Why can’t you just have a long lived internally signed cert on your archaic apps and LE at the edge on a modern proxy? It’s easy enough to have the proxy trust the internal cert and connect to your backend service that shouldn’t know the difference if there’s a proxy or not.

Or is your problem client side?

Automated certificates are relatively new and pretty neat. Killing off the certificate cartels is an added bonus.

You could try a path unit watching the cert directory (there are caveats around watching the symlinks directly) or most acme implementations have post renewal hooks you can use which would be more reliable.

You could try using the DNS challenge instead; I find it a lot more convenient as not all my services are exposed.

Not really with the same flexibility.

You only get usable capacity of the smallest disk in a vdev or you have to add a new vdev with your newly sized disks.

Unraid lets you mix and match however you like and get all the usable capacity (as long as your parity is your largest sized disks).

Cisco, HP, and many other “Enterprise” switches will take a minute or two to start forwarding frames after boot.

Doesn’t really excuse Ubiquiti but that’s what they’re trying for.

Why are you searching for a solution to a problem you don’t have?

There’s nothing wrong with systemd.

I agree. GeoIP was never a good idea, but here we are. Any ASN could be broken up and routed wherever (and changed) but it’s still far too prevalent.

I might be misunderstanding. It’s definitely possible to have as many IPv4 aliases on an interface as you want with whatever routing preferences you want. Can you clarify?

I agree with your stance on deployment.

Given how large the address space is, it’s super easy to segregate out your networks to the nth degree and apply proper firewall rules.

There’s no reason your clients can’t have public, world routeable IPs as well as security.

Security via obfuscation isn’t security. It’s a crutch.

This article is biased to selling you more F5 equipment but is a reasonable summary:

https://www.f5.com/resources/white-papers/the-myth-of-network-address-translation-as-security

Long story short is that NAT is eggshell security and you should be relying on actual firewall rules (I wouldn’t recommend F5) instead of the implicit but not very good protections of NAT.

I can potentially see that scenario if your transit provider is giving you a dynamic prefix but I’ve never seen that in practice. The address space is so enormous there is no reason to.

Otherwise with either of RADVD or DHCPv6 the local routers should still be able to handle the traffic.

My home internal network (v6, SLAAC) with all publicly routeable addresses doesn’t break if I unplug my modem.

Hurricane Electric have a free tunnel broker that is super simple to set up if you really want to get on the bandwagon.

https://tunnelbroker.net/

Though honestly I’d say the benefits of setting it up aren’t really worth the trouble unless you’re keen.

IMO they shouldn’t have allowed ULA as part of the standard. There’s no good reason for it.

It also means you no longer need the kludge that is NAT. Full E2E connectivity is really nice – though I’ve found some network admins dislike this idea because they’re so used to thinking about it differently or (mistakenly) think it adds to their security.

Yes.

Just beware of their reclamation policy:

https://docs.oracle.com/en-us/iaas/Content/FreeTier/freetier_topic-Always_Free_Resources.htm#compute__idleinstances

Thanks for taking the time to respond.

I appreciate the info, but I am not a patient man. :)

Where on earth are you buying HP Mini machines for so cheap? Even the older gen seem to be 5 times as expensive as your estimate.