Meanwhile I’m hoping for the technology to get more efficient and require less compute to achieve worthwhile results.
I’d rather have a small specialised local language model that knows everything about a small field, f.e. vegetarian cooking recipes or maintenance and repair of <specific car model>, but nothing about anything else.
I’m just not comfortable with giving all my data to a generalised large language model running on someone else’s computer.

I hope you find out that it’s a not very necessary service that is the culprit, so that you can simply skip it. :)

Is it your cpu or your ram that hits the roof? Is it the host OS/Portainer or the services you run on it?
Here’s how to check container usage in Portainer: https://docs.portainer.io/user/docker/containers/stats

https://github.com/jgraph/drawio-desktop

https://www.drawio.com/ could probably work

Replace NAS drives with larger ones and then repopulate data from your backup? That way you get to test your recovery and restore procedure at the same time.

For WebDav I would look at https://github.com/sabre-io/Baikal
Unless you want all the other parts of Nextcloud and need the big package.

Just like navidrome it seems like Jellyfin reacts to failed mounts by emptying libraries.
https://forum.jellyfin.org/t-solved-network-not-mounted-before-jellyfin-starts

With version 10.11.0 they offer a built in backup system for db/metadata/subtitles though so once access is restored it’s easy to restore any metadata changes you’ve done to your library. (As long as you got a backup since before that is)
https://jellyfin.org/docs/general/administration/backup-and-restore/#create-a-backup

Nothing is hard when you know what you’re doing. :)
Being able to completely wipe your compute machine and not worry is nice and imo easier.

For only Jellyfin, then I agree - if that is where it stops you could run it all on an N100 integrated motherboard and have a lean sleek system that hosts your files and your streaming server. But when your services starts being too much for the N100 then it’s nice to separate it a bit and for me it feels natural to split it between compute/storage.

Separating your services from your storage makes things a lot easier in my opinion.
Setup one machine as a NAS and have that manage your (preferably redundant and backuped if storing personal photos or other unique data) storage, then share it to the rest of your selfhosting over nfs and smb.
You could either go for a prebuilt NAS like Ugreen NASync DXP2800 or build your own m-itx with a Jonsbo N2 case and an N100 motherboard or whatever you’re comfortable with.

Your jellyfin server then accesses the media libraries with a simple mount (/mnt/media). Same with your tdarr server and tdarr nodes.
It’s much easier to experiment and reinstall services when you have your storage separated from them.

I can’t buy a 14tb hdd for that price here in Sweden, but I have no idea about your local prices. Is it new or refurb?

I mean driving without your safety belt works great until something happens. Doesn’t make it a good idea.

Or swedes

Update 22:51h: The vote originally scheduled for 14 October will not take place because there is no majority for the proposal. It is likely that the EU Commission will now propose to extend the Chat Control 1.0 regulation currently in force that permits providers to scan our messages (if they choose). An extension of this indiscriminate bulk scanning regime is not acceptable. Scanning under this regulation needs to be targeted and limited to suspects where requested by a judicial authority.

• https://www.patrick-breyer.de/en/citizen-protest-halts-chat-control-breyer-celebrates-major-victory-for-digital-privacy/

Made a screenshot of https://app.smartdraw.com/editor.aspx?templateId=384d7d86-2472-4f4d-b80f-224189376dc3&flags=128

Does this example match your network?

From your description it already sounds like all of it is in the same network?
That cabling you have in the house doesn’t split your network, Router -> CAT6 - CAT6 - CAT6 -> Switch is the same as Router -> CAT6 -> Switch as far as your equipment is concerned.

This is oversimplified but catches most network topologies (including yours it seems):
Internet -> Router -> Switches -> Client Devices

That and also man hour costs versus hardware costs. It’s often cheaper to buy some extra ram than it is to pay someone to make the code more efficient.

Isnt opnsense only for bsd? I am running linux.

opnsense is bsd based yes, you can either run it on it’s own hardware in front of your server or you can run it as a virtual machine and passthrough your hosts network ports to it for WAN/LAN.

When using a vpn server, only I could access the services right?

You can easily setup vpn users for friends/family but a random person on the internet won’t reach your services if you block access from WAN and forces everyone to go through the vpn server.

Your services would first of all need some sort of integration to report failed authentication attempts to your firewall or you wouldn’t have anything to act on to start the block. Sounds complicated edit: and also what fail2ban does by reading logs it seems.

If I were you I would ponder if it wouldn’t be easier to just setup a headscale/wireguard/openvpn server and connect to your other services through that.

My favourite home firewall right now would be opnsense