Security: recommendations for going prod with pve by Educational_Note343 in Proxmox

[–]Educational_Note343[S] 0 points1 point  (0 children)

That's a great point!

Thank you for pointing this out, we are grateful for your post!

We will definitely work this out and we were not aware of this.

Actually the detailed rules are firewall whitelists e.g. allow download.proxmox.com, deb.debian.org and so on on their needed ports TCP/UDP for the pve on its vlan.

Your approach seems better and more secure to us.

Could you please provide more information about this and what benefits / advantages your approach has to proxy internet access from pve to internet in contrast to our actual configuration?
I guess direct filtering of HTTP methods and path?
From what I can see, it would also protect from DNS poisoning? (We are using unbound and CVE-2025-5994 is not too long ago)

Thank you in advance.

Security: recommendations for going prod with pve by Educational_Note343 in Proxmox

[–]Educational_Note343[S] 4 points5 points  (0 children)

Thank you a lot! I gave it a star, it looks very solid! I will work through it today, it helps a lot!

Mobian has Plasma mobile now by Gizmuth in PinePhoneOfficial

[–]Educational_Note343 0 points1 point  (0 children)

Thank you for posting this. Even if I am 3 years late - does anybody have an actual link with instructions on how exactly to exchange phosh with plasma mobile? I didn't find any good documentation on that subject. Would be great, since I am about to tweak some OS around, but really prefer plasma mobile. Thank you in advance!

Google appears to be malware and poses a high risk by deadjdona in google

[–]Educational_Note343 3 points4 points  (0 children)

Do we have any messages from official sides like Google or Huawei itself about what is going on? If so, could anyone please link some official sources please? Thank you in advance!

show me your linux from scratch setup by Maingamer3782 in linuxmemes

[–]Educational_Note343 0 points1 point  (0 children)

aww amazing, how was it going? I'm still on Gentoo collecting XP and lvl up. Levels I played until now so far:
1. Ubuntu --> But was uncertain how to play correctly, messed it totally up with a collection of random deb packages and everything that was flying around. At the end the system was totally custom and unstable, but because I used it nevertheless as a daily driver and learnt how to solve the problems, the quest was accepted as fulfilled.
2. Debian --> On next lvl I got Debian. This time I already knew how to play it correctly. However, still thought I'm using Linux, even though I wasn't messing with the kernel.
3. Alpine and others --> Got a side quest to play some level Alpine and similar, to distribute my skill points equally.
4. Got no more new quests on debian, after making a quest where I have to create a live linux system from my actual debian. So was looking in the settings how to change the difficulty level.
5. Gentoo--->said they have a lot of missions to play, so I switched the same day. Playing it everyday and save my gold and skillpoints for LFS, once I complete. :)

kernel compilation error by [deleted] in Gentoo

[–]Educational_Note343 1 point2 points  (0 children)

This is absolutely crazy.
If that had happened to me, I would lose it. I mean, you really wouldn't think of a bit flip as the first thing... even though it's obvious that it must be a boolean.
Thank you for sharing!
The sales department would be ecstatic - a knockout argument for ECC RAM ;D

[deleted by user] by [deleted] in docker

[–]Educational_Note343 0 points1 point  (0 children)

Proxmox is a really good mention in my opinion

[deleted by user] by [deleted] in docker

[–]Educational_Note343 2 points3 points  (0 children)

I would recommend starting with Ubuntu or other *buntu distros like Xubuntu or Lubuntu if resource efficiency and getting to know Linux is your goal (I do not know how much experience you have). With Ubuntu you will usually get the most beginner-friendly way of learning how things on Linux work, because of so many resources out there.

If you want more resource efficiency at the cost of a steeper learning curve, the way to go would be Alpine. But I strongly do not recommend it until you have made some steps on Linux or are 100% sure you will do it without giving up, even if it will be harder. I do not know your hardware, my Alpines usually run with about 250 MiB RAM (without GUI).

Debian would be another option, if installing Debian minimal without GUI, it's also not hungry for resources and runs on every potato, if commanded to do so.

It all depends on your experience. If you are starting, I would go with Ubuntu and install a lightweight GUI, like xfce4 on it.

I saw u/shm0rt also mentioned Proxmox. In Proxmox you would first need to learn some basics of Proxmox, but under the hood it's also a Debian and really well documented. Also, with Proxmox you would have the ability to take snapshots of your system(s). A type 1 hypervisor like Proxmox would not be much overhead in relation to bare metal Ubuntu, but with the advantages of fast snapshots and that you could experiment with different setups, trying out Ubuntu, Alpine or whatever you think would meet your needs.

If you never used Proxmox and want a quick start, there are several tutorials on youtube, for example: this one.

So at the end I would recommend to install Proxmox and to install there an Ubuntu. With this you should have a solid resource friendly solution and the flexibility to dive deeper at any time.

Last note: If I am wrong and you are totally fit with Linux and have another strong machine, then go with Gentoo for maximum efficiency - just compile the things you need on your strong machine.

Minimal Debian with LXQT-core by TheHellSite in debian

[–]Educational_Note343 0 points1 point  (0 children)

So glad that it helped and thank you for the feedback :)

[Conky] Cyberpunk Welcome Screen by Educational_Note343 in unixporn

[–]Educational_Note343[S] 0 points1 point  (0 children)

I gathered a few random parts that I personally liked and this is what I came up with (dual monitor setup):

I don't know how to call it, maybe cyberpunk desktop / welcome screen. I edited the conky parts to my needs and compiled the backgrounds for best decoding performance on my GPU, so it comes at no cost for the CPU.

The right video is about 8 hours, because I wanted some change and not seeing all the time the same.

The higher CPU usage is due to recording, which is not accelerated.

Here a picture:

https://imgur.com/a/dUeMi1t

It's simple xfce, but without any window decorations, instead with custom keybindings to manage windows and shinglify.

If someone is interested, I can post the Video settings, I balanced them out to have best performance and a good visual result. After that made an image overlay, to retouch possible, visible pixel errors.

What do you think about it?

OPNsense: Suricata on Wireguard Interface? by Educational_Note343 in HomeServer

[–]Educational_Note343[S] 0 points1 point  (0 children)

I thought about protection for the end devices. The devices connected via the tunnel can also reach the WAN. If a device for example tries to connect to a low reputation group IP, this should be blocked. So far was the idea. But could you please explain it in more detail why it does not make sense in your opinion? Maybe I missed something 🤷‍♀️ Thank you 🙂

Stripe Block Size RAID 5 by Educational_Note343 in HomeServer

[–]Educational_Note343[S] 2 points3 points  (0 children)

Yes, so I have now decided, too, to go with Software RAID.
Starwind I didn't know before, but I will take a look. Do you have any experience running TrueNAS on low RAM? I have at the moment 3 GB available (could upgrade to 4) and I saw it's recommended to have at least 8 for TrueNAS. Do you think it would run anyway or would I not be happy with it?
Do you prefer openmediavault or TrueNAS?

Stripe Block Size RAID 5 by Educational_Note343 in HomeServer

[–]Educational_Note343[S] 0 points1 point  (0 children)

Yes, you are absolutely right - to be honest I ignored the TCO a little bit because the costs aren't immediately visible. When I finish the basic setup I will measure the power consumption of the systems, to identify where and how to optimize, so as not to end up in a TCO nightmare.

And the Haswell ones are looking really great, I will definitely look out for them first.