SeeJayEmm

@SeeJayEmm@lemmy.procrastinati.org

Mastodon: @SeeJayEmm

Blog: @seejayemm

SeeJayEmm ,

If you want the small footprint and power costs are a concern, look for a second-hand mini computer. Dell, Lenovo, Intel NUC.

Something like this as an example.

SeeJayEmm ,

No but less power hungry than a full desktop. It's a good trade-off between power and performance.

SeeJayEmm ,

We had those bullshit apps on PC before Android was a glimmer in its Mama's eye. Why is Microsoft pushing that crapware?

SeeJayEmm ,

I think that's illegal in some places, like California and the EU.

SeeJayEmm ,

Weird I still see the comment. I wouldn't even know it was deleted if you hadn't said something.

Good file servers for Proxmox?

Hello! I have Proxmox VE running on a Dell R730 with an H730. Proxmox manages the disks in a ZFS RAID which is exactly how I want it. Because I intend for this server to have a NAS/file server, I want to set up a container or VM in proxmox that will provide network storage shares to domain-joined systems. Pretty much everything...

SeeJayEmm ,

I've been happily running Open Media Vault in a Proxmox VM for some time now.

SeeJayEmm ,

I didn't pass any phy disks through, if that's what you mean. I'm using that system for more than OMV. I created disks for the VM like I would any other VM.

SeeJayEmm OP ,

Kinda feel dumb that my answer is no. Let me do that and report back.

SeeJayEmm OP ,

Short test completed without error.

SeeJayEmm OP ,

I would start by making sure you have good recent backups ASAP.

I do.

Could be as simple as a service logging some warnings due to junk incoming traffic, or an update that added some more info logs, etc.

Possible. It's a really consistent (and stark) degradation in performance tho and is repeatable even when the opnsense VM is the only one running.

SeeJayEmm OP ,

While you’re waiting for that, I’d also look at the smart data and write the output to a file, then check it again later to see if any of the numbers have changed, especially reallocated sectors, pending sectors, corrected and uncorrected errors, stuff like that.

That's a good idea. Thanks.

SeeJayEmm OP ,

It's an old Optiplex SFF with a single HDD. Again, my concern isn't that it's "slow". It's that performance has rather suddenly tanked and the only changes I've made are regular OS updates.

SeeJayEmm OP ,

I'm trying to think of anything I may have changed since the last time I rebooted the opnsense VM. But I try to keep up on updates and end up rebooting pretty regularly. The only things on this system are the opnsense VM and a small pihole VM. At the time of the screenshot above, the opnsense VM was the only thing running.

If it's not a failing HDD, my next step is to try and dig into what's generating the I/O to see if there's something misbehaving.

SeeJayEmm OP ,

I'm starting to lean towards this being an I/O issue but I haven't figured out what or why yet. I don't often make changes to this environment since it's running my Opnsense router.

root@proxmox-02:~# zpool status
  pool: rpool
 state: ONLINE
status: Some supported and requested features are not enabled on the pool.
        The pool can still be used, but some features are unavailable.
action: Enable all features using 'zpool upgrade'. Once this is done,
        the pool may no longer be accessible by software that does not support
        the features. See zpool-features(7) for details.
  scan: scrub repaired 0B in 00:56:10 with 0 errors on Sun Apr 28 17:24:59 2024
config:

        NAME                                    STATE     READ WRITE CKSUM
        rpool                                   ONLINE       0     0     0
          ata-ST500LM021-1KJ152_W62HRJ1A-part3  ONLINE       0     0     0

errors: No known data errors
SeeJayEmm OP ,

I thought cheap SSDs and ZFS didn't play well together?

SeeJayEmm OP ,

I may end up having to go that route. I'm no expert but aren't you supposed to use different parameters when using SSDs on ZFS vs an HDD?

SeeJayEmm OP ,

Thanks for all the info. I'll keep this in mind if I replace the drive. I am using refurb enterprise HDDs in my main server. Didn't think I'd need to go enterprise grade for this box but you make a lot of sense.

SeeJayEmm OP ,

This was really interesting, thanks for the info.

SeeJayEmm OP ,

I've done a bit of research on that and I believe upgrading the zpool would make my system unbootable.

SeeJayEmm OP ,

Proxmox is using ZFS. Opnsense is using UFS. Regarding the record size I assume you're referring to the same thing this comment is?

You can always find some settings in your opnsense vm to migrate log files to tmpfs which places them in memory.

I'll look into this.

SeeJayEmm OP ,

I'm referring to this.

... using grub to directly boot from ZFS - such setups are in general not safe to run zpool upgrade on!

$ sudo proxmox-boot-tool status
Re-executing '/usr/sbin/proxmox-boot-tool' in new private mount namespace..
System currently booted with legacy bios
8357-FBD5 is configured with: grub (versions: 6.5.11-7-pve, 6.5.13-5-pve, 6.8.4-2-pve)

Unless I'm misunderstanding the guidance.

SeeJayEmm OP ,

That cheat sheet is getting bookmarked. Thanks.

