Blaster M

Lower the postgre to 8GB and see what happens? Also, hard drives, ssds, or nvme ssds? Recent info suggests it is possible memcaching is actually slower than direct access to nvme ssd

The lack of VoLTE in Linux OS phones is a dealbreaker for me, but otherwise, I’ve run pmOS with Posh and it works reasonably well now as of 25.06

interesting use of character for “th”

Glad me and family are not on social media.

The install terminal app is for people that like to type in the console. The Mint Upgrader will present the option to upgrade when it’s ready.

copyparty

Realistically, the skip should be named “Desktop”

If you setup a Tailscale and an NGINX reverse proxy or a port forward on a VPS, you can definitely have people connect via the VPS IP to reach your home server.

Let me go out on a limb and rec a cheap mini computer with 2 mini gigabit (or more) ethernets, and either pfsense or opnsense. Those two run on anything that has an x86_64 cpu and easily update. Not any harder to learn to setup than mikrotik, and has lots more capability.

Block new connections inbound on the router’s wan. Also block ping if you don’t want pings to find you. That’s the most basic setup for firewalling on the udm, ipv4 and 6. Every router in 2025 should be able to block new inbound on ipv6.

Let me one up this. IPv4 NAT is like the pizza guy has to deliver to you, but you live in a gated community with a strict no visitors policy, which does not allow you to even mention what unit you’re in, and none of the addresses in the community are registered with the post office or on Google Maps either. Instead, you tell the guardhouse you want to order, and they order the pizza for you. The pizza guy delivers to the guardhouse, and the guardhouse delivers the pizza to you.

IPv6 (with firewalling) is like a normal gated community, you order the pizza and include the unit number, and the delivery driver can deliver your pizza directly, as long as the guardhouse approves.

The difference is, with NAT, the guardhouse has to both guard (firewall) and route (keep track of all deliveries, and deliver) your packages, where with IPv6, the guardhouse (firewall) only has to guard (firewall) the packages.

Skill issue

IPv6 is easy to do.

2000::/3 is the internet range

fc00::/7 is the private network range (for non routing v6)

fe80::/64 is link local (like apipa but it never changes)

::1/128 is loopback

/64 is the smallest network allocation, and you still have 64 bits left for devices.

You don’t need NAT when you can just do firewalling - default drop new connections on inbound wan and allow established, related on outbound wan like any IPv4 firewall does.

Use DHCPv6 and Prefix Delegation (DHCPv6-PD) to get your subnets and addresses (ask for a /60 on the wan to get 16 subnets).

Hook up to your printer using ipv6 link local address - that address never changes on its own, and now you don’t have to play the static ip game to connect to it after changing your router or net config.

The real holdup is ISPs getting ultra cheap routers that use stupid network allocation systems (AT&T) that are incompat with the elegant simplicity of prefix delegation and dhcp.

GrapheneOS here we come

…and this is where sanitizing inputs becomes even more important…

Is there something you absolutely need root for? Or can you get away with not having root? It is always better to not have root capability, as that is a huge attack vector.

0/10 worst movie ever, no City Escape

When you put your server’s tailscale IP in the dns, anything that looks up that dns gets the tailscale IP. You only need to connect the devices you want to have connect to the server to the same tailscale network, and your system will handle the routing.

On your DNS provider, make an A record with your IP address, AAAA record with your IPv6 address. If these addresses change often, either setup a dyndns (your DNS provider needs to support this) or pay for a Static IP from your ISP. Firewall the hell out of your network, have a default deny (drop) new inbound rule, and only open ports for your service. Use an nginx reverse proxy if possible to keep direct connections out of your service, and use containers (docker?) for your service(s). Don’t forget to setup certbot and fail2ban. You need certbot to auto update your certs, and you need fail2ban to keep the automated login hacker bots from getting in.

That’s the minimum. You can do more with ip region blocking and such, as well as more advanced firewalling and isolation. Also possible to use Tailscale and point the DNS A record to the Tailscale IP, which will eliminate exposing your public IP to the internet.

Used DELL 5310. Intel 10th-gen, 60Whr battery (goes 8+ working hours on a charge) often 16GB RAM and at least a 256GB SSD at that price range. Upgradeable (DDR4, NVMe) too.

Privacy =/= Security. Windows XP might have good privacy (I would argue Windows 2000 is better for that, as it doesn’t have Product Activation), but security is nonexistant in 2025 in either case. For malware, it’s free real estate.