• 1 Post
  • 20 Comments
Joined 11 months ago
Cake day: June 20th, 2025

  • Backup drive doesn’t need to be anything more than holding your (ideally daily) backup of your main drive(s). It doesn’t need to be powered up and spinning all the time, it can be in the same computer. Spinning up and down causes major wear on hard drives, but I think spinning up once a day for backups is fine and won’t stress it.

    For example, I have 3 used enterprise drives in my computer case: 2 in BTRFS RAID1 (mirror) as a data drive and 1 with BTRFS as a backup drive. I use snapshotting to mirror the data drive to the backup drive. I then use restic to copy essential data from the backup drive to a remote cloud location (friend’s house with a 4th smaller hard drive - if I did not have a friend with a hard drive I would use Hetzner most likely). My Linux ISOs don’t go remote, but my photos do.

    Thus I have immediate redundancy (and bit rot protection) from the BTRFS RAID1 data drives, I have a local full backup with the BTRFS backup drive, and I have my essential stuff far away if the computer explodes or something.

    Edit: again, if I was going to save cash I would drop the RAID1 from the data drives and just get 1 data drive and 1 backup drive. RAID1 is never as good as an independent copy.
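As an added example (not the commenter's own script), here is a shell sketch of the three layers described in that comment: a read-only BTRFS snapshot of the data volume, an incremental send/receive mirror onto the separate backup drive, and a restic run that pushes only the essential directories to the remote repository. The paths (/data, /backup, the .snapshots directory, photos/ and documents/) and the restic environment variables are assumptions; DRY_RUN=1 prints each command instead of executing it.

```shell
#!/bin/sh
# Added example, not the commenter's own script. Nightly chain: read-only
# snapshot of the BTRFS data volume -> incremental send/receive to the backup
# drive -> restic copy of essential data only to the remote repository.
# Assumed layout: /data (RAID1 data subvolume), /backup (single backup drive),
# snapshots kept under .snapshots on both; RESTIC_REPOSITORY and
# RESTIC_PASSWORD_FILE are expected in the environment for the remote step.
# DRY_RUN=1 prints each command instead of executing it.

DATA_VOL="${DATA_VOL:-/data}"
BACKUP_VOL="${BACKUP_VOL:-/backup}"
SNAP_DIR="${SNAP_DIR:-.snapshots}"
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# Snapshot name for this run, e.g. daily-2025-06-20 (SNAP_DATE pins it for tests).
snap_name() {
    echo "daily-${SNAP_DATE:-$(date +%F)}"
}

# Newest snapshot present on BOTH drives: it can serve as the parent of an
# incremental send. Returns 1 when none exists yet (first run).
latest_common_snapshot() {
    for s in $(ls -1r "$DATA_VOL/$SNAP_DIR" 2>/dev/null); do
        if [ -d "$BACKUP_VOL/$SNAP_DIR/$s" ]; then
            echo "$s"
            return 0
        fi
    done
    return 1
}

# Step 1: read-only snapshot. Read-only matters twice: it is a valid btrfs send
# source, and a process (or ransomware) running against the data volume cannot
# modify it afterwards.
take_snapshot() {
    name=$(snap_name)
    run mkdir -p "$DATA_VOL/$SNAP_DIR"
    run btrfs subvolume snapshot -r "$DATA_VOL" "$DATA_VOL/$SNAP_DIR/$name"
}

# Step 2: the send | receive pipeline that mirrors the snapshot to the backup
# drive: incremental (-p parent) when a common ancestor exists, full otherwise.
send_pipeline() {
    name=$(snap_name)
    parent=$(latest_common_snapshot) || parent=""
    if [ -n "$parent" ]; then
        printf 'btrfs send -p %s %s | btrfs receive %s\n' \
            "$DATA_VOL/$SNAP_DIR/$parent" "$DATA_VOL/$SNAP_DIR/$name" "$BACKUP_VOL/$SNAP_DIR"
    else
        printf 'btrfs send %s | btrfs receive %s\n' \
            "$DATA_VOL/$SNAP_DIR/$name" "$BACKUP_VOL/$SNAP_DIR"
    fi
}

mirror_snapshot() {
    cmd=$(send_pipeline)
    run mkdir -p "$BACKUP_VOL/$SNAP_DIR"
    if [ "$DRY_RUN" = "1" ]; then echo "+ $cmd"; else sh -c "$cmd"; fi
}

# Step 3: off-site copy of the essential subset, read from the backup drive's
# copy of the snapshot so the data volume is not touched again. Only the named
# directories leave the house; the bulky, replaceable data stays local.
offsite_backup() {
    name=$(snap_name)
    run restic backup --tag "$name" \
        "$BACKUP_VOL/$SNAP_DIR/$name/photos" "$BACKUP_VOL/$SNAP_DIR/$name/documents"
    run restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 12 --prune
}

nightly() {
    take_snapshot && mirror_snapshot && offsite_backup
}

# Run the whole chain only when invoked as: ./backup.sh nightly (e.g. from cron)
case "${1:-}" in
    nightly) nightly ;;
esac
```

Because restic reads from the mirrored snapshot rather than the live data, the remote copy is consistent with the local backup, and the read-only snapshots on both drives give point-in-time restore points that the running system cannot silently alter.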



  • Consumer is fine then, cheapest you can. Edit: I did see people mention SMR drives, get the cheapest CMR drives. SMR is not worth the money saved for usual use cases.

    You can def wait, but do the over-under with what you can pay. External drives, even if shucked, seem to be the lowest quality drives and die earliest. May be better to get real drives now, even with inflated costs.

    Make sure you get a drive for backup. Extra outlay up front but worth it. I’d recc 1 data drive + 1 backup drive over just 2 raid1 data drives any day.


  • Now is a bad time to buy hard drives price-wise. Massive price gouging going on with all storage pre-sold based on IOUs to “AI” companies.

    If you must…

    Buy used enterprise drives with a ~5 year warranty. In the US there are serverpartdeals and goharddrives. I am not sure of the Europe equivalents but I am sure they exist. The enterprise drives should be cheaper than new drives and will last longer; they’ve been used out of their early failure bathtub curve but they’re young enough to be given a 5 year warranty. Make sure to get ones with SATA connectors, not SAS; you’ll need a PCIe card to talk to the SAS ones, and maybe something for power idk.

    They should be cheaper - I am not sure if price uncertainty has upended that.

    Enterprise drives are louder, I have them in a quiet case with sound dampening padding (fractal define) and I do not hear them 5 feet away.

    I have heard bad things about consumer drives’ longevity. I used several 1 TB Barracudas for years with no issues in a server setting, I used 3 TB Barracudas in a server setting and one failed early. I used a 4 TB Toshiba that failed early and I used an 8 TB Blue that is fine in a personal computing setting. I have bought enterprise drives and none have an issue yet.

    It seems luck of the draw, so the thing to maximize is cheapest per GB.

  • I am loving OIDC giving a single login for all the things I’ve got going, I see it as a near-essential for adding new services!

    Read-only is easy! You just need to confine where the writes happen. You use volumes for stuff you want to remember was written and tmpfs for stuff you don’t want to remember. Tmpfs for /tmp if needed, volume for the DB, good to go. It is super useful for security since only what is included in the container can be executed, greatly reducing the attack area. No way to introduce a new executable to the container! (you set noexec for tmpfs/volumes)

    I’ve seen difficult setups like a “work directory” where key files, executables, and temp files go. That structure can’t be secured, avoid that. Basically the temp files go in somewhere that’s not a big pile of a “work directory” - like /tmp - and then that structure once again works!

    Of course I wouldn’t say no to an LCARS theme either…
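Translating that comment into flags, as an added example (not the commenter's setup): a hardened `docker run` for a service whose root filesystem is read-only, with a size-capped noexec tmpfs for scratch files and a noexec host-backed volume for the database, placed next to the "work directory" anti-pattern the comment warns about and a small policy check that rejects it. The image name, the /srv/app/db host directory, the appdb volume name and the /var/lib/app/db container path are placeholders.

```shell
#!/bin/sh
# Added example, not the commenter's configuration. Runs a service with an
# immutable root filesystem, a noexec tmpfs for scratch files and a persistent
# noexec volume for the database, so nothing written at runtime can be executed.
# Placeholders: IMAGE, DB_HOST_DIR, the appdb volume and the /var/lib/app/db path.
IMAGE="${IMAGE:-registry.example/app:1.0}"
DB_HOST_DIR="${DB_HOST_DIR:-/srv/app/db}"
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# Persistent state: a named volume backed by a host directory, mounted with
# noexec,nosuid,nodev. The local driver passes "o=" straight to mount(8), so
# the DB files stay writable but can never be run.
create_db_volume() {
    run docker volume create --driver local \
        --opt type=none --opt o=bind,noexec,nosuid,nodev \
        --opt device="$DB_HOST_DIR" appdb
}

# The hardened flag set, one option per line: root filesystem read-only, /tmp
# as a size-capped noexec tmpfs, the DB on the volume above, no capabilities,
# and no privilege gain through setuid binaries.
hardened_run_args() {
    cat <<'EOF'
--read-only
--tmpfs /tmp:rw,noexec,nosuid,nodev,size=64m
--mount type=volume,source=appdb,target=/var/lib/app/db
--cap-drop ALL
--security-opt no-new-privileges
EOF
}

# The anti-pattern from the comment: one writable, executable "work directory"
# where config, binaries and temp files all land. Whatever the service can be
# made to write there, it can also be made to run.
work_dir_run_args() {
    cat <<'EOF'
-v ./work:/work
EOF
}

# Policy check over a flag list: root must be read-only, every tmpfs must carry
# noexec, and no bind of a catch-all work directory is allowed. Returns 0 if ok.
check_args() {
    printf '%s\n' "$1" | grep -q -- '^--read-only$' || return 1
    printf '%s\n' "$1" | grep -- '^--tmpfs ' | grep -qv 'noexec' && return 1
    printf '%s\n' "$1" | grep -qE -- '^(-v|--volume) .*/work($|:)' && return 1
    return 0
}

start_service() {
    args=$(hardened_run_args)
    check_args "$args" || { echo "refusing to start: flag set fails policy" >&2; return 1; }
    # shellcheck disable=SC2086  # word splitting of the flag list is intended
    run docker run -d --name app $args "$IMAGE"
}

# Bring the service up only when invoked as: ./run.sh up
case "${1:-}" in
    up) create_db_volume && start_service ;;
esac
```

The same split applies to compose files and to other runtimes: the point is that every writable path is either scratch (tmpfs, noexec, bounded size) or data (a volume, noexec), and nothing else in the container accepts writes.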

  • Thanks for taking the time to go into detail on this, it helps because I just haven’t been able to put acronyms to actionable meaning from just reading blogs and posts.

    How do things outside the LAN talk to things inside the LAN that have ULA addresses (which I’m assuming are equivalent of 10.0.0.0/16 idea)? Will devices that are given ULA addresses be NAT’d just like IPv4 or will they not be able to talk to the outside world on IPv6?

    Edit: I am getting more what you said; you answered this: the ULA addresses will not be able to talk to the outside world on IPv6 so those devices will be IPv4-only to websites that use IPv6 too. Follow-on Q would then be, is kludging NAT for IPv6 not a better solution versus ULA addresses? Or is the clear answer just use IPv6 as intended and let the devices handle their privacy with IPv6 privacy extensions?

  • Assuming you’re accessing the service (Peertube in this case) from a web browser and not an app - a thing I decided on “good enough” plus “easy enough” is Authentik sitting in front of the service.

    Thought process is: Peertube or some other service’s first job is the purpose for the service, so security likely won’t be as good as a service whose first job is security.

    Authentik can also do stuff like OIDC if the service likes it - and you can chain them together. I’ve got services that hit Authentik 1st and then after you’re allowed to talk to service then you can log in with Authentik OIDC. Some services seem to do it seamlessly, some make you click a “log in with Authentik” again - either way painless enough. Everyone I know is haunted by the MS “remember this login y/n” page that pops up every time you log into some stupid MS thing and it never matters if you choose y or n, it’ll be back. So even 2 steps are chill in comparison for them.

    Harden Authentik, and then you can apply it to any other service you want in the future too (maybe stirling PDF, don’t even need users for that). (Feel free to harden Peertube though too - just less important and likely not needed!)

    Lastly: I say “not an app” because apps can’t deal with hitting Authentik 1st afaik. APIs for apps or other purposes can be cleared to go to the service directly if you’re confident that that’ll be ok (authenticated gets and limited scope of puts, etc. but I’m unfamiliar how to be truly confident in an API’s security). But like jellyfin’s api is too dangerous to expose so no go on that - it’s VPN city.