Skip Navigation
Podman or rootless docker?
  • It's a really solid combo, but if you're not familiar with CoreOS I wouldn't change both at once. Meaning migrate the services to Podman first, then switch the OS. I've meant to switch from Alma 9 to CoreOS a long time, but haven't found the time.

    I noticed you run Nextcloud AIO, just so you know, that's one of those "mount the docker socket" monstrosities. I'd look into switching to the community NC image and separate containers managed yourself. AIO is easy, but if someone gets shell to the NC container, it's basically giving root to your host.

    Either way, you're going to have trouble running AIO with Podman.

  • Podman or rootless docker?
  • I'm very much biased towards Podman, but from what I understand rootless Docker is a bit of an afterthought, while Podman has been developed from the ground up with rootless in mind. That should be reason enough.

    The very few things Docker can do that Podman struggles a bit with are stuff that usually involves mounting the Docker socket in the container or other stupid things. Since you care about security, you wouldn't do that anyway. Not to mention there's also rootful Podman, when you need that level of access.

    I'd recommend an RPM-based distro with Podman, the few times I've tried Podman on a deb distro, there's always been something wonky. It's been a while, though.

  • How to use the new Private Space feature in Android 15
  • You need the G account to be able to install apps from Play Store, I don't believe the private space itself requires it.

    Not sure if there's some Play "integrity check" on stock ROMs, but on GOS I was able to create the private space and download&install F-droid or other APKs just fine, without a Google account.

  • Privacy-focused Whatsapp mods?
  • The official app doesn't need to be running constantly. It only needs to connect to Meta's servers once every 14 days.

    The Mautrix-Whatsapp bridge will send a notification couple of days in advance to warn you if the main device hasn't been active.

  • Privacy-focused Whatsapp mods?
  • It might work, I haven't tried. But I think that's also quite complicated for most people.

    I've also heard quite a few people getting their number banned by only running in an emulator. If it's an older WA account, it's probably safe, but I wouldn't do it on a fresh number.

  • Privacy-focused Whatsapp mods?
  • This is true.

    I use WA via the Matrix bridge. WA requires the official mobile app (not web) to connect every 14 days, so you need to have it on a separate profile, a spare phone or do a complicated Android emulator setup... To be usable you need to allow the WA app access to your contacts, which results in Meta getting just about the same metadata from you it would via using the official app.

    If I wasn't using Matrix for other things like notifications from servers, I wouldn't bother with this. The only upside is having only one app for messaging. The bridge system itself works really well, nothing bad to say there.

  • Updates vs. version pinning in Docker-based homelab
  • I've never used Portainer, but does it have an option to only notify of available updates?

    For things that I don't mind breaking, I use latest. For the services that matter, use a specific version. Take Immich for example, in the 2-3 months I've kept it running, there's been 3 breaking changes that would prevent startup after update without manual intervention. Immich is an extreme though, some other projects have been working fine with latest without touching them for years.

    I follow the important projects' releases (subacribe if possible), and update manually when they publish an image with a new version. I'd see it as either updating manually and being OK about possibly being a version behind every now and then, or using latest+auto updates and being OK with waking up to broken services every now and then. Which might never happen.

  • *Permanently Deleted*
  • Maybe you get the possibility of routing all traffic from a container (or all the containers in that namespace/network) over the tailnet this way? With the host method, you'd need the host to use the exit node too.

  • DNS trouble with pihole running with podman
  • Have you considered lowering the unprivileged port limit instead?

    sudo sysctl -w net.ipv4.ip_unprivileged_port_start=53 | sudo tee -a /etc/sysctl.conf  
    

    Then remove the firewall rule and bind to port 53.

    Edit: typo

  • InitialsDiceBearhttps://github.com/dicebear/dicebearhttps://creativecommons.org/publicdomain/zero/1.0/„Initials” (https://github.com/dicebear/dicebear) by „DiceBear”, licensed under „CC0 1.0” (https://creativecommons.org/publicdomain/zero/1.0/)OR
    oranki @piefed.social
    Posts 0
    Comments 12