I'm the volunteer IT coordinator for our small church. We currently use a Synology NAS as a file server, surveillance controller, web server, email server and DNS. It does a decent job with most of that but it's overmatched in the web server application.
We were using an external streaming service to live stream our Sunday services. Recently, though, our ISP upgraded us to direct fiber to the premises. I'd like to use the increased bandwidth to move the video streaming onto our own hardware, as well as upgrading the web server and DNS server (Synology's DNS package doesn't support DNSSEC).
I'm in the process of building out a compact 1U server around a recycled Supermicro X9SCM-F motherboard and Xeon E3-1230 v2 CPU. The finished system will have 16GB RAM, 240GB SSD in RAID1 and 1 TB HDD storage, also in RAID1. The balance of our installation includes a commercial-grade MikroTik router and NetVanta PoE switch, with Cat 5e through most of the facility and Unifi wireless access points where the copper doesn't run.
This will be my first time using IPMI to configure a machine headless, as well as the first time to operate a machine exposed to the Internet without built-in security features such as the Auto Block built into the Synology DSM operating system (which gets a workout, from my logs!). I'd really appreciate tips on deploying this hardware and hardening it against attacks. Currently everything is running on one subnet, but our hardware supports port-based VLAN and I'm planning to implement it when the new server goes live. I also have access to a DigitalOcean droplet for testing and practice.
It seems that quite a few of the bad guys want to hack a church, so pointers to helpful information is appreciated. Thanks in advance.
Edit To Add: I'm planning to use a Linux-based operating system on the new hardware (LAMP stack).
