Avatar

zedkyuuB

zedkyuu@alien.top
Joined
0 posts • 9 comments
Direct message

I’ve run more than that in a small closet with poor ventilation. Only got up to around 85 F or so. Unless your room is super duper sealed, you probably don’t need to do anything special.

permalink
report
reply

I have had a couple of drives die on me in the first year. And I have a few drives that are approaching 20 that are still working (though another one did die a year or two ago). You don’t know when a drive is going to die, only that nothing lasts forever, so that’s why to have backups.

These are all drives that were plugged in and constantly on. For drives in cold storage, I would be even more nervous about whether the drive would successfully power back on after years of being off.

permalink
report
reply

I’d say have backups, but then, I’d say have backups anyway. The bathtub curve is real.

More to the point: I don’t get why people can spend so much money on giant pools of storage and then get uptight when told they should get dedicated backup devices.

permalink
report
reply

This is just playing media back, right? Keep a copy of the media elsewhere (and, if it’s important to you, check that you can access it periodically) and buy the cheapest thing you can find for the TV.

permalink
report
reply

If your DS920+ is completely inaccessible to outside your network except for the Cloudflare tunnel, then the Synology firewall and IP blocklist aren’t going to do squat for you since all connections will appear to originate from either inside your network or from Cloudflare. So you’re 100% dependent on Cloudflare to keep bad actors out.

I’m not familiar with Cloudflare but the impression I had from looking at it was that you can decide which authenticated Cloudflare users can access your tunnel. So it’s a matter of credential management. Supposing some bad actor gets your credentials, they would then be able to access the entirety of your NAS, and you’re now hoping that there isn’t some undiscovered or unpatched security hole that they can use.

permalink
report
reply

You state you want to configure things so that nobody on the remote side “can access them”; I interpret this to mean that they should be firewalled off entirely. In which case, unless you have some way to physically lock anyone on the remote side away from your stuff, there’s no way to ensure this. You’d essentially need to set up your own secure network on the remote end, one that nobody there can tamper with, and you’d want a separate firewall, probably one on which you’d run Tailscale with a local subnet.

And I think you’d want this anyway if you are looking to do remote management with iLO4. At least in my experience, remote OOB management comes in handy mostly when I screw something up on the server and it won’t boot anymore. If Tailscale is on the server I can’t boot, then I can’t use it to access the OOB management either.

Now, if you can’t lock things down physically, then things get even simpler. You should assume that someone there can do things like screw with the local console or with the hardware configuration, so you should not put things there in a form that they would be able to do anything with. This implies that your backup there should be encrypted (and it should be anyway; if a drive dies, you can discard it with no worry about data exfiltration). This also implies that it should have no ability to connect back to your home network, and that you should not run any services on it that you would be concerned about anyone breaking into or messing with. If all that is the case, then I think you probably are fine just plugging iLO4 into the same insecure remote network (again subject to the same caveat that it’ll be useless if your machine ever goes down and you have no other way to connect in); if anyone manages to break in, you’ll have controlled what they will be able to do with what they find.

The bottom line is very simple: don’t trust untrusted environments!

permalink
report
parent
reply

Honestly, I wouldn’t stick any OOB management thing on any network I couldn’t trust. And it sounds like you have no ability to ensure that someone on the remote side can’t just go and change what your box is plugged into arbitrarily.

With that in mind… I’d probably do Tailscale, bare metal (no virtualization), and set up the machine’s local firewall to drop all incoming connections from the ethernet port. Tailscale would connect out to establish its tunnel and then everything coming in via Tailscale would be fine.

permalink
report
reply

I’ve never heard of warming up wine slightly. I’ve heard of mulling wine, but that takes higher heat…

permalink
report
reply

I also do think this is massive overprovisioning, starting with the 5Gb plan, but I will suspend that. How do your computer room machines connect to your existing switch? If you have existing wall ports for them then you can get away with one 10Gb switch in the garage. If you only have one wall port in the computer room then you are correct in that they will need a switch. That switch’s single 10Gb uplink to the garage could become a bottleneck but I wouldn’t worry about that since your internet connection is only 5 anyway.

permalink
report
reply