Homelab Setup Guide - Proxmox / TrueNAS / Docker Services

Thanks! Glad you found it informative

Same here thanks alot for this great guide, it’s the best starting point for any beginner.
I hope there well be part 2 related to security

Man, the amount of times I have searched this exact title... Thank you so much for the content!

Thank you very much 😃

B

Thanks for the compliment Luke!

What can I say, I make videos about things I enjoy. Trying to inspire others. Thanks!

​@@matthiasbenaets Hi! I also found this via your NixOS video. Have you performed any experiments on running a NAS using NixOS?

@@gymdis Hi Chris. To be honest, no. If you are planning on purely using NixOS as a NAS, I guess it a viable options. Especially since it supports ZFS, and it will be easy to manage datasets, user and shares. But I haven't look into it too much, so I'm not sure if you can fully configure and declare everything as easily as with something like the TrueNAS WebUI. In my situation/opinion, it's definitely not an alternative for the proxmox and truenas combo. Also for running services, I would only trust software packaged by the maintainer itself, or if there is a flake available. (i've learned this the hard way about a year ago with some critical services that ran on NixOS stable that were unusable for a week without a fix and with a custom janky overlay). Since setting up a storage solution isn't an activity that I do daily, weekly or even yearly, I don't see an advantage in investing time into creating such a config. Especially since pools are easy to migrate and making a backup of the truenas install or the general settings takes no time.

@@matthiasbenaets Thank you for your thoughtful answer Matthias! Being fairly new to NixOS, the concept it presents is quite enticing. Being able to shrink down the system setup to a small collection of text files to save storage space for backups isn't really a concern though when running a NAS machine with many terabytes of space. Ease of use may be more important. "Taming" some software to work well on Nix isn't straight forward. But having a declarative configuration allows one to leave inline comments concerning why something was configured a certain way, which is maybe even more useful for storage solutions one doesn't touch very often. Really needs to have flakes enabled and be under version control though to maintain uptime as you unfortunately experienced.

@@gymdis I concur!

Thanks for the kind words!
If security is a high priority, a VPN is indeed a safe bet. Personally I also only make a few things available over the internet. Something like basic auth or a service like Authalia with 2FA can make it pretty robust as well imo.

thanks and yes, pass through the sata controller or an hba and smart test work just fine.

@@matthiasbenaets Thank you for confirming.

In the webui copy paste (to my knowledge) only work with the proxmox and lxc shells, not normal vm's. Just use the normal ctrl+shift+v (or just middle mouse on linux). For general vm's I recommend just using ssh.

Yeah, you can't really remap these ports cause they are used for the http(s) protocol. I'd just use separate machines/vm for these two services.

Hi Marco, I assume you mean docker containers (not lxc). So for my current setup i have it like this: proxmox installed on nvme 128gb with truenas in local-lvm. All my lxc containers are stored on a second nvme 128gb. This already separated them from the boot drive. The lxc containers (and thus the docker containers) have a frequent backup to my truenas zfs pool for added redundancy as you mentioned. Now for docker containers that need to always have the latest data backed up, I just set up a cron job to rsync to a very small striped pool on a slow spinning disk. I guess to make it fully redundant I might also need to set something like this up for the cloud, but haven't had any time to figure that out.

Thanks, glad to hear! I have to be honest. I haven't messed with wireguard for a while. It's something you set up and forget about (even when you use it daily). So it has been a while since i messed with the container. If i can recall correctly, the easiest way was to edit the compose file (adding a peer) and just rebuilding the container. With the docker container, I created a persistent volume where all the configs were stored and easily accessible. to connect to a PC, i pretty much just copy the .conf file (not messing with the keys). In the official gui application you can just use that. If you are using the cli tool, just follow the official guide and use the keys. if you are using a 3rd party tool, I can't really help, but you will probably just have to fill out the content of the keys as well. Note that with VPNs there are many variables that can mess with a valid connection, ip, dns, firewall, ip forwarding, etc. etc..., so you need some knowledge to get it actually running. Not something i can really all explain in a YT comment, but best of luck.

