I ended up just building a box after looking for the perfect NAS and finding it didn’t exist. The software is usually just crap or the hardware is underwhelming. Got a Node 804 case to slap in plenty of HDD space. Running NixOS so I’m in control of the software. In retrospect I wish I had gotten a rackmount type case. Tossed in an Arc GPU for better transcoding shortly after the initial setup.

Major desktop environments are KDE as you mentioned and Gnome.

Arch wiki is a good resource even if not running arch. You may want to look into their dotfiles page to back up your settings: https://wiki.archlinux.org/title/Dotfiles.

NixOS ended up being my distro of choice for reproducible installs but it has a high learning curve and poor documentation so I wouldn’t recommend to start with. That said you can still use Nix on other distros with home manager to manage dotfiles and install non-system apps.

Distros just pick the default things to install. You can always use the package manager to install something else like a better file manager.

A lot of choices are simply subjective so its hard to recommend any one distro. Mint is close to windows, based on Ubuntu and uses Gnome. Ubuntu based on Debian I find to be user friendly. Not used a Fedora based distro in ages but there is also Silverblue I’ve heard mentioned positively.

Distros like Arch and NixOS are more design your own system setups. Pick what you want. I used arch for a bit, but got annoyed at keeping all my systems in sync. Had a huge wiki of all the tweaks I made. Then scripts to automate some of it. I started looking at automation tooling like ansible when I found nix.

That and old ass infected computers. I’ve used Linux almost exclusively for more than a decade. Fuck if I know how to fix your 10 year old windows desktop.

Pretty snappy. All the gnome APIs are written in C. It doesn’t run on node, it runs on gnome-javascript (gjs) which exposes all the C APIs through JavaScript. If you use the Astal wrappers its pretty painless but using the gnome APIs directly in gjs is a little weird since you have to consider things like memory management.

I have it activate a layer when held where all the other keys are remapped.

I also use a 45% keyboard (https://wilba.tech/jd45) and its done in the keyboard’s firmware (https://qmk.fm/), so I need the extra keys.

I have an older model of the JD45 with a full bottom row.

It is gnome, but https://aylur.github.io/astal/showcases/ is pretty awesome if you’ve done any React development. Pretty much coded up my own desktop environment with typescript and tsx for layout stuff. Lot’s of fun widgets.

Note that I use nixos so pretty much everything is hand picked instead of a prebuilt ready to go environment. Hyprland for the basic desktop, Astal for my desktop shell with widgets, toolbars, etc.

Can confirm, it is information they already have. Below is likely the API the telco exposes to the bureau. Each data point queried returns true, false, or a confidence score.

It is intended as an anti-fraud tool. Not saying I agree with it. Something like PGP is sufficient for building out a web-of-trust without needing to share my personal information.

https://redocly.github.io/redoc/?url=https%3A%2F%2Fraw.githubusercontent.com%2Fcamaraproject%2FKnowYourCustomer%2Fr1.4%2Fcode%2FAPI_definitions%2Fkyc-match.yaml&nocors=#tag/Match/operation/KYC_Match

No programming knowledge required.

Graphene only supports Pixels due to the titan chip. The versions with “a” are cheaper. Check when they go end of life to find the cheapest if you care about updates. So probably the 6a or 7a if you want at least 2 years of updates.

1. Not sure on this one.

2. The auditor is to make sure you are installing an authentic version of graphene. That it is not a modified version that has been tampered with (e.g., backdoors).

3. Automatically enables MAC randomization. This can help with being tracked on public networks. Fingerprinting techniques have gotten better though with deep packet inspection and even measuring radio characteristics. I’ve seen demos of two brand new and identical models of iPhones being distinctly picked out due to variances in the radios during manufacturing.

Doesn’t help with advertisers tracking behavior based on IP. VPNs help with “blending-in” by putting multiple users behind the same IP. Provider matters here. Needs to be a VPN provider that won’t just sell your data or cave to law enforcement. Mullvad is my preference. Paid with crypto. RAM only logs. That said, use Tor or I2P for anything you don’t want subpoenaed.

For additional tips:

• Can’t remember if its on by default, but auto-reboot to put data at rest (encrypted and not in RAM). This is for a state-actor threat level, and less about advertisers.
• I prefer pin codes to unlock my device and don’t use biometrics. Graphene has a feature to randomize the pin pad every time to protect against a recording of the pin be entered. Specifically where the numbers aren’t picked up on the video but the pattern your hand makes can be seen. Again, more of a state-actor threat level.

Thought I was seeing a post from AI Generated Porn for a second.

No. Its all text file config. You wouldn’t use live CD mode. You define your own how you want it to work.

Its a steep learning curve so if looking for off the shelf solutions, don’t use nix. If you need something custom but through a single config paradigm, nix is awesome.

Soap boxing here but I feel these kinds of use cases is what NixOS is built for.

Declarative config to setup the system, users, and apps.

Declarative and customizable impermanence exactly how you want it.

I use Tails as well but NixOS is my daily driver. Anything not marked explicitly to persist is dropped each reboot. I’m the only user so I keep the last 30 days of non persisted data for like a power outage but that’s something I had to go out of my to setup for my use case.

There is anonymity and pseudonymity.

Do you need your opsec to be resistant to state-level actors (oppressive regime, censorship, illegal activities)? Well then you need to make sure you don’t introduce anything that will deanonomize you.

Are you trying to be resistant to mass data collection efforts used for profit? Being on the pseudonymity spectrum is a good step.

