Migadu micro tier is $19/year. Great service and has a great privacy policy. Basically unlimited domains. Ive been very happy with them.

https://www.migadu.com/

Ah ok. I’ve done opnsense and pfsense both virtualized in proxmox and on bare metal. I’ve done the setup both at two work places now and at home. I vastly prefer bare metal. Managing it in a VM is a pain. The nic pass through is fine, but it complicates configuration and troubleshooting. If you’re not getting the speeds you want then there’s now two systems to troubleshoot instead of one. Additionally, now you need to worry about keeping your hypervisor up and running in addition to the firewall. This makes updates and other maintance more difficult. Hypervisors do provide snapshots, but opnsense is easy enough to back up that it’s not really a compelling argument.

My two cents is get the right equipment for the firewall and run bare metal. Having more CPU is great if you want to do intrusion detection, DNS filtering, vpns, etc. on the firewall. Don’t feel like you need to hypervisor everything

So you’re planning to reuse the same hardware that the firewall is running on now, by installing a hypervisor and then only running opnsense in that?

Did you expose your router login page to the open internet? How’d they get access? Why are you chmoding anything to be 777?

They are decommisioned datacenter drives, this could be for a variety of reasons (including errors). There are many discussions online about them wiping smart data.

It depends on your use case, I have a few of their drives in a nas specifically for media. I received one bad drive that failed my burn in tests, which they exchange without issue. All of my important files are stored on a seporate ssd based store.

All depends on your risk tolerence and needs.

Serverpartdeals is good. https://www.goharddrive.com/ is another option. Generally slightly more expensive than serverpartdeals, but with better warranty. Both are reputable options

Have you considered making your own firewall running opnsense? You could toss in a 10g nic or two

Maybe you’d be interested in https://wazuh.com/

Proxmox has a virtual monitor in its web interface, so you can access the desktop of a virtual machine that way. It’s a little clunky but works ok for quick configuration. Alternately you could remote desktop into the virtual machine.

Quicksync is a little more tricky. GPU pass through is a pain, and I’m not sure off the top of my head about that. You can Google “proxmox quicksync passthrough” and see if any solutions will work for you. There’s a chance that all you would need to do is set the processor type correctly in the virtual machine settings, but I’m not sure.

Have you considered replacing the OS with proxmox and running everything in virtual machines?

What no one else has touched on is the protocol used for network drives interferes with databases. Protocols like SMB lock files during read/write so other clients on the network can’t corrupt the file by interacting with it at the same time.

It is bad practice to put the docker files on a NAS because it’s slower, and the protocol used can and will lead to docker issues.

That’s not to say that no files can be remote, jellyfin’s media library obviously supports connecting to network drives, but the docker volume and other config files need to be on the local machine.

Data centers get around this by:

• running actual separate databases with load balancing
• using cluster storage like ceph and VMs that can be moved across hypervisors
• a lot more stuff that’s very complicated

My advice is to buy a new SSD and clone the existing one over. They’re dirt cheap and you’re going to save yourself a lot of headache.

I definitely recommend you do your own research into this. Brute forcing ssh keys should be practically impossible. Is it necessary to install fail2ban with password login disabled? Not sure, I’m of the opinion that it won’t hurt, just one more line of defense. It’s pretty easy to setup.

Security through obfuscation is never a good idea. Best practices for exposing ssh (iirc):

• disable root login (or at least over ssh)
• disable password login over ssh, use key pairs instead
• use fail2ban to prevent brute forcing
• install security updates frequently

All of those are pretty easy to do, and after that you’re in a really good place.

I don’t see a problem with ssh tunneling to access services, as long as the ssh server is secured correctly