NAS Build - Hardware and Software Help

Go to solution Solved by dbx10,


Following this post: 

I have tried to learn more and look out for solutions for my setup, and I've come to a hardware and software list that I would like help with, to sanity check my choices, and to get you guys' input on this, as this is my first NAS build.

 

Hardware-wise, I've selected these components (haven't bought them yet, so feel free to give advice on better component choices):

  • Case: E-ATX Antec P101 Silent Black (109,9€) - 8 HDD 3.5'' bays, so it helps me expand in the future;
  • Motherboard: MSI MAG B550 Torpedo ATX (141,9€) - 2.5Gbit LAN built in, 6 SATA ports that as far as I know don't share any bandwidth with any m.2 slots, so I would only need an HBA card if I installed 8 disks
  • CPU: AMD Ryzen 5 5600G (199,9€) - Built in graphics, so I don't need to have a discrete GPU if I need to troubleshoot something or if the board can't post in headless mode;
  • RAM: Corsair Vengeance LPX 32GB (2x16GB) DDR4-3200MHz (117,9€) - Gives me room to upgrade to 64GB in the future by just adding 2 sticks;
  • PSU: Seasonic Core GM 500W Semi Modular 80PLUS Gold (59,9€) - By my calculations 500W is enough to power this whole system, even if I add 8 HDDs;
  • OS Drive: SSD 2.5" Kingston A400 120GB TLC SATA (23,9€) - Cheapest SSD I could find to run TrueNAS on;
  • Cache Drive: M.2 2280 KIOXIA Exceria 250GB 3D TLC NVMe (28.9€) - Fast sequential and random read and write speeds (should I have 2 of these in mirror for redundancy?);
  • Storage: 4x Seagate Exos X18 18TB (299,08€ each) - 54TB available in Raid z1, very good €/TB ratio, with room to add 4 more drives in the future if I need to increase my storage;
  • TOTAL COST for the Hardware (excluding drives): 629,50€.

Software-wise, this is what I'm inclined to choose:

  • OS: TrueNAS Core - ZFS, good performance for the storage, as I'm going to be reading and writing mainly video files to the NAS (I work in video production, said so in the post mentioned earlier);
  • LAN File Access: SMB share, mapped to a network drive on my editing machine;
  • Remote File Access: OpenVPN or Nextcloud (this is what I REALLY need help with) - I need to be able to access the storage remotely, as well as having my remote editors be able to download footage from the NAS to edit on their machines, and then upload the final exports back to the NAS.
    I also need my clients to be able to upload recorded footage to the NAS, and download final exported videos from it.
    I want some setup where I can configure users, each user having different permissions to access specific folders.
    Example: I have access to everything; Editor has access to "raw footage" folder, "projects" folder and "final exports" folder; Client only has access to "raw footage" folder and "final exports" folder.

    Do both of these solutions offer no bottleneck to speed when accessing remotely? I want the internet speed to be the only bottleneck in remote access, if possible. What are the pros and cons to OpenVPN vs Nextcloud? Is there another solution I'm not thinking of?

 

Sorry for the long post, hope you can give me a hand in this journey building my first NAS.

Thank you!


Hi, I'd replace the case with a Fractal Define R5. It's cheaper and generally better quality than Antec, and very silent. Comes with 8 bays too.

For remote file access to work safely, you need to own a domain name. I have several internet facing services and sites I host from my server / NAS. It's a tedious process but it's the best way I have found to make everything work.

My setup:

  • Ubuntu server in a VM on its own small SSD with Docker installed, and Portainer for easy management.
  • nginx proxy manager running on Linux
  • Nextcloud running as a TrueNAS plugin, so it can easily access storage.

Nextcloud is reverse-proxied through nginx proxy manager to a CNAME record on Cloudflare, and protected by Cloudflare's free SSL. So when I type `cloud.mydomain.com`, NPM knows to route the traffic to the correct internal IP address on the network. You will also need to correctly set up port forwarding on your router.

 

My ISP also happens to change my public IP address frequently, so in order for the root domain record to work, I have oznu/cloudflare-ddns set up in Docker with the correct Cloudflare API key, so it automatically changes my root domain record on Cloudflare when my IP changes.

