First, I would like to thank this community for being understanding, open-minded and friendly to novices like myself. I have learned a lot in the past few weeks thanks to this community, unlike Reddit's toxic communities where asking a question is illegal.
I have built most of my NAS; the only missing component (CPU) I will be collecting in the morning. I just wanted to ask general questions or tips. Dos and don'ts. I will be using Unraid as OS.
I agree Reddit is toxic. I’d argue reddit actually stopped being Reddit around 2016. But it’s posts like this that clog it all up and are partially why it is the way it is today.
I gotta agree with this. The toxicity in any reddit thread increases dramatically when the poster pre-emptively complains about all the toxicity they expect to receive. Whereas when you just ask straight without going into a whole speech about comment quality, you get much better replies. Particularly because it's hijacking your own thread; changing it from whatever question you wanted to ask into an analysis of the comments.
For Headscale, I don't have any direct experience but unRAID has a decent Wireguard plugin, and should get you up and running in a pinch.
And for your self-hosted services (especially Bitwarden) ensure you're not exposing this on the net; access via VPN is the only option I'd recommend. Even so, I prefer to use Bitwarden's hosting with a family plan, for peace of mind and resiliency. It's also much easier for my family.
UnRAID is a great place to start - it allows you to scale cheaply as you need and is easier to fix mistakes. Good luck, and happy homelabbing!
Please let me know what you find for jellyfin with arrs and VPN. I have found that the VPN always interferes with jellyfin and other stuff and haven't been able to figure out gluetun.
```yaml
version: "3.4"

volumes:
  sonarr-config:
    name: sonarr-config
    driver_opts:
      type: nfs
      o: addr=192.168.37.25,nolock,soft,rw
      device: :/zfspool1/dockerData/arr-stack/sonarr
  radarr-config:
    name: radarr-config
    driver_opts:
      type: nfs
      o: addr=192.168.37.25,nolock,soft,rw
      device: :/zfspool1/dockerData/arr-stack/radarr
  prowlarr-config:
    name: prowlarr-config
    driver_opts:
      type: nfs
      o: addr=192.168.37.25,nolock,soft,rw
      device: :/zfspool1/dockerData/arr-stack/prowlarr
  sabnzbd-config:
    name: sabnzbd-config
    driver_opts:
      type: nfs
      o: addr=192.168.37.25,nolock,soft,rw
      device: :/zfspool1/dockerData/arr-stack/sabnzbd
  qbittorrent-config:
    name: qbittorrent-config
    driver_opts:
      type: nfs
      o: addr=192.168.37.25,nolock,soft,rw
      device: :/zfspool1/dockerData/arr-stack/qbittorrent
  media-tv:
    name: media-tv
    driver_opts:
      type: nfs
      o: addr=192.168.37.31,nolock,soft,rw
      device: ":/mnt/user/media/TV Shows"
  media-movies:
    name: media-movies
    driver_opts:
      type: nfs
      o: addr=192.168.37.31,nolock,soft,rw
      device: :/mnt/user/media/Movies
  media-downloads:
    name: media-downloads
    driver_opts:
      type: nfs
      o: addr=192.168.37.31,nolock,soft,rw
      device: :/mnt/user/downloads

networks:
  traefik_proxy:
    name: traefik_proxy
    external: true

services:
  arr-stack-gluetun:
    container_name: arr-stack-gluetun
    hostname: arr-stack-gluetun
    image: qmcgaw/gluetun
    deploy:
      resources:
        limits:
          cpus: '4'
          memory: 4G
        reservations:
          cpus: '2'
          memory: 1G
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
    env_file:
      - ../stack.env # get the mullvad key from here: "WIREGUARD_PRIVATE_KEY", "WIREGUARD_ADDRESSES", "SERVER_CITIES"
    networks:
      # only this container needs access to the proxy network. It also doesn't need any ports exposed to access
      # the other services like qbit, etc. Traefik points to this container and because the other services use
      # the service network type they can be accessed through here.
      traefik_proxy:
        ipv4_address: 172.18.0.6
    environment:
      - VPN_SERVICE_PROVIDER=private internet access
      - OPENVPN_USER=xxxxxxxxz
      - SERVER_HOSTNAMES=lu.privacy.network
      - TZ=America/Chicago
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_proxy"
      # qbittorrent traefik labels
      - "traefik.http.routers.arr-stack-qbittorrent.entrypoints=websecure"
      - "traefik.http.routers.arr-stack-qbittorrent.rule=Host(`torrent.local.domain.com`)"
      - "traefik.http.routers.arr-stack-qbittorrent.tls=true"
      - "traefik.http.routers.arr-stack-qbittorrent.service=arr-stack-qbittorrent"
      - "traefik.http.services.arr-stack-qbittorrent.loadbalancer.server.port=8085"
      - "traefik.http.routers.arr-stack-qbittorrent.middlewares=authentik"
      # prowlarr traefik labels
      - "traefik.http.routers.arr-stack-prowlarr.entrypoints=websecure"
      - "traefik.http.routers.arr-stack-prowlarr.rule=Host(`prowlarr.local.domain.com`)"
      - "traefik.http.routers.arr-stack-prowlarr.tls=true"
      - "traefik.http.routers.arr-stack-prowlarr.service=arr-stack-prowlarr"
      - "traefik.http.services.arr-stack-prowlarr.loadbalancer.server.port=9696"
      - "traefik.http.routers.arr-stack-prowlarr.middlewares=authentik"
      # sabnzbd traefik labels
      - "traefik.http.routers.arr-stack-sabnzbd.entrypoints=websecure"
      - "traefik.http.routers.arr-stack-sabnzbd.rule=Host(`sabnzbd.local.domain.com`)"
      - "traefik.http.routers.arr-stack-sabnzbd.tls=true"
      - "traefik.http.routers.arr-stack-sabnzbd.service=arr-stack-sabnzbd"
      - "traefik.http.services.arr-stack-sabnzbd.loadbalancer.server.port=8080"
      - "traefik.http.routers.arr-stack-sabnzbd.middlewares=authentik"
      # sonarr traefik labels
      - "traefik.http.routers.arr-stack-sonarr.entrypoints=websecure"
      - "traefik.http.routers.arr-stack-sonarr.rule=Host(`sonarr.local.domain.com`)"
      - "traefik.http.routers.arr-stack-sonarr.tls=true"
      - "traefik.http.routers.arr-stack-sonarr.service=arr-stack-sonarr"
      - "traefik.http.services.arr-stack-sonarr.loadbalancer.server.port=8989"
      - "traefik.http.routers.arr-stack-sonarr.middlewares=authentik"
      # radarr traefik labels
      - "traefik.http.routers.arr-stack-radarr.entrypoints=websecure"
      - "traefik.http.routers.arr-stack-radarr.rule=Host(`radarr.local.domain.com`)"
      - "traefik.http.routers.arr-stack-radarr.tls=true"
      - "traefik.http.routers.arr-stack-radarr.service=arr-stack-radarr"
      - "traefik.http.services.arr-stack-radarr.loadbalancer.server.port=7878"
      - "traefik.http.routers.arr-stack-radarr.middlewares=authentik"

  # _____________________________Downloaders__________________________
  arr-stack-qbittorrent:
    image: ghcr.io/linuxserver/qbittorrent:4.6.0
    container_name: arr-stack-qbittorrent
    network_mode: service:arr-stack-gluetun
    volumes:
      - qbittorrent-config:/config
      - media-downloads:/downloads:z
    deploy:
      resources:
        limits:
          cpus: '4'
          memory: 4G
        reservations:
          cpus: '2'
          memory: 1G
    depends_on:
      - arr-stack-gluetun
    environment:
      - WEBUI_PORT=8085
      - TZ=America/Chicago
      # file permissions need to be the same for all apps
      - PUID=1000
      - PGID=1000
      - UMASK_SET=022
    restart: unless-stopped
    # Note 1: Default user is admin, pass is adminadmin
    # Note 2: Tools -> Options -> Web UI -> bypass localhost and whitelist:
    #   172.18.0.0/24, torrent.local.domain.com, arr-stack-gluetun

  arr-stack-sabnzbd:
    image: ghcr.io/linuxserver/sabnzbd:4.1.0
    container_name: arr-stack-sabnzbd
    network_mode: service:arr-stack-gluetun
    deploy:
      resources:
        limits:
          cpus: '4'
          memory: 4G
        reservations:
          cpus: '2'
          memory: 1G
    volumes:
      - sabnzbd-config:/config
      - media-downloads:/downloads:z
    depends_on:
      - arr-stack-gluetun
    environment:
      - TZ=America/Chicago
      # file permissions need to be the same for all apps
      - PUID=1000
      - PGID=1000
      #- UMASK_SET=022
    restart: unless-stopped

  # ______________________________Arrs__________________________________
  arr-stack-prowlarr:
    image: ghcr.io/linuxserver/prowlarr:1.9.4
    container_name: arr-stack-prowlarr
    deploy:
      resources:
        limits:
          cpus: '4'
          memory: 4G
        reservations:
          cpus: '2'
          memory: 1G
    environment:
      - PUID=1000
      - PGID=1000
      - UMASK=022
      - TZ=America/Chicago
    volumes:
      - prowlarr-config:/config
    restart: unless-stopped
    network_mode: service:arr-stack-gluetun
    depends_on:
      - arr-stack-gluetun
      # - arr-stack-qbittorrent
      # - arr-stack-sabnzbd

  arr-stack-sonarr:
    image: ghcr.io/linuxserver/sonarr:3.0.10
    container_name: arr-stack-sonarr
    deploy:
      resources:
        limits:
          cpus: '4'
          memory: 4G
        reservations:
          cpus: '2'
          memory: 1G
    volumes:
      - sonarr-config:/config
      - "media-tv:/media/TV Shows"
      - media-downloads:/downloads:z # only needed if qbittorrent is used. It must be added as a remote path in the app (complete folder)
    environment:
      - PUID=1000
      - PGID=1000
      - UMASK=022
      - TZ=America/Chicago
    restart: unless-stopped
    network_mode: service:arr-stack-gluetun
    depends_on:
      - arr-stack-gluetun

  arr-stack-radarr:
    image: ghcr.io/linuxserver/radarr:5.0.3
    container_name: arr-stack-radarr
    deploy:
      resources:
        limits:
          cpus: '4'
          memory: 4G
        reservations:
          cpus: '2'
          memory: 1G
    volumes:
      - radarr-config:/config
      - media-movies:/media/Movies
      - media-downloads:/downloads:z # only needed if qbittorrent is used. It must be added as a remote path in the app (complete folder)
    environment:
      - PUID=1000
      - PGID=1000
      - UMASK=022
      - TZ=America/Chicago
    restart: unless-stopped
    network_mode: service:arr-stack-gluetun
    depends_on:
      - arr-stack-gluetun
```
Stuff like this is why I moved my docker from unraid to a VM where I can use docker compose. Docker compose is really the only way to get a clean setup with complex stuff like this. That being said I recommend beginners use unraid. You don't need a full vpn for torrents, a socks5 proxy will be fine and doesn't require any special docker settings.
My setup uses traefik reverse proxy. Internal HTTPS (Let's Encrypt wildcard) and external HTTPS depending on what I want.
It uses authentik for single sign on and in this case provides LDAP for jellyfin and also provides web authentication for arr services.
The gluetun container can be configured with any VPN and all services can only access the internet via the VPN.
My NAS is unraid, my docker host is a VM on proxmox. Media files are stored on HDDs on unraid and everything else is on the docker SSD. Volumes are connected to where they need to be via NFS shares.
There are limits for cpu and ram so one container can't bring everything down.
The containers themselves all communicate via their own docker network and only the reverse proxy (traefik) allows access to the UI.
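The isolation properties described in this setup (every service shares gluetun's network namespace, nothing publishes host ports, only traefik reaches the UIs through TLS plus authentik, and every container has resource limits) are easy to break with a single edit, so they are worth checking mechanically. The following is an added example, not the poster's compose or any project's tooling; it embeds a constructed dict mirroring part of the stack above (with PyYAML, `yaml.safe_load()` a real file and pass the result to `check_stack()`).

```python
"""Invariant checks for a gluetun-fronted arr stack (added example)."""

VPN = "arr-stack-gluetun"  # the container that owns the shared network namespace


def traefik_routers(labels):
    """Collect traefik.http.routers.<name>.<option>=<value> labels per router."""
    routers = {}
    for label in labels:
        key, _, value = label.partition("=")
        parts = key.split(".")
        if parts[:3] == ["traefik", "http", "routers"] and len(parts) == 5:
            routers.setdefault(parts[3], {})[parts[4]] = value
    return routers


def check_stack(compose):
    """Return a list of findings; an empty list means every invariant holds."""
    findings, services = [], compose["services"]
    for name, svc in services.items():
        if name == VPN:
            continue  # gluetun is the only service allowed on traefik_proxy
        if svc.get("network_mode") != f"service:{VPN}":
            findings.append(f"{name}: not in the VPN network namespace")
        if "networks" in svc or "ports" in svc:
            findings.append(f"{name}: reachable without going through {VPN}")
        if "limits" not in svc.get("deploy", {}).get("resources", {}):
            findings.append(f"{name}: no cpu/memory limits")
    # Every UI router on the VPN container must terminate TLS and sit behind authentik.
    for router, opts in traefik_routers(services[VPN].get("labels", [])).items():
        if opts.get("tls") != "true" or "authentik" not in opts.get("middlewares", ""):
            findings.append(f"router {router}: missing TLS or authentik middleware")
    return findings


# Constructed sample: sonarr follows the pattern above, qbittorrent deliberately does not.
LIMITS = {"resources": {"limits": {"cpus": "4", "memory": "4G"}}}
STACK = {"services": {
    VPN: {"image": "qmcgaw/gluetun", "networks": {"traefik_proxy": {}}, "labels": [
        "traefik.http.routers.arr-stack-sonarr.tls=true",
        "traefik.http.routers.arr-stack-sonarr.middlewares=authentik",
        "traefik.http.routers.arr-stack-qbittorrent.tls=true"]},  # no authentik
    "arr-stack-sonarr": {"network_mode": f"service:{VPN}", "deploy": LIMITS},
    "arr-stack-qbittorrent": {"ports": ["8085:8085"], "deploy": LIMITS},
}}

if __name__ == "__main__":
    for finding in check_stack(STACK):
        print(finding)
```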
The spirit of Self-Hosting is trying things and then asking specific questions when you get stuck (stuck includes having no luck using a search engine).
To your point, I clicked on this post hoping to see what OP was going to use and why because I would like to build my own NAS some day. But like you said, this post is a waste of everyone's time.