no. Arp bridges layer 1 and 2. It’s switch local. With a VLAN, it becomes VLAN local, in the sense that 802.1q creates a “virtual” switch.

Broadcast traffic (such as DHCP) doesn’t cross subnets without a router configured to forward it. It’s one of the reasons subnets exist.

What in the world is “a proprietary OS I cannot trust”. What’s your actual threat model? Have you actually run any risk analyses or code audits against these OSes vs. (i assume) Linux to know for sure that you can trust any give FOSS OS? You do realize there’s still an OS on your dumb switch, right?

This is a silly reason to not learn to manage your networking hardware.

A VLAN is (theoretically) equivalent to a physically separated layer 2 domain. The only way for machines to communicate between vlans is via a gateway interface.

If you don’t trust the operating system, then you don’t trust that it won’t change it’s IP/subnet to just hop onto the other network. Or even send packets with the other network’s header and spoof packets onto the other subnets.

It’s trivially easy to malform broadcast traffic and hop subnets, or to use various arp table attacks to trick the switching device. If you need to segregate traffic, you need a VLAN.

Edit: Should probably note that simply VLAN tagging from the endpoints on a trunk port isn’t any better than subnetting, since an untrusted machine can just tag packets however it wants. You need to use an 802.1q aware switch and gateway to use VLANs effectively.

What you are asking will work. That’s the whole point of subnets. No you don’t need a VLAN to segregate traffic. It can be helpful for things like broadcast control.

However, you used the word “trust” which means that this is a security concern. If you are subnetting because of trust, then yes you absolutely do need to use VLANs.

deleted by creator

deleted by creator

deleted by creator

deleted by creator

deleted by creator

deleted by creator

deleted by creator

The answer to your overarching question is not “common maintenance procedures”, but “change management processes”

When things change, things can break. Immutable OSes and declarative configuration notwithstanding.

OS and Configuration drift only actually matter if you’ve got a documented baseline. That’s what your declaratives can solve. However they don’t help when you’re tinkering in a home server and drifting your declaratives.

I’m pretty certain every service I want to run has a docker image already, so does it matter?

This right here is the attitude that’s going to undermine everything you’re asking. There’s nothing about containers that is inherently “safer” than running native OS packages or even building your own. Containerization is about scalability and repeatability, not availability or reliability. It’s still up to you to monitor changelogs and determine exactly what is going to break when you pull the latest docker image. That’s no different than a native package.

Depends on the specific Zigbee switch, but generally yes.

The magic is in the fact that you can decouple the relay, and use the switch as a sensor that triggers things that may or may not be related to the physical switch position.

The other reason I like it better than a typical “smart switch” is that I can use the shellys with whatever switch I want, so I can have it match my dumb switches and use different colors.

shelly relays will do exactly what you want. just wire them as disconnected switches. i do this to simulate 3-way switches, but it’ll work just as well to swap circuit behavior.

you can use a homeassistant action if you’re already using HA, or you can have the shellys call each others web api when it senses the switch.

Just cause you’ve never seen them doesn’t make it not true.

Try using quadlet and a .container file on current Debian stable. It doesn’t work. Architecture changed, quadlet is now recommended.

Try setting device permissions in the container after updating to Debian testing. Also doesn’t work the same way. Architecture changed.

Redhat hasn’t ruined it yet, but Ansible should provide a pretty good idea of the potential trajectory.

It isn’t. It’s architecture changes pretty significantly with each version, which is annoying when you need it to be stable. It’s also dominated by Redhat, which is a legit concern since they’ll likely start paywalling capabilities eventually.

Every complaint here is PEBKAC.

It’s a legit argument that Docker has a stable architecture while podman is still evolving, but that’s how software do. I haven’t seen anything that isn’t backward compatible, or very strongly deprecated with notice.

Complaining about selinux in 2024? Setenforce 0, audit2allow, and get on with it.

Docker doing that while selinux is enforcing is an actual bad thing that you don’t want.

Gatorz are tough as hell, and have some of the best polarized optics I’ve ever worn.

They’ll do lens replacements, and can make prescriptions as well.

Careful leaving them on a car dashboard though. They’re aluminum frames and I burned my temples once.

Free tier is super limited and super easy to accidentally break out of. I had a single file in S3, but because my logging settings were wrong, I broke the free tier with junk logs.

The t2 micro ec2 instances are fine, but you need to be very careful about their storage and network egress.

Best use I’ve had for AWS that has managed to stay within the free limits has been Lambda. Managed to convert a couple self hosted discord bots to a few Lambda functions, works great. Plugging it into CloudFormation and tying up CI/CD with CodePipeline and the like were overkill but good learning exp.

I don’t think there’s any ECS free tier, but you can fit a private container repository in the free S3 limits as well.