• 1 Post
  • 19 Comments
Joined 3 years ago
Cake day: June 17th, 2023

  • As others said, spin down the drives when they’re not in use. Make sure power saving is enabled on the drives and tune them to spin down after some appropriate amount of time. (hdparm lets you customize it on Linux)

    Consider also sleeping the NAS when not in use. You can try using Wake-on-LAN to remotely wake it up when you need to use it. Saves on electricity and heat! You could also sleep it on a schedule, in case you need to be online for backups to run at particular times.


  • Licensing representation matters

    It doesn’t, because they’re the copyright owners. Think of their software as dual licensed: They run it themselves under a proprietary license, under which they reserve all rights. That has nothing to do with the AGPL version that they license to you. The AGPL doesn’t take away the rights they have as copyright owners, nor does it preclude dual licensing.

    (Are you a bot? Your reply is written like ChatGPT, and it has that self-defeating logic that ChatGPT has sometimes… e.g. you wrote that you disagree with me, but then parroted the exact thing that I said.)

  • Even if the virtualized router is down, I’ll still have access to the physical server over the network until the DHCP lease expires. The switch does the work of delivering my packets on the LAN, not the router.

    Thanks for the tip about the pfSense limit. After running pfSense for like 8 years, my opinion is that it is flush with features but overall, it’s trash. Nobody, not even Netgate, understands how to configure limiters, queues, and QoS properly. The official documentation and all the guides on the internet are all contradictory and wrong. I did loads of testing and it worked somewhat, but never as well as it should have on paper (i.e. I got ping spikes if I ran a bandwidth test simultaneously, which shouldn’t happen.) I don’t necessarily think OpenWRT is any better, but I know the Linux kernel has multithreaded PPPoE and I expect some modern basics like SQM to work properly in it.

  • I appreciate the advice. I have like 3 spare routers I can swap in if the server fails, plus I have internet on my phone lol. It’s a home environment, not mission critical. I’m glad you mentioned this though, as it made me realize I should have one of these routers configured and ready-to-go as a backup.

    My logic is partly that I think a VM on an x86 server could potentially be more reliable than some random SBC like a Banana Pi because it’ll be running a mainline kernel with common peripherals, plus I can have RAID and ECC, etc (better hardware). I just don’t fully buy the “separation of concerns” argument because you can always use that against VMs, and the argument for VMs is cost effectiveness via better utilization of hardware. At home, it can also mean spending money on better hardware instead of redundant hardware (why do I need another Linux box?).

    There are also risks involved in running your firewall on the same host as all your other VMs

    I don’t follow. It’s isolated via a dedicated bridge adapter on the host, which is not shared with other VMs. Further, WAN traffic is also isolated by a VLAN, which only the router VM is configured for.

  • How are the alternatives any better? Download a DEB that executes arbitrary code, signed with some .asc that’s sitting in the same webserver? Download an EXE?

    Your comment is so rambly that I can’t understand whether you’re criticizing the distribution method or the packaging. Both of those are very different in terms of attack surface, if you’re talking about supply chain attacks.

  • Your post couldn’t be more true. Decades ago I was sold on MythTV, this PVR software but it only ran on Linux and you had to compile it yourself. So I gave Linux and MythTV a shot. As it turned out, both MythTV and early desktop Linux were a buggy, frustrating mess. X broke all the time. Incomprehensible, ungoogleable compile errors all the time.

    I spent so much time troubleshooting MythTV and compilation problems that I ended up learning Linux inside and out and the C programming language to be able to understand the compile errors. I went on to lead a major open source project and have had a long career as a programmer, using all the knowledge I gained that started with fighting MythTV.


  • GameGod@lemmy.ca to Selfhosted@lemmy.world: Have I been DoS'd? (2 years ago)

    I don’t see anyone else actually telling you how to figure out if you’re being DoSed, so I’ll start:

    Check your logs. Look at what process is eating your CPU in htop and then look at the logs for that process. If it’s a web application, that means the error and access logs for it. If you see a flood of requests to a single URL, or some other suspicious pattern in the log, then you can try blocking the IPs associated with them temporarily and see if it alleviates the load. Repeat until the load goes down.

    If your application uses a database, check your database logs too. IIRC postgres logs queries that take longer than 5 seconds by default, which can make it easy to spot a slow query especially during a time of high load.

    I don’t think DNS amplification attacks over UDP are likely to be a problem as I think most cloud providers filter traffic with forged src addresses (correct me if I’m wrong). You can also try blocking all inbound UDP traffic if you suspect a UDP flood but this will likely break DNS lookups for you temporarily. (your machine should not have any open UDP ports in any case though if you’re just running Lemmy).

    If you want to go next level, you can use “perf” to generate a system-wide profile and flamegraph which will show you where you’re burning CPU cycles. This can be extremely useful for troubleshooting performance or optimizing applications. (you’ll find that even ipfilters takes CPU power, which is why most DDoS protection happens on dedicated hardware upstream)
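As an added example (not the commenter's code), a small Python script that does the log check described above mechanically: it parses combined-format access log lines and reports IPs whose request count spikes inside a sliding time window, plus paths that dominate the traffic. The log format, the thresholds and the sample log lines are assumptions.

```python
# Added example, not code from the post: flag request floods in a combined-format
# access log the way the comment suggests doing by eye. Sample lines are constructed.
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, path), or None for a line that is not a request record."""
    m = LOG_RE.match(line)
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"]) if m else None

def find_floods(lines, window_s=60, per_ip_limit=100, path_share=0.5):
    """Return (noisy_ips, hot_paths): IPs whose request count inside any window_s-second
    window exceeds per_ip_limit, and paths receiving more than path_share of all requests."""
    recs = [r for r in map(parse_line, lines) if r]
    by_ip, paths = defaultdict(list), Counter()
    for ip, ts, path in recs:
        by_ip[ip].append(ts)
        paths[path] += 1
    noisy = {}
    for ip, times in by_ip.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() >= window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > per_ip_limit:
            noisy[ip] = peak
    total = len(recs)
    hot = {p: n for p, n in paths.items() if n > path_share * total}
    return noisy, hot

# Constructed sample: one client hammering a single API path, plus two ordinary hits.
SAMPLE = [
    f'203.0.113.7 - - [17/Jun/2023:10:00:{i % 60:02d} +0000] '
    f'"GET /api/v3/post/list HTTP/1.1" 200 512 "-" "curl/8.0"'
    for i in range(150)
] + [
    '198.51.100.2 - - [17/Jun/2023:10:00:05 +0000] "GET /u/alice HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [17/Jun/2023:10:00:09 +0000] "GET /c/selfhosted HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    noisy, hot = find_floods(SAMPLE)
    print("noisy IPs (candidates for a temporary block):", noisy)
    print("hot paths (check the application log for these):", hot)
```

Feed it the real access log (`find_floods(open("/var/log/nginx/access.log"))`) and tune the window and limits to the traffic a normal day produces; the output is a shortlist to verify against the application log, not an automatic blocklist.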