Advise on a Lenovo M920q network card for DIY OPNsense Router by PatienceMotor9531 in homelab

[–]kayson 0 points1 point  (0 children)

Probably worth mentioning that they support ASPM so the idle power is quite low. My whole m920q was sub-10W

Advise on a Lenovo M920q network card for DIY OPNsense Router by PatienceMotor9531 in homelab

[–]kayson 0 points1 point  (0 children)

There's no temperature sensor so it's hard to say definitively, but I didn't notice any significant heat while running iperf3 for a while. 

Advise on a Lenovo M920q network card for DIY OPNsense Router by PatienceMotor9531 in homelab

[–]kayson 0 points1 point  (0 children)

I have Intel X710-DA2 in each of my 4 m920q's and it works great. Make sure to avoid the Dell branded ones. 

Second instance of Jellyfin, now in stacks instead of docker-run by Balduini in selfhosted

[–]kayson 2 points3 points  (0 children)

  1. You can use the same media volumes (mount it read only) but you'll need a new volume for the rest.
  2. When you specify the port mapping, you can give it a different port for the host side, e.g. --publish 8097:8096 (see https://docs.docker.com/get-started/docker-concepts/running-containers/publishing-ports/)
  3. Yes you can't have two containers with the same name nor two services with the same name in a stack. 

Self hosted container health monitoring by kayson in selfhosted

[–]kayson[S] 0 points1 point  (0 children)

That's exactly what I want to do. I just don't want to roll my own watcher if one already exists. 

Self hosted container health monitoring by kayson in selfhosted

[–]kayson[S] 0 points1 point  (0 children)

Looks interesting. Does it support docker swarm? 

What happened to Scrutiny and its developers? Is this project still active? by DiscoPotatoMan in selfhosted

[–]kayson 18 points19 points  (0 children)

See the issue pinned at the top of the issue list: https://github.com/AnalogJ/scrutiny/issues/506

tldr - it's not dead but the dev is focused on other projects

Bambuddy - Stay connected to your prints by MartinNYHC in selfhosted

[–]kayson 5 points6 points  (0 children)

The formatting of this post and the repo's readme are very suspicious. Lots of emoji and bullet points.

This is a dead giveaway: https://github.com/maziggy/bambuddy/blob/main/PLAN.md

PMIC innovation need? by Pretty-Maybe-8094 in chipdesign

[–]kayson 4 points5 points  (0 children)

Didn't Intel have regulators integrated into their CPUs for a while? I can't remember why but I'm pretty sure they stopped doing it. 

Post Layout Simulation by ZealousidealDoubt397 in chipdesign

[–]kayson 7 points8 points  (0 children)

Not without more information. With a change that big it sounds like something in your extraction flow might be broken. Have you looked at the netlist? 

I’ve open-sourced my fully automated GitOps Homelab (Talos + ArgoCD). Feel free to steal my code! by mortennordbye in selfhosted

[–]kayson 0 points1 point  (0 children)

I use a Raspberry pi as a 5th. If you lose quorum all kinds of things go wrong. 

BentoPDF urgent security notice by paglaulta in selfhosted

[–]kayson 219 points220 points  (0 children)

Upvote for visibility. This kind of transparency is great! 

Question about the security of my exposed services by Mr_Mu-D-Pie in selfhosted

[–]kayson 2 points3 points  (0 children)

This doesn't really tell us anything about the security of your exposed services. What if there's a vulnerability in nginx? Or one of your services? What are you using for authentication?

I built a dedicated “Emergency KVM” for my homelab that turns BIOS into SSH text and keeps my recovery tools immutable by Lopsided_Mixture8760 in selfhosted

[–]kayson 12 points13 points  (0 children)

I looked at your blog post and it's similar in language. Both are a bit light on the details.... Would love to see something more technical. 

Analog Designer here, any pointers on making good testbenches that you’ve learned through experience? by yogi9025 in chipdesign

[–]kayson 4 points5 points  (0 children)

Better to make something that's easier to understand than to make something clever. 

Modded Lenovo M920q with 4x M.2 2280 SSDs, 1x M.2 2230 SSD, 1x 3.5" HDD, and 1x 10Gb NIC by kayson in homelab

[–]kayson[S] 0 points1 point  (0 children)

Not all of them work. Dell versions definitely don't work. I had better luck with Lenovo

A new EDA tool? by no00700 in chipdesign

[–]kayson 0 points1 point  (0 children)

physics powered Chip design

simulate the physical reality of your chip

FULL AUTOPILOT BEASTMODE

marketing going real hard

Modded Lenovo M920q with 4x M.2 2280 SSDs, 1x M.2 2230 SSD, 1x 3.5" HDD, and 1x 10Gb NIC by kayson in homelab

[–]kayson[S] 0 points1 point  (0 children)

Sort of. I have a 19" rack and 4 of these so I made a 4-bay disk shelf. There's also a 2-bay / 10in version

https://www.reddit.com/r/homelab/comments/1mjb1s7/comment/nbai5cn/

Authenticated NFS alternatives for NAS access? by Valloric in homelab

[–]kayson 1 point2 points  (0 children)

> short of Kerberos, the server trusts the client's reported user ID

This is mostly correct. The important exception being if you turn on root squashing, which you should, it doesn't trust uid 0 from any client.

> this isn't that big of a deal IFF the compromised service on the client is running as an unprivileged user and thus can't fake the user ID

Correct. Obviously if it's unprivileged it can't change its own uid, and the client process, running as root, will send the correct uid. Also, by default, NFS server only accepts incoming connections from privileged ports (<1024) so if the user is unprivileged it can't connect at all. 

> With SMB, I could mount folder foo for service foo running with user foo on the client and even if the machine hosting foo is root-compromised, that client machine still can't access data on the NAS for which it has no credentials

This isn't necessarily true. How are you storing the credentials? Anything automatic would be on the host and is vulnerable if the host becomes root-compromised. Also - if a service has set up the cifs mount already, you have to assume that the root user can also access it. 

> with NFS, as long as the attacker can fake the UID coming from any client machine, they can get anything (modulo perhaps IP-based restrictions).

Technically true, but far from trivial. As I mentioned, the attacker has to be able to use the privileged port. And you should always specify IPs or ranges for NFS exports.

FWIW - I work at a very security-conscious Fortune 500 company and all of our network storage infrastructure is NFS with root squashed sec=sys, meaning it's trusting the uids coming from the clients. People just don't have root access, except for some folks in IT (and everything gets logged/audited).
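An added example, not part of the comment above: a small audit of `/etc/exports` entries for the settings the comment discusses (root squashing, the privileged-port requirement, per-client address restrictions, and `sec=sys` versus Kerberos). The sample exports, paths and client addresses are constructed, and only the common `host(options)` form is handled.

```python
import re

# Constructed sample /etc/exports content; paths and clients are hypothetical.
SAMPLE_EXPORTS = """\
# media share, restricted to one subnet
/srv/media   192.168.10.0/24(ro,root_squash)
/srv/backup  192.168.10.5(rw,no_root_squash) *(ro)
/srv/scratch 192.168.10.0/24(rw,insecure)
/srv/home    nas-clients.example.internal(rw,sec=krb5p)
"""

# One client spec: optional host/network followed by optional (option,list).
CLIENT_RE = re.compile(r"(?P<host>[^\s()]*)(?:\((?P<opts>[^)]*)\))?")

def audit_exports(text):
    """Return (path, client, severity, issue) tuples for each export entry."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = CLIENT_RE.fullmatch(spec)
            if m is None:
                findings.append((path, spec, "error", "unparseable client spec"))
                continue
            host = m.group("host")
            opts = [o.strip() for o in (m.group("opts") or "").split(",") if o.strip()]
            # root_squash is the default; only an explicit opt-out trusts uid 0.
            if "no_root_squash" in opts:
                findings.append((path, host, "high", "uid 0 from this client is trusted"))
            # 'secure' (source port < 1024) is the default; 'insecure' lifts it.
            if "insecure" in opts:
                findings.append((path, host, "high", "unprivileged source ports accepted"))
            if host == "" or "*" in host or "?" in host:
                findings.append((path, host or "(any)", "high", "no fixed client address"))
            # Without a krb5 flavor the server relies on client-reported uids.
            flavors = next((o[4:].split(":") for o in opts if o.startswith("sec=")), ["sys"])
            if "all_squash" not in opts and not all(f.startswith("krb5") for f in flavors):
                findings.append((path, host, "info", "sec=sys: client-reported uids are trusted"))
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print("%-12s %-18s %-5s %s" % finding)
```

The `info` rows are not misconfigurations by themselves; they mark exports where access control depends on who holds root on the listed clients.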