@@matthiasbenaets oh man thanks for the quick reply, just as an update: I managed to understand how to copy the conf file from the remote, I didn't get at first that the scp command was to be run on the proxmox instance, then to copy stuff you need to log in either with an SSH key or the root user (which is disabled by default), then using the conf file on wireguard was actually easier than I thought. Now, I can't seem to create an nginx container because port 443 is already allocated (I guess I can't have both PiHole and nginx running on the same VM?)

@@virtualnk5825 great, an yes you are correct pinhole already uses 80 and 443 since you are routing all your traffic through it.

@@matthiasbenaets one last question if I may, would you or anyone know why our Pihole's memory usage is so high? I have added more ram to the debian container and in Proxmox it shows that it's not taking more than 25% memory, PiHole shows 83.2% and in the video it's also at something like 76%. My guess is that PiHole sees the mem usage accross the whole server? (at this point I only have wireguard installed on this container, so TrueNAS is the only thing that could affect it)

@@virtualnk5825 I think it's just a side effect of being containerized. I never had any issues with memory. memory is memory, if it needs more, it will be allocated, yet it will also take as much as possible for caching but will be freed up if needed.

When creating a privileges container it indeed checks nesting but it's greyed out. So it probably is no longer enabled. Open the VM's options, and under features enable it again. If you want to use Shares aswell, maybe also enable smb/cifs. If you still receive errors, it might be due to a lxc from a distro that need extra steps. For me debian pretty much always works.

@@matthiasbenaets thnx for the quick response and help that did it. Enjoyed following your video!

The b550 chipset isn't really ideal for this, but it should work (but the grouping might be a bit strange). I recommend that you go over the official wiki page for pci passthrough, it might be insightful. If I'd had to guess, it's probably just a setting in the bios that is either not enabled or not specifically set to enabled (not auto). Just check that SVM is enabled. On some board you migh also need to enable iommu via de nbio options under AMD CBS.

Thanks @@matthiasbenaets ! It was hidden under the AMD CBS options. I was aware that b550 isnt ideal but I had most components laying around from previous upgrades and in need of a home server.

it depends when your behind a proxy manager or not and if it's your dns or not. normally it in subdirectory /admin so: /admin . if it goes to a blank website afterwards just load the ip address.

@@matthiasbenaets I was finally able to access it using the same IP as Portainer with /admin on it. Thank you for your help. My next question is since I have specific hardware running Pfsense which hands out DHCP and DNS. So for example my SOHO looks like Internet>Pfsesne>switch>my devices, server(Proxmox). In this cases how would you set up pi-hole? Again thank you for all your help.

@@lakshya238 Personally I would set up pihole on the pfsense box (if possible, not sure, I only know opnsense which has a plugin). If it's on another machine, give that machine a static ip in pfsense or work with ddns, and point the dns server address to the pihole machine.

@@matthiasbenaets I see and agree; however, the problem I am facing is Docker is assigning its own IP (172.x.x.x) with its own DHCP which is a pain because I really do not how to assign IP to these containers and get them working. Please advise if you know what should I do.

Probably due to pi-hole not being able to bind to port 53. Check the vm if port 53 is already being used with $ sudo lsof -i :53 . I believe some linux distros come with their own resolver, which is not ideal. You can disable the service, but depending on the disto, this can cause issues. Especially with Ubuntu I believe you will have to add a couple more lines to the docker-compose file, but for that I'll refer you to the docker-pi-hole github page.

Well having a cluster set is indeed ideal. For home use with less infrastructure it depends. There are many options available. You can always just set up a Proxmox backup server and import the complete node after reinstall after adding it as a storage option. You can use TrueNas in this case, but if are good with the command line, you can also just set up a ZFS pool within proxmox with a couple extra drives. After a reinstall you can simply just search for the pool, import it, and restore all vm's.

Running a Proxmox cluster with high availability is one option, this makes sure that nothing is lost when one node goes down. This also means you don't really need to back anything up. Another option is to set up a Proxmox backup server, this way you can back up a complete node all at once. I believe it also has a few more options than just backup up individual vms to a separate storage location. I guess installing Proxmox on a mirrored ZFS is also an option.

