jails Jails on RPi4B as DHCP/DNS/file/web server/router

[assholehoff]

I'm downsizing my server (an old 2006 hp ProLiant 19" rack monster with 41 disks) for a Raspberry Pi 4B 8GB as the electricity here in southern Sweden has become absurdly expensive. (The whole thing draws about €70 worth per year, now it is looking more like €4000...) While I'm redoing everything, I thought I might as well learn to use jails properly.

I have installed sysutils/bastille since it seems simple enough and has no dependencies. I have read through various posts on jails in this forum, as well as scattered blog posts on the web. As I understand it, it is considered good to make a jail and expose it to the external IP. And this I do by having pf (4) on the host redirect all traffic on the externally connected interface to a bridge to said jail.

So, my thinking is this:

• RPi4B host with as few ports installed as possible.
  Should net/isc-dhcp44-server go here though?
  • Jail to route traffic to/from the Internet for all jails and computers on the network.
    Also running dns/unbound with an adblock ksh-script.
    Reverse proxy goes here?
  • Jail running ports-mgmt/poudriere to fetch, configure and build all packages for the other jails.
  • Jail running net/netatalk3, net/samba413 and net/mDNSResponder to serve as a Time Machine backup server for the Macs on the network. There will be a ZFS volume connected to store the files.
  • Jail running mail/dovecot, mail/postfix, mail/spamassassin and security/clamav for my domain.
  • Jail running www/nginx (and possibly www/rubygem-jekyll) for my domain.
  • Jail running net-p2p/transmission-daemon.
  • Possibly a jail running www/nextcloud, but this is low priority.

Does this seem appropriate? Looking forward to hearing your thoughts.

 

[Phishfry]

Does this seem appropriate?

Yes for amd64 machine or maybe a Rock64 with emmc 128GB module installed.
What is your plan for running poudriere jail? Running it off an SD card?
My personal opinion is that USB is not the best storage medium on Arm.
There are options for SATA on Arm and I think that would be a better choice.
Rock Pi 3/4 is bringing nvme which is very interesting to me. Not yet supported.
But we have RockPro64 which is a nice choice.

With much help I had wrote a OneWire temp monitoring app with rrdtools API but the attached usb storage would just drop out after 3 -5 days needing a reboot. I soured on the whole project because of poor storage options on Pi.

Beaglebone was nice because of eMMC onboard but problem there is not abusing eMMC with writes.
That is why I mentioned removable eMMC modules. They fill a niche by providing reliable storage that is replaceable.

 

[diizzy]

I would highly recommend RockPro64 over the Rock64, it much more powerful and flexible. See https://wiki.freebsd.org/arm/RockChip for more information
Your milage using the RPi4 may vary due to lack of documentation and interest for that SBC

Use net/dhcpd instead of ISC unless you need specific features that OpenBSDs dhcp daemon doesn't provide. It also shares pretty much the same syntax
You're probably better off running dns/blocky or www/adguardhome than dns/unbound for adblocking
You might want to offload mail to a provider such as gandi.net which have reasonable pricing too
www/gohugo might be worth looking into compared to jekyll
net-p2p/qbittorrent-nox performs a lot better than transmission and also offers remote controller including a WebUI

 

[assholehoff]

The Rock(Pro)64 is certainly interesting, but at the moment, a Raspberry Pi 4B 8GB is what I have. In it is a 128GB SD card, but running the OS from that was not my long term plan. So far, the system seems to be running alright, I did a simple string conversion test in c, and the Pi 4 runs it just barely faster than the hp ProLiant. I have not set up the zpool on the USB3 disk yet, I know it is far from an ideal solution, but right now it is this or nothing.

What is your plan for running poudriere jail? Running it off an SD card?

I was thinking USB3 hard drive. The poudriere jail would be entirely for my curiosity.

None of these services should really come under heavy load. There are only five Macs performing backups, and beyond them, a dozen devices using the Internet connection.

I was actually just looking at net/dhcpd and trying to figure out what the difference is. I don't think I need anything special at all, it only needs to dish out addresses to the jails and the physical machines on the LAN/Wi-Fi.

I'll look into the other ports as well, thanks for the tips!

 

[assholehoff]

My personal opinion is that USB is not the best storage medium on Arm.

Ok, I now share your experience. I have tried to make the disk play nice for over an hour now, it really doesn't want to.

I'm abandoning the part about the file server, I'll set up a share on my Mac mini for the other Macs to backup to.