I keep landing back to Proxmox, My primary use is to run the Home Assistant OS VM which is quite fantastic there. And also, I have NFS sharing setup on the Proxmox server so I can share it between my machines and my home Linux boxes. I’m on Proxmox 8 though and not 9. Debian 13 with Proxmox 9 it turns out at least when I tried it, is really locked down now for running Docker via the host. (Proxmox machine) With Proxmox 8, I can still install Docker and run my containers there, then use Portainer to manage them sometimes, but rarely now days. You can also probably do it the “Correct way” as some may believe by setting up a VM or LXC in Promox to host docker containers. I do that with one subset of containers but not all.

Another option you may want to consider is XCP-NG, which is another hypervisor and IMHO ran Home Assistant a tad bit faster for me, but it will not allow you to mount existing drives without erasing them (I can’t do that with my disks). Additionally,  it seems to be on an out of date CentOS build which is no longer updated. (My notes from this are from a year ago when I tried it and I think some of it has changed, but for storage: https://docs.xcp-ng.org/storage/) You can see what’s going on there.

Most people will say to host Truenas or something like that in a VM via Proxmox but honestly, it isn’t too difficult to set up with a tool like Cockpit to manage the shares. I’ve played with most of the setups recently and recently tried going with a Debian 12 install on bare metal with the Home Assistant VM running which I could, but I had more crashes with the server and it never started the VM in spite of being told to do so. I honestly didn’t stick around though, so YMMV if you go that route.

I have been using Proxmox VE with Docker running on the host not managed by Proxmox, and then Cockpit to manage NFS Shares with Home Assistant OS running in a VM. It’s been pretty rock solid. That was until I updated to Version 9 last night, it’s been a nightmare getting the docker socket to be available. I think Debian Trixie may have some sort of extra layers of protection, I haven’t investigated it too much, but my plan tomorrow and this week is to migrate everything to Debian 12 as that’s the tried and true OS for me and I know it’s quite stable with Cockpit, docker and so forth with KVM for my Home Assistant installation.

One other OS for consideration if you are wanting to check it out is XCP-NG which I played with and Home Assistant with that was blazing fast, but they don’t allow NFS shares to be created and using existing data on my drives was not possible, so I would’ve had to format them .

Cloudflare tunnels support higher port numbers. I’ve done it in the past with Portainer. Also Proxmox which listens on 8006. Portainer on 9443.

If your router supports Freshtomato firmware, it also has adguard you can enable too.

You could always use ntfy.sh if you are wanting to keep it light weight, I know there seems to be a heavy following and happy community with it. I personally use Gotify which has been nice and easy to use and just works for my needs. :) I looked at the shoutrrr repo and it seems to be either abandoned or just no longer updating maybe because their is no need to in the Dev’s eyes. They also develop Watchtower which hasn’t been touched in about 2 years ago. I have never had any issues with Watchtower so I think it may not need much maintenance. I do see though that they are working on a new project: https://github.com/containrrr/shepherd but it’s also a bit stale.

To make it seamless so you can still Thunderbird, someone made a Docker image of it here: https://hub.docker.com/r/kebles/wanderbird But, you can probably find a newer release somewhere newer than 4 yrs old like this one. :) The point is, if you are wanting to keep it in the Thunderbird umbrella, then it’s most likely been Dockerized.

I’ve Tried Cypht recently, but if you are using Gmail, it has a conflict there so it won’t work out of the box without some extra work I think.

I can see them doing that, I use a DNS ad-block (Adguardhome) with plenty of filters and last night, I spotted that they were able to inject two ads (standard one to the right of the channels and one at the bottom below the menu for the new Minecraft movie when they changed my background. So, they are finding ways around this stuff. I simply disabled the Sponsored themes. We are on the fence about replacing the TV later this year but not 100% sure just yet. It’s been quite buggy randomly rebooting when switching sources and other things.

Not related to the server, but I was very happily surprised with the latest Roku Jellyfin channel. A complete refresh of everything and it’s great to see it.

Thanks for sharing this! I used it today to resize my Very large phone selfie I had to do for a profile image update at work and it did very nicely! Much faster for me to do that then load it in Gimp and scale it down since I was running late for work. : )

Hmmm… Interesting! I didn’t realize there was a fork, but then again, this is one of those tools I’ve had running for several months close to a year or so and never thought about it. The original dev, Corentin, has been working on many more new projects: https://bsky.app/profile/corentin.tech .

I have several services. Home Assistant is not one as it’s still a WIP for the person who’s developing a solution. It works, but I’m sort of holding off until I can test it more with the mobile app.

https://github.com/christiaangoossens/hass-oidc-auth

But, to answer your question: I log into Tailscale with it. I also have it connected to Proxmox and Portainer Additionally, I have it connected to Pomerium so I can log into my FreshTomato Router with a fingerprint :) I also have a self hosted PasteBin connected to it.

I just tested my version of Firefox (Fresh from Play Store) and it worked without issues on my end to login to the server.

The only browser I’m aware of which doesn’t support it is the Duck Duck Go Browser which is a shame. They don’t seem to care about enabling WebAuthn support.

Pocket id is my go to. I used to use Authentik, but it was overkill for us. Pocket ID is pretty simple to use and has a very nice interface to add your users and clients. Uncluttered and straight and to the point. Pocket ID doesn’t use UN/PW Combos. Instead, you use Passkeys as in webAuthn devices to log in, which IMHO is one of the better security paths.

https://github.com/pocket-id/pocket-id

I work from home, however my two systems (home and work) are on the same LAN, they don’t see each other for file sharing. I get paid via direct deposit like everyone else which means my pay stubs are all electronic. I print those out and then use WinSCP to copy those over to my desktop. No other files are ever sent.

