

I don’t think Immich supports turning a normal account into an SSO account, though it may be possible with manual database editing.
Kubernetes is great for single nodes! It definitely is more advanced than docker compose, but it’s actually not hard at all if you read through the documentation. It definitely makes running containers easier in the long run.
Here is my git repo for my big Kubernetes cluster at home: https://codeberg.org/jlh/h5b/src/branch/main/argo/custom_applications
It started out as just a NFS server and a Kubernetes server running on Proxmox in 2021.
It’s not going to make a meaningful difference in your threat model and it will cause a lot of hassle for extra configuration and broken docker images, so I wouldn’t bother.
There is some nice tooling for transparent user name spaces coming down the pipeline in Kubernetes which will be a nice 0-effort security upgrade, but if you don’t have the tooling, I would say it’s not worth it.
https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/
SSDs are getting crazy cheap.
If you need 10tb of storage, you could get 2x used 10tb hdds in raid 1 for $200, but 6x used 2tb nvme in raid 5 is only $600 and 100x faster. Both take up the same amount of space.
SMR is designed for enterprise raid that is SMR-aware.
I’m not aware of any open-source zoned storage raid but I think Ceph is planning to add support next month.
Hetzner Storage box is $20/month for 10tb.
Probably not that hard to build a simple flask frontend around it.
Automatically processing files in an S3/WebDAV directory would also be useful.
https://docs.k3s.io/installation/uninstall
There is also a k3s option for NixOS, which removes the security and side-effect risks of running a random bash script installer.
Very true. Each brick you lay upgrades your setup and your skillset. There are very few mistakes in Kubernetes as long as you make sure your state is backed up.
For question 1: You can have multiple resource objects in a single file, each resource object just needs to be separated by . The small resource definitions help keep things organized when you’re working with dozens of precisely configured services. It’s a lot more readable than the other solutions out there.
For question 2, unfortunately Docker Compose is much more common than Kubernetes. There are definitely some apps that provide kubernetes documentation, especially Kubernetes operators and enterprise stuff, but Docker-Compose definitely has bigger market share for self-hosted apps. You’ll have to get experienced with turning a docker compose example into deployment+service+pvc.
Kubernetes does take a lot of the headaches out of managing self-hosted clusters though. The self-healing, smart networking, and batteries-included operators for reverse-proxy/database/ACME all save so much hassle and maintenance. Definitely install ingress-nginx, cert-manager, ArgoCD, and CNPG (in order of difficulty).
Try to write yaml resources yourself instead of fiddling with Helm values.yaml. Usually the developer experience is MUCH nicer.
Feel free to take inspiration/copy from my 500+ container cluster: https://codeberg.org/jlh/h5b/src/branch/main/argo
In my repo, custom_applications are directories with hand-written/copy-pasted yaml files auto-synced via ArgoCD Operator, while external_applications are helm installations, managed via ArgoCD Operator Applications.
Helm charts are awful, I didn’t really like cdk8s either tbh. I think the future “package format” might be operators or Crossplane Composite Resources.
Excuse you, I don’t have a problem.
On non-Fairphones, which tend to have larger batteries and lower power consumption, batteries tend to be usable for much longer. We are talking 3-5 years there.
No way.
Get the battery replaced once in the phone’s lifetime at a local 3rd party repair shop for €100, wait for half an hour and get your phone back.
These shops only service iPhones and Samsungs, there’s only like 1-2 shops in Stockholm that repair Pixels and Xiaomis at all, let alone whatever 3 year old model you have. Not to mention things like screen and USB port repairs cost 100-200€ more than the fairphone parts.
(Fairphone tends to have availability issues with spare parts. For example, right now the FP5 battery is out of stock.)
I’ve had to wait a month for a fairphone battery before, but it’s not like they’re discontinued. I can imagine battery warehousing costs more than screens and USB ports.
A repairable phone is the most important thing. I could buy a used flagship, but the battery will be trashed. I used to buy a phone every 2 years but now I just buy a battery every 2 years. I can use my phone knowing that if anything breaks I can have a replacement part within a week, and I don’t have to spend 100€s to ship it to some repair shop in a different part of the country.
Fairphone 4 and 5 are also the only smartphones certified by the Swedish unions: https://tcocertified.com/product-finder/index?category=Smartphones
Who in the US is buying midrange or flagship phones without a loan?
All home routers have NAT which functions as a firewall, but VPSes don’t come with any firewall by default, so you’d have to set one up. Also VPS ranges seem to be hotter for scanning.
Your stuff is more likely to get scanned sitting in a VPS with no firewall than behind a firewall on a home network.
Yeah Stalwart seems to have a lot of momentum, I’ll probably be setting up a server with my kubernetes+ceph cluster this month.
Check out NixOS. It can build qcow images from scratch for you to import into Proxmox.
https://github.com/nix-community/nixos-generators
I have 8 bare-metal servers and I do everything automated with NixOS, I rarely ever access the servers directly.
Here are the NixOS configs for my DHCP server and Kubernetes servers that you can use as a base.
https://codeberg.org/jlh/h5b/src/branch/main/porygonz
https://codeberg.org/jlh/h5b/src/branch/main/nodes
For what it’s worth, I’ve been using Ansible off and on at work for 8 years, and I think it’s pretty outdated and clunky these days. There are much smarter ways to manage workloads, such as Kubernetes, cloud-init, Terraform, and NixOS. If you don’t want to get into Kubernetes then definitely learn NixOS.
I would probably remove python 2 support, it was end of life when the project was started.