Not as o̸̯̪̳̫͗f̴̨͇̉̉̀ͅt̶̢̩̞̽̾̆ẽ̶̳n̸̩͓̯̼͑̃̀̉ ̶̛̜̘̠̉̍̕a̸̭͆̓̀s̴̙͚̮̣̊ ̷̮̽̀Ị̷̬͓̀̕ ̸̧̨̜̥̄͠ş̸̨̫̼͔̠̘͕̮̫̥̘̜͉͖̦̱̭͕̟͕̳̩͎̅̍̿̓̆̈̍̏͛͛̋̈́̇̅̑̓̀̊͗͘͝͝͝͠h̸̢̡̢̢̖͖̝̦̰̤̦͉̒̀̋̾̉̈́̏́̉ơ̶̢̲̤̩͈̹͙̯̝͕͕͔̱̌̀͛̑͑̏̓̔͐͋̆ŭ̶̧̢͙͉̭̮̺͚͍͙̮̫̩̮͓͉͗͗̃̏͊̀̽̂̏͊̎̐̓̌̕͝͠l̸̖̙̩̖̈͗́̀̓̀͗̏͑̊̃̓͋͛̕͠͝d̷̳̼̆́͛̀̆̽́͑̏͂͌͘

Wow. I was thinking of setting up immich. Why is it crippling your unraid server?

This is what I found, a Discord bot. Hopefully GP comes back with an answer.

I’m looking at Talos on my Proxmox cluster as VMs. I’m trying to automate it all through ansible and currently stuck trying to bootstrap my secrets manager. Somewhat of an analysis paralysis at the moment. Thinking of using a cloud hosted one with some kind of a local passthrough cache in case the WAN connection gets disrupted.

Yea either failover or an active/active virtual switch… I’ve been toying with hyperconverged infrastructure and I wanted to bring my network infra into the fold, been looking at OVS. Not for any particular use case, just to learn how it works and I really like the concept of horizontally scaling out my entire infra just by plugging in another box of commodity hardware. Also been toying with a concept of automatically bootstrapping the whole thing.

For home use, if used in an HA setup, the change window issue should disappear. Do you see any other issues that might crop up?

Do you run Talos on bare metal or on something like Proxmox? Care to discuss your k8s stack?

Yea that’s the whole trusting trust thing. You can theoretically set up hour browser to only trust your private CA and not trust any of the publicly trusted CAs. Depends on your threat model I suppose.

Because a private CA allows you to create a certificate and nobody else has the ability to create certificates unless you give them the keys or a signing CA. With Let’s Encrypt, you are trusting every major certificate authority to not create a cert on your domain; coupled with DNS poisoning means you would end up on a legit-looking but counterfeit website of yours.

You’ll have to explain that one to me.

1. Never host anything that is externally accessible
2. If you have to, put it behind a VPN (OVPN, Wireguard, IPSec, Tailscale, etc.)
3. Certificate based authentication is preferred for VPN tunnels
4. Always TLS encrypt your actual endpoints. Private CAs are most secure but a pain in the ass. Let’s Encrypt is very simple to set up in most cases.

Just my 2 cents.

I have been burned by WD Red on SMR drives, so I will just say Fuck You WD. That is all.

Services the only supported sqlite databases struggled (Jellyfin). Anything that worked with postgresql worked like a charm. So trick on the sqlite ones is a local PV then do a task to copy to NFS periodically.

My setup was a central NAS hosting an NFS server then each Pi mounted PVs from the NFS CSI driver over the network and I only used local storage to boot the OS.

I manually manage the media files but I do assign the categories, I just mount it on Jellyfin as read only so it can’t make any changes and it stores the metadata and album art on the Jellyfin system partition.

Raspberry Pi 4 4GB handled it just fine for me the last couple years.

Figure out why my new 10GbE NIC won’t read in my repurposed gaming rig (now server), get all my storage migrated over to Ceph, transition my services over to Proxmox hosted Talos k8s stack from my RPi-hosted k3s stack.

A relatively newish SBC can run Jellyfin and even do some light transcoding (single stream full HD or 2-3 streams SD).

I love Jellyfin (kind of love/hate haha), but I would never trust it to manage my media files themselves.

Definitely check out k3s. I ran a 7 node arm64 cluster for a couple years and it served me well. I’ve since graduated to proxmox/ceph and all that, wish me luck 😅