Looking Entusiasts for Secure Server creation

Hello! :slight_smile:

Me and friends of mine (in quite censored country) wish to build quite secure NAS Server

We wish to set up own self ProxMox or TrueNas Scale that we dream about, and make it more easily free-shared for anyone who want to make something private like this for anyone in the world… with quite lot services, we are still learning, but still, in lack of huge knowledge - looking people with experience, who can help to make it more stable and quite easily set up by Ansible or any other way…

We can describe our steps we need to do, and if you take a look through we would be very glad…

And if there a ways to make something like “image/backup” of that server and share it on free open source repositories

We can jump in by taking making graphical guide zine about “how to” afterwards

Thank you in advance!

Here are steps we see and ready solutions in the end:
• Make maximum protection of access to the administration and management of the hypervisor (including authentication via usb\yubikey) + split all disks (Configure RAID1 and separate it into sections: encrypted and user) including backup and backups
• Additionally protect the place where the server is located and make additional signaling and the self-destruct function? Arduino?
• Provide uninterrupted power supply and cooling + an additional communication channel in case of failure of one of the devices/services (Cluster?)
• Create a list of users who are allowed access to use the hypervisor + server inside the network and outside (Is it possible to make a “fingerprint” of hardware of each allowed user? So that could protect from strangers and hackers even they try to mask their MAC address. Or what kind of limited blockchain system) + sid phrases instead of easy passwords?
• Create a reliable database of logins and passwords of each user for each service. Store it safely and have a backup on a separate device
• Configure access to each service by address, not IP address
• Each available service is protected by the Authelia authentication system + set up a notification about hacking attempts or multiple incorrect logins. To issue postal addresses to the obminid circle of persons
• To access from outside, make the server invisible or confusing (Shadowsocks? VPN?) + configure DDNS + Lets Encrypt + RustDesk
• Exchange of files within the network over a secure channel or encryption and decryption at input-output (SFTP?)
• Protection of data from ransomware and infection with other crap
• Make it works in Tor and I2P?
• Make documentation and save copies of images made at each stage
• Availability of services from mobile devices

Ready Solutions:

• General work with documents and so on. Nextcloud or CryptPad
• Forum: Flarum
• Microblog. Diaspora
• General chat with encryption. SimpleX, Jitsi or Matrix
• Mail: Postmoogle (SMTP for Matrix server) or ? (main PGP support by default)
• Storage of user data. DataBunker:
• Media library: Plex:
• Manager-password. Passbolt or Vaultwarden
• User authentication. Authelia:
• Remote access. RustDesk or MeshCentral + DuckDNS (?)
• VPN. Wireguard (Rosenpass)
• Blockers. Pihole + Unbound
• Firewall. PfSense (can it serve as a virtual router?)
• Proxy. Nginx + Cloudflare
• DNS. Unbound:
• Protected storage. VeraCrypt Volumes + Meta Data Cleaner + Eraser (if necessary)
• Protection from brute force attacks and restrictions on incorrect login/password input. DenyHosts SourceForge + hack notification Gotify?
• Notification system. PiAlert:
• Emergency function of erasing everything and everything by type. KillUSB + ShredOS
• Protection from advertising for all devices + addressing of all services by address. PiHole:
• Certificates. Let’s Encrypt
• NAS: OpenMediaVault
• Synchronization. Syncing + GitAnnex:
• Backups. Bumpstash
• Monitoring. NetData or Listmonk
• Automatic update of containers. Watchtower (new versions - not as secure as verified previous ones)

As understandable as your desires are, if oppression in your country is life-threatening, you may want to host a server outside of your country. A VPN, or better, access via the TOR network is much preferred as it’s more difficult to intercept by your not-so-friendly authorities. That doesn’t mean they won’t try! Capturing all traffic is trivial if you control the network, and they do. That means they have the resources to register all connections to and from your PC and if the data set is big enough, AI will be used to analyse your network traffic, then it’s only a matter of time before you have some unwanted visitors in your house :frowning_face:

Anyway, you know your Gov’t better then I do and thus can better judge what you can get away with and what will land you in hot water.