Goofed Home

The title says basically everything but let me elaborate.

Given the recent news about the sold out of harddrives for the current year and possibly also the next years (tomshardware article) I try to buy the HDDs I want to use for the next few years earlier than expected.

I am on a really tight budget so I really don’t want to overspend. I have an old tower PC laying around which I would like to turn into a DIY NAS probably with TrueNAS Scale.

I don’t expect high loads, it will only be 1-2 users with medium writing and reading.

In this article from howtogeek the author talks about the differences and I get it, but a lot of the people commenting seem to be in a similar position as I am. Not really a lot of read-write load, only a few users, and many argue computing HDDs are fine for this use case.

Possibilites I came up with until now: 1. Buy two pricey Seagate Ironwolf or WD Red HDDs and put them in RAID1 2. Buy three cheaper Seagate Barracuda or WD Blue and put two in RAID1 and keep one as a backup if (or should I say when?) one of the used drives fails.

I am thankful for every comment or experience you might have with this topic!

It is a gamble, fuck the my butt bozos for speculating us into economic uncertainty

F in the chat for your savings, least you’ve got the peak of home NASes. Pretty fuckin cool and I hold out hope when the drop comes in a… 6 months to 3 years…? that I’ll be able to afford full SSD NAS life. The power savings, the speed, the no worries of shock or vibrations, the silence - jealous

On my Lan I have 192.168.1.111 hosting a bunch of various services not containerized. All connections are done either from my internal lan or from wireguard going through 192.168.1.111 so no external traffic bar wireguard.

I’ve set the host name of 111 in the hosts file inside the router and 111 and it works for all devices expect the ones connecting via wireguard.

But I dont want to have to use hostname+port for every service, I’d like each service to have its own name. I’d also like certs.

Can someone point me in the right direction for what I need to do? I’m thinking maybe this requires a local DNS server which im hesitant to run because im happy using 8.8.8.8.

For certs do I create a single cert on the 192.168.1.111 and then point all the applications to it?

See the section “Personal dashboards” of this great resource page I often refer to: https://github.com/awesome-selfhosted/awesome-selfhosted

I don’t see anyone else recommending it here but you can also use Traefik, that’s what I use. I’ve sein it up so that I can automatically add any docker hosted apps based on the container tags, it makes it convenient to use.

The Huntarr situation (score 200+ and climbing today) is getting discussed as a Huntarr problem. It’s not. It’s a structural problem with how we evaluate trust in self-hosted software.

Here’s the actual issue:

Docker Hub tells you almost nothing useful about security.

The ‘Verified Publisher’ badge verifies that the namespace belongs to the organization. That’s it. It says nothing about what’s in the image, how it was built, or whether the code was reviewed by anyone who knows what a 403 response is.

Tags are mutable pointers. huntarr:latest today is not guaranteed to be huntarr:latest tomorrow. There’s no notification when a tag gets repointed. If you’re pulling by tag in production (or in your homelab), you’re trusting a promise that can be silently broken.

The only actually trustworthy reference is a digest: sha256:.... Immutable, verifiable, auditable. Almost nobody uses them.

The Huntarr case specifically:

Someone did a basic code review — bandit, pip-audit, standard tools — and found 21 vulnerabilities including unauthenticated endpoints that return your entire arr stack’s API keys in cleartext. The container runs as root. There’s a Zip Slip. The maintainer’s response was to ban the reporter.

None of this would have been caught by Docker Hub’s trust signals, because Docker Hub’s trust signals don’t evaluate code. They evaluate namespace ownership.

What would actually help:

• Pull by digest, not tag. Pin your compose files.
• Check whether the image is built from a public, auditable Dockerfile. If the build process is opaque, that’s a signal.
• Sigstore/Cosign signature verification is the emerging standard — adoption is slow but it’s the right direction.
• Reproducible builds are the gold standard. Trust nothing, verify everything.

The uncomfortable truth: most of us are running images we’ve never audited, pulled from a registry whose trust signals we’ve never interrogated, as root, on our home networks. Huntarr made the news because someone did the work. Most of the time, nobody does.

One thing that sucks about that is you might miss an upgrade that needed to happen before a large version jump later. It’s pretty rare but I believe I’ve seen a container break like that and the upgrade was misery.

Fair! I’m not giving enough credit to the fact that some applications don’t really have another option than to run root for some dependencies

Hey y’all, this actually isn’t self hosting related, but who have you had good luck with for paid matrix hosting?

Right now, I do enough tinkering with everything that I would be willing to just pay to host a matrix server for my friends.

Unless it really is easy enough to do it on a synology nas for text/voice/screen share…but do I need to pay for a domain still?

We are (like everyone) on matrix.org now but realize we need to move eventually.

If you have your own VPS anyway, there is the Matrix Ansible Playbook which makes the setup with docker containers very easy. But I also get the sentiment that you don’t want to tinker around all the time and just want stuff to work.

Kudos to you for using Matrix in the first place, I hope you can bring a lot of your friends and family to switch over to it. So far this has been the biggest hurdle on my journey 😅

If you’re Canadian, you can get free and cheap .ca domains https://www.cira.ca/en/why-choose-ca/

I have CasaOS and I installed this https://hub.docker.com/r/linuxserver/overseerr

Is there an easy way to simply upgrade it like a normal update and keep the settings?

