True. I knew I should have left that as “NFS 4” because someone would comment this. From what I’ve read (never used it), NFS 3 is very different to 4 and also just kind of not worth using, especially just for Windows, since it has no security at all.
2xsaiko
- 0 Posts
- 78 Comments
Joined 2 years ago
Cake day: June 12th, 2023
You are not logged in. If you use a Fediverse account that is able to follow users, you can follow this user.
Please just use Kerberos instead of fiddling with uids. It’s the only sane way to get NFS access controls and user mapping. Works on both Linux and macOS (but there’s no NFS on Windows anyway).
I’d say you can run the Kerberos KDC on the NAS but if Synology has some locked down special OS you’ll need another machine for that (edit: but you say you have other servers already so that shouldn’t be a problem).
Unfortunately SMB is so screwed that you can’t reuse ordinary Kerberos for authentication there, which is unfortunate if you want to have both that and NFS. I’ve yet to look into whether Samba AD can be used for both.
11·26 days agoThis seems super overcomplicated. What I would do is put all the subdomains on the public DNS, let HTTP(S) through the firewall for the respective hosts, deny everything from outside of your local network on the http server that isn’t under the HTTP challenge path and then run the HTTP challenge as you would for a public site.
Then you can get certs, everyone outside trying to access will get 403, and inside the network you can access as normal.
Of course you’ll have to trust your http server’s ACL for that, but I’m just going to assume servers like nginx (which I use) have a reliable implementation.
Are you talking about these? They don’t look like they have a PCIe slot…
In any case, the specifications say
Form factor Low-profile 119.65 x 68.9 x 17.24 mm (Without bracket 119.65 x 68.9 x 12 mm)
It would need a PCIe slot, not a SATA connection. But I assume it doesn’t have that either then.
I have the QNAP TL-D800S. It’s an 8 bay DAS but there is also a 4 bay variant. Works well for me. It uses SFF cables to connect to the PC and comes with the appropriate PCIe card which seems more robust to me than anything USB for this.
Any registrar worth using has an API for updating DNS entries.
I just found this with a quick search: https://github.com/qdm12/ddns-updater
Yeah, when I got started I initially put everything in Docker because that’s what I was recommended to do, but after a couple years I moved everything out again because of the increased complexity, especially in terms of the networking, and that you now have to deal with the way Docker does things, and I’m not getting anything out of it that would make up for that.
When I moved it out back then I was running Gentoo on my servers, by now it’s NixOS because of the declarative service configuration, which shines especially in a server environment. If you want easy service setup, like people usually say they like about Docker, I think it’s definitely worth a try. It can be as simple as “services.foo.enable = true”.
(To be fair NixOS has complexity too, but most of it is in learning how the configuration language which builds your operating system works, and not in the actual system itself, which is mostly standard except for the store. A NixOS service module generates a normal systemd service + potentially other files in the file system.)
deleted by creator
You don’t need a tunnel since your server is already accessible by the VPS over IPv6 (and you have to deal with changing prefix for the direct connection from other hosts already).
Yeah, hence why I said “pretty much”.
the NC is rarely available or only for a few seconds which screws my automatic backup of photos. This is annoying. I think it is because there are two conflicting routes to the NC, one via the internal IPv4 and the other over the publicly available IPv6.
Sounds unlikely tbh. A TCP connection is established for a specific target address which stays the same for the duration of that connection, and there is pretty much no interaction between IPv4 and IPv6 in the first place. Have you run Wireshaek? Is it the same problem from other clients in the network? Have you tried explicitly connecting to the IPv6 address and the IPv4 address to see if it’s a specific one that’s not working?
But it actually doesnt. Most public wifis or other residential networks dont seem to give me external access to my Nextcloud, ironically, my mobile network via phone does.
A lot of those networks are run by boomers who don’t care about IPv6 or don’t want to set it up because (insert excuse from IPv6 Bingo) or non-tech people whose router doesn’t turn it on automatically. So yeah, that is unfortunately something you have to expect and work around.
Problem 1 seems to be best solved with renting the cheapest VPS I can find and then…build a permanent SSH tunnel to it? Use the WireGuard VPN of my router? Some other kind of tunnel to expose a public IPv4? Iirc, VPS are billed by throughput, I am not sure if I might run into problems here, but the only people that use it are my gf and me, and when not at home, mostly for the CalDAV stuff.
You don’t even need a tunnel. Just a proxy on a VPS that runs on IPv4 and connects to the IPv6 upstream. Set the AAAA record to the real host and the A record to the VPS. Assuming you actually get a static prefix which you should, but some IPv4-brained ISPs don’t and you get a rotating prefix, in which case it’s probably more annoying.
I do this too, mine runs on a free Oracle Cloud ARM VPS.
