I worte a guide last year on how I do network bound encryption - that is the disk will automatically decrypt at boot if it’s connected to my home network, but not if the disk or machine is removed from my house. The advantage over the dropbear method is that you can set unattended upgrades to auto reboot your server whenever it installs security updates, and it’ll come back up with no manual intervention from you.
I had some spare time today, so I wrote it up on my website here
I don’t at the moment, because I don’t have a need for it, but I did for a while run a PoC with Step CA, and that seems like the easiest way to get up and running, even if its features are overkill for a home lab.
if you go down the luks route, an option to look at is Clevis/Tang for automatic unlocking on a trusted network. I have a tang server running in the cloud, firewalled to my home IP, so if my server reboots in my house, it auto unlocks, but if you steal it and try to turn it on anywhere else, it won’t be able to auto unlock, and will require a password.
I should write that config up somewhere as a guide.
Thinkst have also published opencanary which you can run yourself and contains a decent subset of what their hardware canaries run, including SSH and cifs.
Yes, if you’ve built the network from scratch that works. Retrofitting it into an existing network however is a massive piece of work when you don’t have that single source of truth to start with however. On networks I’ve built sensibly, I’ll happily give people whatever CNAME they want to refer to their machine, but the machines actual name is descriptive, not the other way round.
My home network is somewhat overkill ;p but so far, about £500 on compute to run VMs, >£1000 on a nas and various other offsite and local stoarage, a couple hundred quid on networking gear, and then the extra premium on smart home devices you pay for non-tracking versions of the hardware (e.g a ring video doorbell would have cost me £40 less than the reolink I ended up buying). I’ve also so far spent over £75 on smart light switches trying to find one that both works with home assistant and fits inside my really narrow back boxes without yet finding one that works, so the number is continuing to go up!
A pihole. Given how much I’ve spent over the years on self hosting kit, few ‘cheap’ things have ended up costing me more than that first 30 quid raspberry pi
Every machine is named after what it does (although I do 1337-ify the names, because I’m still a late 90s IRC teen at heart). If you’ve ever been onboarded into a sysadmin role where all the machines are named with whatever whimsical naming scheme each department chose, you’ll fast develop a visceral hatred for non-descriptive naming schemes. The fifth time you get a ticket saying something like ‘Hedwig is down’ and you have to go crawling through three layers of linked files on SharePoint to find what and where ‘Hedwig’ is, you’ll be ready to beat the person who named it to death, and that attitude tends to persist to your home naming scheme :p
AV1 isn’t needed yet, because its only really being used for live streaming like youtube gaming at the moment (Plex itself only started supporting AV1 in December). That might change in the next few years, depending on if the scene picks it up as a technology, its just a case of whether you want to future proof yourself. Of course, given how cheap these mini pcs are, you might be as well sticking with the N5105 now, and then picking up an N100 (or even whatever it’s successor is) in a few years time. If you do end up running proxmox, you can always cluster them together, so you can keep using the old one alongside the new one. (Because they’re so cheap, I actually have three of them in a little cluster, so I can patch and reboot each proxmox server without downtime to my plex server)
Getting proxmox to pass the GPU through to containers is a little fiddly, but it got a lot easier since they moved to the 6.x kernel, and there’s plenty of guides around. It could well be worth a look if you want to run multiple servers on one device
As for the GPU, they’re unlikely to make a huge difference either way, but note that the n5105 has no hardware support for the AV1 codec, so any media you have or end up with in that format will need decoding on the CPU. The n100 igpu has hardware decode instead, so if you think you might end up with any av1 content, then that’s the way to go.
I run Plex on essentially one of these (different case, but n5105/8gb ram, bought from AliExpress) and they’re great little machines for it. Most of my library is 1080p, but I have run 2 simultaneous 4k transcodes before and it just keeps chugging along happily. I’m actually running proxmox on it, with Plex being just one container out of several, so it also has the grunt to do several simultainious streams and keep my mastodon server, torrent box, pihole, and a few other things running at the same time. In my experience, you’ll run out of ram before ever chocking the CPU on a standard setup, so it might be worth upping to the n100 to get 16gs instead.
It wouldn’t be any cheaper for them to ship without windows, because the windows os youre getting from aliexpress sellers selling budget pcs is almost always counterfeit :p but installing Linux on them is a breeze, they’ve got a full standard uefi BIOS, so just plug a USB stick with Ubuntu on it in, and install as usual.
Its interesting that everyone focuses on the privacy and the EEE risk of this, but my reasons for leaving Facebook were that Facebook is actively-allowing-the-promotion-of-genocide-because-not-moderating-is-better-for-their-bottom-line Evil. I left facebook because I’m not willing to provide the (even infinitesimal) boost to their network effects that my account had. For the same reason, Threads is an instant defederate on launch.
The ultimate bad bot blocker (https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker) does the heavy lifting for me, it updates multiple times per day to add and remove IP addreses and bot referers. It does need some monitoring though, some of the rules wildcard a bit hard and will catch mastadon servers with unusual names for example.