Short (30-50 cm) direct dedicated Ethernet cable between the Orange Pi One and the X86 host, and a firewall on both hosts which allows only a single NFS connection from a single specific corresponding IP address.
X86 booted from ROM or from a very old SD card or even from a floppy (grub4dos).
Everything which can be encrypted (actually only against disk firmware) is encrypted with LUKS: system, ZFS pool devs, etc.
What can be improved?
>> OpenBSD can run diskless but not sure if it works well, that depends on
>> your workload and opinion.
>OpenBSD works "well" as a diskless system (see diskless(8)). The value
>of "well" depends on your expectations. I don't run any of my OpenBSD
>systems with a graphical UI, for example, and I don't need super fast
>disk access to edit files or read my email.
>Andreas (Kusalananda) Kähäri
>SciLifeLab, NBIS, ICM
>Uppsala University, Sweden