I think the article is about the sw passkeys, stored in a password manager. Not hw keys like Yubikey.
But your point is still valid. With passkeys the owner of an account would need to log in and add the passkeys of the other family members so they can log in. At the moment there's no way to share passkeys or even move them between password managers, I think.
But passkeys are still developing. I could imahine that in the future it would work like SSH keys. To allow someone to login to your account, you'd just add something like an SSH public key.
I find passkeys very convenient, but it's going to take a long time until they're supported widely enough for regular people to care.
Thanks. Last time I tried it was just after bookworm released, and on ARM, so it has probably got better
It's a really solid combo, but if you're not familiar with CoreOS I wouldn't change both at once. Meaning migrate the services to Podman first, then switch the OS. I've meant to switch from Alma 9 to CoreOS a long time, but haven't found the time.
I noticed you run Nextcloud AIO, just so you know, that's one of those "mount the docker socket" monstrosities. I'd look into switching to the community NC image and separate containers managed yourself. AIO is easy, but if someone gets shell to the NC container, it's basically giving root to your host.
Either way, you're going to have trouble running AIO with Podman.
I'm very much biased towards Podman, but from what I understand rootless Docker is a bit of an afterthought, while Podman has been developed from the ground up with rootless in mind. That should be reason enough.
The very few things Docker can do that Podman struggles a bit with are stuff that usually involves mounting the Docker socket in the container or other stupid things. Since you care about security, you wouldn't do that anyway. Not to mention there's also rootful Podman, when you need that level of access.
I'd recommend an RPM-based distro with Podman, the few times I've tried Podman on a deb distro, there's always been something wonky. It's been a while, though.
I have to join the choir, what do you mean dying and doesn't work? If proprietary apps don't support it, it's just because it's one of the best ways to lock people in.
You need the G account to be able to install apps from Play Store, I don't believe the private space itself requires it.
Not sure if there's some Play "integrity check" on stock ROMs, but on GOS I was able to create the private space and download&install F-droid or other APKs just fine, without a Google account.
The official app doesn't need to be running constantly. It only needs to connect to Meta's servers once every 14 days.
The Mautrix-Whatsapp bridge will send a notification couple of days in advance to warn you if the main device hasn't been active.
It might work, I haven't tried. But I think that's also quite complicated for most people.
I've also heard quite a few people getting their number banned by only running in an emulator. If it's an older WA account, it's probably safe, but I wouldn't do it on a fresh number.
This is true.
I use WA via the Matrix bridge. WA requires the official mobile app (not web) to connect every 14 days, so you need to have it on a separate profile, a spare phone or do a complicated Android emulator setup... To be usable you need to allow the WA app access to your contacts, which results in Meta getting just about the same metadata from you it would via using the official app.
If I wasn't using Matrix for other things like notifications from servers, I wouldn't bother with this. The only upside is having only one app for messaging. The bridge system itself works really well, nothing bad to say there.
I've never used Portainer, but does it have an option to only notify of available updates?
For things that I don't mind breaking, I use latest. For the services that matter, use a specific version. Take Immich for example, in the 2-3 months I've kept it running, there's been 3 breaking changes that would prevent startup after update without manual intervention. Immich is an extreme though, some other projects have been working fine with latest without touching them for years.
I follow the important projects' releases (subacribe if possible), and update manually when they publish an image with a new version. I'd see it as either updating manually and being OK about possibly being a version behind every now and then, or using latest+auto updates and being OK with waking up to broken services every now and then. Which might never happen.
If I had money laying around, this would make a compelling home server. With a minimal GPU, or without one, if possible.
Maybe you get the possibility of routing all traffic from a container (or all the containers in that namespace/network) over the tailnet this way? With the host method, you'd need the host to use the exit node too.
Have you considered lowering the unprivileged port limit instead?
sudo sysctl -w net.ipv4.ip_unprivileged_port_start=53 | sudo tee -a /etc/sysctl.conf
Then remove the firewall rule and bind to port 53.
Edit: typo