Thanks a lot for your feedback, I’ll take care of it ASAP!
PS: For now I’m going to remove everything but coder… just in case!
Best regards,
PapaGigas
I’ve added the Apps user, can you check again please?
user: ${PUID:-568}:${PGID:-568}
Best regards,
PapaGigas
That did the trick, Node Red works now. Thanks
I’ve added LINUXSERVER/EMULATORJS to the GAMES stack!
Do you have any more suggestions?
EDIT: I’ve added a copy button to NOTIFICATIONS stack Docker Compose and .env File!
EDIT2: I’ve also finished the installations instructions for LINUXSERVER/EMULATORJS!
Best regards,
PapaGigas
Hmm… maybe Sonarr and Radarr for the media stack.
I’ve added a VPN-ARR stack to the guide!
PS: The containers in VPN-ARR stack are using the network mode “container:gluetun-p2p” to connect through the VPN-P2P stack… I hope it works without any issues!
EDIT: I’ve also added steps 2-5, 9-10 and 16-17 to TrueNAS installation instructions:
EDIT2: I’ve also added MAZANOKE to OFFICE stack!
EDIT3: I’ve also added AUDIOBOOKSHELF and CALIBRE to MEDIA stack!
Best regards,
PapaGigas
I’ve changed step 7 from TrueNAS installation instructions!
From this:
Step 7: Configure Apps' Pool - Follow the official instructions from the TrueNAS website to set up your pools and then: # Choose your fastest (especially 'low latency') pool for System/Apps
1. Navigate to "Apps > Configuration > ChoosePool" in the TrueNAS interface.
2. Select your TrueNAS Apps' pool name from the list, in most cases: # TIP: Name your System/Apps pool 'tank' (the default name used in ZFS documentation and in this guide)
tank
3. Click "Choose" to save.
To this:
Step 7: Create ZFS Pool - You'll need to create at least one ZFS pool to store your System/Apps data:
1. Navigate to "Storage" in the TrueNAS interface.
2. Click on the "Create Pool" button near the top right.
3. Type "tank" on the "Name" field. # The default name used in ZFS documentation and in this guide
4. Check "Encryption".
5. Click "Next".
6. Choose your pool "Layout". # Use at least a Mirror and prioritize low-latency, high-performance storage (e.g.: Optane, NVMe) for your System/Apps pool
7. Choose the "Disk Size".
8. Check "Treat Disk Size as Minimum".
9. Choose the "Width".
10. Choose the "Number of VDEVs".
11. Click "Save And Go To Review".
12. Click on the "Create Pool" button to create your System/Apps pool.
13. Confirm that "The contents of all added disks will be erased" and click "Continue".
14. If needed, follow the official instructions from the TrueNAS website to set up your pools.
Sample Pool Setup (based on the reference system used for this guide):
[ System / Apps ]
Name: tank
Disks: 7 OPTANE
Layout: 3 x Mirror + Spare
[ Media / Downloads ]
Name: neo
Disks: 2 HDD + 4 NVMe
Layout: 1 x Mirror + SLOG (NVMe Mirror) + Metadata (NVMe Mirror)
[ Data / Shares ]
Name: trinity
Disks: 4 SSD
Layout: 1 x RAIDZ1
[ Backups ]
Name: morpheus
Disks: 8 SSD
Layout: 1 x RAIDZ2
Step 8: Configure Apps' Pool - You'll need to configure your Apps' pool to store your Apps data:
1. Navigate to "Apps > Configuration > Choose Pool" in the TrueNAS interface.
2. Select your TrueNAS Apps' pool name from the list, in most cases:
tank
3. Click "Choose" to save.
Best regards,
PapaGigas
The TrueNAS Scale installation instructions are done!
The stacks are also done, I just have to fix some minor issues and do a network refactoring…
EDIT: One of the issues was the need for accessing TrueNAS to set the permissions every time you installed a stack… but no more, lol, I’ve removed this from all the stacks:
5 - Navigate to "Datasets" in the TrueNAS interface.
6 - Expand your Apps' pool tree, expand "docker" and click on the "container" dataset to select it.
7 - Navigate to "Permissions > Edit" to access the ACL Editor.
8 - Set the following "Access Control List": # This is the default ACL for Apps
owner@ - root Allow | Full Control
group@ - root Allow | Modify
Group - builtin_users Allow | Modify
Group - builtin_administrators Allow | Full Control
User - apps Allow | Modify
9 - Check "Apply permissions recursively" and confirm.
10 - Check "Apply permissions to child datasets".
11 - Click "Save Access Control List".
EDIT2: I’ve also added this to TrueNAS Scale installation instructions:
Step 10: Configure S.M.A.R.T. Tests - Ensure you create periodic S.M.A.R.T. tests of your Disks:
1. Navigate to "Data Protection > Periodic S.M.A.R.T. Tests" in the TrueNAS interface.
2. Click "Add".
3. Check "All Disks".
4. Select "SHORT" from the "Type" dropdown menu.
5. Select "Weekly (0 0 * * sun) On Sundays at 00:00 (12:00 AM)" from the "Schedule" dropdown menu. # Or change it to meet your needs
6. Click "Save".
Now it’s done… I promise!
Best regards,
PapaGigas
I’ve changed the port Cloudflare Tunnels was using to connect to Traefik and added a new entrypoint to Traefik to keep your services isolated!
PS: I’ve also added the external Traefik labels to all containers in the proxy network!
Best regards,
PapaGigas
I’ve added Gotify’s client configuration instructions!
PS: I’ve done some changes to TrueNAS installation instructions. Honestly, it’s now the best guide I’ve seen for first-time installs… not to brag too much!
EDIT: Well, guess I jinxed it, LOL, shouldn’t have bragged that hard… the universe clearly wasn’t having it and I lost power right after I hit “reply”:
EDIT2: I’ve done a refactoring on the datasets…
EDIT3: I’ve done a refactoring on the network…
EDIT4: I’ve added this warning to the guide:
WARNING: If you installed anything before May 1, 2025, you’ll need to start over due to major changes in the dataset and network structure!
Best regards,
PapaGigas
@wendell I know you’re probably busy with more important things, but could I ask for your help in improving the security and functionality of the stacks?
PS: I’ll be adding Steam-Headless to the GAMES stack next. After that, I’ll focus on writing the instructions for setting up all the remaining programs included in this guide… unless anyone has other requests!
Best regards,
PapaGigas
can you catch me up real quick? what if we put all the stacks on a tailnet but I show you how all the stack members can get real ssl certs even tho they’re on a tailnet?
I’ve sort of decided a transparent VPN like Tailscale or wireguard is The Way for self hosted privateNets going forward
I’m using Tailscale as part of my home server setup as well, and I add my containers to the Tailnet using TSDProxy, as part of the TAILNET stack described in my guide. I also use a subdomain like ts.example.com, served through Traefik with valid SSL certificates, to access my services securely over the Tailnet.
My main goal is to secure and optimize the containers as much as possible. I’m not a Docker expert, but I’m doing my best to follow best practices. I’d really appreciate any input from those with more experience on how I can further harden this setup or improve the overall architecture.
EDIT: I believe the TrueNAS instructions in my guide are solid, but I’d really appreciate feedback from more experienced users. If you spot anything unclear or think something could be improved, please let me know!
EDIT2: I’m saying they “are solid” this time… because last time I bragged, everything broke spectacularly:
EDIT3: @wendell Awesome video on AMD BIOS settings… thanks!
Best regards,
PapaGigas
I’ve added one more (optional) step to the TrueNAS installation instructions:
Step 19: Configure CPU (optional) - Ensure that your CPU latency is minimal: # Reduces latency but increases power consumption
1. Navigate to "System > Advanced Settings > Init/Shutdown Scripts" in the TrueNAS interface.
2. Click "Add" to create a script that sets the CPU governor to "performance".
3. Type "CPU governor" in the "Description" field.
4. Select "Command" from the "Type" dropdown menu.
5. Copy and paste the following command into the "Command" field:
cpupower frequency-set -g performance
6. Select "Post Init" from the "When" dropdown menu.
7. Click "Save".
8. Click "Add" again to create a second script to disable the C2 idle state.
9. Type "CPU idle-states" in the "Description" field.
10. Select "Command" from the "Type" dropdown menu.
11. Copy and paste the following command into the "Command" field:
cpupower -c all idle-set -d 2
12. Select "Post Init" from the "When" dropdown menu.
13. Click "Save".
Best regards,
PapaGigas
I’ve added the OPNsense installation instructions (step 22):
####################################################################################################
# install - OPNSENSE
####################################################################################################
1 - Download and extract the latest OPNsense "dvd" image. # https://opnsense.org/download
2 - Set up your ISP router in "bridge" mode (usually on port number 4). # RTFM
3 - Navigate to "Network > Interfaces" in the TrueNAS interface.
4 - Click on the "Edit" button of the network interface you'll use to connect to the internet (WAN).
5 - Uncheck "DHCP".
6 - Uncheck "Autoconfigure IPv6".
7 - Set the "MTU" to "1500".
8 - Click "Save". # Don't click on the 'Test Changes' button
9 - Click on the "Add" button to add a new network interface.
10 - Select "Bridge" from the "Type" dropdown menu to create a virtual Switch.
11 - Type "br1" in the "Name" field.
12 - Type "vSwitch" in the "Description" field.
13 - Check "DHCP".
14 - Uncheck "Autoconfigure IPv6".
15 - Select your network interface (e.g.: eno2, eth1, etc...) from the "Bridge Members" dropdown menu.
16 - Set the "MTU" to "1500".
17 - Click "Save".
18 - Click on "Test Changes" and confirm.
19 - Click on "Save Changes", followed by "Save" to confirm.
20 - Navigate to "Instances" in the TrueNAS interface.
21 - Select "Global Settings" from the "Configuration" dropdown menu.
22 - Select "tank" from the "Pool" dropdown menu.
23 - Select "br1" from the "Bridge" dropdown menu.
24 - Click "Save".
25 - Click "Create New Instance".
26 - Type "opnsense" in the "Name" field.
27 - Choose "VM" from the "Virtualization Method" menu.
28 - Choose "Upload ISO, import a zvol or use another volume" from the "VM Image Options".
29 - Click "Select Volume", followed by "Upload ISO" and select OPNsense ISO image.
30 - Wait for the download to finish and click "Select".
31 - Type "4" in the "CPU Configuration" field. # Or set it to your preference
32 - Type "8GB" in the "Memory Size" field. # Or set it to your preference
33 - Uncheck "Use default network settings".
34 - Check "br0" and "br1" from the "Bridged NICs" section.
35 - Check "Enable VNC".
36 - Click "Create".
37 - Open your VNC client and access: # Replace '192.168.1.1' with your TrueNAS IP address
192.168.1.1:5900
38 - Login using the user "installer" and password "opnsense".
39 - Select your keymap.
40 - Select "Install (UFS)" and click "OK".
41 - Select "nvd0" and click "OK".
42 - Click "Yes" to confirm and wait for the installation to finish.
43 - Select "Complete Install" and click "OK". # Don't change the root password just yet
44 - Select "Reboot Now" and click "OK".
45 - Reopen your VNC client and connect again to: # Replace '192.168.1.1' with your TrueNAS IP address
192.168.1.1:5900
46 - Login using the user "root" and password "opnsense". # Default
47 - Enter "2" to "Set interface IP address".
48 - Enter "1" to select the "LAN" interface.
49 - Enter "n" to disable DHCP.
50 - Type your OPNsense Web interface IP address, in most cases: # Replace '192.168.1.253' with OPNsense's IP address on your local network
192.168.1.253
51 - Type "24" as the subnet mask (255.255.255.0).
52 - Press "ENTER" to leave the gateway empty.
53 - Enter "n" to disable IPv6 via WAN tracking.
54 - Enter "n" to disable DHCP for IPv6.
55 - Press "ENTER" to leave IPv6 empty/disabled.
56 - Enter "n" to skip enabling the DHCP server.
57 - Enter "n" to keep the default web GUI protocol (HTTPS).
58 - Enter "n" to skip generating new certificates.
59 - Enter "n" to skip restoring default web GUI access.
60 - Open OPNsense's Web interface, in most cases:
https://192.168.1.253
61 - Login using the user "root" and password "opnsense".
62 - Click "Next" to start the Wizard.
63 - Fill out the "General Information" section: # Replace 'home.arpa' with your Top Level Domain name (e.g.: example.com)
Hostname: opnsense
Domain: home.arpa
Primary DNS Server: 1.1.1.2
Secondary DNS Server: 1.0.0.2
64 - Uncheck "Override DNS".
65 - Uncheck "Enable Resolver".
66 - Click "Next".
67 - Select your "Timezone".
68 - Click "Next".
69 - Ignore the "Configure WAN Interface" section and click "Next". # Just make sure it's on
70 - Ignore the "Configure LAN Interface" section and click "Next".
71 - Change your "Root Password".
72 - Click "Next".
73 - Click "Reload" to apply the changes.
74 - Navigate to "System > Firmware > Status" in the OPNsense interface.
75 - Click "Check for updates".
76 - Click "Close".
77 - Click "Update" to apply the updates and reboot.
78 - Login using the user "root" and the new password from step 71.
79 - Navigate to "Interfaces > LAN" in the OPNsense interface.
80 - Check "Lock" to prevent interface removal.
81 - Click "Save", followed by "Apply changes".
82 - Navigate to "Interfaces > WAN" in the OPNsense interface.
83 - Check "Lock" to prevent interface removal.
84 - Click "Save", followed by "Apply changes".
85 - Navigate to "Interfaces > Settings" in the OPNsense interface.
86 - Uncheck "Allow IPv6".
87 - Click "Save".
88 - Navigate to "System > Settings > Administration" in the OPNsense interface.
89 - Select "LAN" from the "Listen Interfaces" and click "I know what I am doing" to confirm.
90 - Click "Save".
91 - Navigate to "System > Settings > General" in the OPNsense interface.
92 - Check "Prefer IPv4 over IPv6".
93 - Change the DNS servers "Use gateway" option from "None" to: # For both '1.1.1.2' and '1.0.0.2'
WAN_GW - wan -
94 - Type "." in the "DNS search domain" field.
95 - Click "Save".
96 - Navigate to "System > Firmware > Plugins" in the OPNsense interface.
97 - Add the following plugins:
os-crowdsec
os-tailscale
98 - Navigate to "Power > Reboot" in the OPNsense interface.
99 - Click "Yes" to reboot.
100 - Login using the user "root" and the new password from step 71.
101 - Navigate to "System > Configuration > Backups" in the OPNsense interface.
102 - Click "Download Configuration".
103 - Navigate to "System > Shell" in the TrueNAS interface.
104 - Copy and paste the following commands into the TrueNAS shell:
sudo docker network rm home
sudo docker network create --driver=macvlan --subnet=192.168.1.0/24 --ip-range=192.168.1.0/24 --gateway=192.168.1.253 -o parent=br0 home
NOTE: If needed, replace the "home" network's subnet, ip-range and gateway (OPNsense) to match your TrueNAS network's settings!
105 - Navigate to "Network > Global Configuration > Settings" in the TrueNAS interface.
106 - Replace your router's IP address with your OPNsense IP address in the "Default Gateway" field, in most cases:
192.168.1.253
107 - Click "Save".
108 - Navigate to "System > General Settings" in the TrueNAS interface.
109 - Click on the "Manage Configuration" dropdown menu and select "Download File".
110 - Check "Export Password Secret Seed".
111 - Click "Save" to confirm.
112 - If everything went well, reboot your TrueNAS system.
Congratulations on successfully installing OPNsense in TrueNAS Scale! :)
####################################################################################################
# EOF - TrueNAS-Compose - URL: https://www.truenas-compose.com
####################################################################################################
EDIT: I hope I didn’t forget any step…
Best regards,
PapaGigas
I’ve added one more step to the TrueNAS installation instructions:
Step 13: Configure Users - You'll need to create a user account to access and manage your TrueNAS system:
1. Copy and paste the following command into your terminal (on your local computer):
ssh-keygen -t ed25519
2. Press "Enter" to accept the default location:
%USERPROFILE%\.ssh\id_ed25519 (Windows)
~/.ssh/id_ed25519 (macOS/Linux)
3. Enter a passphrase for extra security. # This will secure your private key
4. Re-enter the same passphrase to confirm.
5. Navigate to "Credentials > Users" in the TrueNAS web interface.
6. Click on the "Add" button.
7. Type your username on the "Full Name" and "Username" fields.
8. Type your secure password on the "Password" and "Confirm Password" fields.
9. Type your email address on the "Email" field (optional).
10. Uncheck "Create New Primary Group".
11. Type "builtin_administrators" on the "Primary Group" field.
12. Type "/mnt/tank/users" on the "Home Directory" field. # Replace 'tank' with your Data/Games' pool name
13. Check "Create Home Directory".
14. Under "Upload SSH Key", click "Choose File" and select your public key file: # id_ed25519.pub
%USERPROFILE%\.ssh\id_ed25519.pub (Windows)
~/.ssh/id_ed25519.pub (macOS/Linux)
15. Change the "Shell" to "bash".
16. Check "Allow all sudo commands".
17. Check "SMB User".
18. Click "Save".
19. Log out, then log back in using your new "Username" and "Password".
20. Select your "truenas_admin" account.
21. Click on the "Edit" button.
22. Check "Lock User".
23. Click "Save".
PS - Now I think it’s finally done…
Best regards,
PapaGigas
@wendell I know the Docker section of the guide might not be the most exciting thing to waste your time on, but if you get a chance, could you take a look at the “Setting Up TrueNAS Before Using Docker Stacks” section? I’d really appreciate any feedback you have!!
EDIT: Btw, the “forbidden router” instructions are included at the end as an optional step!
EDIT2: I’ve added these steps to the OPNsense installation instructions:
101 - Navigate to "Lobby > Dashboard" in the OPNsense interface.
102 - Copy your "WAN_GW" IP address from the "Gateways" widget.
103 - Navigate to "Services > Intrusion Detection > Administration" in the OPNsense interface.
104 - Toggle the "advanced mode" option to "ON".
105 - Check "Enabled".
106 - Check "IPS mode".
107 - Check "Promiscuous mode".
108 - Select "Hyperscan" from the "Pattern matcher" dropdown menu.
109 - Paste the "WAN_GW" IP address from step 102 into the "Home networks" field.
WARNING: You'll need to update this field every time your public IP address changes!
110 - Click "Apply".
111 - Switch to the "Download" tab and select the following "Rulesets": # https://docs.opnsense.org/manual/ips.html#available-rulesets
abuse.ch/Feodo Tracker
abuse.ch/SSL Fingerprint Blacklist
abuse.ch/SSL IP Blacklist
abuse.ch/ThreatFox
abuse.ch/URLhaus
112 - You may also select the "ET Open" ruleset (optional). # For guidance, visit the Emerging Threats Community at: https://community.emergingthreats.net
113 - Click "Enable selected".
114 - Click "Download & Update Rules".
115 - Navigate to "Services > ClamAV > Configuration" in the OPNsense interface.
116 - Check "Enable clamd service".
117 - Check "Enable freshclam service".
118 - Click "Save".
119 - Click "Download signatures" (on the top right corner of the page).
EDIT3: I can’t make the installation persist if I try to use any other volumes than the “incusroot”!
EDIT4: SOLVED!
EDIT5: I’ve also added these steps, but I need some help on tuning ZFS in 2025:
Step 21: Disable NVMe Power Savings (optional) - Ensure that your high-performance storage (e.g.: Optane, NVMe) latency is minimal: # Reduces latency but increases power consumption
1 - Navigate to "System > Shell" in the TrueNAS interface.
2 - Copy and paste the following command into the TrueNAS SHELL: # These changes will only take effect after the system is rebooted
midclt call system.advanced.update '{"kernel_extra_options": "nvme_core.default_ps_max_latency_us=0 pcie_aspm=off"}'
Step 22: Tune ZFS (optional) - Ensure that your high-performance storage (e.g.: Optane, NVMe) settings are optimized for ZFS performance:
Work in progress... please be patient! :)
Best regards,
PapaGigas
I’ve added this to the TrueNAS installation instructions:
Step 22: Tune ZFS (optional) - Ensure that ZFS is optimized for your high-performance storage (e.g.: Optane, NVMe): # Maximizes IOPS and reduces I/O bottlenecks
1. Navigate to "System > Shell" in the TrueNAS interface.
2. Copy and paste the following command into the TrueNAS SHELL: # These changes will only take effect after the system is rebooted
midclt call system.advanced.update '{"kernel_extra_options": "zfs_vdev_def_queue_depth=128 zfs_dmu_offset_next_sync=0 zfs_vdev_async_read_max_active=12 zfs_vdev_max_active=4096"}'
WARNING: If you previously configured Step 21, combine those options with these in a single command to avoid overwriting settings!
PS - I used the ZFS tunables from this thread:
Best regards,
PapaGigas
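The WARNING in Step 22 points at a real failure mode: `system.advanced.update` replaces the whole `kernel_extra_options` string, so pasting the Step 22 command after Step 21 silently drops the NVMe/ASPM options. The script below is an added example (not part of the guide or of TrueNAS itself) that reads the currently stored options, merges the new ones in with later values overriding the same key, and writes the result back; it assumes `midclt call system.advanced.config` returns the current settings as JSON and that `jq` is available in the TrueNAS shell.

```shell
#!/bin/sh
# Added example for Steps 21 and 22: merge new kernel options into the ones
# already stored in TrueNAS instead of overwriting them.
# Assumptions: `midclt call system.advanced.config` returns the current
# settings as JSON and `jq` is available on the TrueNAS shell.

# merge_kernel_opts EXISTING NEW
# Prints the union of two space-separated "key=value" option lists. A key
# that appears in NEW replaces the same key in EXISTING (so re-running a
# step is idempotent); keys found only in NEW are appended in order.
merge_kernel_opts() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        function add(opt,    k) {
            if (opt == "") return
            k = opt
            sub(/=.*/, "", k)            # key is everything before the first "="
            if (!(k in val)) order[++cnt] = k
            val[k] = opt
        }
        { n = split($0, a, " "); for (i = 1; i <= n; i++) add(a[i]) }
        END {
            for (i = 1; i <= cnt; i++)
                printf "%s%s", (i > 1 ? " " : ""), val[order[i]]
            printf "\n"
        }'
}

# build_update_payload OPTS
# Builds the JSON argument expected by `midclt call system.advanced.update`.
build_update_payload() {
    printf '{"kernel_extra_options": "%s"}' "$1"
}

# apply_kernel_opts NEW
# Reads the options currently stored in TrueNAS, merges NEW into them and
# writes the combined string back. Use this instead of a bare update call
# so that Step 21 survives Step 22 (and vice versa).
apply_kernel_opts() {
    current=$(midclt call system.advanced.config | jq -r '.kernel_extra_options // ""')
    merged=$(merge_kernel_opts "$current" "$1")
    midclt call system.advanced.update "$(build_update_payload "$merged")"
    echo "kernel_extra_options is now: $merged (takes effect after reboot)"
}

# Example call (commented out so the file can be sourced without side effects):
# apply_kernel_opts "zfs_vdev_def_queue_depth=128 zfs_dmu_offset_next_sync=0 zfs_vdev_async_read_max_active=12 zfs_vdev_max_active=4096"
```

Run `apply_kernel_opts` once per step with that step's options; the stored string keeps every earlier key and only the keys you pass again change.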
I’ve added this to the TrueNAS installation instructions:
Step 13: Configure ZFS Record Sizes - Ensure that the record sizes are optimized for each dataset based on its specific workload: # Adjusting the 'recordsize' helps improve performance
1. Navigate to "System > Shell" in the TrueNAS interface.
2. Copy and paste the following commands into the TrueNAS shell: # Replace 'tank' with your Apps' pool name
zfs set recordsize=16K tank/docker
zfs set recordsize=128K tank/incus
3. Copy and paste the following commands into the TrueNAS shell: # Replace 'tank' with your Media/Downloads' pool name
zfs set recordsize=16K tank/downloads
zfs set recordsize=1M tank/media
4. Copy and paste the following commands into the TrueNAS shell: # Replace 'tank' with your Data/Games' pool name
zfs set recordsize=1M tank/data
zfs set recordsize=1M tank/games
zfs set recordsize=1M tank/users
5. If needed, refer to the official OpenZFS documentation for detailed guidance on workload tuning. # https://openzfs.github.io/openzfs-docs/Performance%20and%20Tuning/Workload%20Tuning.html#dataset-recordsize
PS - I still hope I can get some help optimizing the record sizes and the ZFS tunables…
Best regards,
PapaGigas
Thanks!
Just be aware that those settings can thrash hdds if there is no SLOG, ZIL or low memory. They are geared towards 100gbe systems that will have 96gb+ RAM. Best used for systems where primary workloads are served via nvme or ssd and hdd is archive or low intensity. Ymmv.