KDE Connect can do all three of these.

A 172.16.0.0/12 address would be a very unusual fallback behavior. Normally you’ll have only a 169.254.0.0/16.

lv* commands are for LVM logical volumes. They’re not related to LUKS. Unless your LVM “physical” volume is on a LUKS encrypted device, you aren’t using LUKS. You’ll need to make the LUKS encrypted PV larger before you can grow your LV.

Unless your PV is already taking up the whole disk, in which case whether it is LUKS encrypted or not is irrelevant and the question you want to be asking is “how do I resize my LVM LV to fill the rest of my LVM PV?”, which is probably what the commands you have do.

This looks more comprehensive than Untracker, but maybe it is too complicated for some people?

You can use both at the same time and it is useful to have ULA if your ISP changes your assigned prefix.

BIOS menus aren’t the only way to adjust fan speeds on servers. You may be able to do it from Linux using a management interface.

Setting the SSH service to a random high port doesn’t make security better and may make security worse. Linux has a restriction that low numbered ports require special permissions but high numbered ports do not. If an attacker manages to get low privilege code execution on your machine, they may manage to bind their service to the SSH port instead. If the server and client are configured correctly, this will cause a host key mismatch error. Continuing anyway could allow the attacker to take over your account on the server. It’s unlikely unless you are a high value target.

Root login and password authentication are already disabled, and it’s very uncommon for self hosters to use SSH certificates at all.

Changing the SSH port away from 22 does not improve security unless your password is “password” or “admin”. Anybody who’s even slightly sophisticated will find your SSH service on the correct port and make requests there instead.

This problem has nothing to do with NPM. Checkmarx was compromised last month, and during that compromise there were malicious VS Code extensions published to Visual Studio Code Marketplace. A Bitwarden developer says that somebody ran one of those malicious extensions, and GitHub API keys were stolen which were used in publishing the malicious CLI package.

It’s probably better that it happened on NPM. If the CLI were only downloadable from the Bitwarden website, it would have likely taken longer for somebody to notice something was wrong.

I’ve never heard of anything working that way. The preferred algorithm is RFC 8305 “Happy Eyeballs,” which uses whichever network responds first. Even if your clients prefer IPv4, having IPv6 available allows you to access some resources that are not available over IPv4.

Matter uses IPv6 but it does not require you to have IPv6 internet. As long as the router isn’t blocking IPv6 router advertisements and IPv6 traffic between devices in your LAN you should be okay.

Would the MacBook Pro or rpi4 with a second Ethernet nic running a firewall before the routers also fix the issue of not getting security updates?

No. For most routers, this provides no additional protection to the router. Your router should not be accepting connections from the WAN side that would be blocked by the firewall, but consumer routers almost always initiate connections to the WAN side, indistinguishable from normal client traffic to your firewall, and accept connections from the LAN side, invisible to your firewall. If the firewall blocks all incoming requests, it would create problems for UPNP, effectively giving you CGNAT, even if the firewall does not perform address translation.

At least for some laptops, you cannot just remove the battery. If the battery is removed, the performance may be throttled. This is true of very old MacBooks.

In the US, most IPSs have remote access to your modem as well, even if you purchased it yourself from a store unaffiliated with your ISP.

Enabling SSH password authentication is unnecessary and not a good idea, especially if your temporary passwords are simple. I haven’t used Hetzner but there is probably a way to upload a file or to paste into the console, or else if you fix your keyboard you could at least type a URL to download the public key from the internet. You may want to look into cloud-init instead of manually installing and configuring your VMs.

LUKS may not make your server meaningfully more secure. Anyone who can snapshot your server while it’s running or modify your unencrypted kernel or initrd files before you next unlock the server will be able to access your files.

curl bash is not as bad as people think. Nobody downloads and reverse engineers binary packages off of these websites before running them with the same permissions.

If you’re running insecure services, you can restrict them to be accessible by vpn. I have a mix of internet accessible and vpn accessible services using the tailscale nginx plugin.

If you want to send all your traffic over a vpn, you will either need to route all your traffic through your own vpn or use some sort of multiplexed vpn. tailscale can do this with mullvad, but it’s not yet possible with headscale.

Kubernetes is much more complicated and powerful than Docker, and Docker Compose is more similar to the way you work directly with Kubernetes than it is to Helm, which adds in a templating system. Basically, from a Docker perspective, Helm allows you to configure your compose file, but not just by substituting variables. Helm can make structural changes such as completely adding or removing sections based on the variables used when loading the chart. The output of Helm is YAML, sort of like a compose file.

Kubernetes has a much more complicated system for describing workloads and their resources than Docker Compose, and it is extensible. For example, if you are running on AWS you can have Kubernetes attach EBS volumes to your pods, or if you’re on bare metal you might use LVM, and it’s not limited to things that Kubernetes natively understands like storage volumes: Cert Manager is a common piece of software that is deployed into Kubernetes that takes care of issuing and renewing TLS certificates for other software in Kubernetes.

I used to run Kubernetes at home with ArgoCD, but I’ve moved on to NixOS instead. NixOS is less powerful because it doesn’t have dynamic workload scheduling, but I don’t actually need dynamic workload scheduling or all the configuration necessary to facilitate dynamic workload scheduling in my house, and Nix is much nicer to work with than Helm’s gotmpl templating. Unless you like this kind of stuff or want to get into Kubernetes, you probably want to avoid it for running a few things on one host.

Helm is what is used for real world software deployments. It has its problems but it’s better than Docker Compose.

Just be careful with SD cards if you’re using SBCs. Home Assistant does a lot of writing and if your SD card can’t handle repeated writes you may suddenly lose everything. Keep backups to another device and have a replacement SD card ready if extended downtime is going to be a problem for you.