At home, depending on the amount of files, I either use SFTP via Filezilla, or if the mood strikes me and for a single file, I will just use SCP if I’m already on the cli which is most of the time it seems anymore doing work on my personal servers. I’ve found that SFTP is faster at transferring than doing a copy/paste to the NFS share to the same drive.

I have AdguardHome on my RPi4 (4GB) model, and it works perfectly fine. I have also hosted Pi-Hole v.5 and even their recent Pi-Hole v6 they just released on it and have even at times run TechnitiumDNS on it. Not all at once of course, but I wanted to let you know you can host any of these on a RPi without issues.

One think you get with the Pi-hole is you can set up a DNS entry where you could for example, set up “laptop” and any time you want to access it or ping it, anywhere on your network, you can simply just enter in http://laptop or ping laptop. With both AdguardHome and Technitium, you need to append the .local or .internal or .home subdomain to make it work. It’s not really an issue for me since I just modify my hosts file on my computer to do the same thing, but is sort of cool when you use a system on the network to just go to http://homepage to reach your dashboard like Homarr or Flame on your phone where you can’t adjust the hosts file as easily.

TechnitiumDNS is what you want if you are wanting to dive deep into your world of DNS configurations, from there, I was able to set up a redirect to my PXE boot server so when devices would grab their IP from the DHCP server, if they queried for a boot device, it would tell the device where to boot from. I’m pretty sure you can do that with PiHole, but I may be wrong. Additionally, with TechntiumDNS, I was able to set up an adblock for my IoT’s VLAN network. without the need to add a second one to the network. As far as I can tell, with the other solutions, this is not as easy to do.

If you are wanting to determine which would be easier to run, I would say AdguardHome for the easiest. Next in line is PiHole v6. and lastly TechnitiumDNS if you really want to dive into the complexities. It is a good business class DNS server. The reason I’m on AdGuardHome right now is for as others stated simplicity. TechnitiumDNS is overkill for my home network, PiHole V6 took forever for them to release, but was a major re-write and if you want to set up your DHCP static mapping like I do, they kneecapped the entry a bit. It’s still there, but not as easy to find and more of a thing like (I don’t recall the order it goes on) MAC;IP;HOSTNAME or something like that instead of the easier method of just clicking in a row and entering those data points one per field like AdGuardHome, and TechnitiumDNS do. Pihole V5 included.

My Network pretty much has 3 layers of DNS filtering active, The first layer is on my router which has built in adblock (FreshTomato), then AdGuardHome, and finally, browser level blocking. I don’t get Youtube Ads on my computers, but on the phones and TV I do. In the browser, I use U-Block Origin which is in the cat and mouse game with Youtube ad-blocking.

Maybe your own adblocker, I thought about doing that myself, I use the public one from adguard on my phone (dns.aguard-dns.com) but having it on your own device would be pretty slick perhaps. But thinking about it more, Google wouldn’t just let you use an internal IP for the private DNS. I have tried it with my locally hosted adblocker and it rejects it.

Or you could set up a dashboard like Homepage or Dashy, or Flame or ? Ultimately, your imagination would do! :)

NFS4 I don’t think its obsolete.

I use it for my Desktop computers to connect to the server. All of my systems use Linux so that’s my primary use. They backup to the server nightly.

I discovered about a few months ago that XCP-NG does not support NFS shares which was a huge dealbreaker for me. Additionally, my notes from my last test indicated that I could not mount existing drives without erasing them. I’m aware that I could have spun up a TrueNAS or other file sharing server to bypass this, but maybe not if the system won’t mount the drives in the first place so it can pass them to the TrueNAS . I also had issues with their xen-orchestra which I will talk about below shortly. They also at the time, used an out of date CentOS build which unless I’m missing something, is no longer supported under that branding.

For the one test I did which was for a KVM setup, was my Home Assistant installation, I have that running in Proxmox and ccomparativelyit did seem to run faster than my Proxmox instance does. But that may be attributed to Home Assistant being the sole KVM on the system and no other services running (Aside from XCP-NG’s).

Their Xen-Orchestra for me was a bit frustrating to install as well, and being locked behind a 14 day trial for some of the services was a drawback for me. They are working on the front end gui to negate the need for this I believe, but the last time I tried to get things to work, it didn’t let me access it.

Pushed Wireguard back onto my network. I’ve been a Tailscale user for a couple of years, but never really saw the need for it for me as I’m the only user of the service. :)

I will freely admit though, there’s nothing wrong with the service and honestly is great if you are behind a CGNAT router or don’t want to use Cloudflare for your tunneling.

You said

I’m only really running a caddy reverse proxy on the VPS which forwards my home server’s services through Tailscale. "

It seems then that you are using a Tailscale Funnel to expose your services to the public web. Is this the case? I ask because the basic premise of Tailscale is that you have to be logged into your Tailscale network to access the services and if you are not logged in, then the site you try to access won’t even appear to exist. Unless it’s setup via the Funnel.

Assuming then that you setup a funnel, then you are now 100% exposed to the WWW. AI Bots and bots in general crawl the WWW daily and eventually your site will be found. You have a few choices here, rely on a Web Application Firewall (WAF) such as Bunkerweb which would replace Caddy, but would provide a decent firewall of sorts. Or…you can use something like Config Server Firewall but I’m not sure if they have AI Bot protection. The last I used them was before AI was a thing.