openmediavault.org/index.php?thread/7633-howto-instal-zfs-plugin-use-zfs-on-omv/

That fruit argument is so that samba plays nicely with Apple’s SMB client implementation.

I don’t think there’s a right answer for most of these, but here are my thoughts.

Data: I almost always prefer bind mounts. I find them easier to manage for data that I’ll need to deal with (e.g. with backups). Docker volumes make a lot of sense to me when you start dealing with multiple nodes and central management, where you want to move containers between nodes (like a swarm).

Cache: streaming video isn’t super latency sensitive, so I can’t think of a need for this type of caching. With multiple users hitting the web interface all the time it might help, but I think I’d do that caching in my reverse proxy instead.

User: I don’t use the *arr stack, but I’d imagine that suite of applications and Jellyfin all need to handle the same files, so I’d be inclined to use the same user (or at least group) on all of them.

DLNA: this is a feature I don’t make much use of, but it allows for Jellyfin to serve media to devices that don’t run a Jellyfin client. It’s an open standard for media sharing among local devices. I don’t think I would jump through any hoops for it unless you have a use, but the default setup won’t get in your way.

Hope that helps a little.