Raspik: budget DIY NAS that keeps data safe and secure

I had a feeling that it was time to replace my old Synology with something bigger and more capable. I basically knew what I needed from my NAS and at the same time I wanted to build it myself. Besides the fact that it’s great fun to do something like that, I did it for one-third of what I would pay for a ready-to-go solution. I had experience from my previous projects so I was able to build something perfectly suited to my needs that will serve well for another four years.

But let me start from the beginning. A few years ago I bought a NAS, a Synology DS216play. It’s a ready-to-use solution: you put two drives into it, there is a short installation process and it just works. I still remember how excited I was about it. I liked the idea of having everything under my table. But there were a few drawbacks:

  • I wasn’t able to switch to Synology apps like file synchronisation, backup, photos or video manager; even though I liked the concept very much, the quality of those apps is simply not good enough,
  • the encryption is super slow (~10 MB/s) and also not so secure,
  • the UI is slow,
  • data transfers are 40 MB/s even from unencrypted volumes,
  • I found myself using only Samba shares after years of having this box.

I don’t want to say “don’t buy Synology”, especially when the UI and encryption slowness is fixed in newer models. It’s a great piece of hardware and if you buy one, it will serve you well for a long time. But I decided not to go this way anymore, simply because I don’t use the stuff it offers and I would like to have control over encryption and data integrity. So I spent two weeks designing and building my own NAS based on the Raspberry Pi 4 4GB version, two Seagate 6 TB IronWolf drives and parts I had experience with from previous projects.

The journey was super exciting and I enjoyed every minute. Now the box is done and the first terabytes of my data are sitting there. This is the result:

There are still rough edges. I wanted it nice but not too nice because it’s gonna spend its life under the table and you know that the last 20 % of the project takes 80 % of the time.

Building this cute baby is one thing and I would say that it’s much easier than the software part but I will tell you more about that one later. Here is another photo from behind without any covers except one for the power socket. This is the smallest viable product:

… that would burn in a few hours because without cooling it gets well over 50 °C. There were a few constraints I wanted to follow when designing this box:

  • Integrated power source,
  • pumping air from the front to back,
  • printable on Prusa Mini,
  • only one part needed to start building the project — the 300g body.

The heart of my new box is a Raspberry Pi. It’s a versatile device that lacks practically every possible feature for saving power. There is no sleep mode and no way to turn off parts of the board, so it’s hard to use in battery-powered projects. But there are a few types of projects where a Raspberry Pi, especially the 4, the latest one, is an almost perfect device, and one of them is being a server. Or a NAS in this case.

I don’t like power bricks. They are a convenient way to get some heat out of the device but cable management is a pain with them. So I use MEAN WELL power sources in my projects including this one and I integrate them into the box with everything else. It’s easier to move or store the thing without losing anything important.

The power source, MEAN WELL RS-75-12

It’s possible I will build another one so I wanted a design that allows me to put two or more boxes next to each other and the best way is to pump the air from the front to the back of the box.

Separate sections for the drives and the Raspberry Pi forced me to put two fans in the front of the box: the smaller one for the Raspberry Pi and the bigger one for the drives and the power source. I also decided to put dust filters in front of them. The level of mess inside the box is much lower after months of running with them. I use those filters anywhere I can.

It’s possible to use any 40x40 and 80x80 fans but I decided to go with Noctua. They are a little bit more expensive but silent and reliable.

At the end of this project, I decided to put a small OLED display into the front panel that shows basic information about the system and also an error message if something is wrong with the RAID or data. OLED is not the best option here but it has the right dimensions, it looks really cool and the fading issue is not as bad as one could say.

Front view of the base printed part

I design parts in SolveSpace. It’s not the best program for design but I like how fast I can work with it and the fact that it’s open-source. It’s a perfect option for occasional hobbyists like me. The lack of some features forces me into this sharp-edged design. The box is designed around the drives and power source. I left a gap for the airflow between the devices and it works great. The temperature of both drives is around 34 °C.

One of the decisions I had to make was whether to go with one 120x120 fan or 80x80 and 40x40 fans. Unfortunately, without legs, the vertical length is 116 mm which is not enough and I didn't want to add an extra ~10 mm just because of the fan. On the other hand, cooling of the Raspberry Pi would be better, as would the noise level and the number of wires. I think I will consider updating the front panel in the next iteration of the design to support a 120x120 fan.

Fans without covers

Cooling of Raspberry Pi is limited by the size of the fan but also the number of wires between the fan and Raspberry. I thought about some kind of pocket for the wires so the air has a clear way inside the box but I found out it works fine even now.

The only way to connect SATA drives to a Raspberry Pi is via USB. That takes us to the 12 V problem. If you want to use more than one 2.5" drive, you have to feed it externally. The Raspberry Pi won’t have enough power to support it. If you want to use one or more 3.5" drives, you need to buy USB-SATA adapters that allow it or you can buy cheaper 2.5" adapters that can be hacked into 3.5" compatible parts. I decided to go with the first option and use the external power source connector to feed it with electrons but today I would choose smaller and cheaper 2.5" adapters and solder 12 V into them. If you go the same way just don’t forget to solder GND too, otherwise the current will go via the GND of the Raspberry Pi.

USB-SATA adapters from Axagon

A huge disadvantage of USB-SATA adapters is the USB cables. They are big and you cannot avoid them so the only way is to try to find the shortest ones. Not every chipset used in those adapters works with Linux and Raspberry Pi flawlessly. I have had great experience with the ASM1153. It has been running in one of my projects for more than 4 months without any problem. The performance is not an issue anymore with USB 3.0; especially with UASP it will support anything you can throw at it via gigabit ethernet or WiFi.

The box is screwed together with a single type of screws — 3x16. There are three exceptions. Raspberry Pi needs 2.5mm screws and back panel for SATA adapters needs 3x25. Luckily if you decide to build it you won’t need that one. It’s designed for my adapters from Axagon and it won’t fit any other adapters. On the other hand, it’s not that important, especially if you put the NAS on a shelf and forget about it. The last screw type is for the drives.

The best thing about this NAS is that next time there is a new version of Raspberry Pi, I can simply replace the board and I have a more powerful machine without changing anything else. Other parts like the power source or USB-SATA adapters are also off-the-shelf pieces of hardware that can be bought anywhere.

The last thing I want to mention about the hardware is the price. I expected that my new NAS would be cheaper than a similarly tuned Synology or QNAP but I didn’t think it would be that good. It can be built for $100 if you are lucky about the prices of some parts and my build was around $150. If I bought a comparable Synology or QNAP NAS I would have to pay ~$400.

The software

My wife and I don’t generate much data, just a few hundred GB every year. I knew the performance wouldn’t be a problem for me but there are other things, maybe more important. Based on the usage of my Synology, I wrote down this list:

  • I really need full disk encryption,
  • data safety is number two,
  • I use only Samba shares,
  • RAID1 is a must-have,
  • I need to know if the data is ok and when a drive starts failing,
  • it would be nice to have access there from anywhere.

When I mentioned full disk encryption on Facebook I was asked why I am scared of feds. I don’t live in the US so we have no feds and I am not scared of our police either. I simply don’t want other people looking at my data if the box is somehow stolen. The same thing is a problem with all of my computers. The house is not a vault, encrypting my data doesn’t cost anything and in certain situations it’s priceless.

Another thing is data integrity and data safety. NASes are hardly 100 % reliable machines so you need to know when something goes wrong and by wrong, I mean failure of one or both drives, file system issues or simply a transfer problem that leads to damaged data. Even if everything is perfectly ok your hard drive can write something slightly different than you wanted.

To cover data integrity I bet on Btrfs and S.M.A.R.T. capabilities of my hard drives. Check this image:

At the bottom, there are two physical and separated block devices. They store the data. Above those, there is an encryption layer and above that, there is a single Btrfs filesystem that makes sure that all data is written on both drives.

Btrfs has its own error stats so if you check the numbers in these stats and they are not zero you have a problem. Btrfs stores a checksum of every chunk of data it holds so you can check if the data is still stored correctly. It’s called scrub and it simply reads the data, creates a checksum and compares this checksum with what’s stored in the metadata about the same chunk. If it’s the same you are good, if not, you again have a problem.

Hard drives are not stupid either and they have their S.M.A.R.T. It’s a system for the drive’s self-testing and it can find issues with the hardware before something important is lost. Part of S.M.A.R.T. is a set of stats about the drive, including the number of problematic sectors or communication errors. In my project, I am interested only in the number of somehow bad sectors. Another feature of S.M.A.R.T. is a self-test that checks the surface of the platters and probably other parts of the device and updates the stats mentioned above accordingly.

To make sure that the data is ok I regularly:

  • Run S.M.A.R.T. long self-testing on both drives,
  • run scrub,
  • read the S.M.A.R.T. and filesystem’s failure stats.

All of this is returned by my API, including information on whether the disk is OK or not based on this data. If it’s ok, it sends a message to healthchecks.io. If not, it reports it to the same place. The reason why I use healthchecks.io is that it will notify me if the message hasn’t come in a defined period of time, so you know there could be something totally broken that the box is not able to report itself.

HealthChecks.io interface
Part of the response from the API returning info about storage status
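
An added example, not the author's API or code from the Raspik repo: one way to turn the checks listed above into a single healthchecks.io ping. The sample output of btrfs device stats and smartctl -A is constructed, and the device names, the three bad-sector attributes watched and the check URL placeholder are assumptions.

```python
import re
import urllib.request

# Constructed sample outputs (assumptions, not data from the post).
BTRFS_STATS = """\
[/dev/mapper/crypt1].read_io_errs     0
[/dev/mapper/crypt1].corruption_errs  0
[/dev/mapper/crypt2].read_io_errs     0
[/dev/mapper/crypt2].corruption_errs  3
"""
SMART_ATTRS = """\
  5 Reallocated_Sector_Ct   0x0033   100   100   010    Pre-fail  Always       -       0
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       8
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       0
"""
BAD_SECTOR_ATTRS = {"Reallocated_Sector_Ct", "Current_Pending_Sector", "Offline_Uncorrectable"}

def btrfs_problems(text):
    """Return {(device, counter): value} for every non-zero Btrfs error counter."""
    found = {}
    for m in re.finditer(r"^\[(.+?)\]\.(\w+)\s+(\d+)$", text, re.M):
        if int(m.group(3)) > 0:
            found[(m.group(1), m.group(2))] = int(m.group(3))
    return found

def smart_problems(text):
    """Return {attribute: raw_value} for non-zero bad-sector attributes."""
    found = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 10 and cols[1] in BAD_SECTOR_ATTRS and cols[9].isdigit():
            if int(cols[9]) > 0:
                found[cols[1]] = int(cols[9])
    return found

def report(btrfs_text, smart_text, check_url, send=False):
    """Build the healthchecks.io ping: plain URL on success, URL + /fail otherwise."""
    problems = [f"{d} {c}={v}" for (d, c), v in btrfs_problems(btrfs_text).items()]
    problems += [f"SMART {a}={v}" for a, v in smart_problems(smart_text).items()]
    url = check_url + "/fail" if problems else check_url
    body = "\n".join(problems) or "ok"
    if send:  # disabled by default so the example runs offline
        urllib.request.urlopen(url, data=body.encode(), timeout=10)
    return url, body

if __name__ == "__main__":
    print(report(BTRFS_STATS, SMART_ATTRS, "https://hc-ping.com/<your-check-uuid>"))
```

If the box dies and neither ping is sent, the missing success ping is what makes healthchecks.io raise the alert.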

Part of data safety is also a backup strategy. We are in a home environment so there doesn’t have to be a huge backup and archiving plan. But you should make sure there are at least two places with your data as I did.

In my case, I mirror important stuff from my notebook into my NAS but they are almost next to each other. Also, there is data that is unique to just my NAS. In this case, I can say that my notebook and my NAS are the place where my data lives and I need another copy. For me, that’s BackBlaze, a service that stores data for a very reasonable price. Of course, the data is encrypted.

If my house burns down I still have the data in BackBlaze but what happens if something destroys the NAS and the backups in BackBlaze? That’s the place where archiving comes in. My data is not changing often, especially the most important data like our family photos and videos. I simply bought an external hard drive, encrypted it and every few months I bring it home from my office and copy what I can there. It’s a manual process but it will save me in case of total disaster.

How the operating system is configured

One of the important parts of the system is Ansible. It’s a tool that allows me to install a server based on a predefined plan. Basically, I have a few roles, one for Samba, one for backup and so on and all those roles are configured via a single config file. The config file defines what volumes I have, what users I have and what Samba shares and services I need for each of them. Based on that it installs the whole system. It’s super flexible and it allows me to restore the system in no time.

Part of the installation process is the configuration of Samba, Syncthing and Restic. You probably know Samba, it serves your files over a network. Syncthing is used to synchronize files between your computers and servers. I use Syncthing for the most sensitive data because I can even destroy one of my computers with a hammer and I know it’s still somewhere. It’s a true mesh design that doesn’t care about what’s a client and what’s a server, it syncs the files everywhere equally. Restic is a great tool to back up your files. It has its limitations but you probably won’t hit them, I didn’t in my case.

Not long ago my friend showed me Node-RED and it turned out to be a perfect tool for personal scripting. I use it to check backups and to show information on the OLED display based on the API that returns info about filesystem and drive health.

Flow to show health info on the OLED display
The OLED display when everything is fine

Systems like home NASes should be automatically updated. It’s true that every update can break something but in 99.99 % of cases, it will be fine and even if it isn’t, it’s better to have a secured system that doesn’t work than an unsecured system with 100 % uptime. We are in the home environment and the only call that will come will be from your wife or kids.

The last thing I added at the end of the project is WireGuard, the new silver bullet in the VPN world. It allows me to connect to my home network. I don’t need it much for accessing the data inside the NAS but I need my home IP address to access the work stuff. It’s super frustrating when I am on my phone, something needs to be fixed and I can’t even get there. WireGuard is super simple to configure, my Ansible roles do it for me automatically and I just download a generated file for my WireGuard client.

I am gonna end it here. It was just a glance over my Raspik project and how I solve some problems I had. I would like to take it to another level and have it more ready for anybody who wants to build it too. You don’t have to use the same software I did, there are more user-friendly projects like OpenMediaVault that can be used on this box too. Don’t forget to visit the GitHub repo where you can find STLs and other related stuff.

I am a DevOps engineer