• 0 Posts
  • 4 Comments
Joined 1 year ago
Cake day: July 1st, 2023

  • motsu@lemmy.world to linuxmemes@lemmy.world, in the thread "i find it's a great tool."
    19 upvotes, 7 downvotes · 9 months ago

    Yep, to add on to as well as summarize this… Linux has historically had a design methodology of “everything is a file”. If you're not familiar with the implications of this, it means your command line tools just kind of work with most things, and everything is easy to find.

    For instance, there's no “registry / regedit” on Linux… There's just a folder with a config file that the application stores settings in. There's no control panel application to modify your network settings… Just a text file on your OS. Your system logs and startup tasks were also (you guessed it) simple files on the system. Sure, there might be GUI apps to make these things easier for users, but under the hood it reads and writes a file.

    This idea goes further than you might assume. Your hard drive is a file on the file system (a special file called a block device). You can do something like “mount /dev/sda1 /home/myuser/some_folder” to “attach” the drive to a folder on the system, but that special block device (/dev/sda1 in this case) can be read and written to byte by byte if you want with low-level tools like dd.

    Even an audio card output can show up as a file in /dev (this is less the case now with PipeWire and Pulse), but you used to be able to just echo a raw audio file (like a wav file) and redirect the output to your audio device “file” and it would play out of your speaker.

    Systemd flipped this all around, and now instead of just changing files, you have to use applications to specify changes to your system. Want to stop something from starting? Well, it used to be that you just moved it out of the init directory, but now you have to know to “systemctl disable something.service”, or to view logs “journalctl -idk something.service”. I don't even remember the flags for specifying a service, so I have to look it up, where it used to just be looking at a file (and maybe using grep to search for something specific).
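
An added example, not part of motsu's comment: a small POSIX shell script showing the "everything is a file" point in practice. The same dd, wc, sed and tr that work on a text file read a disk image at a byte offset, a key=value settings file, and a process's argv out of /proc. The image and the config file are constructed by the script so it runs without root; on a real host `read_bytes_at /dev/sda1 0 512` does the same thing if you are root or in the disk group. The `demo` argument, the image path and the /etc/os-release lookup are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the comment above): the same tools read ordinary
# files, /proc entries and disk images. The image path and config file are
# constructed here so the script runs unprivileged; on a real host the same
# read_bytes_at works on /dev/sda1 if you have root or disk-group access.

# Read COUNT bytes starting at byte OFFSET from FILE, using dd the way the
# comment describes for a raw block device.
read_bytes_at() {
    file=$1; offset=$2; count=$3
    dd if="$file" bs=1 skip="$offset" count="$count" 2>/dev/null
}

# Size in bytes of any file-like object, via the same wc used on text.
byte_size() {
    wc -c < "$1" | tr -d ' '
}

# Build a constructed 4 KiB "disk image": a fake boot-sector marker followed
# by zero padding. Prints the image path.
make_image() {
    img=${1:-${TMPDIR:-/tmp}/everything_is_a_file.img}
    printf 'BOOTSECT' > "$img"
    head -c 4088 /dev/zero >> "$img"
    printf '%s' "$img"
}

# "No registry": settings are key=value text, so one sed line is the lookup.
# Works on e.g. /etc/os-release; surrounding double quotes are stripped.
config_get() {
    file=$1; key=$2
    sed -n "s/^$key=//p" "$file" | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# A process is a directory of files too: argv is NUL-separated in
# /proc/PID/cmdline. Fails cleanly where /proc is not mounted.
proc_cmdline() {
    pid=$1
    [ -r "/proc/$pid/cmdline" ] || return 1
    tr '\0' ' ' < "/proc/$pid/cmdline"
}

if [ "${1:-}" = "demo" ]; then
    img=$(make_image)
    echo "image: $img, $(byte_size "$img") bytes"
    echo "bytes 0-7: $(read_bytes_at "$img" 0 8)"
    echo "distro id: $(config_get /etc/os-release ID 2>/dev/null || echo unknown)"
    echo "this shell: $(proc_cmdline $$ || echo '(no /proc here)')"
    rm -f "$img"
    # The service-management contrast from the comment, for reference only:
    #   sysvinit: mv /etc/init.d/foo /root/disabled/   ; grep foo /var/log/syslog
    #   systemd:  systemctl disable foo.service        ; journalctl -u foo.service
fi
```

Run it as `sh everything_is_a_file.sh demo`. The security-relevant corollary is that the permission model is the file permission model: whoever can open /dev/sda1 can read the whole disk with dd regardless of mount-point permissions, and /proc/PID/cmdline and environ are readable by whoever the kernel's ptrace and hidepid rules allow.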


  • I run FreeIPA internally, which handles all internal HTTPS certs (as well as nice things like handling non-sudo auth, so I can just ssh to machines from an already-authed machine without a PW prompt, and doing LDAPS for internal things that support it).

    For external web, I have a single box running nginx as a reverse proxy that's web exposed. That nginx box has Let's Encrypt certs for the public web stuff. The nginx RP has the internal CA on it and will validate the internal HTTPS certs (no mullet SSL here!).

    I also do different domains for internal vs external, but that's not a requirement for a setup like this.
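
An added example, not the commenter's own configuration: a shell script that renders the nginx server block this setup implies (public Let's Encrypt cert in front, re-encrypted `proxy_pass https://` to the internal host, upstream chain verified against the internal CA) and a line-oriented check that flags any https upstream whose location block never turns `proxy_ssl_verify on`. That check matters because nginx's `proxy_ssl_verify` defaults to off, so a plain `proxy_pass https://...` encrypts to the backend but accepts any certificate. The hostnames app.example.com and app.int.example.lan, the certbot `/etc/letsencrypt/live/` layout and `/etc/nginx/internal-ca.pem` are placeholders.

```shell
#!/bin/sh
# Added example, not the commenter's config. Renders an nginx server block
# that terminates public TLS and verifies the internal upstream against the
# internal CA, and audits config text for https upstreams left unverified.
# All hostnames and paths are placeholders.

# Print the server block for PUBLIC_HOST fronting https://INTERNAL_HOST,
# trusting upstream certificates chained to CA_FILE.
render_proxy_config() {
    public_host=$1; internal_host=$2; ca_file=$3
    cat <<EOF
server {
    listen 443 ssl;
    server_name $public_host;

    # Public-facing cert; certbot's default directory layout is assumed.
    ssl_certificate     /etc/letsencrypt/live/$public_host/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$public_host/privkey.pem;

    location / {
        proxy_pass https://$internal_host;
        # Verify the internal chain against the internal CA (default is off)
        # and check the name on the cert is the upstream we meant to reach.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate $ca_file;
        proxy_ssl_server_name         on;
        proxy_ssl_name                $internal_host;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
EOF
}

# Read nginx config text on stdin and print one line per https upstream:
# "OK <upstream>" when the enclosing block sets proxy_ssl_verify on,
# "UNVERIFIED <upstream>" otherwise. Line-oriented, not a real parser:
# it assumes one location per block and directives on their own lines.
audit_upstream_tls() {
    awk '
        /proxy_pass[ \t]+https:\/\// {
            sub(/.*proxy_pass[ \t]+https:\/\//, "")
            sub(/;.*/, "")
            up = $0
            next
        }
        /proxy_ssl_verify[ \t]+on/ { verified = 1; next }
        /^[ \t]*}/ {
            if (up != "") print (verified ? "OK " : "UNVERIFIED ") up
            up = ""; verified = 0
        }
    '
}

if [ "${1:-}" = "render" ]; then
    render_proxy_config "${2:-app.example.com}" "${3:-app.int.example.lan}" \
        "${4:-/etc/nginx/internal-ca.pem}"
elif [ "${1:-}" = "audit" ]; then
    cat "${2:-/etc/nginx/nginx.conf}" | audit_upstream_tls
fi
```

`sh proxy_tls.sh render > /etc/nginx/conf.d/app.conf` writes the block; `sh proxy_tls.sh audit /etc/nginx/conf.d/app.conf` reports `OK app.int.example.lan`. Running the audit over an existing config is a quick way to find the "mullet SSL" case the comment is avoiding, where the public side is properly certified but the hop to the backend is unverified.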



  • Old PC that can be on all the time.

    If you don't have one and want dedicated hardware, I would recommend a used server, or something you can whitebox (like using an ASRock Rack mobo that takes a desktop Ryzen but supports ECC memory).

    Put Proxmox on as the host OS; two SSDs in RAID 1 is good for a boot drive / VM storage drive. RAID 10 if you want really high performance, but probably unneeded.

    Look for a case that has a SAS backplane, and then connect the backplane to an HBA card. Pass this card through to FreeNAS for storage shares and stuff.

    I recommend not virtualizing your router. So, if you want to get away from SOHO gear, either flash a SOHO router with OpenWrt, or build a separate box for pfSense or OPNsense. If you go that route, you will need a separate switch / access point. UniFi gear has a good balance of features and affordability, and can all be managed from a single UI (let's say you have 3 switches and 2 access points… you don't need to go to 5 web UIs, it's all in one spot, and you can self-host the web UI in Proxmox).
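
An added example, not the commenter's own procedure: the checks to run on the Proxmox host before passing the HBA through to the storage VM. PCI passthrough hands the guest every device in the HBA's IOMMU group, so the script refuses to emit the attach command unless the HBA is alone in its group, and it reports which kernel driver currently owns the card (it should be vfio-pci, not the host's SAS driver, or the host keeps using the controller). `qm set VMID --hostpci0 ADDR` is Proxmox's real command; the PCI address 0000:03:00.0 and VM ID 100 are placeholders, and the optional SYSROOT argument exists so the functions can be exercised against a constructed sysfs tree instead of /sys.

```shell
#!/bin/sh
# Added example, not the commenter's procedure: sanity checks before handing
# an HBA to a storage VM on a Proxmox host. PCI address 0000:03:00.0 and
# VM ID 100 are placeholders; SYSROOT defaults to /sys and may point at a
# constructed tree for testing.

# Print every PCI device in the same IOMMU group as DEV. The whole group
# moves to the guest together, so a group that also holds your NIC or the
# boot SSD means a different slot (or the ACS override, with its own risks).
iommu_group_members() {
    dev=$1; sysroot=${2:-/sys}
    grp="$sysroot/bus/pci/devices/$dev/iommu_group"
    if [ ! -e "$grp" ]; then
        echo "no IOMMU group for $dev: enable IOMMU in firmware and on the kernel cmdline (e.g. intel_iommu=on)" >&2
        return 1
    fi
    ls "$grp/devices"
}

# Succeeds only when DEV is alone in its IOMMU group.
group_is_isolated() {
    dev=$1; sysroot=${2:-/sys}
    members=$(iommu_group_members "$dev" "$sysroot") || return 1
    [ "$members" = "$dev" ]
}

# Report which kernel driver currently owns DEV ("none" if unbound). After
# passthrough is configured this should be vfio-pci; if it still names the
# host's SAS driver the guest cannot claim the controller.
bound_driver() {
    dev=$1; sysroot=${2:-/sys}
    link="$sysroot/bus/pci/devices/$dev/driver"
    [ -L "$link" ] || { echo none; return 0; }
    basename "$(readlink "$link")"
}

# Emit the Proxmox command that attaches DEV to VM VMID as its first
# passed-through PCI device. Printed rather than executed so the isolation
# check above can veto it.
passthrough_command() {
    vmid=$1; dev=$2
    printf 'qm set %s --hostpci0 %s\n' "$vmid" "$dev"
}

if [ "${1:-}" = "check" ]; then
    dev=${2:-0000:03:00.0}; vmid=${3:-100}
    echo "IOMMU group members for $dev:"
    iommu_group_members "$dev" | sed 's/^/  /'
    echo "driver: $(bound_driver "$dev")"
    if group_is_isolated "$dev"; then
        passthrough_command "$vmid" "$dev"
    else
        echo "refusing: $dev shares its IOMMU group with other devices" >&2
        exit 1
    fi
fi
```

Usage on the host: find the HBA's address with `lspci`, then `sh hba_passthrough.sh check 0000:03:00.0 100`; if it prints the `qm set` line, run that line. Keeping the isolation check separate from the attach step is the point: a shared group silently drags unrelated devices into the guest, which is both a stability and a trust-boundary problem for a VM you are about to give your disks to.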