glizzyguzzler

Arch’s design is key for user devices - it gets you the fixes you need now with good enough guard rails that usually it’s all good!

But that’s not the design you want for a 24/7 server that’s likely headless. You want that server to have the security updates and to get them installed asap without worry about stability. Literally for years now I’ve never had unattended upgrades cause any issue, and I’ve taken that system from 11 to 13 now. And I’ll look at in a month (maybe) while it continues to do DNS and serve up vidz

Debian on a laptop would be akin to a skeleton waiting on food/water; you’ll get that fix for sleep in 14 (maybe). It’s workable - just like Arch is workable for a server - but it’s just not the ideal role.

Both designs exist for a reason though, and that’s cause they both have their strengths!

Reading that is wild

Why are you doing Arch on a server? You want to tinker forever and read the update notes like a hawk lest the server implode forever?

Arch isn’t gonna be noticeably leaner than Debian.

Get Debian, install docker and/or podman, set unattended upgrades, and then install Incus if you need VMs or containers down the line. You can stick on ZFS and it’ll be fine, you already have BTRFS for basic mirrors. Install Cockpit and you’ll have a nice GUI. Try not to think you have to fiddle with settings, the maintainers for each package/service have set it so it works for most people (and we’re most people!); you’ll only need to intervene on an handful of package configs. All set and it’s not proprietary.

One of the best uses of encryption is that you can pull drives that die and not have to try to wipe them as they die or smash them. They’re encrypted so it’s just gibberish. Mostly the reason to encrypt.

I auto-unlock with two things: a USB drive I put in the computer that it looks for and another computer on the network that hosts an unlock file. I’m not defending against nation-states or the Gestapo, regular rubes won’t notice the pi zero hidden that hosts the network file. USB drive is for just-in-case so I don’t have to type that long ass password ever.

I didn’t try hard, but I’m not sure how to make auto-unlocking more secure.

I put a tiny NAS in my parents’ house (cheapest ARM synology 2-bay). It backs up their computers (a first, of course, but the photos are safe now!) and my server sends its TBs to there too. Upfront is large because you need to put in two big drives plus a lil NAS. But no $/mo, thanks parents.

For over a few TB Hetzner and the like really hit hard (€21/mo for 10TB at Hetzner storage box). Depends how much disposable income you have/want to ensure data is good. Now-a-days €21/mo is like 1 Disney/Hulu/bullshit, that price is obviously over inflated but it makes you feel less bad about spending it on cold, hard, remote backups of your big ass data.

Ignore the peeps saying not to use a regular pci-e card. Old recc, ASmedia ones are ideal good for 4-6 ports. 8+ you need to dabble in LSI shenanigans. The ASmedia ones use way less power and are worth it if you don’t need 8+ ports. You get all the features you want, they look and act like real SATA ports.

Check these guides (not just applicable to unraid, I don’t use unraid, but they cater towards a “ez straightforward” crowd so they make relatively concise and vetted info dumps):

https://forums.unraid.net/topic/102010-recommended-controllers-for-unraid/

https://forums.unraid.net/topic/41340-satasas-controllers-tested-real-world-max-throughput-during-parity-check/

I am digging this, thanks for keeping it updated and improving it!

I see that you say it’s feature complete / no user stuff; but it’d really mesh well if it took OIDC authentication. Don’t need it to make users or anything, just instead of the password popup the OIDC provider is asked for confirmation that whatever user registered with the OIDC is logged in. That’d let me leverage extra 2FA protection from the OIDC provider and juice on that one-login life.

Now I have no experience making OIDC crap work nor how it even works behind the scenes, so I can’t help :( sorry; just wishful thinking.

Also saw on your github - hope our newly shit-out gestapo don’t bother you!

If you’ve got Debian already installed, I cannot resist advocating for Incus (stable branch from Zabbly repo with web ui https://blog.simos.info/how-to-install-and-setup-the-incus-web-ui/) in lieu of proxmox. Does the same thing but you don’t have to rip out the kernel Debian uses.

With Debian 13 you have access to podman quadlets, use that for any non-vm needs. The ease of docker compose files easily removes reason for programs in LXC containers, and podman removes reason for docker in an LXC. LXC is left only for programs that aren’t containerized. VMs for security DMZ. Podman for bulk of stuff you want.

Good luck!