Two wrongs don’t make a right. I was scratching my head for a few seconds looking at the thumbnail and the title. And even the post body didn’t clarify things. 🤷🏻
Lots of people contributed really good answers, so I don’t have anything valuable to add to their answers. But I wanted to point out that in your detailed question you clearly include what you have done, what your understanding is and what your shortcomings are. As opposed to a lot of posts with vague, detail-challenged narratives, that’s a top notch post.
And the community delivered by giving good answers, so go community!
Also, you didn’t just ghost after the initial post and interacted with the people who graciously donated their time, so another bonus point there, as well.
Lots of relevant comments in this post https://aussie.zone/post/4286731
ZFS has a “copies=N” setting, but the documentation and discussion I can find say there’s no guarantee that the copies will end up on different devices (vdevs in ZFS parlance).
Same here.
https://longhorn.io/ for the curious
You can use Snikket with other servers too, there is no restriction or special sauce. It’s mostly a fork of Conversations.
In addition to the “dedicated NAS + compute node” and “just use a desktop” suggestions, there’s the microserver option in between. Small, but has enough power to run stuff other than storage.
HP ProLiant MicroServer is what I use; you can try getting a previous generation from the second hand market.
“Underpowered” routers are usually underpowered for multiple high bandwidth wireless connections. If you disable the wireless, shoving bits over copper would usually be efficient enough to not be the bottleneck.
Did you consider keeping the services closed to the outside world and using tailscale to access them? Doesn’t work well if you want to give access to a bunch of people, though.
I also think that it’s overkill, especially for a minimalistic tool like WireGuard. That’s why I mentioned “if you want to be extra paranoid”. This forum is for learning, and this question is an open ended learning question, hence an opportunity to learn about port knocking, even if the actual real life benefit of that would be minuscule.
+1 on not using containers for network routing stuff. That way lies pain and misery.
Good point, kernel updates should be paired with reboots to get kernel patches applied quickly.
Yes, WireGuard would only accept connections from clients with known certificates, but this is a “belt and suspenders” approach. What happens if there’s a bug in WireGuard’s packet parsing or certificate processing? Using port knocking would protect against this —very remote— possibility.
VPN software usually is built strong to begin with, and any vulnerabilities discovered will be promptly fixed as well, so updating frequently should suffice. (Why not automate it with the unattended-upgrades package?)
Using a random high port number will probably hide it well enough for Internet-wide port scanners as well.
If you want to be extra paranoid, you can hide the VPN service behind a port knocker as well.
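The port knocking idea from the two comments above (hide the VPN port, only open it for a source that first hits a secret sequence of closed ports) comes down to a small per-source state machine. The block below is an added example, not code from the thread or from any knock daemon: it models that state machine in Python and replays it over constructed traffic (TEST-NET addresses). The knock sequence 7000/8000/9000, the 10 s inter-knock window, the 30 s open lease and the WireGuard port 51820 are assumptions chosen for the example.

```python
# Added example: the state machine a port knocker implements, replayed over
# constructed traffic. In a real deployment the firewall (iptables "recent"
# match or nftables sets with timeouts) holds this state; the logic is the same.
from dataclasses import dataclass, field

# Assumed parameters (not from the thread): three-port knock, at most 10 s
# between knocks, VPN port opened for 30 s, WireGuard on default UDP 51820.
KNOCK_SEQUENCE = (7000, 8000, 9000)
KNOCK_WINDOW = 10.0
OPEN_DURATION = 30.0
VPN_PORT = 51820


@dataclass
class PortKnocker:
    sequence: tuple = KNOCK_SEQUENCE
    window: float = KNOCK_WINDOW
    open_for: float = OPEN_DURATION
    # src_ip -> (index of the next expected knock, time of the last correct knock)
    progress: dict = field(default_factory=dict)
    # src_ip -> time at which the opened VPN port closes again for that source
    opened: dict = field(default_factory=dict)

    def knock(self, src_ip: str, dst_port: int, ts: float) -> bool:
        """Record a packet sent to a *closed* port. True when the sequence completes."""
        idx, last = self.progress.get(src_ip, (0, ts))
        if idx and ts - last > self.window:
            idx = 0                      # too slow between knocks: start over
        if dst_port == self.sequence[idx]:
            idx += 1                     # the knock we were waiting for
        elif dst_port == self.sequence[0]:
            idx = 1                      # wrong port, but counts as a fresh first knock
        else:
            idx = 0                      # any other port (e.g. a scanner sweep) resets
        if idx == len(self.sequence):
            self.opened[src_ip] = ts + self.open_for
            self.progress.pop(src_ip, None)
            return True
        self.progress[src_ip] = (idx, ts)
        return False

    def accept(self, src_ip: str, dst_port: int, ts: float) -> bool:
        """Firewall decision for a packet to the VPN port from src_ip at time ts."""
        if dst_port != VPN_PORT:
            return False
        expiry = self.opened.get(src_ip)
        if expiry is None:
            return False
        if ts > expiry:
            del self.opened[src_ip]      # lease expired; the client must knock again
            return False
        return True


def run_scenarios() -> dict:
    """Replay constructed traffic and report which packets would get through."""
    fw = PortKnocker()
    results = {}

    # 1. Legitimate client: knocks in order within the window, then connects.
    client = "203.0.113.5"
    results["vpn_before_knock"] = fw.accept(client, VPN_PORT, 0.5)
    done = False
    for port, t in zip(KNOCK_SEQUENCE, (1.0, 2.0, 3.0)):
        done = fw.knock(client, port, t)
    results["client_sequence_done"] = done
    results["vpn_after_knock"] = fw.accept(client, VPN_PORT, 4.0)
    results["vpn_after_expiry"] = fw.accept(client, VPN_PORT, 3.0 + OPEN_DURATION + 1.0)

    # 2. Sequential scanner sweeping every port: 7001 right after 7000 resets it,
    #    so it never assembles the sequence even though it visits all three ports.
    scanner = "198.51.100.9"
    for i, port in enumerate(range(6990, 9010)):
        fw.knock(scanner, port, 10.0 + i * 0.01)
    results["scanner_sequence_done"] = scanner in fw.opened
    results["vpn_scanner"] = fw.accept(scanner, VPN_PORT, 40.0)

    # 3. Right ports, but 20 s between knocks: the window is exceeded and the
    #    sequence restarts, so the port never opens.
    slow = "192.0.2.7"
    outcomes = [fw.knock(slow, p, t) for p, t in zip(KNOCK_SEQUENCE, (100.0, 120.0, 140.0))]
    results["slow_sequence_done"] = any(outcomes)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Two caveats that follow from the model: the knocks travel in cleartext, so anyone who can observe the client's traffic can replay them, and WireGuard already stays silent to packets that do not authenticate under a known key, so the extra protection is only against a flaw in that pre-authentication path, which matches the "very remote possibility" framing in the comments above.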
I recommend https://migadu.com. Not free, but the lowest price tier has lots of features, unlimited mailboxes etc.
See https://lemm.ee/post/4593760 for a related post and more discussions about pros and cons of each.
keepass2android is worth a try as well.
A good answer to a “why?” question is “why not?” This can be a great learning or practice opportunity for redundant network links and other interface challenges.
Huh, I wasn’t so sure about OSIRIS-REx but I totally remembered STEREO A & B as stationary at L4 and L5.
Note to self: re-read the sources you quote.
There are STEREO and OSIRIS-REx already at L4 and L5.
https://en.m.wikipedia.org/wiki/List_of_objects_at_Lagrange_points
Their own doc? Sure, why not.
Any other context where there’s a giant with the same name? No, please at least write it out expanded once.