Probably it would be much easier for you to setup tailscale. Just install it on the system you host the other services, install on the other end and use the tailscale ip. It should require minimal effort to set up with the added benefit of not having ports open, and way easier maintaining.

As for wireguard, the allowed up section tells what ips should be routed through the tunnel, it's not that difficult, but hard to wrap your head around at first. A friend of mine also used to use the Fritzbox Implementation of wireguard and I remember you need to specifically setup what clients you want the tunnel to have access to.

Have a look at tailscale.

Maybe have a look at urbackup. Gui, "centrally managed", free...

And please, as mentioned in another comment, have a look at Borgmatic. It makes Borg really easy to use and has some super handy features. Super easy backups to multiple locations by just adding a line in the config... And I just love the healthchecks integration. Set and forget until either healthchecks notifies you of a problem or you really need to recover data.

Out of curiosity, why would that be a problem?

Can confirm Borg/Borgmatic. Was looking for something good also and Borg is hands down the best. Borgmatic is kind of a wrapper for Borg which makes things even easier. One thing that makes Borg awesome is it's excellent documentation. Maybe give cli tools a try ;)

I am very happy with my Omada setup. It's an ecosystem, not a single device. I use an er605 as router and eap610 as AP. I also have a switch, probably you don't need that, and I now have an Omada controller (you can also host that in as a docker container, so not strictly needed). For wifi you can simply throw another ap somewhere and have excellent Mesh wifi. It's more complex than a simple consumer router, but also has a lot more functionality.

And how do you disable the editing/configuration in Heimdall?

I tried fenrus before, kinda liked it, but I remember it to be not so performant.

I had authentik before but I found it to be unnecessarily complicated. Its really a nice one stop shop, doing authentication, authorization, even reverse proxing, but the setup/UI is just ... Not very well designed. Or it's so advanced that it's very far from the no it background hobbyist user

How I'd go above this is dependent on how much storage you expect to be using mid term/until you want/can buy another drive.

Must have 7TB ? Swap the 10tb for 2x4TB, then do 4TB parity 4+2+1TB as Data drives.

Is 3TB enough for the time being? Keep the 10TB and use as parity, 1+2TB as Data drives. When full, go for up to another 10TB as Data.

That second option is more upgradable in the future.

I'm guessing everyone meant Data drives by saying "pool". In unraid, Data drives are the ones protected by parity, in the array. Pools are "out of the array", not protected by parity.

It really does look cool. It can be deployed using Docker. I'll have a look at it.

To follow up on this: I now use a combination of caddy as reverse proxy and authelia for authentication. In my opinion caddy is the best reverse proxy, it's super lightweight and the caddyfiles are super easy to read. Authelia is surprisingly easy to get setup. I was a bit hesitant because it looked a little overwhelming in the beginning. When you sit down for half a day and dig into it, it's really surprisingly straightforward.

container is mkv, codec says AVC

Checked on transcoding, it happens on direct streaming....

tried with transcoding disabled, no joy, still freezes. Subtitles were also disabled, I rarely watch with subtitles. Edit: I just noticed, when forcing transcoding by limiting the quality (Bitrate) on the client to lower values, it does not freeze

The controller does not need to run 24/7. The controller configures the devices and the config remains on the devices. Though, when your devices are adapted by a controller, you cannot access any settings on the devices themselves, only via the controller.

Maybe should add: depending on the network set-up, I'd strongly recommend getting a hardware controller. For me, I have one server hosting all my stuff. I also hosted the controller with docker in this server. Which ends up being a single point of failure, and no way to look into your routing if your server is down/unreachable. I got a hardware controller (oc200) eventually just to separate my interner and network infrastructure from my hosting and service infrastructure.

I found that before and it's really interesting. I didn't really find it easy to understand, though. Maybe I'll look into it again. As I understand it, you wouldn't even need caddy, oauth2-proxy itself can act as reverse proxy, right?

This would tell the peer with this configuration to send all traffic for the whole 192.168.1.0/24 through the tunnel, not sure that is what OP wants. (Didn't look at the link though)

I just played around a little, and even got it playing nice with authelia quick. But I find it to loaded for me. No bad, it's looking awesome, but I really just want a few nice looking bookmarks for when the wife forgets what that one service was called again ;)

Would be nice if each user could add their own bookmarks so they could use the dashboard as new tab default.

When I got started I preferred GUI apps too. The more you use them, the more you get to appreciate cli tools. Meanwhile I find cli tools better, they are just more precise and have a good way to push you to use them correctly. Also they are mostly well documented and even offer "on the fly" help with -h flags or alike.... also the get started page of Borgmatic is really well written. Just play around with it ;)

Bitrate varies, some files work, some don't. Even in one season of a show episode 1 streams perfectly fine, episode 2 freezes every 2 mins.
Bitrate of a file is around 8Mbps, local bandwidth is 1Gbps.

Well yeah, basic auth is surely the easiest method ... though I rather like to go the oauth2/OIDC route.