ace

Oh yeah, CPU usage is basically zero, and memory usage of the PHP code itself is also basically nil compared to other software I run. It's just the sudden storms of IO requests that causes issues, and since those come over a network pipe it causes issues for other pieces of software as well.

Again, it works until it requires reloading, i.e. the next update of any component or the next restart of the server.

I'm also running an inode cache on the client side, on top of the persistent opcache, but due to the sheer number of files that Nextcloud consists of it still generates a frankly ridiculous amount of calls when it needs to invalidate the cache. If you're running on local drives then that's likely much less of an issue, regardless of what kind of drive it is, but this is hosted on machines that do not have any local storage.

Yep, those values are actually somewhat tame compared to my own cache tuning, the issue remains that the code requires reloading PHP files from disk during runtime in order to support applications and updates, which - even if it doesn't happen often - causes IO storms that temporarily break both Nextcloud as well as other software.

Currently working to move away from Nextcloud myself, it's PHP nature causes IO storms when it tries to check if it needs to reload any code for incoming requests.

All OpenWRT-based routers have the option of built-in DNS-based adblock, can thoroughly recommend the Turris routers for such things.

Default block for incoming traffic is always a good starting point.
I'm personally using crowdsec to good results, but still need to add some more to it as I keep seeing failed attacks that should be blocked much quicker.