Home Server Setup and Management help needed.


vl1969 (Active Member, Feb 5, 2014)
Hello everyone.
I am in need of some pointers and guidance on the best way to set up and manage my Proxmox VE 5.1.xx based home setup.

For better help, here is my setup and my needs overall...
I have a single SuperMicro server with dual hexacore Opterons (12 cores total) with 49GB RAM.
Proxmox is installed on 2x120GB SSD in a ZFS raid-1 (mirrored) setup.
I also have an additional ZFS mirror pool of 2x1TB HDD to store my backups and possibly run some low priority VMs from it. These 2 pools (rpool on the SSD mirror and the pvstore pool on the HDD mirror) are all the local storage for Proxmox use.

I have 2 data pools in the machine, tank0 and tank1; both are ZFS mirrored setups.
One is based on 6x2TB HDD (3 devices of 2x2TB disks in mirror, 6TB total) and the other on 2x3TB HDD (1 device of 2x3TB disks in mirror, 3TB total). This will be expanded as soon as I can free 2 other 3TB drives and add them to the pool.

All of that is working well.

Now I am trying to have a FileServer, Media Server and Downloader Server set up on this.
All data will be served and used from tank0 and tank1 using bind-mounts to all three VMs.

I found a TurnKey FileServer LXC container and a TurnKey MediaServer LXC, which are essentially the same thing but with Emby installed on MediaServer.
I bind-mount the tank0 media store and tank1 media store folders to the mediaserver and all seems to work, but I have a lot of issues with users and permissions, especially when I install torrent and usenet clients and CouchPotato etc.

QUESTIONS:

I do not download much, but it is nice to have a ready setup if I need to have something downloaded.
Should I set up a separate container with all downloaders in it and bind-mount my folders there as well as to the Media server?

I like the TurnKey setup as it has a lot of things done and is a very nice setup, especially the main login screen where I can add links to all my other apps to call from. But user permissions are strange.

Should I use a bare distro container instead?


How do I manage users and user permissions on shared locations (i.e. my data and media folders on bind-mounted ZFS folders) so I have a user for administration and a user for read/view only?
The TurnKey Media server comes set up with an Emby user.
In my current setup I tried to use only one LXC container and added a plexadmin user, which all of the downloaders use for processing. BUT now all relative folders must have plexadmin/users permissions set,
which prevents Emby from adding metadata to the locations.
Also, if I have an HTPC with its own user, how do I let it access the remote shares properly?

If I will have multiple PCs and VMs with multiple users, do I need to set up an LDAP server as well to have a local domain?

I have a stand-alone machine running Proxmox VE with a pfSense VM as my firewall/router.
Can I use that to manage my credentials/users?

At work I used to run an MS domain controller with AD, but Linux is a bit different.

What are my best options for managing this setup?

Thanks Vlad.
 

Continuum (Member, Jun 5, 2015)
For authentication and credentials, you could look into FreeIPA. It provides authentication, user management, and, optionally, DNS for your network. As FreeIPA is an enterprise-designed system that brings several tools together to provide AD-esque features to Linux, it is a bit of overkill for home purposes. You can find out more information here: FreeIPA

A few things to consider: First, last I knew, TurnKey containers are based on Debian. Although the FreeIPA client is not included in the Debian repositories, the Debian FreeIPA clients can be found at apt.numeezy.fr. Second, I do not know how FreeIPA integrates with Webmin, the web management feature for TurnKey containers. I basically run bare distro containers for my services. Third, you will need to choose a domain name for FreeIPA. Fourth, using FreeIPA with unprivileged containers is a little more involved. While integrating FreeIPA with unprivileged containers is not hard, one cannot simply install the FreeIPA client in an unprivileged container and expect authentication to work. Some minor editing of the container configuration file is necessary. This editing can be scripted. If you decide to use FreeIPA as your authentication service and use unprivileged containers, I would be happy to share the script that I run after container creation and installation of FreeIPA.
 

vl1969 (Active Member, Feb 5, 2014)
Thanks Continuum, I have already read up on FreeIPA, and it does seem a bit overkill for a home user. But so is setting up an LDAP server, don't you think? :)

I am a little new to containers and such complicated setups. In the past I used full VMs and I know what to expect in that scenario.
But using containers helps me now, since I cannot bind-mount my ZFS sub-volumes to a VM; I have to pass through the disks, and it is a pain, especially on older hardware such as mine.

Let me try to rephrase my questions a little.

Since TurnKey MediaServer comes with Emby installed and configured, and from what I read up on it, even if self-installed I still need the "emby" user anyway:
#1. Can I simply add other containers for downloading and whatnot, and simply create the "Emby" user in them?
#2. Is there a way to clone a user and all settings from one VM/container to several others? So I can run the media apps under the same user in all containers with the same bind-mount locations loaded in each of them and keep all the rights and permissions the same.

When I was setting up my current configuration I had issues with the Emby user login, so I just created a new user of my choice and manually set all the groups and such for it, mirroring the emby user settings. But it was a mistake; I forgot that Linux is way too literal in all assumptions and permissions are trickier than on Windows.
So now most of my media files and folders are tied to the new user "plexadmin" and it is not good.

Is there a way to set things up in a way that would allow me to have 2 users, i.e. "emby" and "htpc", point to the same location(s),
i.e. my bind-mounted sub-volume(s) "/mnt/tank1/media" and "/tank1/downloads", but where "emby" will be the full admin and could read and write any and all files and folders etc., and any app running under the emby user does the same, but the htpc user would only be read-only so I can use it on my HTPC client guests to read/stream files only?

