486

@486@kbin.social
0 Posts – 29 Comments
Joined 1 year ago

Since none of these require a Raspberry Pi to run, I would suggest using a mini PC (with an Intel N100 or similar) instead of a Pi 5. With all the accessories needed for the Pi, a mini PC can actually be cheaper and of course a lot more powerful. Since the Pi 5 is very power-inefficient, a mini PC can even be better in that regard too if that matters to you.

Especially for Jellyfin a PC with an Intel CPU with integrated GPU is awesome, since Jellyfin supports hardware transcoding with that.

Particularly in low-load scenarios there can be quite a big difference when it comes to PSU efficiency. While newer ATX PSUs have become better with regards to efficiency at low load, a Pico PSU can still be quite a bit better. Older ATX PSU often don't even reach 60 % efficiency at 5 % load (which would be a typical load for such a system at idle), sometimes considerably less than that. At the same load a Pico PSU can easily be at 85 % efficiency.
Of course, at higher loads the difference is way smaller.

I am not sure where this idea comes from, but putting a service behind a reverse-proxy does not increase its security in any way, unless you'd do authentication right at the reverse-proxy.

From a security point of view it is not a good idea to host multiple web applications in sub directories on the same hostname. With such a configuration, every application sees all cookies from all other applications. This also means that you can have collisions of cookie names between applications if the names are not unique.

So if one application would get compromised, it could easily steal all your sessions for all other applications.
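To make the cookie-scoping point concrete, here is an added example (not code from the thread) that uses Python's http.cookiejar to model which session cookies a browser would attach to a request. The xyz.ddns.net hostname comes from the thread; the app paths, cookie names and values are constructed.

```python
import http.cookiejar
import urllib.request
from email.message import Message


class _SetCookieResponse:
    """Minimal stand-in for an HTTP response carrying Set-Cookie headers (constructed)."""

    def __init__(self, set_cookie_headers):
        self._msg = Message()
        for header in set_cookie_headers:
            self._msg.add_header("Set-Cookie", header)

    def info(self):
        return self._msg


def store_cookies(jar, url, set_cookie_headers):
    """Simulate the browser receiving Set-Cookie headers in a response from `url`."""
    jar.extract_cookies(_SetCookieResponse(set_cookie_headers), urllib.request.Request(url))


def cookies_sent_to(jar, url):
    """Return {name: value} of the cookies the jar would attach to a request for `url`."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    return dict(part.split("=", 1) for part in header.split("; ")) if header else {}


def subpath_layout():
    """Two apps under one hostname (xyz.ddns.net/portainer and /nextcloud, constructed).
    Most frameworks default to Path=/, so each session cookie is host-wide."""
    jar = http.cookiejar.CookieJar()
    store_cookies(jar, "https://xyz.ddns.net/portainer/login",
                  ["portainer_session=p-secret; Path=/; Secure; HttpOnly"])
    store_cookies(jar, "https://xyz.ddns.net/nextcloud/login",
                  ["nc_session=n-secret; Path=/; Secure; HttpOnly"])
    # A request handled by nextcloud carries portainer's session cookie as well.
    return cookies_sent_to(jar, "https://xyz.ddns.net/nextcloud/files")


def subdomain_layout():
    """Same two apps on separate hostnames: cookies are scoped per host."""
    jar = http.cookiejar.CookieJar()
    store_cookies(jar, "https://portainer.xyz.ddns.net/login",
                  ["portainer_session=p-secret; Path=/; Secure; HttpOnly"])
    store_cookies(jar, "https://nextcloud.xyz.ddns.net/login",
                  ["nc_session=n-secret; Path=/; Secure; HttpOnly"])
    return cookies_sent_to(jar, "https://nextcloud.xyz.ddns.net/files")
```

Setting an app-specific `Path` narrows which requests carry the cookie, but it is not an isolation boundary: scripts on the shared origin can still set cookies for any path, so one hostname per application is the robust fix.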

Of course harassment is never okay, but I'd say when it comes to GNOME, this is not surprising. GNOME developers have been so hostile towards both users and other developers for a long time. I'm not saying every single person associated with the project does this, but it is pretty common (e.g. here and here). Of course the GNOME devs don't have to accommodate everyone, but it is a common theme with the project to remove features despite user backlash and also to close bugs as WONTFIX often without good explanations as to why, even when there are pull requests for fixing the problem.

I am simply avoiding the project, since there are enough good alternatives.

Compared to other SBCs, Raspberry Pis have been pretty inefficient for a while. A Pi 5 idles at about 3 W, which is pretty terrible for such a board, compared to other similar devices. You can get x86 PCs that idle at 3 W which are way more powerful. Other ARM SBCs use less than half that at idle and similarly less under load.

There are probably multiple reasons for that. The Pi's SoCs have always used rather old process nodes, which are more power hungry than more modern ones used by other single board computers and PCs - 16 nm for the Pi 5 SoC and 28 nm for the Pi 4. Also, with the Pi 5 there is this additional "south bridge" chip which is attached via PCIe. This consumes additional power and for some reason the PCIe link is configured such that it never enters power saving states. I don't know why.

Also, the power supply circuitry on the Pi 5 is far from ideal with its 5 V / 5 A power supply. Such a low voltage at such a high current can easily cause additional losses on the wire. That's mostly relevant under high load though.

Getting certs from Let's Encrypt should work fine with any provider, even if you can't open any ports, since they do support DNS challenge.

There is quite a significant difference. An ssh server - even when running on a non-default port - is easily detectable by scanning for it. With a properly configured Wireguard setup this is not the case. As someone scanning from the outside, it is impossible to tell if there is Wireguard listening or not, since it simply won't send any reply to you if you don't have the correct key. Since it uses UDP it isn't even possible to tell if there is any service running on a given UDP port.

Mine runs a little under 18 W with one 8 port managed switch, a DSL modem, CM4-based router, a tiny Wifi AP, and an Intel Celeron J4105 based mini PC server.

Ansible also comes with its own secrets manager ansible-vault, which you can also use to store your secrets in an encrypted file.

Disabling the root login gains nothing regarding security.

This is usually not the reason people recommend disabling root login. Since root is an anonymous account not tied to an actual person, in a corporate setting, you do not really know who used that account if you allow root login. Whether this is relevant for a personal home network is for you to decide. I would say there is not such a strong argument for it to be made in that setting.

I always found the software updates of AVM - the manufacturer of those "Fritz!Box"es - to be of questionable quality. If you take a look at the source code that they have to release upon request of the GPL'ed source code they use, you'll notice that they use ancient versions of the Linux kernel, Busybox and other tools. By ancient, I mean many years old, unsupported by upstream for years. Also, they only publish those sources manually when someone asks for them, which doesn't bode well for their internal development processes. If they used CI/CD pipelines, they could easily push out updates of those sources with every new release…

Another option is subpaths: xyz.ddns.net/portainer

While you can do that, you should be aware of the security implications (every application can see and modify every other application's cookies). If at all possible, I would try to avoid this setup.

BirdNet-Pi is awesome. Highly recommended for anyone who likes birds. The BirdNet app for phones is also nice.
Btw, BirdNet-Pi also works fine on the non-plus Raspberry Pi 3.

Speaking of which, I always had issues with WiFi stability on OpenWrt. Maybe I was just unlucky, but I had issues with both Qualcomm Atheros (ath9k and ath10k) and Mediatek based routers. I couldn't find anything regarding stability of the WiFi in their hardware database. Is there a list of devices that are known to run reliably?

Before anyone loses their minds, imagine you get the i3-8300T model that will peak at 25W, that’s about 0.375$ a month to run the thing assuming a constant 100% load that you’ll never have.

Not sure how you came to that conclusion, but even in places with very cheap electricity, it does not even come close to your claimed $0.375 per month. At 25 W you would obviously consume about 18 kWh per month. Assuming $0.10/kWh you'd pay $1.80/month. In Europe you can easily pay $0.30/kWh, so you would already pay more than $5 per month or $60 per year.

Well, what they are stating is obviously wrong then. No need to use some website for that anyway, since it is so easy to calculate yourself.

Sure, cloud services can get quite expensive and I agree that using used hardware for self-hosting - if it is at least somewhat modern - is a viable option.

I just wanted to make sure, the actual cost is understood. I find it rather helpful to calculate this for my systems in use. Sometimes it can actually make sense to replace some old hardware with newer stuff, simply because of the electricity cost savings of using newer hardware.

For many li-ion laptop batteries, the manufacturer's configuration of a 100 % charge is pretty much equivalent to overcharging. I've seen many laptops over the years with swollen batteries, almost all of them had been plugged in all the time, with the battery kept at 100 % charge.

As an electrical engineer you should know that technically there is no 100 % charge for batteries. A battery can more or less safely be charged up to a certain voltage. The 100 % charge point is something the manufacturer can choose (of course within limits depending on cell chemistry). A manufacturer can choose a higher cell voltage than another to gain a little more capacity, at the cost of long-term reliability. There are manufacturers that choose a cell voltage of 4250 mV and while that's possible and works okay if charged only occasionally, if plugged in all the time, this pretty much ensures killing the batteries rather quickly. I would certainly call that overcharging.

Since you already mentioned charging thresholds, I just want to say, anyone considering using a laptop as a server should absolutely make use of this feature and limit the maximum charge.

Lots of answers about use-cases of additional wifi networks, so I won't go into that. I haven't seen the downsides mentioned here, though. While technically you can run lots of wifi networks off the same wifi router/AP, each SSID takes a bit of air time to broadcast. While this might sound rather insignificant since this is only a rather tiny bit of information transmitted, it is actually more significant than one might expect. For one the SSIDs are broadcast quite often, but also they are always transmitted at the lowest possible speed (meaning they require a lot more airtime than normal WiFi traffic would require for the same amount of data) for compatibility reasons. This is also the reason why it is a good idea to disable older wifi standards if not needed by legacy clients (such as 54 Mbit/s 802.11g wifi).

Having two networks is usually fine and doesn't cause noticeable performance degradation, having 4 or more networks is usually noticeable, particularly in an already crowded area with lots of wifi networks.
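As an added illustration of the airtime argument above (not from the thread), this estimates how much of the channel's time goes to beacons alone for a given number of SSIDs. The beacon size, the 100 TU beacon interval and the PHY preamble overheads are assumed typical values, not measurements.

```python
# Airtime cost of SSID beacons: each advertised network sends its own beacon at
# the basic (lowest) rate, so the overhead scales with the number of SSIDs.
# Assumed constants (not from the thread): default beacon interval of 100 TU,
# a ~250-byte beacon frame, 802.11b long preamble + PLCP header (192 us) for the
# 1 Mbit/s basic rate, and the OFDM preamble + SIGNAL field (20 us) for 6 Mbit/s.
BEACON_INTERVAL_S = 100 * 1024e-6   # 100 time units of 1024 us each (102.4 ms)
BEACON_BYTES = 250                  # typical size incl. SSID, rates and HT/VHT IEs
PHY_OVERHEAD_US = {1.0: 192.0, 6.0: 20.0}  # basic rate (Mbit/s) -> preamble cost (us)


def beacon_airtime_us(rate_mbps, frame_bytes=BEACON_BYTES):
    """Time on air of one beacon at the given basic rate (ignores IFS and backoff)."""
    return PHY_OVERHEAD_US[rate_mbps] + frame_bytes * 8 / rate_mbps


def beacon_airtime_fraction(num_ssids, rate_mbps):
    """Fraction of total airtime consumed by beacons for `num_ssids` networks."""
    beacons_per_second = num_ssids / BEACON_INTERVAL_S
    return beacons_per_second * beacon_airtime_us(rate_mbps) * 1e-6


def compare(num_ssids_list=(1, 2, 4, 8)):
    """Beacon overhead in percent: legacy 1 Mbit/s basic rate vs. 6 Mbit/s (11b disabled)."""
    return {n: {rate: round(100 * beacon_airtime_fraction(n, rate), 2) for rate in (1.0, 6.0)}
            for n in num_ssids_list}


if __name__ == "__main__":
    for n, row in compare().items():
        print(f"{n} SSID(s): {row[1.0]:5.2f}% airtime at 1 Mbit/s, {row[6.0]:5.2f}% at 6 Mbit/s")
```

With the assumed values, four SSIDs at the 1 Mbit/s basic rate already burn roughly 8.5 % of the channel on beacons, while raising the basic rate to 6 Mbit/s brings the same four SSIDs to well under 2 %.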

No, even the earliest Ryzens support ECC reporting just fine, given the motherboard used supports it, which many boards do. Only the non-Pro APUs do not support ECC.

Oh, I didn't want to suggest that there is no value in using a reverse-proxy, there certainly is. Just don't expect it to do anything for you in terms of application security. The application behind it is just as exposed as it would be without a proxy. So if there was a security flaw in that application, the reverse-proxy does not help at all.

Yes, the Odroid H series SBCs probably come closest to OP's requirements. Schematics are available on their website. They are also really low power with even the older H2 idling below 4 W.

Highly susceptible to replay and man in the middle attacks.

fwknop isn't susceptible to either.

I was thinking about doing something similar and was considering running Android on a Raspberry Pi. There are unofficial LineageOS builds for the Raspberry Pi. I haven't tried that yet, but I guess it should be possible to use the Jellyfin Android app on such a setup.

I assume some sort of DSL was meant by 'phone line'. In which case one could always use an external DSL modem, then any supported router should work. Or one could choose one of the few supported devices with built-in DSL modem, but make sure the modem supports the DSL standard you require.

OP mentioned $0.40/kWh, so that would be about $17 per year with a 5 W difference.

In order to successfully implement a backdoor, you need to ensure that you are more clever than your adversaries, because those same backdoors can be used against you.

In this instance, that's not the case. Only those in possession of the right key can use the backdoor. Also, discovering infected systems from the outside, appears to be impossible - the backdoor simply does not do anything to reveal itself if you don't have the key.

You were talking about adversaries discovering the backdoor. That's something entirely different from compromised keys. So your sarcasm is quite misplaced here.