Looks like both of your vms probably have the same mac address - the 172 ip address is likely a self-assigned fallback when the dhcp server replies to the second vm that it can’t give it an address. Double-check and make sure the mac address in each vm’s proxmox network adapter settings matches your pfsense dhcp reservations, and let me know if that resolves it.
mlfh
The grub command line options at the beginning of this article might help get your system booted without the memory deadlock, and then you can make further adjustments as needed: https://tierhive.com/blog/tierhive-howto/debian-13-minimal-guide-reduce-ram-to-38mb-and-disk-to-275mb
Alpine is great for exactly this kind of thing, though, and I use it often in embedded environments where resources are at a premium. Just do some good reading up on it beforehand, since it can be very different if you’re used to debian and systemd.
The ongoing maintenance for this would be a bit of a pain, since you’d need to recompile every update on a separate machine with enough memory to do so, package it up into a .deb, and distribute and install it everywhere.
I do this on a little raspberry pi cluster and it works, but it’s work.
But root can scrape that password as soon as you enter it, and has access to that encrypted data as soon as you decrypt it. That’s what I’m saying.
If you think anything on a *nix system is “safe” from root or a user that can elevate to root, you’re deluding yourself with wishful thinking.
Nothing at all is safe from the root account, or from any user that can elevate to root. Think of the root account as the system itself - the thing you’re trying to protect may be encrypted and safe at rest if you’ve brought it in from elsewhere, but as soon as you enter a password and decrypt it, you’re handing that password and decrypted data over to a system fully controlled by that root account.
mlfh@lm.mlfh.org to Linux@lemmy.ml • Looking for a tool to auto-sort files using INDEX.md as a map
9 · 10 days ago
Unless there’s more information on what kind of files and what kind of sorting needs to be done, this sounds like something that could be done with a simple shell script.
(I wouldn’t trust an ai agent to do it with accuracy, but I’m the kind of luddite that doesn’t trust an ai agent at all.)
mlfh@lm.mlfh.org to Linux@lemmy.ml • Dirty Frag: Universal Linux LPE - allows any unprivileged local user to gain root access on a vulnerable Linux system - no patch available
3 · 22 days ago
Hahaha no I’m just an idiot and accidentally swapped the url and text, thanks for catching that - fixed now
mlfh@lm.mlfh.org to Linux@lemmy.ml • Dirty Frag: Universal Linux LPE - allows any unprivileged local user to gain root access on a vulnerable Linux system - no patch available
26 · 22 days ago
modprobed-db can create a profile of the kernel modules that get loaded by your system over time. You can feed that directly into make localmodconfig to build a kernel that only includes those modules, or use the data to build a modprobe whitelist.
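One way to build the modprobe whitelist mentioned in the comment above, shown as an added example that is not part of the original comment. It assumes the modprobed-db database is a text file with one module name per line and enforces the list with `install <module> /bin/false` lines; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original comment. Assumptions: the modprobed-db
# database is a text file with one module name per line, and the "whitelist"
# is enforced by an `install <module> /bin/false` line for everything else.

# list_modules DIR: names of all modules (*.ko, *.ko.xz, *.ko.zst, ...) under DIR.
# '-' and '_' are interchangeable in module names, so normalise to '_'.
list_modules() {
    find "$1" -type f -name '*.ko*' |
        sed -e 's|.*/||' -e 's|\.ko.*$||' | tr '-' '_' | LC_ALL=C sort -u
}

# gen_denylist ALLOW_FILE MODULES_DIR: print a modprobe.d fragment that blocks
# every module present in MODULES_DIR but absent from ALLOW_FILE.
gen_denylist() {
    allow_tmp=$(mktemp) || return 1
    # Drop blank lines and comments from the allow list, then normalise.
    grep -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$1" |
        tr '-' '_' | LC_ALL=C sort -u > "$allow_tmp"
    # comm -13 keeps lines found only in the second input (available, not allowed).
    list_modules "$2" | LC_ALL=C comm -13 "$allow_tmp" - |
        sed 's|.*|install & /bin/false|'
    rm -f "$allow_tmp"
}

# Constructed sample data: a fake module tree and a fake modprobed-db list.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/mods/fs" "$d/mods/net" "$d/mods/sound"
    : > "$d/mods/fs/ext4.ko"
    : > "$d/mods/fs/cramfs.ko.xz"
    : > "$d/mods/net/nf_tables.ko.zst"
    : > "$d/mods/net/dccp.ko"
    : > "$d/mods/sound/snd-hda-intel.ko.xz"
    printf '%s\n' '# constructed allow list' ext4 nf_tables snd_hda_intel > "$d/allow.db"
    echo "$d"
}

sample=$(make_sample)
gen_denylist "$sample/allow.db" "$sample/mods"
rm -rf "$sample"
```

On a real system the second argument would be the running kernel's directory under /lib/modules and the output would be saved as a file in /etc/modprobe.d/. An `install` override only affects loading through modprobe (including kernel-requested autoloading); it does not stop root from loading a module directly with insmod.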
mlfh@lm.mlfh.org to Selfhosted@lemmy.world • Zpool scrub taking days? And HDD issues... Am I cooked?
19 · 24 days ago
You have enough failures on each disk to make me suspect an issue with the usb-connected drive bay. I ran into similar issues with a cheap pci-e sata adapter, where little hiccups and latency in the communication layer would cause zfs to take disks offline randomly. Read, write, and checksum errors would slowly accumulate across all of the disks. Switched that machine to a proper enterprise hba, the issues vanished, and the disks are all healthy 3-4 years later.
mlfh@lm.mlfh.org to Linux@lemmy.ml • Ubuntu 26.04 Allows "sudo apt install rocm" But It's Months Out-Of-Date
1 · 1 month ago
deleted by creator
mlfh@lm.mlfh.org to Selfhosted@lemmy.world • How Do you keep your services updated?
28 · 2 months ago
Everything I run, I deploy and manage with ansible.
When I’m building out the role/playbook for a new service, I make sure to build in any special upgrade tasks it might have and tag them. When it’s time to run infrastructure-wide updates, I can run my single upgrade playbook and pull in the upgrade tasks for everything everywhere - new packages, container images, git releases, and all the service restart steps to load them.
It’s more work at the beginning to set the role/playbook up properly, but it makes maintaining everything so much nicer (which I think is vital to keep it all fun and manageable).
I run the immich container stack on a vm with 4GiB memory and 2 cores, with db on local disk and external libraries over smb, and it runs perfectly fine. I offload the machine learning jobs to another sometimes-on machine, sometimes, but don’t really need to unless I’m dumping thousands of new images into the external library at a time and want it all to process quickly.