

truly a passionate dev
we should call them terrorists before they tag us as terrorists. Because that’s what they are.
last time I checked it was still kept in secret who are the members of the HLG
I have good news. I have just read the Proxmox 8.4 changelog, and they added support for using virtiofs with VMs, so now using it does not seem to require hacks anymore! But the limitation with databases probably still applies.
@RedBauble@sh.itjust.works unsure if you have read it already so tagging.
I run proxmox, and proxmox manages the zfs pool, there are VMs for important and convenience services, where important only hold things needed for the machine to work (so networking related) and metrics. I also have a desktop VM for the occasional use, and you can install opnsense later if you want an advanced firewall for VLANs and maybe internet too.
the storage is made accessible through virtiofs shares, but setup is quite hacky, and some things don’t like it (like it can’t store any kind of databases) because virtiofs works technically like a network filesystem, and does not support some consistency features (yet?). maybe ceph would be a solution, it is natively supported by proxmox.
if I were to build a new one, I would try out TrueNAS, its newer linux based version. I heard that can run VMs too if needed. I suspect that it can be more user friendly, but I haven’t used its web interface yet ever.
Opening a port doesn’t mean you are opening your whole home network just the specific services you want.
until a new high severity vulnerability gets discovered and some bot exploits it on your server, taking it over. and you won’t even know. if they were a bit smart, you won’t notice it ever either.
but there’s more! it’s not only the reverse proxy that can be exploited! over the past few years, jellyfin has patched a dozen vulnerabilities, some of which allowed execution of arbitrary system commands. one of the maintainers has expressed that nobody should be running those old versions anymore, because they are not safe even only on the LAN. and this was just jellyfin.
if that’s true, I assume it is because they don’t know about the security consequences, nor about more secure ways. and for 99% that is the worst solution, because they won’t tighten security with a read only filesystem, DMZ and whatnot, worse, they won’t be patching their systems on schedule, but maybe in a year.
99% of users should not expose any public services other than wireguard or something based on it. on a VPS the risk may be lower, but on a home network, hell no!
yeah! that’s what I am thinking too, have been for years now. but at the same time babies are booming in the area (not russia, but east eu) so obviously a lot of people think differently.
my last experience with it was a half empty documentation, and a config structure that signaled to me that they dropped a lot of features for v2 release that they initially wanted to have, which has additionally made understanding their config structure harder. and that hasn’t improved for years.
The funnel exposes your local services to the public over https. Like what you want to accomplish with reverse proxy.
they did not say they want it public, and that’s an additional security burden they may not need
tailscale is not the same as nginx or any reverse proxy, though. I don’t expose anything publicly, but I still wouldn’t stop using a reverse proxy
8 GB RAM or more. OS installed either to SSD, or a HDD that does not store service data (for performance). a modern CPU with at least 4 cores. modern means it has at least AES and AVX2 instruction sets to do math quickly, but probably you can just pick one made in the last 10 years, with less years generally meaning better energy efficiency.
what kind of services do you want to host on it? initial plans, perhaps longer term plans?
their point is unambiguous to me. it is that it is more complex to check if something was done according to a regulation, compared to checking if it was done at all.