 

The fact that it's all reverse proxied behind Cloudflare's IP masking and SSL certs makes this way of doing things reasonably secure.

btw I run all this, Emby server, and dozens more Docker containers on a Ryzen 2600X and 32GB of RAM. Rarely is my system ever taxed. It's a super lightweight build in terms of how much resources this needs, and it's been rock solid for me so far.

Lastly, do set up a periodic cloud sync task on TrueNAS, they have B2 cloud storage integration directly in the UI. It's super easy.

GL!


18 hours ago, dbx10 said:

Hi, I'd replace the case with a Fractal Define R5. It's cheaper and generally better quality than Antec, and very silent. Comes with 8 bays too.

For remote file access to work safely, you need to own a domain name. I have several internet facing services and sites I host from my server / NAS. It's a tedious process but it's the best way I have found to make everything work.

Thank you so much for taking the time to help!

 

I already have a domain name registered, because I have a Squarespace website for my work. I was currently trying to understand how to configure it for a scenario like this one with a DDNS.

 

I can safely say my networking/Linux knowledge is severely underdeveloped, so I'm trying to learn new stuff bit by bit to try to make it right. I would say the most I've done is set up a DDNS service with duckdns or some other free service for a Minecraft server when I played with my friends in middle school 😅. I understand DHCP, port forwarding, static IPs, MAC binding to a local IPv4 address, but that's mostly it.

 

18 hours ago, dbx10 said:

My setup:

  • Ubuntu server in a VM on its own small SSD with Docker installed, and Portainer for easy management.
  • nginx proxy manager running on Linux
  • Nextcloud running as a TrueNAS plugin, so it can easily access storage.

Nextcloud is reverse-proxied through nginx proxy manager to a CNAME record on Cloudflare, and protected by Cloudflare's free SSL. So when I type `cloud.mydomain.com`, NPM knows to route the traffic to the correct internal IP address on the network. You will also need to correctly set up port forwarding on your router.

I don't understand anything regarding VMs or Docker containers, so I'll have to try to learn to be able to work with them. I just came out of 2 straight weeks reading and watching videos about TrueNAS Core, so I haven't had the time to explore those subjects further ahah.

 

If I am understanding correctly, you're using Nextcloud, instead of a VPN. How would these suggestions help security-wise, compared to having OpenVPN access enabled with client certificates for each user that is accessing remotely? Or am I misunderstanding the purpose of what you said?

 

Once again, thank you very much for the help, and I'm sorry for being such a noob regarding these subjects.


6 hours ago, OvrilPT said:

I already have a domain name registered, because I have a Squarespace website for my work. I was currently trying to understand how to configure it for a scenario like this one with a DDNS.

If I recall correctly Squarespace retains control of everything regarding your domain name, I'd check with support.

 

6 hours ago, OvrilPT said:

If I am understanding correctly, you're using Nextcloud, instead of a VPN. How would these suggestions help security-wise, compared to having OpenVPN access enabled with client certificates for each user that is accessing remotely? Or am I misunderstanding the purpose of what you said?

I use NC as a Google Drive replacement, as it's easy to share files to people online via WebDAV. What makes it secure is reverse proxying the access to it via Cloudflare's SSL. OpenVPN is a good solution too, but you still need a way to present the files you want to share to individual customers. NC has account management and access settings per account already built in.
 

You can disable all the plugins you don't need like calendar, contacts, and all the "office" stuff

25 minutes ago, dbx10 said:

If I recall correctly Squarespace retains control of everything regarding your domain name, I'd check with support.

I will, thanks!

 

26 minutes ago, dbx10 said:

I use NC as a Google Drive replacement, as it's easy to share files to people online via WebDAV. What makes it secure is reverse proxying the access to it via Cloudflare's SSL. OpenVPN is a good solution too, but you still need a way to present the files you want to share to individual customers. NC has account management and access settings per account already built in.

So it's easier for the end user to interface with a "cloud" UI, rather than with SMB network drive mapping and all that, I think I get it. And probably has the advantage of being easier to set up if the other users use a Mac computer by any chance probably.

 

You've been a great source of help, I will try to understand if I can do all that security stuff and try to set this up ASAP, I've ordered all the parts today!

Thanks once again!
