• 0 Posts
  • 20 Comments
Joined 2 years ago
Cake day: June 7th, 2023

  • Proxmox on a Lenovo micro form factor is probably a good cost effective option. Get a business class ThinkCentre, like an M720 or something similar that’s 3-5 years old that a corpo has just upgraded away from, i5 or Ryzen 5 with however much storage and RAM you want. Spin up a container specifically and only for PiHole+Unbound (and consider adding a pi or some other dedicated hardware for DNS later on for redundancy in case your main goes down), and then the rest is however you want to build your environment.

    For me, I’ve got a Pi dedicated to 3 key tasks: PiHole, Unbound, and PiVPN (edit: and Nginx Proxy Manager. It’s dedicated to 4 key tasks…). It’s basically my filtering interface between the home network and the rest of the internet immediately after my router handles the frontline defenses, and then I’ve got a Proxmox cluster to run most of the rest of my internal services.


  • Ultimately up to you, but I’d go with no GUI and just use ssh (and sftp if you need to do file transfers).

    When I was using Docker, it was headless because the GUI just ate up space and resources I didn’t need. All your interaction will be in the shell anyway, launching your compose.yml files.

    But, if dealing with a headless machine sounds like more trouble than you want to try, install the DE of your choice and breathe easy because it’ll still work perfectly fine.


  • I think you’ve put more thought into how to get started than many others would! You have a pretty good plan from what it seems. My thoughts from each section below.

    Hardware: I’m partial to Crucial and Kingston for storage that is affordable and dependable

    OS: I’d probably spin up a Debian install if I were in your shoes and run my services using docker-compose files. It’s quick and easy to get up and running, and despite the ease, there is still the option to do a lot of customization when you want to, and that will make it easy to learn more at your own pace and leisure.

    Services: For the CalDav portion, I’m really liking Radicale.

    Security: PiVPN is what I’m running on my actual RPi along with PiHole, and it was a super simple setup. I connect via Wireguard from any of my other devices.






  • Samsung TVs have a Plex app, but not a Jellyfin one. Lots of people have Samsung TVs. I mean lots. Other modern TVs are likely the same, like Onn (at least the Roku TVs) last time I checked, and again they are all over. The ease-of-use factor really is a huge win for Plex.

    Edit: Yes, Samsung Tizen models can try and sideload an app, but that’s not something the vast majority of people are ever going to even think about, let alone figure out how to accomplish.

    Edit 2: Well shiver me timbers, Jellyfin’s on those Onn TVs. TIL.



  • I’ve been mostly using Nginx Proxy Manager, but I recently set up Bunkerweb as a WAF for a couple of public services I’m hosting and I kind of like it. It does reverse proxy along with a bunch of other things (bad behavior blocking, geographic blocking, SSL cert handling, it does a lot).

    Mentioning it because I didn’t see any other mention of it yet.

    NPM is easy to use. Caddy sounds like something I’d like to try too now.


  • It’s buttons you click on, arranged in a grid. You can color and arrange them based on groupings. I know you can have some marked “bookmarked” and some that aren’t, and then you’ll only see the bookmarked tabs on your Dashboard’s main listing. I’m actually not sure if there are further ways to delve into grouping. I certainly never bothered. Basic, like I said, lol




  • And the user experience I should expect depends on their stupid hierarchy for reasons I should care about, I’m sure, but still I find myself not. Choosing to enshittify is a choice. Choosing a business model that depends on coercion into an ecosystem that will become enshittified after accumulating a critical mass is another, even more evil choice. Doing it while those cheering loudest are the ones being fucked hardest (I mean, there’s still a “certain line” between how badly “certain groups” are discriminated against, but let’s keep things broad here because we all know the in-group is going to shrink… you know the poem, those that don’t speak up and all that) is yet another choice and one that I’m not willing to join. Doing it while playing monopolistic games arguably even more strongly than Microsoft did when it got hit with a Nynex-level antitrust suit is a step even further down the fuck-me-brick road. The list goes on. Have you met Android??? Google’s motto used to be Don’t Be Evil. Yeah, I’m at least that old. Fight me.

    Edit: please don’t fight me. I’m in some back pain right now from some light physical engagement the other day. I’m also, at a minimum, that old…


  • I just ordered the bits for my future storage appliance, so I can share what I decided to roll with. I stumbled across the Fractal Design Node 804 case, which has room for 8 x 3.5" drives, and then I got 4 x 8TB WD Red Plus drives to start with, RAIDZ1, and then I can add another 4-disk pool later on down the road. The Red Plus drives run at 5400rpm instead of 7200, that’s fine for what I need and saved a few bucks while still keeping me in CMR-drive-land. I also grabbed 2 x 1TB NVMe drives to run as a mirrored pair for the OS. 64GB of RAM so I have some headroom for services I want to run. And I’m going to put TrueNAS Scale on it, which makes it really convenient to run those aforementioned services that I am wanting to run directly on the NAS, like NextCloud and my Linux ISO downloading tool.

    Also now that my family has pretty much moved entirely away from using the big clouds as much as possible, I’m now reading some of the other comments here and looking into Backblaze to store my encrypted backups offsite. Not everything, mind you, there is a large percentage of my data footprint that is either easily recoverable or just simply would be non-catastrophic to lose. But the important stuff, that’s getting encrypted and put in someone else’s internet locker for safe keeping.