Dealing with the latter is like dealing with a bully. Make it not worth their time. They just want to put you in bucket X so they can estimate the most likely way to influence you for reason Y. Pseudonymity is about having multiple aliases that get put into different buckets so their privacy invasive efforts are less effective.

For our lower environments we use rsync like the author but skip the pipeline altogether. The servers have a watch script to restart when files are rsynced. We then have a local watch script that rsyncs on file changes.

Relatively instant deploy (2-5s) whenever a file is saved.

Good call on a simulated failure. When I first set it up, it was LVM/BTRFS or ZFS as my top choices. It was a coin toss at the time because I hadn’t built this sort of setup before.

I use immutable nixos installs. Everything to redeploy my OS is tracked in git including most app configurations. The one exception are some GUI apps I’d have to do manually on reinstall.

I have a persistence volume for things like:

• Rollbacks
• Personal files
• Git repos
• Logs
• Caches / Games

I have 30 days (or last 5 minimum) of system rollbacks using BTRFS volumes.

The personal files are backed up hourly to a local server which then backs up nightly to B2 Backblaze using rclone in an encrypted volume using my private keys. The local server has a mishmash of drives in a mirrored LVM setup. While it works well for having mixed drives, I’ll warn I haven’t had a drive failure yet so I’m not sure the difficulty of replacing a drive.

My phone uses the same flow with RoundSync (rclone + GUI).

Git repos are backed up in git.

Logs aren’t backed up. I just persist them for debugging and don’t want them lost after every reboot.

Caches/Games are persisted but not backed up. Nixos uses symlinks and BTRFS to be immutable. That paradigm doesn’t work well for this case. The one exception is a couple game folders are part of my personal files. WoW plugin folder, EvE online layouts, etc.

I used to use Dropbox (with rclone to encrypt). It was $20/mo for 2Tb. It is cheaper on paper. I don’t backup nearly that much. Backblaze started at $1/mo for what I use. I’m now up to $2/mo. It will be a few years before I need to clean up my backups for cost reasons.

The local server is a PC in a case with 8 drive bays plus some NVME drives for fast storage. It has a couple older drives and for the last couple years I typically buy a pair of drives on sale (black Friday, prime day, etc). I have a little over 30TB mirrored, so slightly over 60TB in total. NVME is not counted in that. One NVME is for the system, the others are a caching layer (monero node) or temp storage (transcoding as it also my media server).

I like the case, but if I were to do it again, I’d probably get a rack mountable case.

For the networking I found some repos with Nix and Gluetun (OCI containers). I don’t see them in my bookmarks, so it was probably a day project when I set up and didn’t keep the references.

That part is still in docker / podman. So any docker network guide just needs to be translated to nix.

Best resource I’ve found is searching GitHub.

My setup closely follows https://github.com/Misterio77/nix-config.

For servarr I just translated someone else’s docker compose setup to nix. There are some ready made nix ones you can look at like https://github.com/rasmus-kirk/nixarr/tree/main/nixarr.

The complex networking I just picked up over time once I knew my way around a little bit.

GitHub is your best resource. lang:nix search terms.

I wouldn’t run NixOS in a container. With native nix containers I’m pretty sure they share the store. For docker I’d use images built with nix (doesn’t run nix itself) or pull from docker hub.

OS: NixOS (high learning curve but its been worth it). Nix (the config language) is a functional programming language, so it can be difficult to grok. Documentation is shit as its evolved while maintaining backwards compatibility. If you use the new stuff (Nix Flakes) you have to figure what’s old and likely not applicable (channels or w/e).

BYOD: Just using LVM. All volumes are mirrored across several drives of different sizes. Some HDD volumes have an SSD cache layer on top (e.g., monero node). Some are just on an SSD (e.g., main system). No drive failures yet so can’t speak to how complex restoring is. All managed through NixOS with https://github.com/nix-community/disko.

I run stuff on a mix of OCI containers (podman or docker, default is podman which is what I use) and native NixOS containers which use systemd-nspawn.

The OS itself I don’t back up outside of mirroring. I run an immutable OS (every reboot is like a fresh install). I can redeploy from git so no need to backup. I have some persistent BTRFS volumes mounted where logs, caches, and state go. Don’t backup, but I swap the volume every boot and keep the last 30 days of volumes or a min of at least 10 for debugging.

I just use rclone for backups with some bash scripts. Devices back up to home lab which backs up to cloud (encrypted with my keys) all using rclone (RoundSync for phone).

Runs Arrs, Jellyfin, Monero node, Tor entry node, wireguard VPN (to get into network from remote), I2C, Mullvad VPN (default), Proton VPN (torrents with port forwarding use this), DNS (forced over VPN using DoT), PiHole in front of that, three of my WiFi vlans route through either Mulvad, I2C, or Tor. I’ll use TailsOS for anything sensitive. WiFi is just to get to I2C or Onion sites where I’m not worried about my device possibly leaking identity.

Its pretty low level. Everything is configured in NixOS. No GUIs. If its not configured in nix its wiped next reboot since the OS is immutable. All tracked in git including secrets using SOPS. Every device has its own master key setup on first install. I have a personal master key should I need to reinstall which is tracked outside of git in a password manager.

Took a solid month to get the initial setup done while learning NixOS. I had a very specific setup of LVM > LUKS encryption /w Secure Boot and Hardware Key > BTRFS. Overkill on security but I geek out on that stuff. Been stable but still tinkering with it a year later.