I take my shitposts very seriously.
ZFS uses the RAM intensively for caching operations. Way more than traditional filesystems. The recommended cache size is 2 GB plus 1 GB per terabyte of capacity. For my server, that would be three quarters of the RAM dedicated entirely to the filesystem.
Read my comment again, it has the answer. Most VPN services do not provide end-to-end tunnelling. If the exit node is located outside Russia, then what enters the Russian internet will be simple HTTPS traffic.
Been running it from Russia where stock WireGuard stopped working mid-2025.
Sounds like the issue is ISPs within Russia blocking outgoing Wireguard traffic from customers.
If the traffic exits the tunnel without hitting a Russian ISP (e.g. a Mullvad exit node in Sweden that routes the unencrypted traffic to the destination), you won’t be affected. If the exit node is behind a Russian ISP, it might get filtered by DPI depending on which direction is subject to the filter.
It’s problematic, but possible: https://jamesguthrie.ch/blog/multi-tailnet-unlocking-access-to-multiple-tailscale-networks/
If the other person has a Tailscale account, it sounds like the most expedient method is to simply invite them to the tailnet as a non-admin user with strict access control.
You could share a node with an outside user, but I don’t know how much the quarantine would affect its functionality. You could also use Funnel to expose the node to the internet (essentially like a reverse proxy), but there are obvious vital security considerations with that approach.
The treekie in me wants BookData.
(edit) This made me remember The Measure Of A Man and now I’m fucking depressed. They had such high hopes for the future.
Fuck, I’m an idiot. I really shouldn’t be giving advice when I’m sleep-deprived like this. I completely forgot that when I used RDP, I did it through an SSH tunnel.
Removed.
deleted by creator
Three important factors:
Mine is using a network share to transfer files faster than any USB device we have at home.
To delegate the responsibility of securing login data to a company better equipped to deal with it (in theory at least). You can also use an external OIDC provider.
Tailscale. Create an account, put the client on the LAN device, put the client on the remote device, log in on both, you’re done. It bypasses NAT, CGNAT, and the firewall through some UDP black magic fuckery. As long as the router allows outgoing connections, it will work.
If the factory resets cause the router to lose connection to the ISP, though, then nothing will work.
Tailscale Funnel will let you expose a host to everyone on the internet. You’ll need the Tailscale client running on either the Jellyfin host or a reverse proxy pointing to it. Tailscale itself will act as a reverse proxy with TLS encryption, plus a DNS server.
Exposing a service to the internet will always present some risk. You should definitely run your LXCs as unprivileged, unless needed otherwise, to mitigate the potential damage if an attacker escapes the container, or put the services in full virtual machines.
external access
Do you want the Jellyfin server to be accessible from only within your tailnet, or anywhere from the internet?
If you have IPv4 addresses, I guarantee you’re behind at least one NAT gateway. What you need is a Tailscale subnet router, or something equivalent from another service.
In the most basic configuration, the Tailscale client facilitates communication (by using some UDP black magic fuckery) between one host it is running on and another host it is running on that are both connected to the same tailnet (the virtual network between Tailscale hosts). For this purpose, it uses addresses from the 100.64.0.0/10 “shared address space” subnet. These addresses will only be reachable from within your tailnet.
If you want an entire subnet (e.g. your LAN) to be accessible within your tailnet, you need to set up a subnet router. This involves configuring the Tailscale client on a device within the target subnet to advertise routes (tailscale set --advertise-routes=192.168.1.0/24), allowing the host to advertise routes in the admin page (Machines -> … -> Edit routes), and configuring the Tailscale client on external hosts to accept advertised routes (tailscale set --accept-routes).
If you want your servers to be accessible from anywhere on the internet, you’ll need Tailscale Funnel. I don’t use it personally, but it seems to work. Make sure you understand the risks and challenges involved with exposing a service to the public if you want to choose this route.
I think you forgot level 6: happily growing crops and raising chickens on a remote farm where the most high-tech device for miles is a rotary hoe.
TORVALDS is a powerful Great Prince of Hell who has 618 legions of demons under his command. He gives true answers of all things past, present, and yet to come; he reveals the secrets and source of the kernel if asked; and he grants to the conjurer power and authority over devices and binds them to the conjurer’s will.
I guess I forgot to point out (six months ago, well done) that these are free loaners provided by the university. Usually high-end, current-generation hardware. They can be smart on their own devices, that’s neither my concern nor my responsibility, but these are not theirs to disembowel.
I’d love to know what an actual moderator would think if you imposed your idea on them.
Right at this moment, I’m rebuilding my homelab after a double HDD failure earlier this year.
The previous build had a RAID 5 array of three 1TB Seagate Barracudas that I picked out of the scrap pile at work. I knew what I was getting into and only kept replaceable files on it. When one of the drives started doing the death rattle, I decided to yank some harder-to-acquire files to my 3TB desktop HDD before trying to resilver the entire array. Guess which device was the next to fail. I could mount and read it, but every operation took 2-5 minutes. SMART showed a reallocation count in the thousands. That drive contained some important files that I couldn’t replace, which were backed up to the (now dead) server. Fortunately
ddrescuemanaged to recover damn near everything and I only lost 80 kilobytes out of the entire disk. That was a very expensive lesson that I’ve learned very cheaply.The new setup has a RAIDz1 pool of 3x 4TB Ironwolf disks (constrained by the available SATA sockets on the motherboard), plus a new SSD for the OS and 16GB RAM (upgraded from literally the first SSD I ever bought and 10GB mis-matched DDR3).
Mounting it was a bit of a dilemma. The previous array was simply mounted to the filesystem from
fstaband bind-mounted to the containers. I definitely wanted the storage to be managed from Proxmox’s web UI and to be able to create VDs and LXC volumes on it. Some community members helped me choose ZFS over LVM-on-RAID5. Setting up the correct permissions wasn’t as much of a headache as last time. I’ve just managed to get a Samba+NFS+HTTP file server and Jellyfin running and talking to each other. Forgejo and Nextcloud will be next.