Not sure what Docker Hub has, but as sysadmin you can pin to a specific sha256 digest, so that specific image can’t be taken over. However that conflicts with the idea of just running Watchtower.
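What digest pinning looks like in practice, as an added example that is not from this thread or from the linkding project: a compose service whose image reference carries the sha256 digest, so a re-pushed or hijacked tag can no longer change what gets pulled. The image name is only an illustration and the digest value is a placeholder; the two commands in the comments are how you would read the real one off the image you actually tested.

```yaml
# Added example: compose service pinned to an image digest instead of a mutable tag.
# The digest below is a PLACEHOLDER (64 zeros). Read the real digest for the image you
# tested with, either before pulling:
#   docker buildx imagetools inspect docker.io/sissbruecker/linkding:latest
# or from an already pulled image:
#   docker inspect --format '{{index .RepoDigests 0}}' docker.io/sissbruecker/linkding:latest
services:
  linkding:
    # name@sha256:<digest>: the registry must serve exactly this manifest, or the pull fails.
    # A tag may be kept in front of the digest for readability (name:tag@sha256:...),
    # but only the digest is enforced.
    image: docker.io/sissbruecker/linkding@sha256:0000000000000000000000000000000000000000000000000000000000000000
    container_name: linkding
    restart: unless-stopped
    ports:
      # host port (left) can differ from the port the app listens on inside (right)
      - "127.0.0.1:9090:9090"
    volumes:
      # assumed data directory; adjust to wherever your bookmarks database should live
      - ./linkding-data:/etc/linkding/data
```

With the digest in place, a tag watcher such as Watchtower has nothing to act on, which is exactly the conflict the comment points out. The usual way out is to have the digest bumped through a reviewed change, which is what the Renovate workflow described further down this page does: Renovate can pin and update image digests in a pull request, so the update is still automatic but every change is visible in the diff before it is deployed.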
Which system are you using? SELinux/AppArmor active? Can you share your compose? There are many variables at play here.
Other than that: setting UID/GID via environment variable is usually wrong, mostly from a design perspective of the container. There is a user directive during build as well as during deploy to use for that.
From a quick look at the Dockerfile it does look like the user you use to run linkding needs to be in the root group.
BUT rootless podman maps the root user (usually to your user ID), so the root user inside the container does not have the same ID as the one outside. So I would suggest setting the permissions of the volume to your user for now.
Another way to figure out which user to use: just start a new/clean instance of the service and look at the new volumes.
Mora@pawb.social to Selfhosted@lemmy.world • Selfhosted alternatives to Discord with screensharing? (12 · 2 months ago)
Not that I am aware of. Komodo should be compatible with podman as well.
I deploy and update my services similar to this fantastic guide: https://nickcunningh.am/blog/how-to-automate-version-updates-for-your-self-hosted-docker-containers-with-gitea-renovate-and-komodo
Basically I run Komodo, which pulls a git repo. Renovate opens a PR (and most of the time the changelog is included, so I can quickly check what happened) for new versions. Once merged, a webhook fires to tell Komodo to pull the new version.
I really recommend this approach now. Once set up it is very automatic, but not to the point of YOLO-automation like Watchtower and :latest 😅
Mora@pawb.social to Asklemmy@lemmy.ml • Favorite Firefox addon that isn't just ublock, darkreader, etc? I throw out Singlefile but you probably have that (4 · 3 months ago)
> is easier to automate for things like providing bots with changed social media credentials
Tbh, sounds a bit like a cursed use case for a password manager, but I am curious how you set that up.
> meaning if you disconnect from VPN for whatever reason, the other containers don’t suddenly send data over non-VPN network.
Is that 100% certain? I think I can recall stories from 15 years ago, where torrent clients had kill switches and they still leaked data.
Damn, people are taking Stardew Valley seriously
Mora@pawb.social to Selfhosted@lemmy.world • Self-Host Weekly by Ethan Sholly (19 September 2025) (3 · 5 months ago)
There are 2 more sides unused as of now. Give me a whole Minecraft block destruction animation while scrolling down, lol
Mora@pawb.social to memes@lemmy.world • A joint at night, a coffee in the morning, and two bags under my eyes all the time (6 · 5 months ago)
> Nowadays, you can do sessions all online.
I wish. Germany usually has a combination of “bad internet”, “tech illiteracy” and “no appointments in the next 2-4 years”.
Mora@pawb.social to Asklemmy@lemmy.ml • Why is so much of IPv4 allocated to multicast when it cannot be used by the public at large? (7 · 6 months ago)
Honestly, no clue, but in my career the answer why something beneficial hasn’t been done is usually “backwards compatibility”.
Mora@pawb.social to Selfhosted@lemmy.world • Backblaze is slow for Nextcloud. Any recommendations for faster s3 compatible storage? (3 · 6 months ago)
They don’t detect at all. It depends on what location you choose when you register. So if you want to migrate, you have to create a new account.
> dish washer to sterilize jars for canning
Household dishwashers do not sterilise, they only sanitise at best (with 65 °C (150 °F)). For sterilisation of all microorganisms including spores they would need to heat up to 120 °C (250 °F) for several minutes.
That being said, you most likely breathe in your own poop particles all the time, so sanitation may be enough.
Mora@pawb.social to Selfhosted@lemmy.world • Is there a good selfhosted service that can download and rehost tiktok links from a web ui? (0 · 6 months ago)
> I thought downloading and redistributing tiktok videos was against TikTok’s TOS?
Which you only agreed to if you have an account (and even then they realistically can only ban your account). If you rehost publicly you might get issues with copyright laws though.
Since rootless Docker is (mostly) a security improvement, here is an interesting list of other Docker related security tips I like to consult: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
Absolutely, it is not necessary if the proxy can reach the service in other ways (e.g. a shared network). Some non-HTTP services don’t like to be proxied though. Some constellations where the proxy is not on the same host as the containers may also make it necessary. My answer was based on the possibility to not have the same inside/outside port, not necessarily the need though 😉
Also a great choice :)
Welcome to the community then :) For rootful Docker you are correct: the inside port can be 80 and you can expose it on whatever port you want (ideally you expose it only via reverse proxy and not by port; I can recommend Caddy-Docker-Proxy for that).
Unless I am missing some obvious setting: restricted Kubernetes doesn’t work like that. You have to run the container with a non-root UID (usually something upwards of a million). Non-root users however can’t reserve ports below 1025. Nextcloud builds on the default php-apache image which comes with the default apache ports.conf (Listen 80).
So now this has to be overwritten either by making a custom build (which may require creating a custom build pipeline) or by mounting a new config file (e.g. via ConfigMap), else it won’t start. Both are an additional update risk which now has to be documented and checked before updating in addition to changes from the normal Nextcloud changelog.
Similar issues probably appear with rootless docker/podman unless you add extra capabilities, which is not possible in restricted Kubernetes settings.
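The ConfigMap route from the comment above, written out as an added example; these are not Nextcloud’s own manifests. It moves Apache from port 80 to an unprivileged port so the pod can satisfy the restricted Pod Security Standard (non-root UID, no privilege escalation, all capabilities dropped, default seccomp). The namespace, the high UID, the PVC name and the image tag are assumptions for illustration; the two file paths are the php-apache image’s default locations for the listen port and the default virtual host.

```yaml
# Added example: php-apache based image under the "restricted" Pod Security Standard.
# Namespace, UID, PVC name and tag are assumed values; adjust to your cluster.
apiVersion: v1
kind: ConfigMap
metadata:
  name: apache-nonroot-ports
  namespace: nextcloud
data:
  # Replaces /etc/apache2/ports.conf, whose image default is "Listen 80".
  # Ports below 1024 need root or CAP_NET_BIND_SERVICE, neither of which a restricted pod gets.
  ports.conf: |
    Listen 8080
  # The image's default vhost binds *:80; keep it in step with the new Listen port.
  # Logs go to the container's stdout/stderr, as the php-apache image already configures.
  000-default.conf: |
    <VirtualHost *:8080>
        DocumentRoot /var/www/html
        ErrorLog /proc/self/fd/2
        CustomLog /proc/self/fd/1 combined
    </VirtualHost>
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nextcloud
  namespace: nextcloud
spec:
  replicas: 1
  selector:
    matchLabels: {app: nextcloud}
  template:
    metadata:
      labels: {app: nextcloud}
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000650000    # assumed high UID, the kind of range restricted clusters hand out
        runAsGroup: 1000650000
        fsGroup: 1000650000      # makes the data volume writable for that UID
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: nextcloud
          image: docker.io/library/nextcloud:stable-apache   # pin to your tested tag or digest
          ports:
            - containerPort: 8080   # matches the overridden Listen directive above
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            # subPath mounts replace single files and leave the rest of /etc/apache2 intact
            - name: apache-config
              mountPath: /etc/apache2/ports.conf
              subPath: ports.conf
            - name: apache-config
              mountPath: /etc/apache2/sites-enabled/000-default.conf
              subPath: 000-default.conf
            - name: data
              mountPath: /var/www/html
      volumes:
        - name: apache-config
          configMap:
            name: apache-nonroot-ports
        - name: data
          persistentVolumeClaim:
            claimName: nextcloud-data   # assumed PVC name
```

Both overridden files are exactly the update risk the comment describes: if a new image release changes its ports.conf or default vhost, this ConfigMap silently keeps the old content. A cheap guard is to diff the two files out of the new image (for example by running it once without the mounts and reading them back) as a documented step of every update, alongside the Nextcloud changelog.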
Honestly, just assume email is an inherently weak protocol with regard to privacy and work from there. So I would suggest getting the cheaper one that fulfills your feature needs and working with E2E encryption like OpenPGP (which also has issues, beware!). Some providers offer encrypting incoming emails with your public key. If you want more secure interpersonal communication look elsewhere (e.g. Signal).