Nextcloud shouldn’t be seeing your MAC address. However, my guess is that Nextcloud has been configured to invalidate the session if the client IP changes, and randomizing the MAC address is one way that can happen.

Are you looking for a VPN or are you looking for an IPv6 tunnel broker like Hurricane Electric?

An immutable distro… like NixOS? Or do you mean your root filesystem is immutable? NixOS can do that too. You could normally mount your nix store as readonly and remount rw during updates if you really care about filesystem immutability, or use some snapshot system if you’re paranoid about adding new files to the store corrupting other files already in the store during an update.

The nixpkgs VM creation module, which I’ve never seen documentation for, has a mode where it generates a kernel, initrd, kernel command line, and erofs image containing a prepopulated /nix directory and that’s enough to boot the VM.

Ansible is disappointing as an IAC tool. It’s good for doing things, but it’s not good for converging systems to a desired state. Too often you end up with playbooks that are not idempotent or rely on something that was done during a previous execution of the playbook or just don’t do something that was done by a previous version, and then unless you are constantly recreating your systems you won’t notice until it’s a problem and you can’t get your system back.

You can host a Proton mail bridge to use different apps running on different machines, including phones.

Self hosting e-mail, particularly SMTP, will likely require a static IP from a reputable provider. Mail servers may reject incoming mail based on the reputation of the sending server. You can avoid this by relaying through another SMTP server and configuring your DNS rules to allow that server to send mail on your behalf, but that’s not really self hosting anymore.

You can use OpenEBS to provision and manage LVM volumes. Host path requires you to manually manage the host paths.

That sounds like build automation. You can use some Git forge software.

But is it good? I’ve purchased two Android Wear watches. They both had to be charged at least daily. Both of the watches I purchased, which were different models from different manufacturers with different charger designs, and a third watch that was shipped to me as a replacement all developed a fault where eventually they could not be charged. Google has removed the “don’t” from “don’t be evil” so even if this watch could go multiple days without charging and could be seen in bright light and didn’t unexpectedly light up in dark rooms and didn’t permanently stop charging after a year or two, I don’t know if I would want to buy one. The only problem I’ve had with my Garmin watch was that the band wore out and I had to replace it.

Some attackers check services that have already cataloged the services you are running, even on uncommon ports. You won’t hear from them unless you are running a potentially vulnerable service.

If you’re self hosting Headscale you can configure your network such that Headscale is reachable on your network with or without internet access and available from the internet.

Don’t expect Gitea to make progress on federation. Forgejo is a fork of Gitea and anybody that cares about federation is probably on the Forgejo side of the fork.

If you’re running Kubernetes, what is the point of LXC or Proxmox in this setup? Kubernetes will give better scaling and utilization.

Giving a container access to the docker socket allows container escapes, but if you’re doing it on purpose with a service designed for that purpose there is no problem. Either you trust Watchtower to manage the other containers on your system or you don’t. Whether it’s managing the containers through a mounted docker socket or with direct socket access doesn’t make a difference in security.

I don’t know if anybody seriously uses Watchtower, but I wouldn’t be surprised. I know that companies use tools like Argo CD, which has a larger attack surface and a similar level of system access via its Kubernetes service user.

Mounting the docker socket into Watchtower is fine from a security perspective, but automatic updates can definitely cause problems. I used to use Rennovate and it would open a pull request to update the version.

Git does have a server component. When git connects to an ssh remote it executes an ssh command that needs to be present.

You’re missing GitLab. I’d be looking at GitLab or Forgejo.

But you might not need this. When you access a private Git repository, you’re normally connecting over SSH and authenticating using SSH keys. By default, if you have Git installed on a server you can SSH to and you have a Git repository on that server in a location you can access, you can use that server as a Git remote. You only really want one these services if you want the CI pipelines or collaboration tools.

The issue says at the bottom that SealedSecrets is unaffected.

You’re wrong about not being able to levelage your Intel graphics. Intel 11th gen has hardware HEVC (h265) encoding. Your Samsung phone probably also has HEVC hardware encoding faster than your CPU encoding. You want the ffmpeg hevc_vaapi codec, and it should go even faster if you use -hwaccel vaapi for decoding.

At least in the past, if you had a fixed amount of work to complete, underclocking would increase overall power consumption.

Port scanning isn’t abuse but automatically filing frivilous abuse reports is.

It’s not normal for - model-cache:/cache to be deleted on restart or even upgrade. You shouldn’t need to do this.