So I set up a new machine with Proxmox.
I want to install the following on that machine - but I am unsure of whether it should all be on a single VM or split between several VMs - and which order it should be installed in to make sure that it all works together in a meaningful way…
This is in no particular order, just what I had in mind.
- Pi-Hole as Recursive DNS
- Nginx Proxy for self hosting
- VaultWarden password manager
I have no idea if these all play well together, or what sort of a nightmare I will have setting it all up and wondered if anyone had done similar and could provide some guidance or best practice or knew of any guides to setting up proxmox with this sort of stuff?
Let's think through this logically.
- What will be handling DHCP?
- Which of these services interact DIRECTLY with each other? i.e. are you planning to use Grafana solely for pfSense logging?
- What items will be tied behind Nginx?
- Should I (you) install multiple copies of services per box (CrowdSec), or try to tie all systems to one CrowdSec VM?
- Which of these services do not rely on any other system to be online first?
Virtualizing your firewall is possible, with caution. DHCP and DNS need to boot before systems that need DHCP and DNS. Install order only matters if one service relies on another.
So, due to another thread I had on these forums, the setup will look like this:
WAN - R.ISP -+- R.AX89X ---+- S.TrueNAS
             |             +- Device.A
             +- S.Ubuntu   +- Device.B
The S.Ubuntu machine is the Proxmox machine and will be kept entirely separate from the S.TrueNAS machine.
The R.ISP is my ISP's router and will be handling DHCP for the Ubuntu server.
I think for Pi-hole, CrowdSec, Nginx and pfSense the intention is to have all of these services acting together on the Ubuntu machine - there will be separate instances of these on the TrueNAS machine for the rest of the network.
Heimdall would be great as an overarching system, so that I can pull up anything else that I happen to run on the server through one interface.
Grafana will be specific to the item that I am running, but I was hoping to install it in such a way that different information is sent from different locations to build different dashboards.
The end goal for this machine is to host a website - so keeping it separate and protected is a high priority.
So I think having the pfSense, CrowdSec and Nginx stuff up and running prior to running those is a priority - but I was thinking about secondary services being in secondary VMs - so services that benefit from or use any of those are not tied into the same VM.
Hope that helps
Sounds like fun, so have fun.
Give Fenrus a chance instead of Heimdall; it does the same but is a bit more customizable and has an easy-to-use GUI for that.
Sounds like you have a good plan in place. While that is totally different from the design I used, that is entirely acceptable in the world of tech. Have fun with the build and ask if you have specific issues.
As an example, I use Proxmox as my core and I have Pi-hole, a public webserver, internal Active Directory, and all of my services virtualized in Proxmox. I do use TrueNAS, but it actually is a separate physical box with a 10Gb connection to Proxmox. I pass real NICs into the Pi-hole VM and the AD server to keep them outside of the VM network.
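Putting the reply's rule (boot order only matters where one service relies on another, with DHCP/DNS and the firewall first) together with the plan above, here is an added example of expressing those dependencies once and letting a script derive the Proxmox per-VM start order. This is not code from the thread or from Proxmox; the dependency map and VM IDs are constructed placeholders that mirror the services named here, and the only real command used is `qm set <vmid> --startup order=N,up=S`, which is how Proxmox sets a VM's start position and the delay before the next one starts.

```python
"""Derive a Proxmox VM startup order from service dependencies.

Constructed example: the service names, dependency edges and VM IDs are
placeholders mirroring the thread (pfSense, Pi-hole, CrowdSec, Nginx,
Vaultwarden, Grafana, Heimdall); they do not describe a real deployment.
"""
from collections import deque
import shlex
import subprocess

# Constructed dependency map: service -> services that must be up first.
# The firewall/DHCP (pfSense) and DNS (Pi-hole) have no dependencies;
# anything that needs name resolution or a route out depends on them.
DEPENDENCIES = {
    "pfsense": [],
    "pihole": ["pfsense"],
    "crowdsec": ["pihole"],
    "nginx": ["pihole", "crowdsec"],
    "vaultwarden": ["nginx"],
    "grafana": ["pihole"],
    "heimdall": ["nginx"],
}

# Constructed placeholder VM IDs (a real cluster assigns its own).
VMIDS = {
    "pfsense": 100,
    "pihole": 101,
    "crowdsec": 102,
    "nginx": 103,
    "vaultwarden": 104,
    "grafana": 105,
    "heimdall": 106,
}


def boot_order(deps):
    """Kahn's topological sort: every dependency precedes the services that use it.
    Raises ValueError on a cycle, since a VM that waits on itself never boots."""
    indegree = {svc: 0 for svc in deps}
    users = {svc: [] for svc in deps}
    for svc, needs in deps.items():
        for need in needs:
            if need not in deps:
                raise ValueError(f"{svc} depends on unknown service {need}")
            indegree[svc] += 1
            users[need].append(svc)
    # Sorting keeps the output deterministic when several VMs are ready at once.
    ready = deque(sorted(s for s, d in indegree.items() if d == 0))
    ordered = []
    while ready:
        svc = ready.popleft()
        ordered.append(svc)
        for user in sorted(users[svc]):
            indegree[user] -= 1
            if indegree[user] == 0:
                ready.append(user)
    if len(ordered) != len(deps):
        stuck = sorted(s for s, d in indegree.items() if d > 0)
        raise ValueError(f"dependency cycle among: {stuck}")
    return ordered


def startup_commands(deps, vmids, up_delay=30):
    """Build one `qm set` command per VM: order=N boots Nth on the node and
    up=S waits S seconds before the next VM starts, giving DHCP/DNS time to settle."""
    cmds = []
    for n, svc in enumerate(boot_order(deps), start=1):
        cmds.append(f"qm set {vmids[svc]} --startup order={n},up={up_delay}")
    return cmds


def apply(cmds, dry_run=True):
    """Print the commands; with dry_run=False run them on the Proxmox host."""
    for cmd in cmds:
        print(cmd)
        if not dry_run:
            subprocess.run(shlex.split(cmd), check=True)


if __name__ == "__main__":
    apply(startup_commands(DEPENDENCIES, VMIDS))
```

Run it on the Proxmox host as root with `dry_run=False` once the printed order looks right; the `up` delay is per VM, so seven VMs at 30 seconds means the last one starts roughly three minutes after the first, which is the price of letting the firewall and DNS come up before anything that needs them.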