-> @jrgd@lemmy.zip

  • 1 Post
  • 26 Comments
Joined 1 year ago
Cake day: January 5th, 2024


  • I’m currently going through a similar situation at the moment (OPNSense firewall, Traefik reverse proxy). For my solution, I’m going to be trial running the Crowdsec bouncer as a Traefik middleware, but that shouldn’t discourage you from using Fail2Ban.

    Fail2Ban: you set policies (or use presets) to tempban IPs that match certain heuristic or basic checks.

    Crowdsec Bouncer: does fail2ban checks if allowed. Sends anonymous bad behavior reports to their servers and will also ban/captcha check IPs that are found in the aggregate list of current bad actors. Claims to be able to perform more advanced behavior checks and blacklists locally.

    If you can help it, I don’t necessarily recommend having OPNSense apply the firewall rules via API access from your server. It is technically a vulnerability vector unless you can only allow for creating a certain subset of deny rules. The solution you choose probably shouldn’t be allowed to create allow rules on WAN for instance. In most cases, let the reverse proxy perform the traffic filtering if possible.


  • Ocis/OpenCloud can integrate with Collabora and OnlyOffice, but don’t currently have things like CalDAV, CardDAV, E2EE, Forms, Kanban boards, or other extensible features installable as plugins in Nextcloud.

    If you desire a snappy and responsive cloud storage experience and don’t particularly need those things integrated into your cloud storage service, then Ocis or OpenCloud might be something to look into.


  • Given the Linux initramfs targets a block device as a file that then gets mounted as the persistent root filesystem, I don’t think it would really be possible to unmount / and replace the location with a file. Root isn’t represented as a file or directory in any filesystem structure and is a construct of many Unix and Unix-like kernels.




  • From my experience with a modern Thinkpad (A485): nothing if not outright inferior. The trackpoints on them are pretty terrible compared to classic IBM-era Thinkpads (10-20 Hz polling rate, abysmal velocity curve). The physical durability of the machine might be above-average for business laptops, but the chance of the hardware failing in some major way within warranty seems to be quite high (among other replacement parts, I had 4-5 mainboard replacements done under warranty). The cooling solution on the Thinkpad I used to use was also a fair bit inadequate, and would lead to severe thermal throttling of the mid-range APU. Honestly, between the reliability and the torturous process to even buy a new Thinkpad from Lenovo, I just wouldn’t bother.


  • Before buying anything to supplement your hotspot, it may be worth checking to see if your issues are even caused by poor signal strength. Depending on the cause, buying better antennae or a signal booster relay may not provide any tangible benefit. As you say you live in a rural area, your issues may be unsolvable by different hardware as your device may be throttled by your carrier instead.






  • https://librewolf.net/

    A summary from its site and known technical details:

    • no telemetry by default
    • includes uBlock Origin
    • has sane privacy-respecting defaults
    • prepackages arkenfox user.js
    • relatively well-maintained fork of Firefox that keeps up with upstream
    • No major controversies AFAIK

    As for Windows 7, nobody should really need to install Librewolf anyway on such a device. No device running Windows 7 should have access to the internet at this point. If you are asking about compatibility intending this use case, you have bigger problems to worry about than your choice of browser. If you just need to view HTML files graphically, even Internet Explorer or an older Firefox ESR will do.




  • If that is the case, the developer should have likely noted otherwise before closing the issue as the final piece of discussion. That is good to know that your experience hasn’t dropped the OS into base Windows 11. If what you say is true, the developer should also really spend some time cleaning up the README and clarify that base Tiny11 can actually be updated in-OS. I will still test in a VM later today to confirm that Tiny11 doesn’t actually erode or degrade on update for myself.


  • -> @jrgd@lemmy.zip@lemm.ee to linuxmemes@lemmy.world: only as in free beer
    1 year ago

    From the Github README:

    Also, for the very first time, introducing tiny11 core builder! A more powerful script, designed for a quick and dirty development testbed. Just the bare minimum, none of the fluff. This script generates a significantly reduced Windows 11 image. However, it’s not suitable for regular use due to its lack of serviceability - you can’t add languages, updates, or features post-creation. tiny11 Core is not a full Windows 11 substitute but a rapid testing or development tool, potentially useful for VM environments.

    It literally says that it cannot be updated from a built OS install. You need to reinstall tiny11 by rebuilding the install image with a newer Windows 11 base image. Obviously it would be best to do this every time there is a security patch release for Windows 11.

    EDIT: Rereading further, the bigger Tiny11 image might be able to be updated in-OS. I’m going to dig through the ps1 scripts to see if the README holds up to that un-noted capability.

    EDIT2: I don’t see any registry edits that knock Windows Updater offline. I’ll test it in a VM to see if things work (from prebuilt when it eventually downloads). Though I am unsure at this moment if such an image’s changes will survive a Windows update at all.

    EDIT3: VM not tested yet, but an issue on the GitHub seems to corroborate my initial assumption.

    EDIT4: VM tested. Things claimed to be patched out (Edge) came back with one of the cumulative updates applied shortly after install. Other cumulative updates are being blocked (error instantly on attempt to install after download) (perhaps unintentionally). Image downloaded claimed to be for 23H2, but Windows 11 22H2 was installed, seemingly with no way to actually upgrade. I think my point stands.



  • Could you elaborate on this? As someone who uses SystemD extensively on workstations and servers for spawning and managing both system-level and user-level services, I do find minimal issues overall with SystemD minus some certain functionalities such as socket spawning/respawning.

    Of course, some of SystemD’s default housekeeping services do suck and I replace them with others. I would like to see the ability to just remove those services outright from my systems as separate packages since they do remain useless, but it isn’t that big of an issue.