I also want to add a new question: is there a way to set up my download apps to work anonymously, via VPN or proxy? I made a mistake when setting up CouchPotato and it started downloading everything randomly and hit a copy-protected file. I got a notice from my ISP about it. I would like to prevent that in the future.
 

Continuum (Member, Jun 5, 2015)
vl1969 said:
Thanks Continuum, I have already read up on FreeIPA, and it does seem a bit overkill for a home user. But so is setting up an LDAP server, don't you think? :)

I would agree. I briefly looked at TurnKey's OpenLDAP appliance, but opted for FreeIPA because I thought it would be easier to set up and integrate into other containers. (Most of my containers are Ubuntu LTS or CentOS based.)

vl1969 said:
Since TurnKey MediaServer comes with Emby installed and configured, and from what I read up on it, even if self-installed I still need the "emby" user anyway:
#1. Can I simply add other containers for downloading and whatnot, and simply create the "Emby" user in them?
#2. Is there a way to clone a user and all settings from one VM/container to several others? So I can run the media apps under the same user in all containers with the same bind-mount locations loaded in each of them and keep all the rights and permissions the same.

For #1, you could do this. You would just need to ensure that the user id is the same across all the containers. Although the username is listed as the owner of a file or directory, Linux actually compares the user and group ids of the user to determine permissions. Thus, if the emby user has an id of 1000, you would need to ensure that the emby user is assigned the user id of 1000 across all of the containers. Additionally, if you have a mixture of privileged and unprivileged containers, you will have to modify the container configuration to map certain users. Unprivileged containers use an offset for all user ids. For example, in Proxmox, the default offset is 100000. Thus, the user id "1000" is mapped to "101000" on the host and any privileged container. The Proxmox wiki contains information on how to preserve user ids across the host, unprivileged containers, and privileged containers.

For #2, I can think of one method. You could copy or have access to a master /etc/passwd and /etc/shadow file across all the VMs and containers. For containers, you might be able to bind-mount those files too, though I've not tried. I can think of two downsides if those files are copied across all the containers and hosts. First, any time a password is changed or a user is added, both of those files would be copied again to keep a coherent user map across all the containers and VMs. Second, for any environment with a mix of unprivileged containers and VMs or privileged containers, you still need to modify the container's config. Again, modifying the config is not hard and easily scriptable.

vl1969 said:
When I was setting up my current configuration I had issues with the Emby user login, so I just created a new user of my choice and manually set all the groups and such for it, mirroring the emby user settings. But it was a mistake; I forgot that Linux is way too literal in all assumptions and permissions are trickier than on Windows.
So now most of my media files and folders are tied to the new user "plexadmin" and it is not good.

Is there a way to set things up in a way that would allow me to have 2 users, i.e. "emby" and "htpc", point to the same location(s),
i.e. my bind-mounted sub-volume(s) "/mnt/tank1/media" and "/tank1/downloads", but where "emby" will be the full admin and could read and write any and all files and folders etc., and any app running under the emby user does the same, but the htpc user would only be read-only so I can use it on my HTPC client guests to read/stream files only?

Groups and ACLs are your friends here. Actually, I accomplished this on my server. I have a group called "media". The "media" group has rw access to the entire media directory. The emby user, the mythtv user, and two local users are members of the "media" group and have access to the media folder and can upload any files, with any other user in the "media" group having access. You just need to set the group id to be sticky for all files under the "media" or "download" directory. You can accomplish this by first setting the group for "media" or "downloads" using "chgrp [groupname] [dir]". If you already have files in the directory structure, you may want to use "chgrp -R [groupname] [dir]". You then use "chown -R g+s [dir]" to ensure any files created in the future will have the appropriate group owner. After changing the groups, you will have to restrict the group to just r access, performing "chmod -R g-w [dir]", making the files read-only to group members. To ensure future files have the appropriate rwx permissions, take a look at the umask command. (You could also use ACLs, but that is more involved as you may need to add additional packages to the containers to read and set ACLs.)

Hope this helps.
 

K D (Well-Known Member, Dec 24, 2016)
Not really. Depends on what you need. I use a Windows 2012r2 VM with 512MB RAM and 1 vCPU as a DC. It also provides DNS to my home and lab. Unless I replied into it, the CPU and members utilization don't even register a blip. However, being Windows, it takes up almost 20GB of disk space. I looked into moving to the TurnKey appliance and tested it with 1 vCPU, 256MB RAM, and it took about 1.3GB disk space. But since I'm more comfortable with Windows and I have a bunch of Windows servers that I experiment with, I decided to leave it alone.
 

Evan (Well-Known Member, Jan 6, 2016)
If licensing isn't an issue for you, then I am with @K D here in thinking that if you don't mind Windows, a DC is not the worst idea.
I have done a project with all the free/cheap tools like the appliances mentioned, and it worked really well but was pretty complicated to get it all working the way we wanted.

What I really wanted to say is it's so useful to have some central user admin function; it just makes so many things easier if you want to get into any kind of restrictions by user, also on your firewall etc.
 

vl1969 (Active Member, Feb 5, 2014)
Well, Windows Server is not an option. First, I have no licenses for it, and most of the clients are Linux based.
I run a pfSense machine that handles my firewall and routing as well as DHCP and DNS.
