kumi

I have a few different makes of these and have been surprised by how big PSU I had to put (versus on-the-wall measured wattage) for them to not occasionally randomly fail and cutting a drive off until reboot. I guess it's spikes they don't handle well. Besides that, the cards themselves obviously add some overhead in that department. Something to consider if low-power is a priority.

There has also been one or two drives that just wouldn't work at all with either card, but were fine in individual slots. Vaguely suspecting drive firmware there.

They do serve their purpose well but just to add some catches for anyone eyeing them. Startech is the brand I had the least glitches with FWIW but keep in mind that's just one anecdote.

Also ask yourself if you really need PCIe4 because the PCIe3 models are quite a bit cheaper, cooler and more stable.

Oh, and make sure your motherboard supports PCIe bifurcation. Especially for older computers that's not always a given.

I repeat myself but check out Odroid H4+.

4 SATA ports and if you split one m2 port you can also put 3 pcie3 nvme (you could split one port up to 4 but just one lane per drive is bit sad).

Same idea as the cheapo miniPCs on Ali except you actually have a shot at BIOS upgrades and not as dodgy supply chain.

https://www.hardkernel.com/shop/odroid-h4-plus/

If you put BIOS in power efficiency mode it can run fanless as long as the ambient temperature isn't balming.

If it's really just for NAS this is still more than you really need. You could get away a lot cheaper and leaner with something like the ARM-based HC4.

https://www.hardkernel.com/shop/odroid-hc4/

Or check out Jeff Geerlings PiNAS shenanigans.

The Beelink looks all right. Personally I prefer the flexibility of non-soldered RAM but I guess it's mainly a question of how much of an out-of-box experience you are looking for.

Seeed Studio reServer is also nice, though that's on the beefier and pricier side.

https://www.seeedstudio.com/reServer-Compact-Edge-Server-powered-by-11th-Gen-Intelr-Coretm-i3-1115G4-p-5087.html

Odroid H4+ (Intel N97 4c; comparable to the CPU of that Protectli) and H4 Ultra (Intel N300 8c) also worth considering. Versatile units from a small established Korean maker.

https://www.hardkernel.com/shop/odroid-h4-plus/

https://www.hardkernel.com/shop/odroid-h4-plus/

https://www.hardkernel.com/shop/h3-h2-net-card-2/

If you plan on virtualizing or running a bunch of containers on it I think it's worth looking at the higher-core models and more RAM. If it's just for OPNSense, such 4c with 8G should be plenty.

Also, if you can afford, I strongly suggest getting two of whatever you go for and not doing anything important with the secondary. It really sucks if you have some unexpected issue (hardware failures and OS regressions can happen to anything) and don't have anything on hand to replace your main router with. Since you'll be labbing it can also be very freeing to have a testing/dev/staging/playground/debugging device with the same hardware and messing around won't take down your production network. IMO this is higher priority than higher specs if you have to do tradeoffs.

USB enclosures tend to be less reliable compared to SATA in general but I think that is just FUD. It's not like that's particularly bad for software RAID compared to running with the enclosure without any RAID.

The main argument for not doing that is I believe mechanical: Having more moving parts mean things might, well, move, unseating cables and leading to janky connections and possibly resulting failure.

You will kill your USB controller, and/or the IO boards in the enclosures

wat.jpeg

Source: 10+ years of ZFS and mdadm RAID on USB-SATA adapters of varying dodginess in harsh environments. Of course errors happen (99% it's either a jiggly cable, buggy firmware/driver, or your normal drive failure) but nothing close to what you speak of.

Your hardware is not going to become damaged from doing software RAID over USB.

That aside, the whole project of buying new 4TB HDDs for a laptop today just seems misguided. I know times are tight but JFC why not get either SSDs or bigger drives instead, or if nothing else at least a proper enclosure.

If you consider ZFS and don't mind having the machine offline for a day or two you could fill it up with real (backups!) or a bunch of representative fake data and run some tests/benchmarks before you fully commit. It depends a lot on how the data is structured and what you're running on it and it's possible it will run fine.

On nginx, most of the upstream work on new features is in Nginx Plus, not benefitting free nginx. Several nginx devs have been disagreeing with the way this has been done and the way the project is being managed and left to work on forks. Maybe people who agree with the OP sentiment should look into freenginx and angie.

https://www.phoronix.com/news/Nginx-Forked-To-Freenginx

https://mailman.nginx.org/pipermail/nginx-devel/2024-February/K5IC6VYO2PB7N4HRP2FUQIBIBCGP4WAU.html

https://en.angie.software/angie/docs/

http://freenginx.org/

Some things that happen when I go to duckduckgo.com that also go against that:

• Harvesting the third-party cookies it can (example: github.com)
• Attempting to enumerate browser extensions
• Attempting to enumerate crypto wallet addresses from extension wallets like MetaMask

It's extremely nosy. They used to do canvas fingerprinting until browsers started prompting about it.

IDK about the claim of directly selling searches to IG and likely it's a bit more convoluted than that (or OP has malware) but it's a more believable idea than that of DDG actually being respectful of user privacy. There is absolutely no legitimate reason for DDG to gather this data for the purpose of providing their search service, yet they do.

The OP is about hosting forwarding or recursive DNS for lookups, not authoritatative DNS hosting (which would be yet at least one separate server).

I count two servers (one clusterable for HA). How is that a lot for a small LAN?

More would also be normal for serving one domain internally and publicly. Each of these can be separate:

• Internal authoriative for internal domain
• Internal resolvers for internal machines
• Internal source-of-truth for serving your zone publicly (may or may not be an actual DNS server)
• Public-facing authoritative for your zone serving the above
• Secondary for the above
• Recursing resolver of external domains for internal use

Some people then add another forwarding resolver like dnsmasq on each server.

It seems the DHCP is handing out the fire wall’s ip for DNS server, 100.100.100.1 is that the expected behavior since DNSmasq should be forwarding to TDNS 100.100.100.333. Why not just hand out the TDNS address?

You could and that should work but then it's not called forwarding anymore. It does forwarding because that's what you configured. Both approaches are valid.

I have an opnsense firewall with DNSmasq performing DHCP and DNS forwarding to the Technitium server

Your initial instinct was right, you do want to auto-apply security fixes.

unattended-upgrades does allow you to configure this somewhat.

You could try this https://feddit.online/post/1359926#comment_6688858

Doesn't sound like this is screen blanking as it happens during use but to rule it out you could temporarily disable that with xset -dpms and xset s off on X11. https://wiki.archlinux.org/title/Display_Power_Management_Signaling#Xorg

I suspect this machine might be memory constrained and if so zfs might push it to its limits if it's already close.

If it has <8G and doesn't already have decent headroom I'd think twice about ZFS depending on how its going to be used