this post was submitted on 13 Jun 2025
45 points (100.0% liked)

Selfhosted

46671 readers
1064 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
45
Fresh Proxmox install w/ full disk encryption—so install Debian first, then Proxmox on top? (lemmy.dbzer0.com)
submitted 4 days ago* (last edited 4 days ago) by barnaclebill@lemmy.dbzer0.com to c/selfhosted@lemmy.world
24 comments fedilink hide all child comments
 

Background: I'd like to turn an old personal laptop into a Jellyfin server so that I can stream media to my living room TV. I want to be able to expand what I use this server for over time. I'm leaning toward Proxmox as the OS so that I can spin up new containers for various services instead of installing a bunch of services on a base Debian install. I also want full disk encryption so that any data on the OS drive is less likely to be compromised by theft or Craigslist.

Question #1: I gather the general accepted approach for this is to first install Debian as a base w/ full disk encryption enabled and then install Proxmox on top because there is no option for full disk encryption in the native installer for Proxmox. Is this still the case?

Excerpt from this tutorial from November 2023 on the Proxmox Forum:

This tutorial deals with encryption of an existing installation. If you are starting fresh, my recommendation would be to install Debian with full disk encryption and then add Proxmox to it.

Excerpt from this post from February 2019 on the Level1Techs Forum:

The easiest way to do an encrypted Proxmox setup is to start with a minimal, vanilla Debian install. Set up the encrypted partition using the installer like you would with any other Debian system. Once installed, reboot. Then follow the guide for installing Proxmox on Debian.

Question #2: I don't mind entering the key manually whenever I reboot the server, but will I be able to unlock the server remotely? For example, suppose I'm tinkering in the web admin panel or an SSH session and I want/need to reboot—will I have to physically go over to the laptop and enter the key every time?

Also, I appreciate any other tips from the community to help me think about this in the right way. Thanks!

you are viewing a single comment's thread
view the rest of the comments
[–] glizzyguzzler@lemmy.blahaj.zone 1 points 9 hours ago (1 children)

https://linuxcontainers.org/incus/docs/main/howto/instances_backup/#instances-backup-export

A bit down from the snapshots section is the export section, what I do is I export to a place then back it up with Restic. I do not compress on export and instead do it myself with the —rsyncable flag added to zstd. (Flag applies to gzip too) With the rsyncable flag incremental backups work on the zip file so it’s space efficient despite being compressed. I don’t worry about collating individual zip files, instead I rely on Restic’s built-in versioning to get a specific version of the VM/container if I needed it.

Also a few of my containers I linked the real file system (big ole data drive) into the container and just snapshot the big ole data drive/send said snapshot using the BTRFS/ZFS methods cause that seemed easier, those containers are easy enough to stand up on a whim and then just need said data hooked up.

I also restic the sent snapshot since snapshots are write-static and restic can read from it at its leisure. Restic is the final backup orchestrator for all of my data. One restic call == one “restic snapshot” so I call it monolithically with one call covering several data sources.

Hope that helps!

[–] MangoPenguin@lemmy.blahaj.zone 1 points 4 hours ago

Is it all automated with versioning intervals and stuff? Or is restic required as a third party step and maintaining a duplicate of data on the server for it to grab?

Overall it sounds like a decent VM manager but is meant for enterprise stuff where they'll be building their own backup systems.