The disks are the most uggo part. They’re a bunch of old disks of varying sizes with a RAID+LVM setup to make the most use of them while still being redundant.
lsblk output of the whole thing
saiko@vineta ~ % lsblk NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS sda 8:0 0 111.8G 0 disk ├─sda1 8:1 0 512M 0 part /Volumes/Boot └─sda2 8:2 0 111.3G 0 part /nix/store / sdb 8:16 1 372.6G 0 disk └─sdb1 8:17 1 372.6G 0 part └─md1 9:1 0 1.5T 0 raid5 └─storagevg-storage 254:0 0 6.3T 0 lvm /Volumes/storage sdc 8:32 1 465.8G 0 disk ├─sdc1 8:33 1 372.6G 0 part │ └─md1 9:1 0 1.5T 0 raid5 │ └─storagevg-storage 254:0 0 6.3T 0 lvm /Volumes/storage └─sdc2 8:34 1 93.1G 0 part └─md2 9:2 0 279.3G 0 raid5 └─storagevg-storage 254:0 0 6.3T 0 lvm /Volumes/storage sdd 8:48 1 4.5T 0 disk ├─sdd1 8:49 1 372.6G 0 part │ └─md1 9:1 0 1.5T 0 raid5 │ └─storagevg-storage 254:0 0 6.3T 0 lvm /Volumes/storage ├─sdd2 8:50 1 93.1G 0 part │ └─md2 9:2 0 279.3G 0 raid5 │ └─storagevg-storage 254:0 0 6.3T 0 lvm /Volumes/storage ├─sdd3 8:51 1 465.8G 0 part │ └─md3 9:3 0 931.3G 0 raid5 │ └─storagevg-storage 254:0 0 6.3T 0 lvm /Volumes/storage └─sdd4 8:52 1 3.6T 0 part └─md4 9:4 0 3.6T 0 raid1 └─storagevg-storage 254:0 0 6.3T 0 lvm /Volumes/storage sde 8:64 1 7.3T 0 disk ├─sde1 8:65 1 372.6G 0 part │ └─md1 9:1 0 1.5T 0 raid5 │ └─storagevg-storage 254:0 0 6.3T 0 lvm /Volumes/storage ├─sde2 8:66 1 93.1G 0 part │ └─md2 9:2 0 279.3G 0 raid5 │ └─storagevg-storage 254:0 0 6.3T 0 lvm /Volumes/storage ├─sde3 8:67 1 465.8G 0 part │ └─md3 9:3 0 931.3G 0 raid5 │ └─storagevg-storage 254:0 0 6.3T 0 lvm /Volumes/storage └─sde4 8:68 1 3.6T 0 part └─md4 9:4 0 3.6T 0 raid1 └─storagevg-storage 254:0 0 6.3T 0 lvm /Volumes/storage sdf 8:80 1 931.5G 0 disk ├─sdf1 8:81 1 372.6G 0 part │ └─md1 9:1 0 1.5T 0 raid5 │ └─storagevg-storage 254:0 0 6.3T 0 lvm /Volumes/storage ├─sdf2 8:82 1 93.1G 0 part │ └─md2 9:2 0 279.3G 0 raid5 │ └─storagevg-storage 254:0 0 6.3T 0 lvm /Volumes/storage └─sdf3 8:83 1 465.8G 0 part └─md3 9:3 0 931.3G 0 raid5 └─storagevg-storage 254:0 0 6.3T 0 lvm /Volumes/storage sr0 11:0 1 1024M 0 rom
Most computers with (at least) two network interfaces will do. If it’s something too crappy your throughput will be limited by CPU speed but I can’t tell you exact recommendations here. Here’s OPNsense’s hardware recommendations for example, they’re not high at all. Off-the-shelf devices that allow you to do this should probably be fine too.
I’d put Linux on it and use nftables but BSD PF seems to be very popular for firewalls (OPNsense/pfSense are built on this) which I have never used so consider that too.
Not a professional networking guy either but here’s my opinion.
What I would do is use the ISP router as is, open all ports on it (except to itself, hopefully it doesn’t do that…), and put a firewall in between the router and everything else that controls the actual access to everything behind it (in bridge mode between the two network interfaces of the firewall, so you only have the one network).
Could a potential second router also assign addresses to devices in that globally routable space directly?
Devices in IPv6 assign addresses themselves via SLAAC, you just need one device advertising the prefix which the ISP router should already do. The firewall should be able to just purely be there for packet filtering. If you need fixed addresses for public facing servers I would just assign them manually to the respective boxes as you likely also need to add them to public DNS manually anyway.
Huh, I thought I looked through them all when I tried it last time. I’ll check again.
Do you self-host Jitsi? The public instance has absolutely unusable FPS for streaming gameplay which is pretty much the only thing I still use discord for because it’s the only thing that seems to do it well. I read somewhere you can turn up the FPS on a self-hosted Jitsi though.
I use borgbackup, with daily backup to borgbase.
At some point I want to set up a distributed file system between multiple locations as both a backup target and also a network share with automatic snapshots or some other undelete mechanism, but I still need to get the hardware for that and the current setup works well