Interesting. As a native English speaker (from the US), I'd say that "good small old" felt a little awkward for me to say out loud. Personally, I'd probably say "good old small ...", but to your point, there isn't exactly a "right" answer, just one that sounds right. I'm assuming you're also a native English speaker from the UK, so maybe we've discovered a funky difference between the English in our two countries. It would be a fun study to give native English speakers a list of those adjectives, and the noun "book", and tell them to order them.

- pihole and unbound are running in a VM on an old intel NUC with an i5 and 18GB of RAM. The NUC is running Proxmox, and is connected to the edgerouter over ethernet

- Separately, there's a ubiquiti WAP and a standalone modem, but there's nothing special about their configuration

edit: to be honest though, I don't look at the logs often to see what else gets caught, or why

Some additional details:

- Outbound internet access over port 53 is blocked for everything on the network, other than the Pi-Hole/Unbound server

- IpTables rule in place to force all outbound traffic over port 53 to go thru the Pi-Hole. This prevents devices from circumventing the Pi-Hole filtering by hard-coding public DNS servers

- Cronjob that polls http://public-dns.info/nameservers-all.txt regularly, and updates an IpTables rule to block all outbound internet traffic over any port/protocol to servers in that list. This is my attempt to block things that try to circumvent DNS filtering by doing DNS over HTTPS

- Unbound makes it possible to bypass DnsCrypt for specific zones, as needed. It also is configured to prefetch records before expiration, which generally eliminates the latency introduced by DnsCrypt

---

This is overkill, but I tried to address privacy concerns as well as ad-blocking with this setup, and it's also been fun to tinker with

I'd like to do something similar, currently we use a mix of ansible tower (which I don't love) and ansible runs from local machines to manage the infrastructure. I'd rather it all be tied into terraform though, so that we have a single place to manage changes from

This is my primary problem with ansible. I find that it's been really great for managing things from my local machine, but that model breaks down a little once you have a medium / largish fleet of machines in some cloud provider's space. On top of that, if you have strict security boundaries between different environments/resources, then running ansible scripts that touch a ton of machines becomes more of an exercise in key management than anything else. I know that there are tools out there like AWX and rundeck, which wrap a lot of ansible functionality, but I've found the push model to be a little hard to manage at scale.

We're using ansible almost exclusively for config mgmt tasks, and I'd like to find a way to make it work better for us, but the agent model used by puppet/chef/salt sounds really appealing, especially when I want to role a change out to a large set of machines