Fwiw I switched from k3s to Talos and find it much easier to manage. I run 3 mini 1L PCs with rook-ceph and it works flawlessly even on 1Gbe.
If you don’t need the GPIO then buy a small form factor office PC like a Dell Optiplex Micro or a Lenovo/HP equivalent. They cost about the same on the used market, are more performant without the ARM headache and use only marginally more power (maybe 5-10w more at idle).
Invidious?
You will hate Ansible if you are coming from Nix. I went the other way and Nix is 1000x cleaner.
Being able to actually reverse changes is trivial in Nix, but can be a headache in Ansible. Not to mention the advantages of writing in an actual language and not yaml full of template hacks. I personally don’t see much future for tools like Ansible, there is considerable inertia working in its favor right now and it is absolutely true that it is widely used, but the future of configuration management is for sure more aligned with how Nix works.
Similar to my scheme:
laptop = “laptop”
nas = “nas”
router = “router”
Then if there are more than one in each category I use nas-0, nas-1, etc.
I have used all three! I started with Server then went to CoreOS running Kubernetes and settled on NixOS which I have been very happy with for about a year now. I run about 25-30 services all using built in modules.
Regarding security, if you are using well crafted modules on NixOS, there should be good systemd hardening in place. That being said there is no reason you can’t just use containers on NixOS.
I also find deploying NixOS far superior to butane/ignition used by CoreOS/Fedora. I use nixos-anywhere and can deploy my entire server in a few minutes without manual intervention.
I use it over Tailscale only and it works perfectly as an alternative.
I think it is a combination of the required precision, liquid ink vs solid filament and the difficulty of handling paper vs simply moving a print bed on a 3d printer.
Prometheus and Alertmanager
Time to fork it.
Meanwhile I get support for both completely ad free with infinite selection on my Jellyfin server… What on earth are these companies thinking, you literally get a superior product by not paying for it. I would gladly pay a small fee per download of DRM free files if that were an option.
I’m using the recently merged Clevis module for NixOS. There was a recent talk at FOSDEM about it.
You might be interested in setting up network bound encryption via Clevis and Tang. I use a hidden pi zero in my house acting as a Tang server. It’s great being able to reboot any of my encrypted servers without having to manually unlock disks.
I used to, but recent budget wireless (Earfun, Soundcore, et al.) are getting good enough to compete with wired for me. Having things like multipoint pairing which is obviously not possible with wired is hard to go back from once you get used to it.
What I do to keep DNS consistent inside and out is use Tailscale on all my clients. I host a DNS server on my tailnet that is set up as split DNS for my “kickassdomain.org”.