Hacker News: sshine's comments

> the cost of parts definitely has risen in the same tiers if you look over a long enough period

This is especially apparent if you’re a hardware manufacturer and have to buy the same components periodically, since the performance increase that consumers see doesn’t appear.


> if you... buy the same components periodically... the performance increase that consumers see doesn’t appear.

Good point and that should properly be called inflation in the semiconductor sector. We always have general inflation, but the different sectors of the economy exhibit different rates of inflation depending on the driving forces and their strength.

As of today, tariffs are the major driver of inflation and semiconductors are hit hard because the only high-volume, reasonable quality/price country has been practically excluded from the US market by export bans and prohibitively high tariffs - that's China of course.

The other producers are in a near monopoly situation and are also acting like a cartel without shame or fear of law... which isn't there to begin with.


I've been very happy with nixos-generators:

https://github.com/nix-community/nixos-generators

They let you produce SD-card images with custom NixOS'es.

Very useful when you want an exact software layout, and exact system settings, like what user accounts and SSH keys to include, what systemd services should run, what directories should be tmpfs, and how to interact with the local network using avahi.
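As an added example (not code from nixos-generators or the commenter), the shell procedure this comment describes: write a configuration.nix with the settings it lists (a user with an SSH key, key-only sshd, a custom systemd service, a tmpfs directory, avahi) and hand it to nixos-generate for an SD-card image. The hostname, user name, key placeholder, service name and tmpfs path are assumptions; the option names are current NixOS module options.

```shell
#!/bin/sh
# Added example (not the project's or commenter's code): write the kind of
# configuration.nix the comment describes and build an SD-card image from it.
# Hostname, user, key placeholder, service and tmpfs path are assumed values.
set -eu
write_config() {
    cat > "$1" <<'EOF'
{ config, pkgs, ... }:
{
  networking.hostName = "pi-lab";
  users.users.lab = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAA-PLACEHOLDER lab@example" ];
  };
  services.openssh = {
    enable = true;
    settings.PasswordAuthentication = false;
    settings.PermitRootLogin = "no";
  };
  systemd.services.sensor-poll = {
    wantedBy = [ "multi-user.target" ];
    serviceConfig.DynamicUser = true;
    script = "exec ${pkgs.coreutils}/bin/sleep infinity";
  };
  fileSystems."/var/tmp" = { device = "tmpfs"; fsType = "tmpfs"; options = [ "size=64M" "mode=1777" ]; };
  services.avahi = { enable = true; nssmdns4 = true;
                     publish = { enable = true; addresses = true; }; };
  system.stateVersion = "24.05";
}
EOF
}
# Sanity check before a long build: count the settings that matter for a
# headless box (key-only SSH, no root login, a key present, tmpfs, avahi).
count_settings() {
    grep -c -E 'PasswordAuthentication = false|PermitRootLogin = "no"|authorizedKeys|fsType = "tmpfs"|services\.avahi' "$1"
}
# nixos-generate needs a Nix store and takes a while; only run it when present.
build_image() {
    if command -v nixos-generate >/dev/null 2>&1; then
        nixos-generate -f sd-aarch64 -c "$1"
    else
        echo "nixos-generate not installed; config left at $1" >&2
    fi
}
write_config ./configuration.nix
build_image ./configuration.nix
```

The resulting image path is printed by nixos-generate; `dd` it to the card as usual.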


> unless fixing a bug requires a significant refactor/rewrite, I can’t imagine spending more than a day on one

Race conditions in 3rd party services during / affected by very long builds and with poor metrics and almost no documentation. They only show up sometimes, and you have to wait for it to reoccur. Add to this a domain you’re not familiar with, and your ability to debug needs to be established first.

Stack two or three of these on top of each other and you have days of figuring out what’s going on, mostly waiting for builds, speculating how to improve debug output.

After resolving, don’t write any integration tests that might catch regressions, because you already spent enough time fixing it, and this needs to get replaced soon anyway (timeline: unknown).


In a world where people think NAT addresses are safe because you don’t need to know anything else about firewalls, IPv6 _is_ fundamentally less secure.


> In a world where people think NAT addresses are safe because […]

The vast, vast majority of people do not know what NAT is: ask your mom, aunt, uncle, grandma, cousin(s), etc. They simply have a 'magic box' (often from the ISP) that "connects to Internet". People connect to it (now mostly via Wifi) and they are "on the Internet".

They do not know about IPv4 or IPv6 (or ARP, or DHCP, or SLAAC).

As long as the magic box is statefully inspecting traffic, which is done for IPv4-NAT, and for IPv6 firewalls, it makes no practical difference which address family you are using from a security perspective.

The rending of garments over having a globally routable IPv6 address (but not globally reachable, because of SPI) on your home is just silliness.

If you think NAT addresses are safe because… of any reason whatsoever really… simply shows a lack of network understanding. You might as well be talking to a Flat Earther about orbital mechanics.


> which is done for IPv4-NAT, and for IPv6 firewalls

Are internet routers that do IPv4 NAT usually also doing an IPv6 firewall (meaning they only let incoming connections in if they are explicitly allowed by some configuration)? Maybe that's the point where the insecurity comes from. A home NAT cannot work any other way (it fails "safely"); a firewall being absent usually means everything just gets through.


All the ones I've had have had a firewall by default for IPv4 and IPv6, yes. If ISPs are shipping stuff without a firewall by default I'd consider that incompetence given people don't understand this stuff and shitty IoT devices exist.

I do wonder how real the problem is, though. How are people going to discover a random IPv6 device on the internet? Even if you knew some /64 is residential it's still impractical to scan and find anything there (18 quintillion possible addresses). If you scanned an address per millisecond it would take 10^8 years, or about 1/8 the age of the earth, to scan a /64.

Are we just not able to think in such big numbers?


> Are internet routers that do ipv4 NAT usually also doing an IPv6 firewall (meaning they only let incoming connections in if they are explicitly allowed by some configuration)?

Consider the counter-factual: can you list any home routers/CPEs that do not do SPI, regardless of protocol? If someone found such a thing, IMHO there would be a CVE issued quite quickly for it.

And not just residential stuff: $WORK upgraded firewalls earlier in 2025, and in the rules table of the device(s) there is an entry at the bottom that says "Implicit deny all" (for all protocols).

So my question to NAT/IPv6 Truthers is: what are the devices that allow IPv6 connections without SPI?

And even if such a thing exists, a single IPv6 /64 subnet is as large as four billion (2^32) IPv4 Internets (2^32 addresses): good luck trying to find a host to hit in that space (RFC 7721).


There is one practical difference. IPv6 without a NAT exposes information about different devices inside the private network. A NAT (whether ipv4 or ipv6) will obfuscate how many devices are on the network. Whether that is desirable depends on the circumstances.


> A NAT (whether ipv4 or ipv6) will obfuscate how many devices are on the network. Whether that is desirable depends on the circumstances.

"Revisiting IoT Fingerprinting behind a NAT":

* https://par.nsf.gov/servlets/purl/10332218

"Study on OS Fingerprinting and NAT/Tethering based on DNS Log Analysis":

* https://www.irtf.org/raim-2015-papers/raim-2015-paper21.pdf

Also:

> […] In this paper, we design an efficient and scalable system via spatial-temporal traffic fingerprinting from an ISP’s perspective in consideration of practical issues like learning-testing asymmetry. Our system can accurately identify typical IoT devices in a network, with the additional capability of identifying what devices are hidden behind NAT and the number of each type of device that share the same IP address. […]

* https://www.thucloud.com/zhenhua/papers/TON'22%20Hidden_IoT....

Thinking you're hiding things because you're behind a NAT is security theatre.


> IPv6 without a NAT exposes information about different devices inside the private network.

In practice this has not been true for over 20 years.

IPv6 devices on SLAAC networks (which is to say, almost all of them) regularly rotate their IPv6 address. The protocol also explicitly encourages (actually, requires) hosts to have more than one IPv6 address active at any given time.

You are also making a wrong assumption that the externally visible address and port ranges chosen by the NAT device do not make the identity of internal devices easily guessable.


In both cases the only consumer security comes from "the home router defaults to being a stateful firewall". The only difference between the two is whether it also defaults to doing NAT with that state, which is not what was making IPv4 secure for people unaware either.


First off, amazing post. I learned a lot about networking, Linux and Kubernetes.

As a learning project, this is absolutely awesome.

I run Kubernetes via Kind on Docker on NixOS.

There's a ton of other ways to get a development environment on your NixOS developer PC.

I don't pretend this one is very good, I just copy what my colleagues have come up with (+ NixOS).

For production workloads, I wouldn't run the kubelet using this much custom wiring.

I'd run Talos. It's vastly simpler, you can run them in NixOS VMs, it's declarative and lowers the surface area of things that need interaction, no SSH'ing in.

It seems like the author is torn between where to put control: In NixOS, or in Kubernetes?

You can move stuff, e.g. CoreDNS, out of Kubernetes for a "simpler" setup.

But the point of running workloads inside Kubernetes is that you get redundancy between nodes.

So if a single node dies, your services don't die.

Embracing Kubernetes, I certainly haven't let go of NixOS. My personal servers still just run NixOS.

It's much simpler, much cheaper, and resilient in its own way.

Selling Kubernetes and Cloud Native users on using NixOS, I'd probably go another way, e.g. via dev environments.


Author here.

You're right, it's very much a trade-off and preference where you put control, NixOS or Kubernetes. I'm not so much torn, but more believe you always have to weigh pros and cons.

For CoreDNS specifically, this setup adds CoreDNS to every node, and every node does DNS locally, so there's no redundancy benefit to using a Kubernetes deployment for CoreDNS. It does become a benefit as soon as you can't have a CoreDNS per node. I guess the obvious downsides to CoreDNS per node are that cache becomes very spread out in larger setups, and you may end up hammering your API server and upstream DNS servers more.


An anecdote that repeats.

Most software doesn’t need to be distributed. But it’s the growth paradigm where we build everything on principles that can scale to world-wide low-latency accessibility.

A UNIX pipe gets replaced with a $1200/mo. maximum IOPS RDS channel, bandwidth not included in price. Vendor lock-in guaranteed.


I recently provisioned a VPS for educational purposes. As part of teaching public/private network interfaces in Docker, and as a debug tool, I run netstat pretty early on.

Minutes after coming into existence, I have half a dozen connections to sshd from Chinese IP addresses.

That teaches the use of SSH keys.
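An added example (not the commenter's code) of turning what that freshly exposed sshd sees into a per-source count: constructed auth.log lines, using documentation address ranges, summarised with awk.

```shell
#!/bin/sh
# Added example (not the commenter's code): summarise sshd login attempts from
# constructed auth.log lines. Addresses are RFC 5737 documentation ranges.
set -eu
cat > auth.log <<'EOF'
Mar  3 10:01:07 vps sshd[812]: Invalid user admin from 203.0.113.10 port 51234
Mar  3 10:01:08 vps sshd[812]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2
Mar  3 10:01:12 vps sshd[815]: Failed password for root from 203.0.113.10 port 51240 ssh2
Mar  3 10:01:30 vps sshd[820]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar  3 10:02:01 vps sshd[823]: Connection closed by authenticating user root 198.51.100.7 port 40023 [preauth]
Mar  3 10:02:44 vps sshd[830]: Accepted publickey for student from 192.0.2.55 port 39000 ssh2: ED25519 SHA256:constructed
Mar  3 10:03:10 vps sshd[834]: Failed password for invalid user pi from 203.0.113.10 port 51301 ssh2
EOF
# Failed password attempts per source address, most active source first.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++ }
         END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}
# Successful logins as "method user"; once keys are mandatory, any method
# other than publickey here is a finding.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / { print $7, $9 }' "$1"
}
# Number of successful password logins (should be 0 after keys are enforced).
password_logins() {
    accepted_logins "$1" | awk '$1 == "password"' | wc -l
}
echo "== failed password attempts by source"; failed_by_source auth.log
echo "== accepted logins";                    accepted_logins auth.log
```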


Just put sshd on a nonstandard port, and 95% of the traffic goes away. Vandals can't be bothered with port-scanning, probably because the risk of getting banned before the scan is even complete is too high.

But I agree that keys are not optional anymore.


I do use non-standard ports and sshd on VPC/VPN interfaces. But for teaching purposes, you are dealt a hand and you have to learn to deal with it.


Fronting with ssh is not as secure as you could be.

Wireguard, tailscale, etc. instead, THEN use ssh keys (with a password on them, mind you; then you have 2FA: something you have and something you know).
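An added example (not the commenters' code) that ties the last few comments together: a small audit of an sshd_config for the exposures discussed (default port on all interfaces, password logins, root login), run against a constructed "as shipped" config and a constructed hardened one that listens only on a VPN interface. The 10.8.0.1 address and port 2222 are assumed values.

```shell
#!/bin/sh
# Added example (not the commenters' code): audit an sshd_config for the weak
# settings this thread discusses. Both config files are constructed; the
# WireGuard address 10.8.0.1 and port 2222 are assumptions.
set -eu
# Effective value of a directive: sshd keeps the FIRST occurrence it reads, so
# the first match wins here too. Match blocks are not resolved (see note below).
effective() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}
# One finding per line. Defaults apply when a directive is absent (sshd defaults:
# Port 22, PasswordAuthentication yes, PermitRootLogin prohibit-password,
# listen on every address).
audit() {
    port=$(effective "$1" Port);                  port=${port:-22}
    pw=$(effective "$1" PasswordAuthentication);  pw=${pw:-yes}
    root=$(effective "$1" PermitRootLogin);       root=${root:-prohibit-password}
    listen=$(effective "$1" ListenAddress);       listen=${listen:-0.0.0.0}
    [ "$port" != 22 ] || echo "Port 22: the default port draws nearly all automated login attempts"
    [ "$pw" = no ]    || echo "PasswordAuthentication $pw: keys are mandatory; set it to no"
    [ "$root" = no ]  || echo "PermitRootLogin $root: set it to no"
    case "$listen" in
        0.0.0.0|::|"[::]") echo "ListenAddress $listen: bind to the VPN/VPC interface only" ;;
    esac
}
# Constructed "as shipped" config: commented-out lines mean sshd defaults apply.
cat > weak.conf <<'EOF'
#Port 22
#ListenAddress 0.0.0.0
#PasswordAuthentication yes
PermitRootLogin yes
EOF
# Constructed hardened config: reachable only over WireGuard, non-default port,
# keys only, no root. A passphrase on the key (the "something you know" half
# of the 2FA the comment describes) is a client-side choice, not an sshd one.
cat > hardened.conf <<'EOF'
Port 2222
ListenAddress 10.8.0.1
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
EOF
echo "== weak.conf";     audit weak.conf
echo "== hardened.conf"; audit hardened.conf
```

`sshd -T -f /etc/ssh/sshd_config` prints the fully resolved effective configuration, including defaults and Match blocks, which this quick check does not handle.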


More. In 2024, Bitcoin mining companies collectively spent over $3.6 billion on hardware, data centers, and infrastructure to maintain and expand their operations.

https://arb365.net/en/articles/majnery-vlozhili-36-mlrd-v-in...


Just run a second LLM pass on it and adjust the writing style by feeding it examples. Then run a final manual pass on it and remove the unnecessary parts.

Write shorter. Half the words would have worked.

Besides that, it’s embarrassing for me to read, because it spot-on describes me.

I have one coping strategy: when I’m taking care of my kid, or it’s a day off work where I’m grumpy because I left my dopamines at the office: I tell myself, I don’t get to enjoy computers all day. Knowing that resets my expectations and I can better enjoy family time.

Took my entire 6 month paternity leave and 3 months of work before I finally “got it”. Still a struggle. But just being not cranky is a gigantic life improvement, my wife says.


Thanks, I still like the voice to text, but will try to keep it more my own words next time.

And glad some people share this feeling, maybe that was needed to be written about and opened up.

Glad you found some coping form for yourself.


You can use voice to text and let the LLM come up with the article form. But feed it examples of good form.


That's a good tip. I basically fed it my previous blog, which was fully self-written, but maybe you have some better tips?


The point remains that you get inflated results by the vast majority who just seek the shortest path to close the dialogue.

