USB enclosures tend to be less reliable compared to SATA in general but I think that is just FUD. It’s not like that’s particularly bad for software RAID compared to running with the enclosure without any RAID.

The main argument for not doing that is I believe mechanical: Having more moving parts mean things might, well, move, unseating cables and leading to janky connections and possibly resulting failure.

You will kill your USB controller, and/or the IO boards in the enclosures

wat.jpeg

Source: 10+ years of ZFS and mdadm RAID on USB-SATA adapters of varying dodginess in harsh environments. Of course errors happen (99% it’s either a jiggly cable, buggy firmware/driver, or your normal drive failure) but nothing close to what you speak of.

Your hardware is not going to become damaged from doing software RAID over USB.

That aside, the whole project of buying new 4TB HDDs for a laptop today just seems misguided. I know times are tight but JFC why not get either SSDs or bigger drives instead, or if nothing else at least a proper enclosure.

The OP is about hosting forwarding or recursive DNS for lookups, not authoritatative DNS hosting (which would be yet at least one separate server).

I count two servers (one clusterable for HA). How is that a lot for a small LAN?

More would also be normal for serving one domain internally and publicly. Each of these can be separate:

• Internal authoriative for internal domain
• Internal resolvers for internal machines
• Internal source-of-truth for serving your zone publicly (may or may not be an actual DNS server)
• Public-facing authoritative for your zone serving the above
• Secondary for the above
• Recursing resolver of external domains for internal use

Some people then add another forwarding resolver like dnsmasq each server.

It seems the DHCP is handing out the fire wall’s ip for DNS server, 100.100.100.1 is that the expected behavior since DNSmasq should be forwarding to TDNS 100.100.100.333. Why not just hand out the TDNS address?

You could and that shoukd work but then it’s not called forwarding anymore. It does forwarding because that’s what you configured. Both approaches are valid.

I have an opnsense firewall with DNSmasq performing DHCP and DNS forwarding to the Technitium server

I suspect this machine might be memory constrained and if so zfs might push it to its limits if it’s already close.

If it has <8G and doesn’t already have decent headroom I’d think twice about ZFS depending on how its gong to be used

I worry I could be risking data corruption or something swapping to this setup

I really hope this is just a turn of speech and you’re not actually planning to put swap on those HDDs

Nope but I guess a workaround would be to make a oneshot workaround-nvidia-gpu.service systemd unit file that runs the command and have the lxc autostart depend on it?

Might be something about PCI resets that running the command triggers 🤷‍♀️

Internet should work if i disable the vpn app though, so idk what’s wrong there.

I don’t suppose you enabled the kill-switch feature?

https://mullvad.net/en/help/using-mullvad-vpn-app#temporarily-blocked-internet

Operating and securing Postgres is a steeper learning curve.

You can replicate across more than one provider and do automated regular monitoring that backups are still accessible.

If one goes down you hopefully have time to figure out a replacment before the other(s) do.

Probably not worth it for a bunch of xvid dvdrips or historical archives of full system-level backups but for critical data it’s sensible.

No errors or output from the add?

I don’t see anything wrong in what you are doing assuming you have permissions but if it’s just for your user you can flatpak --user to install in your homedir instead of system-wide.

Also convenient for distro-hoppers as you can just share or copy the flatpak dirs between home directories so you don’t even have to redownload for every reinstall.

What you can do is segregate networks.

If the browser runs in, say, a VM with only access to the intranet and no internet access at all, this risk is greatly reduced.

LVM itself does not provide redundancy, that’s RAID.

I think this is potentially a bit confusing.

LVM does provide RAID functionality and can be used to set up and manage redundant volumes.

See --type and --mirror under man 8 lvcreate.

My next suspicion from what you’ve shared so far apart from what others suggested would be something out of the http server loop.

Have you used some free public DNS server and inadvertently queried it with the name from a container or something? Developer tooling building some app with analytics not disabled? Any locally connected AI agents having access to it?

You say you have a wildcad cart but just to make sure: I don’t suppose you’ve used ACME for Letsencrypt or some other publicly trusted CA to issue a cert including the affected name? If so it will be public in Certificate Transparency Logs.

If not I’d do it again and closely log and monitor every packet leaving the box.

In this case they are apparently fine with a personal computer being used

Where? Looks ambiguous. From all we know this is a work computer provided by the employer. It’s more likely to be an oversight or deprioritized/neglected.

which makes RDP actually a slightly more secure solution

I do not see how that folllows.

If both the company and employee are indeed fine with the RDP, it should be no problem to get that confimed from IT in writing.

Separate your personal and work computer

nods enthusiastically
Important for security of both the employee and the company. It’s the only thing that makes sense!

Put Windows and all work related software on a separate work laptop and use remote desktop from your Linux PC to do your job.

What? No! Keep them separate! This is how people get pwned. Don’t backdoor your employers machine from your personal PC or vice versa!

Enjoy the bots, griefers, and if there’s user-generated content, illegal stuff.

This problem comes especially as the wider network grows you get and break out of being niche, and not linearly. Trust, identity and authenticity is not a fully solved problem in a decentralized setting, especially in the implementation side. This is the wider moat of the incumbents and also a challenge for them. Look at how Signal still roots everything in SMS and are paying millions in fees for it.

This is not to say don’t have open registrations, just be prepared for handling stuff if you do. And think up a strategy on how you plan on handling liabilities.

It’s not an unsolvable problem but I think the wider FLOSS community needs to get over its blockchain/crypto aversion and be more open-minded about technology - while the wider crypto community needs to get over their NIH syndrome and come back to first principles and fundamentals - before we can get something that doesn’t fall apart when real traction hits.

dnf --cacheonly

There’s some spam and griefing happening to Debian and Arch trackers and DHT.

PeerBanHelper is like a spam filter for torrent clients.

https://github.com/PBH-BTN/PeerBanHelper/blob/dev/README.EN.md

On 1: Autoseeding ISOs over bittorrent is pretty easy, helps strengthening the commumity distribution, and makes sure you already have the latest stable locally when you need it.

While a bit more resource intensive, running a full distribution package mirror is very nice if you can justify it. No more waiting for registry sync and package downloads on installs and upgrades. apt-mirror if you are curious. While not as resilient there is also apt-cacher-ng to at least get a seamless shared package cache on the local network.