SeeJayEmm OP ,

Media should exist in its own with a tuned record size of 1mb

Should the vm storage block size also be set to 1MB or just the ZFS record size?

SeeJayEmm OP ,

Thanks I may give it a try if I'm feeling daring.

SeeJayEmm ,

That very much depends on what you want to do.

The self hosted mailing list has a directory of apps they track.

There's also the Awesome Self hosted.

SeeJayEmm ,

Zabbix & Grafana for supervision

@foremanguy92_ personally I prefer CheckMk over Zabbix. I found Zabbix to be an absolute pig. Both are on the complex side. But really, you probably just need something like Uptime Kuma.

Why is replacement for home device controls so complicated?

I recently learned about Home Assistant here on Lemmy. It looks like a replacement for Google Home, etc. However, it requires an entire hardware installation. Proprietary products just use a simple app to manage and control devices, so can someone explain why a pretty robust dedicated device is necessary as a replacement? The...

SeeJayEmm ,

Yes. That's why it's called the Internet of things. Every "smart", wifi connected, device you have uses that connection to communicate with a remote server. The app on your phone does the same to control the light.

Check out Zigbee for an example of local control.

SeeJayEmm ,

I wish I'd seen this before the minor hell I went through learning how to geoip block via iptables. 😁

It looks interesting. I think my only real concern is security. There's a lot of people using and working on nginx so, presumably, more people to identify bugs and squash them.

SeeJayEmm ,

I'm still curious tho. I'll probably set it up for some internal only sites to test.

SeeJayEmm ,

Nightly backups to a repurposed qnap running pbs. I'm fully aware it's overkill but it gives me some peace of mind.

SeeJayEmm ,

I've got PBS setup to keep 7 daily backups and 4 weekly backups. I used to have it retaining multiple monthly backups but realized I never need those and since I sync my backups volume to B2 it was costing me $$.

What I need to do is shop around for a storage VM in the cloud that I could install PBS on. Then I could have more granular control over what's synced instead of the current all-or-nothing approach. I just don't think I'm going to find something that comes in at B2 pricing and reliability.

SeeJayEmm ,

A newbie should be running AIO in docker, which in my experience, has been pretty solid.

What to be aware of before opening port 25 on a postfix Raspberry Pi?

I have a raspberry pi running postfix. I realised unless I open port 25 I absolutely cannot receive emails (I have 587 open and can send but not receive them). However I heard there are scaries online which someone could potentially send emails from your server without consent. I believe as well my ISP doesn't block port 25. Is...

SeeJayEmm ,

And even if you do everything 100% right, your emails will mostly get flagged as spam if not outright blocked anyway. Esp. if you're using a residential IP.

SeeJayEmm ,

Alternatively, I could have a reverse proxy in the DMZ only for the public service and another reverse proxy on the LAN for internal services.

I do exactly this now. Public facing services sit in a dmz vlan with a rev proxy. I almost did a 2 tiered dmz but decided it was overkill.

Private services sit on an inside vlan.

SeeJayEmm ,

Plus, the internal and external services are running on the same box. Is that where my real problem lies?

It's one of them, yes.

If you want to limit exposure in the case of a compromise you need to put everything public facing in its own vlan that cannot initiate traffic into your lan.

Looking for a reverse proxy to put any service behind a login for external access.

I host a few docker containers and use nginx proxy manager to access them externally since I like to have access away from home. Most of them have some sort of login system but there are a few examples where there isn't so I currently don't publicly expose them. I would ideally like to be able to use totp for this as well.

SeeJayEmm ,

I agree with everything everyone else has said here but if you're looking for the most basic solution it's already in NPM. You can configure basic auth in an access list and apply it to the site.

SeeJayEmm ,

Nah. Your question was fine. The person who responded to you was just wrong. Hopefully you've seen the other replies to their comment.

Is there much performance difference in ad blocking options?

I'm currently using the blocklists included with unbound in opnsense on a mini PC and I have used pihole on a pi which now operates my 3d printers instead. I haven't tried any of the other network wide options. Has anyone made any blog posts or similar detailing performance testing of different options?...

SeeJayEmm ,

Redundancy is really important when it affects other people, IMO. Personally I use 2 piholes kept in sync with gravity-sync.

SeeJayEmm ,

Route 53 does. I've got a couple there now.

SeeJayEmm ,

You can do most if not all of this with CheckMk but it's probably overkill.

SeeJayEmm ,

I'm not having issues that I'm aware of, but that site always returns Network Request Failed and I haven't figured out why.

SeeJayEmm ,

I'm sorry I don't have a suggestion but have you checked the Awesome Self Hosted list?

SeeJayEmm , (edited )

I'd like to centralize auth but I haven't dug into it yet. My concern is, can it be distributed? I have services spread across my homelab and multiple vpses. I don't want to lose auth if any of those is down.

SeeJayEmm ,

I've been using nearlyfreespeech.net for a very long time. They're a small, reliable, outfit that's been around forever and definitely respects your privacy.
