Hardware & Infrastructure Plan v3 — Point Cloud Private Cloud
Zero Trust · E2EE · CMMC 2.0 Aligned · 3-2-1 Backup · Fully Open Source Stack
Revised: March 2026 | Prices are estimates — verify at vendor sites before ordering | * = estimate, not confirmed | Replaces v2 (March 2026)
3-2-1 Backup Architecture:
- Copy 1 (Local): Workstation NVMe — Samsung 9100 PRO 4TB (active projects + scratch)
- Copy 2 (Primary NAS): TrueNAS Scale on TrueNAS Mini R — 4x Seagate Exos X20 in RAIDZ2 (~40TB usable) at primary site, ZFS encryption at rest
- Copy 3 (Offsite): G758 PC running TrueNAS Scale — 3x Exos X20 in RAIDZ1 (~40TB usable) at secondary site, receiving automated ZFS replication over WireGuard tunnel
Key changes from v2:
- All Ubiquiti removed → Protectli VP2420 + OPNsense (open source, no cloud dependency)
- DS925+ removed → TrueNAS Scale on dedicated ECC hardware (OpenZFS, fully auditable)
- IronWolf Pro 16TB → Seagate Exos X20 20TB (higher endurance, more capacity)
- Offsite NAS gap fully resolved by repurposing G758
- Security hardware added (YubiHSM 2)
- All Section 6 gaps from v2 resolved
1. Professional Workstation Build (Updated)
GPU downgraded from RTX 5090 to RTX 5080 16GB. RAM upgraded to 192GB DDR5 RDIMM ECC (4×48GB) for expanded VM headroom. Threadripper 9970X also serves as VM host for Wazuh, Vault, Teleport, Authentik, and Headscale.
| Component | Item | Price |
|---|---|---|
| Workstation Bundle | AMD Threadripper 9970X / ASUS Pro WS TRX50-AE WiFi / 192GB DDR5 RDIMM ECC (4×48GB) | ~$5,999.99* |
| Graphics Card | NVIDIA GeForce RTX 5080 16GB GDDR7 | ~$999.99* |
| Primary Storage | Samsung 9100 PRO 4TB PCIe Gen 5 NVMe | $999.99 |
| Power Supply | MSI MAG A1200GL PCIE5 1200W 80+ Gold (Active PFC) | $199.99 |
| CPU Cooling | AW420 420mm Liquid CPU Cooler | $449.99 |
| Exhaust Fan | be quiet! Silent Wings 4 140mm PWM | $24.88 |
| Chassis | Meshify 3 XL Ambience Pro Full Tower | $289.99 |
| Workstation Total | | ~$8,964.82 |
2. Secondary Systems & Infrastructure (Updated)
Ubiquiti UCG-Fiber gateways replaced with Protectli VP2420 running OPNsense. DS925+ removed (replaced in Section 4). G758 retained but repurposed as offsite TrueNAS NAS (see Section 6).
Removed from v2 (this section): DiskStation DS925+ ($711.99) · UCG-Fiber Gateway #1 ($249.99) · UCG-Fiber Gateway #2 ($249.99) · Ubiquiti 10G SFP+ DAC x2 ($39.98) · Ubiquiti RJ45 SFP+ Module x2 ($139.98) — Total removed: $1,391.93
| Item | Description | Price |
|---|---|---|
| G758 Gaming PC | Ryzen 7 9800X3D / NVIDIA GeForce RTX — retained, repurposed as TrueNAS Scale offsite NAS at secondary site (additional hardware in Section 6) | $2,199.99 |
| Protectli VP2420 — Primary Site | OPNsense firewall/router · 4x Intel i226-V 2.5GbE NICs · fanless · Intel N6005 · 1G WAN handoff (headroom for future upgrade) · replaces UCG-Fiber #1 | ~$379.99* |
| Protectli VP2420 — Secondary Site | Same model · OPNsense firewall/router · secondary site · replaces UCG-Fiber #2 | ~$379.99* |
| Infrastructure Total | | ~$2,959.97 |
Why Protectli VP2420 + OPNsense over UCG-Fiber: OPNsense is fully open source (BSD license), with no cloud account, no subscription, and no vendor lock-in. Built in: Suricata IDS/IPS · CrowdSec threat intelligence plugin · Zenarmor deep packet inspection · WireGuard + IPsec VPN (site-to-site tunnel built in) · VLAN segmentation · firewall rules · traffic shaping. WAN is 1G — the VP2420's 2.5GbE ports provide full line-rate throughput with headroom. Each site runs an independent OPNsense instance; neither depends on the other for operation.
3. UPS Protection (Unchanged)
UPS sizing note: The MSI MAG A1200GL uses Active PFC and requires pure sine wave output.
Simulated or stepped-approximation UPS units will cause the PSU to fail or behave erratically under battery power.
Both units below output true pure sine wave.
| Unit | Model | Specs | Covers | Price |
|---|---|---|---|---|
| UPS #1 — Primary Site | APC Smart-UPS SMT2200C | 2200VA / 1320W · Pure Sine Wave · SmartConnect · 10 outlets · 3yr warranty · $150K CEG | Workstation (Threadripper + RTX 5080 + NVMe) ~810W peak | ~$499.99* |
| UPS #2 — Secondary Site | CyberPower CP1500PFCLCD | 1500VA / 1000W · Pure Sine Wave · AVR · LCD · 10 outlets · USB/Serial mgmt | G758 NAS + OPNsense + switch + UPS mgmt (~600W peak = 60% load) | $239.99 |
| UPS Total | | | | ~$739.98 |
4. Primary Site NAS — TrueNAS Scale (Replaced)
Replaces DS925+ ($711.99) + 4x IronWolf Pro 16TB ($1,319.96) + Synology 10G NIC ($109.99) from v2.
Total replaced: $2,141.94. TrueNAS Mini R has dual 10GbE built in — no add-on NIC required.
Why TrueNAS Scale over Synology DSM: fully open source (Debian Linux + OpenZFS) · per-block checksumming detects and corrects silent corruption · native ZFS encryption for auditable at-rest E2EE · RAIDZ2 tolerates 2 simultaneous drive failures · immutable locked snapshots (WORM via zfs hold) · full REST API for scripting and automation · runs Docker/Kubernetes apps natively (MinIO, Authentik, Tailscale, etc.) · ECC RAM standard on server hardware — critical for irreplaceable point cloud archives · no drive vendor restrictions · no proprietary OS · no subscription.
| Item | Description | Qty | Unit Price | Total |
|---|---|---|---|---|
| TrueNAS Mini R | iXsystems — 8-bay hot-swap · ECC RAM · IPMI out-of-band management · dual 10GbE built in · diskless · verify current config at ixsystems.com | 1 | ~$1,999* | ~$1,999* |
| Seagate Exos X20 20TB | 7200 RPM · SATA III 6Gb/s · 3.5" · CMR · Enterprise-rated · 5yr warranty · 550TB/yr workload rating — replaces IronWolf Pro 16TB | 4 | ~$199.99* | ~$799.96 |
| Primary NAS Total | | | | ~$2,798.96 |
RAIDZ2 with 4 drives: ~40TB usable · tolerates 2 simultaneous drive failures · recommended for irreplaceable point cloud archives.
Expansion path: TrueNAS Mini R has 8 bays — 4 bays remain. Add drives without rebuilding the pool (expand existing RAIDZ2 vdev on TrueNAS Scale, or add a second vdev).
Why Exos X20 over IronWolf Pro: 20TB vs 16TB per drive at the same price tier · 550TB/yr vs 300TB/yr workload rating · higher MTBF spec (2.5M hrs vs 1.2M hrs) · designed for continuous 24/7 NAS load.
5. Network Infrastructure (Updated)
All Ubiquiti/UniFi ecosystem removed. MikroTik switches pair naturally with OPNsense — no controller required, no licensing, fully open.
Removed from v2 (this section): UniFi Switch Aggregation 8-Port 10G SFP+ ($269.99) · 10G SFP+ DAC Cables x2 additional ($39.98) — Total removed: $309.97
| Item | Description | Price |
|---|---|---|
| MikroTik CRS312-4C+8XG-RM — Primary Site | 8x 10GbE RJ45 + 4x combo SFP+/RJ45 · fully managed L2/L3 · 1U rackmount · no subscription or controller required · handles workstation 10G RJ45 and NAS 10G SFP+ natively · replaces UniFi Switch Aggregation | ~$299.99* |
| MikroTik CSS610-8G-2S+IN — Secondary Site | 8x 1GbE RJ45 + 2x SFP+ · smart managed · compact desktop form factor · adequate for secondary site (G758 NAS + OPNsense + any local devices) | ~$99.99* |
| SFP+ DAC Cables x2 (generic) | 1m SFP+ Direct Attach Copper — TrueNAS Mini R → CRS312 SFP+ combo port (FS.com or 10Gtek) | ~$19.99 |
| Network Total | | ~$419.97 |
Primary site 10G topology:
- Workstation (ASUS TRX50 built-in 10GbE RJ45) → CRS312 10G RJ45 port via Cat6A
- TrueNAS Mini R (dual 10GbE) → CRS312 SFP+ combo port via DAC
- Protectli VP2420 → CRS312 2.5GbE RJ45 port
All 10G internal links run natively without transceivers.
6. Offsite NAS Build — G758 Running TrueNAS Scale (New)
Resolves v2 Section 6 gap (offsite NAS). G758 hardware cost accounted for in Section 2.
Replaces the proposed DS223 offsite Synology (~$959 including 2x IronWolf Pro) with a more capable, open, and zero-trust-aligned solution at lower cost.
| Item | Description | Qty | Unit Price | Total |
|---|---|---|---|---|
| PCIe SATA HBA | Used LSI 9207-8i or 9217-8i — adds 8x SATA 6Gb/s ports via PCIe x8 slot in G758 · IT mode firmware for pass-through to TrueNAS ZFS | 1 | ~$59.99* | ~$59.99 |
| Seagate Exos X20 20TB | Same drive family as primary NAS · RAIDZ1 pool = ~40TB usable for ZFS replication from primary | 3 | ~$199.99* | ~$599.97 |
| Offsite NAS Total | | | | ~$659.96 |
Replication mechanism: TrueNAS native ZFS send/receive · scheduled automated replication · incremental after initial seed (only changed blocks transmitted) · encrypted in transit via OPNsense site-to-site WireGuard · encrypted at rest via ZFS native encryption · immutable via ZFS locked snapshots on the receiving end.
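The send/receive chain above, as an added example that is not TrueNAS's own code: a small planner that picks the newest snapshot both pools share as the incremental base, emits the raw (encrypted-block) `zfs send`/`zfs recv` pipeline, and lists the `zfs hold` commands that lock the newly arrived snapshots on the offsite pool. The dataset and snapshot names, the `offsite` SSH alias and the hold tag are constructed assumptions; in the plan itself TrueNAS Scale drives this through its replication task scheduler rather than a script.

```python
"""Plan one incremental ZFS send/receive run for the offsite replication job.
Added example, not TrueNAS code; names are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass
class ReplicationPlan:
    base: Optional[str]     # newest snapshot both sides hold; None = full seed
    latest: str             # newest source snapshot, the replication target
    send_cmd: str           # zfs send ... | ssh <target> zfs recv ...
    hold_cmds: list[str]    # zfs hold commands that lock the arrived snapshots


def plan_replication(dataset: str, src_snaps: list[str], dst_snaps: list[str],
                     target: str = "offsite", hold_tag: str = "replicated"
                     ) -> Optional[ReplicationPlan]:
    """Return the commands for the next run, or None if the target is current.

    Snapshot names are assumed to sort chronologically (TrueNAS periodic
    snapshots carry ISO timestamps), so the last common name is the base.
    """
    if not src_snaps:
        raise ValueError("source has no snapshots; take one before replicating")
    src = sorted(src_snaps)
    latest = src[-1]
    dst = set(dst_snaps)
    common = [s for s in src if s in dst]
    base = common[-1] if common else None
    if base == latest:
        return None                      # nothing new since the last run
    # -w streams the raw encrypted blocks: the offsite pool receives
    # ciphertext and never needs the dataset key to store it.
    # -I includes every intermediate snapshot so the remote chain is complete.
    if base is None:
        send = f"zfs send -w {dataset}@{latest}"
        arrived = [latest]
    else:
        send = f"zfs send -w -I {dataset}@{base} {dataset}@{latest}"
        arrived = src[src.index(base) + 1:]
    recv = f"ssh {target} zfs recv -u {dataset}"   # -u: leave it unmounted
    # zfs hold refuses 'zfs destroy' on a held snapshot until the hold is
    # released, which is the WORM property wanted on the receiving end.
    holds = [f"ssh {target} zfs hold {hold_tag} {dataset}@{s}" for s in arrived]
    return ReplicationPlan(base, latest, f"{send} | {recv}", holds)
```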
ECC RAM note: G758 runs on AM5 (Ryzen, consumer platform) — ECC RAM is not supported.
This is acceptable for a backup target: data integrity is guaranteed at the primary TrueNAS Mini R (ECC).
ECC is a hard requirement for the primary NAS only, which is why those roles are intentionally separated.
7. Security Hardware (New)
Required for CMMC 2.0 alignment, zero trust key management strategy, and hardware-backed cryptographic operations.
| Item | Description | Price |
|---|---|---|
| YubiHSM 2 | Hardware Security Module · hardware root of trust for HashiCorp Vault unseal keys · tamper-resistant · USB-A form factor · supports RSA-4096, ECC P-256/P-384, AES-256, HMAC-SHA2 · hardware key custody for CMMC audit trail · from Yubico (yubico.com) | ~$649.99* |
| Security Hardware Total | | ~$649.99 |
Role in the stack: HashiCorp Vault (open source) manages all secrets, encryption keys, PKI, and certificates. The YubiHSM 2 stores Vault's root key in tamper-resistant hardware — unseal operations require physical HSM presence. This moves key custody from software into hardware, satisfying CMMC key management requirements and protecting against extraction even if the host OS is compromised.
8. Server Room — Infrastructure Additions (New)
| Item | Description | Price |
|---|---|---|
| 12U Open Frame Rack — Primary Site | Houses TrueNAS Mini R (2U), CRS312 switch (1U), Protectli VP2420 (1U shelf), APC UPS (2U), patch panel. Keeps the server room organized and airflow managed. | ~$179.99* |
| Cat6A Patch Cables — 10x assorted | Required for all 10GbE RJ45 runs. Cat5e/Cat6 is insufficient at 10GbE beyond ~3m. Mix of 0.5m, 1m, 3m lengths. Cat6A rated to 10GbE at 100m. | ~$49.99 |
| Server Room Total | | ~$229.98 |
Budget Summary — v3
| # | Category | Subtotal | Notes |
|---|---|---|---|
| 1 | Professional Workstation Build | ~$8,964.82 | GPU downgraded to RTX 5080 16GB · RAM upgraded to 192GB DDR5 RDIMM ECC |
| 2 | Secondary Systems & Infrastructure | ~$2,959.97 | 2x Protectli VP2420 OPNsense · Ubiquiti fully removed · DS925+ removed · laptop removed |
| 3 | UPS Protection (2 units) | ~$739.98 | Unchanged from v2 · pure sine wave at both sites |
| 4 | Primary NAS — TrueNAS Scale | ~$2,798.96 | Replaces DS925+ + IronWolf Pro + Synology NIC ($2,141.94 total replaced) |
| 5 | Network Infrastructure | ~$419.97 | MikroTik CRS312 (primary) + CSS610 (secondary) · replaces UniFi Switch Aggregation |
| 6 | Offsite NAS Build — G758 | ~$659.96 | Resolves v2 Section 6 offsite gap · G758 hardware accounted in Section 2 |
| 7 | Security Hardware | ~$649.99 | YubiHSM 2 — hardware key root of trust for Vault · CMMC key custody |
| 8 | Server Room Infrastructure | ~$229.98 | 12U rack + Cat6A cabling |
| | REVISED TOTAL (v3) | ~$17,424 | Before taxes · all v2 Section 6 gaps resolved · fully open source stack |
Remaining optional items (not priced in above):
- Monitors 2x 27" 4K: ~$600–$900
- Additional NVMe scratch drive: ~$500–$1,000
- KVM switch: ~$50–$150
Fully loaded with optionals: ~$18,600–$19,500 before taxes.
v2 → v3 comparison: v2 revised total was $18,826.64 (Section 6 gaps unresolved, no security hardware, Synology/Ubiquiti). v3 is ~$17,424 — ~$1,400 less than v2 — with all gaps resolved, security hardware added, and an entirely open source stack. Savings vs v2 come from the GPU downgrade to RTX 5080 16GB, laptop removal, and Ubiquiti/Synology replacement.
Delivers vs v2: open firewall hardware at both sites · enterprise ZFS NAS with ECC · offsite NAS fully built out · hardware HSM for key management · 10G-capable switching at primary site · 192GB RDIMM ECC RAM for expanded VM headroom · server rack. No ongoing licensing or subscription costs for any component.
Appendix A — Open Source Software Stack
All software is free and open source. Zero licensing fees. All self-hosted with no cloud dependency. Runs on existing hardware — no additional servers required.
| Strategy Pillar | Software | Runs On | Purpose |
|---|---|---|---|
| Firewall / Routing / IDS | OPNsense + Suricata + CrowdSec + Zenarmor | Protectli VP2420 (both sites) | Stateful firewall, IDS/IPS, threat intelligence, deep packet inspection, VLAN enforcement, WireGuard site-to-site VPN |
| Storage OS + ZFS | TrueNAS Scale (OpenZFS) | TrueNAS Mini R (primary) · G758 (offsite) | ZFS encryption at rest, RAIDZ2/RAIDZ1, per-block checksums, snapshots, automated replication, Docker/K8s app hosting |
| Immutable Backup (WORM) | MinIO with Object Lock + ZFS locked snapshots | TrueNAS Scale app (primary) | S3-compatible WORM object storage, immutable retention policies, ransomware-resilient, auditable — satisfies CMMC immutable backup requirement |
| 3-2-1 Offsite Replication | TrueNAS native ZFS send/receive | Primary NAS → G758 over WireGuard tunnel | Scheduled incremental replication, encrypted in transit (WireGuard) and at rest (ZFS), fully automated |
| Key Management / PKI | HashiCorp Vault (OSS) | VM on Threadripper | Secrets management, encryption key storage, internal certificate authority, PKI for all services |
| Hardware Key Root of Trust | YubiHSM 2 (hardware) | Physical USB on Vault host | Hardware-backed Vault unseal, tamper-resistant key storage, hardware key custody for CMMC audit |
| SIEM / Compliance Logging | Wazuh | VM on Threadripper (~8 vCores, 24GB RAM) | NIST 800-171 and CMMC framework mappings built in, log aggregation from all hosts, alerting, compliance reporting and evidence generation |
| PAM / Session Recording | Teleport Community Edition | VM on Threadripper (~2 vCores, 4GB RAM) | SSH, RDP, and database access proxying with MFA, time-limited credentials, full session recording, audit log — every privileged action recorded and replayable |
| SSO / MFA / Zero Trust Identity | Authentik | VM on Threadripper or TrueNAS app | Self-hosted SSO with MFA in front of every service — LDAP, SAML, OIDC, OAuth2. No service is reachable without identity verification. |
| Zero Trust Remote Access | Headscale (self-hosted WireGuard mesh) | VM on Threadripper | Self-hosted controller for WireGuard-based zero trust network access — per-device, per-service ACLs, full audit log, replaces traditional broad-access VPN |
| Cloud / File Sync Layer | MinIO (S3 API) or Nextcloud | TrueNAS Scale app | Self-hosted S3-compatible object storage for applications (MinIO), or Nextcloud for team file sync with client-side E2EE |
Threadripper VM resource allocation: Wazuh (~8 cores, 24GB RAM) · Vault (~2 cores, 4GB RAM) · Teleport (~2 cores, 4GB RAM) · Authentik (~2 cores, 4GB RAM) · Headscale (~1 core, 1GB RAM). Total service overhead: ~15 cores, ~37GB RAM. Remaining: ~17 cores + ~155GB RAM free for point cloud processing workloads. Substantial headroom.
Appendix B — Site Architecture Overview
| Layer | Primary Site | Secondary Site (Offsite) |
|---|---|---|
| WAN / Firewall | Protectli VP2420 · OPNsense · 1G ISP · WireGuard site-to-site tunnel out · Suricata + CrowdSec | Protectli VP2420 · OPNsense · 1G ISP · WireGuard site-to-site tunnel in · Suricata + CrowdSec |
| Switching | MikroTik CRS312-4C+8XG-RM · all-port 10G · 1U rackmount | MikroTik CSS610-8G-2S+IN · 8x 1G + 2x SFP+ · desktop |
| Compute | Threadripper 9970X workstation · 192GB DDR5 RDIMM ECC · RTX 5080 16GB · also VM host for all services | G758 (Ryzen 7 9800X3D) — TrueNAS Scale NAS only, no active compute workloads |
| Storage | TrueNAS Mini R · 4x Exos X20 RAIDZ2 · ~40TB usable · ZFS encryption · ECC RAM · IPMI | G758 TrueNAS · 3x Exos X20 RAIDZ1 · ~40TB usable · ZFS encryption · receives automated replication |
| Immutable Backup | MinIO + Object Lock (S3 WORM) · ZFS locked snapshots on primary NAS | ZFS locked snapshots on offsite pool (replicated, cannot be deleted) |
| Services | Wazuh · HashiCorp Vault + YubiHSM 2 · Teleport · Authentik · Headscale · MinIO | TrueNAS Scale only — backup target, no additional services |
| Power | APC Smart-UPS SMT2200C · 1320W · pure sine wave | CyberPower CP1500PFCLCD · 1000W · pure sine wave |
| Rack | 12U open frame · TrueNAS Mini R + CRS312 + VP2420 + UPS | No rack needed · G758 tower + VP2420 shelf-mounted |