Thanks! Nothing special due to budget constraints, ryzen 9 5900x (12c/24t), 64GB ECC RAM, 250GB boot nvme, 2x1.6TB SATA SSD (mirrored for vm's) and 3x8TB HDD (raidz for proxmox backups and general storage), RX580 for passthrough for adobe cc. A few more cores, ram would be great. Also maybe a SAS HBA and 10G NIC would be useful in the future. But you can already do a lot with way less then this.

@@matthiasbenaets Sweet I have 32gb of RAM and Ryzen 7 so I’m been debating about upgrading

QEMU/KVM

try allocating less cores to the vm. 20cx40tx1cpu=800 vCPUs.

If anyone is having this issue, change the ports on pihole to 8080:80 and 4443:443

If you are having an issue w/ NPM reaching your proxmox installation and throwing 401, it's because of the certs. Navigate to /etc/pve/local in your PVE installation and grab the .pem and .key files. A simple cat and copy/paste to your desktop is fine. Then navigate to SSL Certs in NPM and add custom certs using the files you just grabbed. Then navigate back to proxy hosts and assign the SSL cert you just created to your proxmox proxy host! Should work now!

This is impossible to say. I cannot help you with this, sorry. It mostly depends on your personal devices, setups and config. More likely than not, this is just dns or ip leaking, either with your pc or with your router (and only if your setup is actually correct). To start debugging this, you should first disable ipv6 on your pc and directly use the dns of pihole. if you have a pihole dns record for port.lan pointing to npm, and a proxy host to the correct ip:port on npm, it should work. if it does, you should evaluate the network traffic using something like traceroute. If it does not work, check your record and check if the ip's are actually correct.

@@matthiasbenaets hey I resolved the issue by installing pihole on an LXC container (without docker) and it's now working super smooth, only thing I'm having a hard time with is getting the reverse proxy with nginx and pihole's address with the /admin at the end. Thank you again for the help and Merry Christmas!

hehe good catch, luckily I only used it for like 2 or 3 locally hosted services that require only a password. Everything public or requiring a full login I use vaultwarden. I do appreciate the heads up though!

browser addon: Dark Reader

The initial install in vm is purely because I don't have a system available nor am able to capture the video output while doing it. For a video, this is more user friendly to follow. I never recommend visualizing proxmox unless it's in proxmox itself for testing reasons. Proxmox is type 1 hypervisor ie bare mental hyprvisor.

Hi, Thanks for the feedback. I tried to fit as much info as possible in as little time as possible. My aim in these guides is not a hand-holding experience rather a teaching one. uid's and such are just one google search away and this is not a Linux tutorial. All the services presented here are some you and others might find useful in their homelab, that does not mean all of them will have a full blown tutorial but rather some tip and trick, especially since not everyone will use them. Care to elaborate on the portainer and nextcloud issue? I can't recall that you need an extra account for portainer, unless you want to use the EE version (which again, is not really too relevant for starting out). If you're only issue with nextcloud was mounting of the smb in the lxc, you could have also used the Dockerfile instead (from the github repo), this will install nextcloud with the needed samba packages. Alternatively you can also just install them manually in the docker container. The smb option should then become available. My method maybe wasn't too clear since the uid might not be the same depending on the vm/lxc used, but this way it does not require people to learn how to use custom dockerfiles or run the same commands every time you pull the latest image. If you don't understand the usage, here's a quick explanation as to why it's uid 33. The persistent data generated by the nextcloud container is made by user "www-data" (atleast in my case). To prevent any future permission issues, I mount the smb shares as this user. To find this uid and gid I can simply run $ id -u www-data, or with flag -g for group.

hi, thanks for the kind words. I did not go into this futher because imo it's only relevant for people who want to access it over the internet. This is only 1 out of 3 possible scenarios, the other being using a local ip or setting up the container with the pihole network and using a local dns. In most situations both of these don't need the extra security. You did remind me to re-enable this for my personal setup so thanks! Of course this is highly recommended when making it available to the internet. For anyone else intrested and reading this, I'll add a short explanation in the description under notes.