Did anyone manage to build this? It seems something is missing, or I am doing something wrong. The build fails due to missing symbols for me. Also, interestingly the assembler complained about one line in a certain file being too long. Fortunately that lines was just a comment, so it was easy to fix that.
Great photos!
Compared to other SBCs, Raspberry Pis have been pretty inefficient for a while. A Pi 5 idles at about 3 W, which is pretty terrible for such a board, compared to other similar devices. You can get X86 PCs that idle at 3 W which are way more powerful. Other ARM SBCs use less than half that at idle and similarly less under load.
There are probably multiple reasons for that. The Pi's SoCs have always used rather old process nodes, which are more power hungry than more modern ones used by other single board computers and PCs - 16 nm for the Pi 5 SoC and 28 nm for the Pi 4. Also, with the Pi 5 there is this additional "south bridge" chip which is attached via PCIe. This consumes additional power and for some reason the PCIe link is configured such that it never enters power saving states. I don't know why.
Also, the power supply circuitry on the Pi 5 is far from ideal with its 5 V / 5 A power supply. Such a low voltage at such a high current can easily cause additional losses on the wire. That's mostly relevant under high load though.
Since none of these require a Raspberry Pi to run, I would suggest using a mini PC (with an Intel N100 or similar) instead of a Pi 5. With all the accessories needed for the Pi, a mini PC can actually be cheaper and of course a lot more powerful. Since the Pi 5 is very power-inefficient, a mini PC can even be better in that regard too if that matters to you.
Especially for Jellyfin a PC with an Intel CPU with integrated GPU is awesome, since Jellyfin supports hardware transcoding with that.
Of course harassment is never okay, but I'd say when it comes to GNOME, this is not surprising. GNOME developers have been so hostile towards both users and other developers for a long time. I'm not saying every single person associated with the project does this, but it is pretty common (e.g. here and here ). Of course the GNOME devs don't have to accomodate everyone, but it is a common theme with the project to remove features despite user backlash and also to close bugs as WONTFIX often without good explanations as to why, even when there are pull requests for fixing the problem.
I am simply avoiding the project, since there are enough good alternatives.
I'd choose LUKS over Veracrypt for simplicity. If the drive is solely for backup, depending on the backup tool you use, you might not even need encryption on the file system level. Several backup solutions support data encryption.
There is quite a significant difference. An ssh server - even when running on a non-default port - is easily detectable by scanning for it. With a properly configured Wireguard setup this is not the case. As someone scanning from the outside, it is impossible to tell if there is Wireguard listening or not, since it simply won't send any reply to you if you don't have the correct key. Since it uses UDP it isn't even possible to tell if there is any service running on a given UDP port.
Getting certs from Let's Encrypt should work fine with any provider, even if you can't open any ports, since they do support DNS challenge.
Particularly in low-load scenarios there can be quite a big difference when it comes to PSU efficiency. While newer ATX PSUs have become better with regards to efficiency at low load, a Pico PSU can still be quite a bit better. Older ATX PSU often don't even reach 60 % efficiency at 5 % load (which would be a typical load for such a system at idle), sometimes considerably less than that. At the same load a Pico PSU can easily be at 85 % efficiency.
Of course, at higher loads the difference is way smaller.
Mine runs a little under 18 W with one 8 port managed switch, a DSL modem, CM4-based router, a tiny Wifi AP, and an Intel Celeron J4105 based mini PC server.
I am not sure where this idea comes from, but putting a service behind a reverse-proxy does not increase its security in any way, unless you'd do authentication right at the reverse-proxy.