There are good reasons for why both JPEG-XL and WebP exist though.
If you’re running an email server for more than a handful of persistent users, I’d probably agree. However, there are self-host solutions that do a decent job of being ‘all-in-one’ (MailU, Mailcow, Docker-Mailserver) that can help perform a lot of input filtering.
If your small org just needs automation emails (summaries, password resets), it’s definitely feasible to do actually, as long as you have port 25 available in addition to 465, 587 and you can assign PTR records on reverse DNS. Optionally you should use a common TLD for your domain as it will be less likely to be flagged via SpamAssassin. MXToolbox and Mail-Tester together offer free services to help test the reliability of your email functionality.
I’m currently going through a similar situation at the moment (OPNSense firewall, Traefik reverse proxy). For my solution, I’m going to be trial running the Crowdsec bouncer as a Traefik middleware, but that shouldn’t discourage you from using Fail2Ban.
Fail2Ban: you set policies (or use presets) to tempban IPs that match certain heuristic or basic checks.
Crowdsec Bouncer: does fail2ban checks if allowed. Sends anonymous bad behavior reports to their servers and will also ban/captcha check IPs that are found in the aggregate list of current bad actors. Claims to be able to perform more advanced behavior checks and blacklists locally.
If you can help it, I don’t necessarily recommend having OPNSense apply the firewall rules via API access from your server. It is technically a vulnerability vector unless you can only allow for creating a certain subset of deny rules. The solution you choose probably shouldn’t be allowed to create allow rules on WAN for instance. In most cases, let the reverse proxy perform the traffic filtering if possible.
It doesn’t.
For desktop/workstation users: the simple answer is just use the flatpak from Flathub or from some other source if you need a user package that doesn’t align to the ethos of your chosen distro. In most cases desktop Linux users have gone beyond self-packaging for specific library versions and just use a separate set of common libraries to power application needs beyond the out of box experience of any given distro. It’s part of why immutable distros are starting to take off and make more sense for desktop/workstation use-cases.
For servers, it’s in the nature to become part of the technical debt you are expected to maintain, and isn’t unique among RHEL, OpenSUSE Leap, Debian, Ubuntu, or any other flavor of distro being utilized.
If you’re not on RHEL-likes manually installing piles of out-of-tree software or randomly dumping RPMs into your system blindly hoping that things will “just work”, all is good on most rpm-based distros (RHEL, Fedora, AlmaLinux, OpenSUSE Leap, etc.). Updates don’t have issues and system upgrades (where possible) have had minimal problems within the past few years on all of my systems.
Ocis/OpenCloud can integrate with Collabora and OnlyOffice, but don’t currently have things like CalDAV, CardDAV, E2EE, Forms, Kanban boards, or other extensible features installable as plugins in Nextcloud.
If you desire a snappy and responsive cloud storage experience and don’t particularly need those things integrated into your cloud storage service, then Ocis or OpenCloud might be something to look into.
Given the Linux initramfs targets a block device as a file that then gets mounted as the persistent root filesystem, I don’t think it would really be possible to unmount / and replace the location with a file. Root isn’t represented as a file or directory in any filesystem structure and is a construct of many Unix and Unix-like kernels.
Certainly a failure but at least it wouldn’t actually be as harmful as it reads, given / is a directory and the assumption you’re not root.
You’re not referring to this satire article by chance?
From my experience with a modern Thinkpad (A485); nothing if not outright inferior. The trackpoints on them are pretty terrible compared to classic IBM-era thinkpads (10-20hz polling rate, abysmal velocity curve). The physical durability of the machine might be above-average for business laptops, but the chance of the hardware failing in some major way within warranty seems to be quite high (among other replacement parts, I had 4-5 mainboard replacements done under warranty). The cooling solution on the Thinkpad I used to use was also a fair bit inadequate, and would lead to severe thermal throttling of the mid-range APU. Honestly between the reliability and torturous process to even buy a new Thinkpad from Lenovo, I just wouldn’t bother.
For what it’s worth, I do think OCIS is worthy of switching to if you don’t make use of all of the various apps Nextcloud can do. OCIS can hook into an online office provider, but doesn’t do much more than just the cloud storage as of right now.
That said, the cloud storage and UX performance is night and day between Nextcloud/Owncloud and OCIS. If you’re using an S3 provider as a storage backend, then you only need to ensure backups for the S3 objects and the small metadata volume the OCIS container needs in order to ensure file integrity.
Another thing to note about OCIS: it provides no at-rest encryption module unlike Nextcloud. If that’s important to your use case, either stick with Nextcloud or you will need to figure out how to roll your own.
I know that OCIS does intend to bring more features into the stack eventually (CalDAV, CardDAV, etc.). As it stands currently though, OCIS isn’t the behemoth that Nextcloud/Owncloud are, and the architecture and maintenance are more straightforward overall.
As for open-source: OCIS released and has still remained under Apache 2.0 for its entire lifespan thus far. If you don’t trust Owncloud over the drama that created Nextcloud, then I guess remain wary? Otherwise OCIS looks fine to use.
You use Steam for games on Linux primarily. Independent native games exist as well. Many Windows-only titles will be best run through Proton: Valve’s modified WINE bundle. Other store titles can be configured to run through WINE or Proton via apps like Lutris or Heroic (GOG, Itch.io, Epic Games, etc.).
I believe it’s mostly drawing tablet support in Qt and in turn porting to Qt6 that’s holding native Wayland builds back.
For multi-monitor: use Wayland. For 2.5Gbps Ethernet NICs, they never work properly on any system in regard to performance, but I presume you are referencing the subpar Realtek NICs not connecting? Depending on the distro, you likely won’t have the driver and/or firmware package preinstalled to make it work.
Just took a couple minutes to install and set up the fork to try it out. Turns out there is a flatpak on Flathub under the id dog.unix.cantata.Cantata that looks to be maintained directly by nullobsi. I’ll have to see where rough edges show up, but this fork looks good thus far. A full port from Qt5 -> Qt6 isn’t a trivial amount of effort, so mad respect to everyone working on this ported version.
The question that I have to ask: what category of CLI apps (or even some examples) exist that are too complex to maintain a few versions simultaneously as native packages but are not complex enough to just use an OCI container for them instead?
Wouldn’t this still be the superior solution? The article doesn’t mention the setup for using ROCm for cards running on amdgpu.
As I found out recently myself, you should almost always set the minimum amount of reserved memory for the iGPU on modern hardware. The reserved memory is just that— reserved. The kernel still dynamically allocates memory for GPU usage as needed on iGPUs.
How locked down are the Chromebooks?
Remote VM seems overkill if you can just enable “Linux for Chromebook”, which gives a sandboxed terminal at which point you can set up and install software like Blender, PrusaSlicer, etc.
It won’t be the fastest because they are thin clients, but even modern thin clients do decently for ‘light’ work.