A big differentiator in how you might want to tackle this depends on one question: are you planning on getting into Linux systems administration, like for work? Because if you actually really want low-level Linux skills, then that’s a whole slew of things you’ll need to learn from scratch. And it’s not just your Windows-only experience that’s holding you back; managing a server is different from managing your desktop.
But if you’re not really interested in working in IT, or all you really want to learn is how to self-host, you’re probably better off with an appliance, like UnRAID. These OSs abstract away much of the low-level stuff so you don’t have to worry about it. Not the best way to learn how Linux works really well, but the easiest way to manage your self-hosted environment.
https://ghost.org/ would probably work pretty well for you.
The best proof would be to just try it yourself and see what happens. Load up Wireshark, make a query, and look at your traffic. Because the problem is there isn’t a single technical article I can point you to that details exactly how DNS resolution works on every device running any given operating system. “Network attached devices” could be anything and so you can’t be certain exactly how each device will operate.
I’ll give you that in the case of Windows devices specifically, Microsoft isn’t good at keeping documentation up to date, and on older versions of Windows it used to work the way you describe. It would send the request to your first DNS server, wait one second for a response, and only if it didn’t get one would it move on to your next one. However, in Windows 10 today, if I edit my configuration so that I use a local DNS server located at 192.168.69.210 as my “Preferred” DNS server and 1.1.1.1 as my “Alternate” DNS server, look what happens:
It sends the same request out to both without waiting, and the response from Cloudflare actually comes in before the one from my local DNS server. So if this were a request for a blocked domain, the client would accept the response from Cloudflare because it was received first, and so the request wouldn’t be blocked.
Actually, they do know what they’re talking about. Configuring DHCP with multiple DNS servers isn’t for failover, it’s for redundancy. The result is ultimately operating system dependent, but modern Windows operating systems will query all configured DNS servers in parallel and accept the first answer they receive. So if you configure your Pi-hole as one DNS server and a public DNS server as a second, a lot of your traffic will just bypass your Pi-hole ad filtering entirely.
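A detection check for the parallel-query behaviour described in the two comments above, written as an added example (not the commenter's code): it replays a constructed tshark-style DNS log and reports names whose first answer came from a resolver other than the Pi-hole. The resolver addresses are the ones from the post; the client address 192.168.69.50, the log format and the queried names are constructed.

```python
from collections import defaultdict

PIHOLE = "192.168.69.210"   # the "Preferred" (local, filtering) DNS server from the post
PUBLIC = "1.1.1.1"          # the "Alternate" (public) DNS server from the post
CLIENT = "192.168.69.50"    # constructed: the Windows client's LAN address

# Constructed tshark-style export, one DNS packet per line:
# <seconds> <src ip> <dst ip> <transaction id> <query|response> <name>
CAPTURE = """\
0.000 192.168.69.50 192.168.69.210 0x1a2b query ads.example.com
0.000 192.168.69.50 1.1.1.1 0x1a2b query ads.example.com
0.018 1.1.1.1 192.168.69.50 0x1a2b response ads.example.com
0.031 192.168.69.210 192.168.69.50 0x1a2b response ads.example.com
0.100 192.168.69.50 192.168.69.210 0x77aa query printer.lan
0.105 192.168.69.210 192.168.69.50 0x77aa response printer.lan
"""

def parse(lines):
    """Return (time, src, dst, txid, kind, name) tuples, oldest first."""
    rows = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        t, src, dst, txid, kind, name = line.split()
        rows.append((float(t), src, dst, txid, kind, name))
    return sorted(rows)

def fanned_out(lines, client):
    """Map txid -> (name, first responder) for every query the client sent to
    more than one resolver. Windows accepts whichever answer lands first, so
    the first responder is the one whose view of the name the client uses."""
    asked = defaultdict(set)      # txid -> set of resolvers the query went to
    first = {}                    # txid -> (name, resolver that answered first)
    for _, src, dst, txid, kind, name in parse(lines):
        if kind == "query" and src == client:
            asked[txid].add(dst)
        elif kind == "response" and dst == client and txid not in first:
            first[txid] = (name, src)
    return {tx: first[tx] for tx in asked if len(asked[tx]) > 1 and tx in first}

def bypassed(lines, client, pihole):
    """Names whose winning answer did not come from the Pi-hole: ad filtering
    was skipped for these even though the Pi-hole was configured."""
    return sorted(name for name, who in fanned_out(lines, client).values()
                  if who != pihole)

if __name__ == "__main__":
    for name in bypassed(CAPTURE, CLIENT, PIHOLE):
        print(f"{name}: answered first by a non-Pi-hole resolver, filter bypassed")
```

Point a real run at a `tshark -T fields` export of your own capture with the same six columns to see which names on your network never reach the Pi-hole's blocklist.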
No, I would love to switch to Jellyfin. I ditched Plex after some of their more recent shenanigans, but Jellyfin is just so vastly inferior on almost every front that it’s difficult to even compare the two. For now I’m using Emby, which is another fork of the same project Jellyfin is, and it’s a lot closer to feature parity with Plex. And I’ll gladly pay money for a quality product over settling for a free product that doesn’t really get the job done.
I just hope that one day Jellyfin reaches a maturity that it’s actually worth switching to.
If it’s double NAT where you have control over both boxes, it’s not that big a deal. First of all, it only matters at all if you’re trying to forward ports for remote access to your services, in which case you just need to add two port forwarding rules for each service instead of one: one in each firewall. Alternatively, if the ISP router allows it, see if it has a 1:1 NAT feature; this way it forwards ALL the ports to your private router, where you can then be selective about which ports to allow.
Alternatively, if you’re not trying to host services on your LAN for public access and consumption (which would be a bad idea at this point in time anyway given your level of knowledge), don’t worry about the NAT or port forwarding at all and just use a mesh VPN like Tailscale (optionally with the self-hosted control application Headscale) and use that to access your services securely from outside your home.
I’ve been using Kopia, which runs in a Docker container and backs up my data to B2. It does daily, weekly, monthly, and yearly copies. You can browse your backups on a file level inside the UI and redownload just what you want, or do a full restore. It’s all encrypted in B2 as well. I’ve had to use it to download backups of corrupted SQLite files and I haven’t had a single issue with it yet.
I’m a fan of Zabbix. I’ve used it in a datacenter environment, but it’s much easier to configure than Icinga/Nagios and not as hacky as Prometheus/Grafana.
Homebox is an inventory management system in the same vein as Snipe-IT, but purpose-built to be simpler and cause less friction so that you’re more inclined to enter things and keep them up to date. You can use it for things like storing user guides, warranty contracts and expirations, and even expense tracking related to the maintenance and repair of any home items, like appliances and electronics. I use it to store warranty expirations for things like game consoles and TVs, as well as to remind me to order new air filters for the home.
Calibre is great, but it’s not a server-based program, it’s just a desktop client. There is Calibre-web, which you can host and which kinda turns it into a server, but it does that by exposing a website you connect to that shows you the Calibre interface via VNC, so it’s a bit hacky.
I haven’t tried it, but https://www.kavitareader.com/ might be a good alternative if you end up not liking Calibre.
Just a side note that “not opening firewall ports” is not inherently a security benefit if you’re exposing the same service on the same port on the same host anyway via your reverse proxy setup.
If you were to measure your level of “security” on having ports open or not alone, then using Cloudflare tunnels could be considered worse, since an outbound VPN connection to Cloudflare is essentially circumventing your firewall’s protection entirely, meaning you’re effectively opening all 65,535 TCP and UDP ports instead of one, albeit only to Cloudflare.
There are benefits to using Cloudflare tunnels, but “not opening firewall ports” is not one of them. And you could just as easily accomplish the same thing without Cloudflare by using a VPS and Tailscale with the self-hosted Headscale coordinator.
The point of paid SSL at this stage in the game is the higher tiers of verification. Instead of just verifying that you own the domain, you can verify that you are who you say you are. These are called Extended Validation and Organization Validation certificates. This has historically been desirable for businesses. It used to be that these higher-tier certs would not only give you a lock icon in the address bar of a web browser, but also a little blurb confirming your organization is legit. Not sure if this is still the case though. You will see the extended validation when you check the site’s certificate though, for sure.
As far as encryption and security, there’s no difference. Also, side note: the Comodo brand still technically exists, but it was bought by Sectigo like 7 years ago.