Can’t you just do a new setup? I just installed the seerr container on my unraid server and it took just a couple of minutes. Or am I missing something?

yeah, it really sucks to spring this upon as like this… I had to change UID/GID of a user too because of that, really annoying.

tldr: I’m going to set up raid z2 with 4x8TB hard drives. I’ll have photos, documents (text, pdf, etc.), movies/tv shows, and music on the pool. Are the below commands good enough? Anything extra you think I should add?

sudo zpool create mypool raidz2 -o ashift=12 /dev/disk/by-id/12345 ...

zfs set compression=lz4 mypool #maybe zstd?
zpool set autoexpand=on mypool
zpool set autoreplace=on mypool
zpool set listsnapshots=on mypool

With ai raising hard drive prices, I over spent on 3x10TB drives in order to reorganize my current pool and have 3 hard drives sitting on a shelf in the event of a failure. My current pool was built over time but it currently consists of 4x8TB drives. They are a mirrored stripe so a usable 16TB. If I understand it correctly, I can lose 1 drive for sure without losing data and maybe a second drive depending on which drive fails. Because of that, I want to move to raid z2 to ensure I can lose 2 drives without data loss. I’m going to move data from my 4x8TB drives, to the 3x10TB, reconfigure the 4x8TB, and move everything back. I run Immich, plex/jellyfin, and navidrome off the pool. All other documents are basically there for storage just in case. What options should I use for raid z2 when setting it up?

Make sure you scrub weekly. The probability of a second device failure is higher than you think, since it can be triggered by resilvering. I would also make sure you have a spare at hand.

For context, I’ve also been using ZFS since Solaris.

I was wrong about compression on datasets vs pools, my apologies.

By “almost no impact” (for compression), I meant well under 1% penalty for zstd, and almost unmeasurable for lz4 fast, with compression efficiency being roughly the same for both lz4 and zstd. Here is some data on that.

Lz4 compression on modern (post-haswell) CPUs is actually so fast, that lz4 can beat non-compressed writes in some workloads (see this). And that is from 2015.

Today, there is no reason to turn off compression.

I will definitely look into the NFS integrations for ZFS, I use NFS (exports and mounts) extensively, I wonder what I’ve been missing.

Anyway, thanks for this.

They banned the user that did the robust cybersecurity audit. They banned everyone who pointed it out or linked to the post or mentioned it. They took the subreddit private. The clown dev has a donate feature and claims that it will be used to put his daughter through school. Just scum all around.

Personally I prefer my software to give me options, I hate when stuff like this is picked for me when equally valid options exist

My current internet setup is like this (which is common for most people).

fiber line from ISP <-> ISP fiber modem <-> Personal wifi router <-> switch

This is working fine with no issues. But I need to power two devices. I want to reduce this to a single device.

fiber line from ISP <-> Modem+Firewall PC <-> Switch <-> AP1,AP2...

From my initial research, what I need is an SFP module which can be attached to a PC which supports SFP. OPNsense should be able to handle most SFP modules.

What is the community’s take on this? Is this worth the effort? Can I find a mini-PC which supports SFP? Will it be cost effective?

Yeah. I ended up getting a couple ms of latency back when i pulled the isp router too.

I was having the same internal struggle. But I’ve landed on

iSP -> ISP router -> my new firewall -> home router

It’s way simpler that way and basically the same benefit.

Hi everyone,

For those of you scaling up your NAS or Data Center in 2026, sourcing high-capacity drives like the 26TB and 28TB Enterprise models often comes with a painful 20% import tax hit in Europe.

At RobertElectronics, we’ve optimized our logistics to provide factory-recertified drives with a full 5-year warranty, matching factory standards while bypassing the typical tax traps through DDP (Delivered Duty Paid) routes.

Explore our inventory with precise technical specs and localized support:

Global / USA: [https://www.robertelectronics.com/]()

United Kingdom: https://www.robertelectronics.co.uk/

Germany: https://www.robertelectronics.com/de

France: https://www.robertelectronics.com/fr

Italy: https://www.robertelectronics.com/it

Netherlands: https://www.robertelectronics.com/nl

Why 26TB/28TB Recertified? Our drives undergo a rigorous multi-stage recertification process to ensure zero-hour reliability. You can find our full technical whitepaper and TCO analysis on our GitHub Documentation.

These prices are terrible, even for Europe.

provide factory-recertified drives

Recertified drives are about the same as used cars with odometers reset to zero.

What kind of idiot would buy them?

Sunday dev challenge: how many free APIs can you chain together?

Here's one pipeline:
1. curl https://mating-liable-folk-fabulous.trycloudflare.com/uuid → get unique ID
2. curl https://mating-liable-folk-fabulous.trycloudflare.com/hash/sha256/yourtext → hash it
3. curl https://mating-liable-folk-fabulous.trycloudflare.com/base64/encode/yourtext → encode it

All free, no signup, no API key.

Try it:
curl https://mating-liable-folk-fabulous.trycloudflare.com/uuid

What's your favorite no-signup API?

@selfhosted

#selfhosted #devtools #api #webdev #programming #foss #linux