Single-node Kubernetes “cluster” on Fedora 42/43

Just putting this out there for those who might need it. This will install Kubernetes from the official repositories, using containerd.io from Fedora’s repositories as the container runtime and Calico as the network fabric. It will also pull in Helm for deploying Helm charts.

Note: This is for development or learning use, and hobbyist depending on your use cases. These commands will get you started. They will require tweaks for security and/or performance if you need Kubernetes for production.

Make sure the system is up-to-date (sudo dnf update -y) before running this. This is best run on a fresh install.

# First, set up the Kubernetes repo and install the packages. Change the 
# version to whatever you want to use. Latest is 1.34 as of this writing.

kube_version=1.34

cat <<EOF | sudo tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://pkgs.k8s.io/core:/stable:/v$kube_version/rpm/
enabled=1
gpgcheck=1
gpgkey=https://pkgs.k8s.io/core:/stable:/v$kube_version/rpm/repodata/repomd.xml.key
EOF

sudo dnf update
sudo dnf install -y \
    kubectl \
    kubelet \
    kubeadm \
    kubernetes-cni \
    containerd \
    helm

# Make sure swap is off. Only needed if you installed Fedora with a swap
# partition or you're using a swapfile.

sudo swapoff -a
sudo dnf remove -y zram-generator-defaults

# In most other tutorials for setting up Kubernetes, you would be disabling
# the firewall here, but whether that is necessary will depend on your use
# case. For a single-node "cluster", that isn't necessary. And for a
# multi-node cluster, you can allow through the ports you need rather
# than disabling the firewall entirely.

cat <<EOF | sudo tee /etc/sysctl.d/99-k8s.conf
net.bridge.bridge-nf-call-iptables  = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward                 = 1
EOF

# Turn off SELinux

sudo setenforce 0
sudo sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config

# Reboot!

After this, reboot to ensure everything takes. Sure, there are other commands that you can run to pull in the changes without rebooting, but rebooting is a near-guaranteed way to ensure everything takes and loads as expected.

Next is setting up the “cluster”:

# Change the CIDR and subnet to whatever you want to use.

kube_subnet="192.168.2.0/16"

# Make sure the CNI configuration in the containerd config is pointing to the
# right path. This prevents the CoreDNS pods from getting stuck in
# "ContainerCreating".

sudo sed -i 's/\/usr\/libexec\/cni/\/opt\/cni\/bin/g' /etc/containerd/config.toml

# Enable and start containerd. Enable but do NOT start kubelet. Kubelet will
# be started as part of kubeadm's initialization.

sudo systemctl enable --now containerd
sudo systemctl enable kubelet

# Pull base images and initialize the control plane

sudo kubeadm config images pull
sudo kubeadm init --pod-network-cidr=$kube_subnet

# Now to set up kubectl to finish the setup

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

# Set calico_version to the latest available:
# https://github.com/projectcalico/calico/releases/

calico_version=3.31.0

# Apply the Calico network fabric and remove the control-plane taint (the
# trailing "-" removes it) so pods can be scheduled on this single node.

kubectl apply -f "https://raw.githubusercontent.com/projectcalico/calico/refs/tags/v$calico_version/manifests/calico.yaml"
kubectl taint nodes --all node-role.kubernetes.io/control-plane-
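Before kubeadm init is run with that kube_subnet, it is worth confirming the pod network does not collide with a subnet the host already uses (LAN, VPN, VirtualBox NAT), which the steps above do not check. The block below is an added example in POSIX shell, not code from the post; the host subnets in it are constructed sample input, and the ip command named in the comment is how you would gather the real ones.

```shell
#!/bin/sh
# Added example, not from the original post: check the pod network CIDR that is
# passed to "kubeadm init --pod-network-cidr" against the subnets the host already
# uses. An overlapping pod network breaks routing between pods and the rest of the
# network. Pure POSIX shell arithmetic, IPv4 only.

# Dotted quad -> unsigned 32-bit integer.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Unsigned 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a prefix length (0..32), as an integer. 4294967295 is 0xFFFFFFFF.
prefix2mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# Canonical network for a CIDR, e.g. "192.168.2.0/16" -> "192.168.0.0/16".
# The IP part of the post's kube_subnet is an address inside the range rather
# than the network address; the range it denotes is the canonical form.
cidr_network() {
    ip=${1%/*}
    prefix=${1#*/}
    mask=$(prefix2mask "$prefix")
    echo "$(int2ip $(( $(ip2int "$ip") & mask )))/$prefix"
}

# Exit 0 when two CIDRs share at least one address, 1 otherwise.
# Two ranges overlap exactly when they agree under the shorter of the two prefixes.
cidr_overlap() {
    a=${1%/*}; ap=${1#*/}
    b=${2%/*}; bp=${2#*/}
    p=$(( ap < bp ? ap : bp ))
    mask=$(prefix2mask "$p")
    [ $(( $(ip2int "$a") & mask )) -eq $(( $(ip2int "$b") & mask )) ]
}

# check_pod_cidr POD_CIDR HOST_CIDR...: report the canonical pod range and every
# host subnet it collides with. Returns 1 on any collision, 0 when the range is clear.
check_pod_cidr() {
    pod=$1
    shift
    canon=$(cidr_network "$pod")
    rc=0
    if [ "$canon" != "$pod" ]; then
        echo "note: $pod is not a network address; the range it denotes is $canon"
    fi
    for host in "$@"; do
        if cidr_overlap "$canon" "$host"; then
            echo "conflict: pod network $canon overlaps host subnet $host"
            rc=1
        fi
    done
    return $rc
}

# On the real host the subnets come from: ip -4 -o addr show | awk '{print $4}'
# Here a constructed pair stands in: a typical home LAN and VirtualBox's NAT subnet.
demo_host_subnets="192.168.1.0/24 10.0.2.15/24"   # constructed sample input
kube_subnet="192.168.2.0/16"                       # the value used in the post
check_pod_cidr "$kube_subnet" $demo_host_subnets \
    || echo "pick a pod CIDR outside the host's subnets before running kubeadm init"
```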

After this, run kubectl get pods --all-namespaces and, eventually, you should see something like this (the “vbox” in the names is because I was running the above on a VirtualBox VM):

NAMESPACE     NAME                                      READY   STATUS    RESTARTS   AGE
kube-system   calico-kube-controllers-5766bdd7c-b2j58   1/1     Running   0          2m31s
kube-system   calico-node-rjpff                         1/1     Running   0          2m31s
kube-system   coredns-66bc5c9577-5zdl9                  1/1     Running   0          2m58s
kube-system   coredns-66bc5c9577-pkz4b                  1/1     Running   0          2m57s
kube-system   etcd-vbox                                 1/1     Running   0          3m4s
kube-system   kube-apiserver-vbox                       1/1     Running   0          3m4s
kube-system   kube-controller-manager-vbox              1/1     Running   0          3m4s
kube-system   kube-proxy-b8mtq                          1/1     Running   0          2m58s
kube-system   kube-scheduler-vbox                       1/1     Running   0          3m4s

And now you have a single-node Kubernetes “cluster” on Fedora 42 against which you can deploy new pods or Helm charts.

Will Ricciardella calls for eliminating the free press

Quoting the tweet in case it’s later deleted:

News outlets that hid behind “anonymous sources” to sell the Russia hoax and the Ukraine call narrative have no credibility left.

They weren’t misled, they were complicit in manufacturing political scandals.

If journalism wants to rebuild trust, it starts with one rule: no source stays off the record for stories built on power or politics.

Go on record, or don’t publish.

No! No! No! Holy motherfucking No!

Yes, journalists can use the cover of “anonymous sources” to manufacture stories to have their bylines attached to something potentially big. Yellow journalism has always been a problem. The “Remember the Maine” narrative that led to the Spanish-American War came about because of yellow journalism and competing newspapers manufacturing details via “anonymous sources”, driving public support for the US going to war with Spain. (It was later determined to be purely accidental.) And there are likely other instances across history where yellow journalism and manufactured stories have caused harm.

But requiring all journalists to reveal their sources for “stories built on power or politics” is not the way to go on that. The whole point of a free press is to allow anonymous whistleblowers to come forward and reveal corruption within the halls of power, and be protected by the journalists reporting on that.

No. Absolutely No. Holy motherfucking No! And will never NOT be No from me on that. Holy shit, tell me you no longer want a free press without telling me!

Jimmy Kimmel wasn’t wrong

I first discovered Jimmy Kimmel back when he was the co-host of Win Ben Stein’s Money on Comedy Central. He would later go on to host The Man Show. I watched some of the former, none of the latter. And eventually Kimmel made it to his own late-night talk show.

On his monologue on September 11, Kimmel said this:

We hit some new lows over the weekend with the MAGA gang desperately trying to characterize this kid who murdered Charlie Kirk as anything other than one of them, and doing everything they can to score political points from it.

If you look at everything that happened in the wake of Charlie Kirk’s murder, what Kimmel said is… correct. He’s 100% on point with this. Where Kimmel’s statements fall short is simply the fact that… their characterizations were also correct. But that’s also because at the time Kimmel made his statements, there were still some details about him that were up in the air.

Two days later is when Kirk’s alleged assassin was apprehended by police. It was only then that full details about who he was and what led up to the assassination could be pinned down. And in that, the “MAGA gang” was eventually proved correct.

But what Kimmel said is also correct.

The “MAGA gang” was doing everything they could to characterize the assassin as not being right wing. The left, on the other hand, was trying to desperately say the killer was right wing, and kept pushing that idea until they largely no longer could. Despite the fact the engravings on the rifle cartridges that were reported on very early showed the assassin very clearly was not right-wing.

However the assassin may have been raised, that was definitely not who he was when he formed the intent to kill Charlie Kirk.

And the right very much also tried to score political points from it. And seize more power.

On Jeffrey Epstein, again

Oh where to start…

First, did Epstein commit suicide? Yes. As I mentioned a few months ago talking about Virginia Giuffre, I still whole-heartedly believe he did. Nothing about what has come out changes my point of view on that. On which there isn’t much that’s come out anyway.

This is my speculation, but I think what happened is the guards, in whatever interaction they had with him, drove Epstein to kill himself. And if he had any interactions with other prisoners, they likely fueled the fire as well. And then turned a blind eye and didn’t bother trying to save him when they discovered he attempted. Negligence, yes, but not murder. As I’ve already explained, suicide attempt and completion is alarmingly common among the prison population. And Epstein had at least one prior suicide attempt on record.

So then… what of the infamous “client list”?

First, the infamous “black book” has been leaked online. A redacted version is available with a Google search, and some more digging might lead you to the unredacted version. I’m not linking to it here, nor giving any details beyond that.

But the “client list” I’m pretty sure never existed. Assertions of its existence were made, along with assertions of other evidence that could’ve brought down powerful men in the world. People get a little bit of information and form wild conclusions, then won’t listen to anything that contradicts that conclusion and end up believing that anything that proves their conclusion is being “covered up”.

“I’m right, but the government is covering up everything proving me right.” Sound familiar?

“So why is Maxwell in prison if there’s no client list?” Umm… she was charged and convicted of trafficking. For Epstein and those in the “black book”.

So Trump made promises on the trail that he’d declassify and release information related to several events that have driven conspiracy theories – Epstein for a few years, others since before I was born. And when that information is finally released, it’s… not what people presumed to exist. So… cue the continuation of accusations that things are being “covered up” because their assumptions aren’t being confirmed.

Instead, now, the Epstein case should just die off just like him so the whole thing can fall into obscurity. But… yeah, that’s not happening.

Blame the prosecutors

This is more evidence of the disconnect so many people have in how criminal trials work. If the defense does nothing in the trial and the person is still acquitted, that means only that the prosecutors didn’t meet their burden of proof.

If the defense doesn’t present a counter-case to the prosecution and the defendant is acquitted, that means the prosecutors presented a very bad case that was easily countered by cross-examination and redirect.

If the defendant is acquitted without presenting a counter-case, blame the prosecutors, not the “system”. Since they filed charges they ultimately couldn’t prove beyond reasonable doubt. They overplayed their hand. Something we’ve seen time and again when celebrities face criminal charges.

Gun makers aren’t accessories to crimes

The Protection of Lawful Commerce in Arms Act provides for a lot of protections for gun manufacturers. The most broad protection being that gun makers largely cannot be sued when their products – pistols, etc. – are used in the commission of violent crimes. And there’s been a major push by the Democrat Party to rescind that protection and open up gun makers – e.g., Glock, Smith & Wesson, etc., – to liability for every instance of a violent crime wherein one of their firearms was used.

With the obvious intent of that push being to flood gun manufacturers with lawsuits and force them out of business.

Absent that rescission, there’s been a push for another legal theory: gun makers are instead accessories to the crimes in which their firearms are used. And stepping up to the plate on that idea was… Mexico.

Mexico sued all the major firearms manufacturers in the United States under the Protection of Lawful Commerce in Arms Act. In trying to weasel their way into one of the exceptions declared by that statute, Mexico alleged that those firearms manufacturers “aided and abetted unlawful gun sales that routed firearms to Mexican drug cartels” by failing to exercise “reasonable care” to see to it their products did not end up in the hands of people who would use them to commit crimes.

This is akin to car manufacturers being held responsible for drunk driving deaths for failing to take “reasonable care” to ensure their cars weren’t driven by drunk people.

But Mexico goes further in their allegations. Saying that the firearm manufacturers are “willful accessories” to unlawful gun sales by the FFLs who ultimately sold those firearms to the Mexican cartels – whether knowingly or not. Which is akin to car manufacturers being held responsible when a dealer sells one of their vehicles to someone with a history of DUIs.

And in trying to declare that the firearm manufacturers are “willful accessories”, Mexico claims the firearm manufacturers:

  1. supply firearms to FFLs they know are making illegal sales of those firearms,
  2. aren’t exercising control over any distribution networks to ensure firearms aren’t being provided to FFLs known to make illegal sales, and
  3. make “design and marketing decisions” intended to stimulate demand for their products by people barred by law from having them.

Again, all of these allegations can be made against car manufacturers as well. Yet they aren’t.

And in a unanimous decision by the Supreme Court of the United States in an opinion written by Justice Elena Kagan – who isn’t known to be friendly to gun rights – the idea of holding gun manufacturers liable for crimes committed by people using their products is… largely dead in the water.

Now this still leaves open the possibility that Congress can rescind the protections Federal law affords firearm manufacturers, but that isn’t happening any time soon.

Staying with Plex

Back in… 2019, Procter & Gamble made a bit of a marketing blunder with their Gillette brand with what became colloquially known as their “toxic masculinity” campaign. Now in the time since, Gillette has obviously not folded – despite all the chants from the “go woke, go broke” crowd – but they also haven’t repeated that mistake from what I’ve personally seen.

I bring that up briefly as in that article I said this: “I don’t let others dictate my purchase decisions.”

So now Plex has entered the chat.

And for some fucking reason, a lot of people online are acting like Plex is now one of the worst companies in the world and Plex is one of the worst products around and are now saying “Switch to Jellyfin!” or something else.

And to that I say: calm the fuck down!

It’s been over 9 years now since I first built Nasira. And since first building it, I’ve been using Plex as a media server. First running it through the FreeNAS plugin, which worked… horribly, then running it through a separate virtual machine, and now as a Docker container on a larger virtualization server. For much of that time, I’ve had the Plex Pass – paying the $5 monthly, even though I could’ve easily bought the lifetime pass. And the reason I’ve had it is… largely threefold:

  1. to have access to it through mobile – it would only allow you to preview media otherwise
  2. sharing the library with my wife on her own Plex account, and
  3. supporting the company

So let’s go over the recently announced changes. Starting with the price increase.

There’s been this trend recently where people act like no company should be allowed to raise prices at all. But it’s like… companies have costs as well. And that Plex has been able to put off raising their Plex Pass price for this long is commendable. It’s the first price increase in 10 years. And I’m sure it was a decision they didn’t want to make but largely saw no choice in making for the sake of their bottom line.

So let’s talk about remote playback, since this appears to have everyone’s panties in a bind. Again, Plex has underlying costs. And to enable Remote Playback, you need a proxy server of some kind to stream through. Plex is, obviously, providing that proxy server, meaning they need to operate and maintain it. Which isn’t free!

I’ve personally never used the remote playback feature because I have a self-hosted VPN – specifically Wireguard running on my router – so to Plex’s mobile app, it looks like I’m on the same network as the Plex server. I’m fully aware not everyone has that option. But the mobile app is what prompted me to get the Plex Pass in the first place, since the app wouldn’t play anything more than a preview even when on the same network.

Which is one of the limitations they’re removing. A limitation they never should’ve had at all, in my opinion, but it’s a limitation that got me on the Plex Pass to begin with – and probably the same for plenty of other users. (You always had the option of streaming through the browser.) And I personally don’t mind supporting Plex financially. I’m not someone who is always saying “If it’s not free, I’m not using it” or who denigrates a person or company wanting money for something that takes a lot of effort to produce.

Here’s the thing: you always needed a Plex Pass for remote playback. I don’t think that has ever not been the case, since, as mentioned above, that’s a service Plex is providing through servers Plex owns and operates. So if you could not set up a self-hosted VPN (e.g., restrictive ISP) and wanted to play your personal media on the road, such as while staying at a hotel, then you needed a Plex Pass. Same to download media locally.

What appears to be changing is remote playback… for other users. Now this is a change that won’t affect me because I’m grandfathered in. My wife has her own Plex account without a Plex pass. My Plex account with the Plex Pass is what controls on the server. My wife can stream media from the server to her desktop on her personal Plex account without issue. That isn’t changing.

And if she had ever wanted to, she could use Remote Playback as well without needing a Plex Pass because her account has had access to my server since before the most recent changes. (I don’t have Remote Playback turned on in the server configuration and never have, though.) But that is what Plex cut off when the service changes went active at the end of April.

With those new changes, in short, every user authorized to access a Plex server remotely through the Remote Playback service must have their own Plex Pass or Remote Watch Pass. The Plex Pass grants access to additional features, while the Remote Watch Pass is for streaming content only.

So what’s the problem? No, in all seriousness, what’s the issue here? The fact they decided to start charging for something previously offered for free? Get over yourself! If you’re seriously going to up and switch out your entire media streaming experience because Plex decided they needed to start charging for something, then you’re one of the small-minded people I alluded to in my Gillette article.

So why am I not switching away? First, none of the announced changes affect me except for the monthly price increase. And I have no problem paying monthly over buying the one-time Lifetime Plex Pass, since the monthly and annual passes give them a steady stream of revenue. I’m not even going to bother with buying the annual pass since that’ll only save me… $1.15 a month.

Plus, Plex… just works. Their mobile app… just works. Their desktop app… just works. (Provided you’re not trying to use the Linux version on Wayland with NVIDIA’s official drivers.) Aside from trying to use the FreeNAS Plex plugin at the beginning, I’ve literally never had issues. And the same with the Plex HTPC they briefly offered (and wish they’d bring back) that I ran off a Raspberry Pi to my television.

The only recent change I’m not fond of is requiring the separate PlexAmp app to play music on a mobile device. That was a little bit of a shock on my Memorial Day road trip, but pretty quick to get sorted once I had a moment to do so. Plus the PlexAmp app is slimmer anyway, being dedicated to just music.

So in the end… yeah, if Plex still works for you, stick with it. And buy the Plex Pass even if you aren’t using the features that require it just to give them money so they can keep paying developers to keep it rolling. I’ve stuck with it for so long and continue to financially support them because, again, it’s just worked. I would’ve switched it out long ago if that stopped being the case.

And to everyone else who is screaming about Plex’s recent changes and demanding everyone abandon it… calm down, go outside, and touch some grass and don’t go back online until you’ve regained the ability to think rationally…

Officers and civilians

Police officers have a bit more leniency under the law when it comes to use of force. And they do need it. In part to deter civilians from becoming vigilantes and acting like they can just decide the police aren’t doing their job and so will do it for them. But the more critical reason for that is, of course, their role to protect the public at large.

No one individual is entitled to individual police protection. Instead society at large is entitled to the protection of the police in general by way of their role to enforce the laws and apprehend those breaking them.

But officers absolutely can and have gone too far. One such case is that of Roberto Felix, a police officer accused of doing just that when he shot and killed Ashtian Barnes.

On April 28, 2016, Felix pulled over Barnes on suspected highway toll violations. During the stop, Felix ordered Barnes out of the vehicle. An officer can, at any time during a stop, lawfully order a person to exit their vehicle, and they don’t need to articulate a reason to do it. And the person being ordered out of the vehicle must comply.

Instead of complying, though, Barnes attempted to take off. In response, Felix grabbed onto the window sill of the vehicle, drew his service weapon, and fired. Two shots hit Barnes, killing him.

Now in that additional leeway granted to law enforcement officers, including in the use of deadly force, they still have to justify their actions. They can’t just shoot someone without reason. So the question in this instance is, obviously, why? What caused Felix to fire on Barnes?

Unfortunately, though, the United States District Court and Court of Appeals for the Fifth Circuit foreclosed any inquiry into that with the Fifth Circuit’s “moment of threat” rule. In short that requires addressing just one question: was the officer “in danger at the moment of the threat that resulted in his use of deadly force”? Any event before that doesn’t matter. Only the moment of the shooting matters.

Yeah… no.

There is absolutely no way a civilian would be able to make that kind of defense, so it absolutely should be unavailable to law enforcement. And today, the Supreme Court of the United States made that the case. Unanimously.

The key issue with relying on the “moment of threat” rule is it forecloses any inquiry into any preceding events. Meaning… context is thrown out the window. That context is the “totality of the circumstances” that comes into play in a civilian case where someone is claiming self defense. And now the “totality of the circumstances” will apply to all law enforcement officers.

This is both good and bad for law enforcement. For one, it’ll hold law enforcement to much the same standard as civilians when it comes to deadly force. They do still have more leniency under the law, since they are charged with defending the public as part of their duty to enforce the law and apprehend those breaking it. But in vacating the “moment of threat” standard at the Fifth Circuit for the greater “totality of the circumstances” standard that likely… everyone else presumed was the standard for reviewing law enforcement actions, it means the totality of their actions come into play, not just the few seconds before “shots fired”.

For Felix, this means he now has to fully explain why he shot and killed Barnes.

I’ve written before that law enforcement officers treat each traffic stop as if it could be their last. And this is not without reason. The number of individuals who hostilely engage law enforcement – and, let’s be honest, a disproportionate number of those individuals are black – is very unreasonably high. That said, that alone does not give law enforcement officers clearance to use any force they want. Instead they still must act reasonably.

While their next traffic stop easily could be their last, they can’t go into that traffic stop with the presumption it will be. If a law enforcement officer fires on a civilian, they must be able to justify their actions, must be able to articulate what gave them reason to believe the individual they shot – whether or not the individual died as a result – was a threat of great harm or death to themselves or the public at large.

Doing this requires examining the “totality of the circumstances”, which the Supreme Court of the United States also emphasized as “no time limit”.

The case today was Barnes v. Felix, No. 23-1239, 605 US ___ (2025).

On Virginia Giuffre

And here’s that tweet with its date:

https://twitter.com/VRSVirginia/status/1204620018035462144

December 10, 2019.

So about a month and a half after Epstein’s suicide. (And yes, I still firmly believe Epstein did kill himself.) Yet, as we see in the above screenshot, like with Epstein, many are basically saying that suicide is impossible with Virginia Giuffre.

Anyone familiar with the psychological dynamics of suicidality – on which I have… first-hand experience – will say that someone who says they aren’t suicidal can become suicidal in a shockingly short amount of time – even as short as a few months depending on life events and environment simply because… the human brain is very, very strange. That’s the whole “driving someone to suicide” thing, on which people have been successfully prosecuted – though such prosecutions are difficult.

And if you’re going to change your tune and say “Okay, she committed suicide, but [insert person you wish to accuse] drove her to it!” you’d better have plenty of evidence at the ready that isn’t just speculation or circumstantial.

Even someone who is suicidal or going through suicidal ideation can lie and say they aren’t suicidal. Suicide doesn’t play out how it’s portrayed in media. Someone who is suicidal can look surprisingly calm and collected, even “normal”. It’s one of the reasons the survivors of someone who committed suicide often have a hard time accepting the death is suicide – with “They didn’t seem suicidal” or “I didn’t realize they were suicidal” reactions not being uncommon – even when all the evidence points to it.

Like with Epstein, many so desperately want this to be a homicide. That her death cannot possibly be suicide, as if God himself is somehow making it impossible for her to kill herself… but that requires the kind of mental gymnastics that are characteristic of… leftists. Showing they’re little different from them in how they think, only different in what thoughts they hold.

Making an Arch-based router

For a while I’ve been using OPNsense for my custom router. I recently decided, though, to migrate away from that over to Arch.

Hardware

I haven’t changed anything on the router since the last hardware update, so here’s a recap:

Correction, the LAN card was upgraded to the ConnectX-3, but everything else has stayed the same.

Why not OPNsense (or pfSense)? And why Arch?

The router’s first incarnation was at the tail end of 2022, built using leftover AMD FM2+ parts, after I got frustrated both with Google Fiber’s router interface and MikroTik’s RouterOS… non-performance.

And in the 2+ years since, it’s become very apparent that… for a home router, OPNsense (and pfSense) is overkill. Very, very much so. And I don’t need… the vast majority of what OPNsense provides. I almost never log into the OPNsense front-end except for package upgrades.

But updates can end up looking like… this:

This was the proverbial straw in this instance. os-wireguard is the OPNsense Wireguard plugin. And it appears to have been replaced by something else. Meaning to upgrade OPNsense, I would need to back up my Wireguard configurations, remove everything Wireguard-related, upgrade, add the new Wireguard plugin, then add back my configurations, provided I could actually do that cleanly… Really?

Does FreeBSD not allow packages to be declared as replacements for something else? Good thing I haven’t needed to restore my router from a configuration backup… Anyway…

Routers are typically one-and-done like most servers. Once you have it set up and configured to your liking, there isn’t much need to pay it any mind except for periodic software updates. The virtual machine that serves this website, for example, is like that. Once I have everything on it that needs installed, there’s nothing more for me to do except keep the software up to date.

And those software updates shouldn’t require removing anything to upgrade them. Anyway…

Why Arch?

OPNsense, pfSense, and other similar distributions are built with general purpose in mind along with providing a clean, hopefully intuitive UI for configuration. (Though minus the “clean, hopefully intuitive UI” for VyOS.) They try to anticipate what you’re going to use based on feedback from their audience. This is, by the way, why Windows and a lot of Linux distributions (most distros anymore, it seems) don’t give you any option on what to install, pushing a pre-determined set of software.

Which is why I looked to Arch.

Arch provides two significant benefits: it’s lean, and it’s a rolling release. The latter means I don’t have to worry about a distro going end-of-life, like what’s happening with Ubuntu 20.04 LTS in April 2025. Meaning I don’t have to worry about replacing an entire distribution to keep everything up-to-date, with the downtime that comes with that.

Which is a consideration for OPNsense and pfSense, since both ride on FreeBSD, which is definitely not a rolling-release operating system. And while OPNsense’s upgrade is typically pretty smooth, it isn’t perfect – see the above screenshot. In all seriousness, though, if OPNsense migrated everything to sit on top of Arch – similar to how TrueNAS created SCALE, which rides on top of Debian – I think they’d be much better positioned given the far superior hardware support the Linux kernel offers. Along with not needing to create a magic file to enable the Mellanox driver.

Then there’s how lean you can make an Arch installation.

The base installation instructions on the Arch Wiki start you with only three packages: base, linux, and linux-firmware (plus their dependencies, obviously). You add whatever you need on top of that – and you’ll definitely need more than just that. But it’ll probably surprise you how little you need for a router.

The final install footprint for this project is… under 3GB. Tempting, then, to run this off a USB drive but, for the sake of stability and performance, especially reboot performance… definitely don’t do that. There’s a reason even TrueNAS doesn’t recommend doing that, even though they once did. And I initially ran it that way until switching to an SSD when the USB drive started showing issues.

Though if you really wanted to take things to the edge (pun intended), you could rebuild the kernel with it stripped down to the essentials and nothing more.

Who is this NOT for?

I need to stress that this is NOT a project for the inexperienced. At minimum you need to be comfortable with Linux.

And reasonably comfortable with Arch. The install steps aren’t written with the expectation you’re daily driving it, but you should be familiar with Arch’s concepts and how they differ from the other root distributions like RedHat and Debian so you can, at the least, keep it up to date. If you’ve never installed Arch to even a virtual machine to create a simple web host or even a desktop for limited purpose, get comfortable doing that first.

And you absolutely need to be familiar with IP networking concepts – e.g., IPv4, DHCP, DNS, subnets, etc.

Setting it up

All the scripts and configurations I created to set this up are over on Github, along with the instructions for setting this up for yourself.

For Dynamic DNS updating, there are a few options available. OPNsense relied on ddclient, so that’s what I kept. And I migrated my previous Wireguard configuration as well – thankfully it wasn’t difficult to do by hand. Though without a UI, adding another Wireguard configuration will be a little more involved, but not substantially difficult.

Which, in the end, OPNsense is really just a UI on top of existing services.