What you can do is segregate networks.

If the browser runs in, say, a VM with only access to the intranet and no internet access at all, this risk is greatly reduced.

Hex Launcher: https://f-droid.org/packages/com.mrmannwood.hexlauncher

Pie Launcher: https://f-droid.org/packages/de.markusfisch.android.pielauncher

Similar approach in both of these

Best coupled with frequent refactoring and breaking of APIs so any community efforts at documentation are eternally outdated.

I’ve had good luck with finding perfectly working internal R/W drives on the local scrap market for cheap. I guess still lots of PCs from that era being junked by offices.

Sealed 25-50 GB BD RW media go for ~$1 per disc when they randomly show up in the surplus store.

LVM itself does not provide redundancy, that’s RAID.

I think this is potentially a bit confusing.

LVM does provide RAID functionality and can be used to set up and manage redundant volumes.

See --type and --mirror under man 8 lvcreate.

It’s more like busking on the street and then feeling offended about not getting any money despite people liking your music. Maybe you’re even inadvertently part of some commercial ad shoot profiting of the city vibes. Or offering free trials of a service and then being upset when nobody converts.

I don’t think things you do become “charity” just because others benefit from it and you don’t get compensated. The bar is higher than that.

No reason to expect that everyone will be in a position to do that indefinitely, especially when it comes to massive projects that turn into full time jobs.

For sure. No strings attached goes both ways.

At least Brave is open source, in contrast to Orion.

My next suspicion from what you’ve shared so far apart from what others suggested would be something out of the http server loop.

Have you used some free public DNS server and inadvertently queried it with the name from a container or something? Developer tooling building some app with analytics not disabled? Any locally connected AI agents having access to it?

You say you have a wildcard cert but just to make sure: I don’t suppose you’ve used ACME for Letsencrypt or some other publicly trusted CA to issue a cert including the affected name? If so it will be public in Certificate Transparency Logs.

If not I’d do it again and closely log and monitor every packet leaving the box.

deleted by creator

deleted by creator

If anyone else is seeing high resource use from seeding: There’s quite some spam and griefing happening to at least Debian and Arch trackers and DHT.

Blocking malicious peers can cut down that by a lot. PeerBanHelper is like a spam filter for torrent clients.

https://github.com/PBH-BTN/PeerBanHelper/blob/dev/README.EN.md

On 1: Autoseeding ISOs over bittorrent is pretty easy, helps strengthening and decentralize community distribution, and makes sure you already have the latest stable locally when you need it.

While a bit more resource intensive (several 100GB), running a full distribution package mirror is very nice if you can justify it. No more waiting for registry sync and package downloads on installs and upgrades. apt-mirror if you are curious.

Otherwise, apt-cacher-ng will at least get you a seamless shared package cache on the local network. Not as resilient but still very helpful in outage scenarios if you have more than one machine with the same dist. Set one to autoupgrade with unattended-upgrades and the packages should be available for the rest, too.

Yes, Home Assistant has this.

https://rhasspy.readthedocs.io/en/latest/

Works great. My biggest challenge was finding a decent microphone setup and ended up like many do with old Playstation 3 webcams. That was a while back and I would guess it’s easier to find something more appropriate today.

I am currently trying to transition from docker-compose to podman-compose before trying out podman quadlets eventually.

Just FYI and not related to your problem, you can run docker-compose with podman engine. You don’t need docker engine installed for this. If podman-compose is set up properly, this is what it does for you anyway. If not, it falls back to an incomplete Python hack. Might as well cut out the middle-man.

systemctl --user enable --now podman  
DOCKER_HOST=unix://${XDG_RUNTIME_DIR}/podman/podman.sock docker-compose up  

I think Mora is on the ball but we’d need their questions answered to know.

One possibility is that you have SELinux enabled. Check by sudo getenforce. The podman manpage explains a bit about labels and shares for mounts. Read up on :z and :Z and see if appending either to the volumes in your compose file unlocks it.

If running rootless, your host user also obviously needs be able to access it.

How about using sieve rules? A nice plus is that if you ever move to self-hosted in the future, you can bring it with you.

I know at least Fastmail supports user-configured sieve. I don’t have experience with Fastmail myself but in general mostly heard good things.

https://www.cstrahan.com/blog/taming-email-with-fastmail-rules/

http://sieve.info/tutorials

You don’t interact much with lawyers and government in your work, I take it?

It sounds like notmuch is your bag. While it has its own CLI, it also works great with neomutt, aerc, and others.

https://notmuchmail.org/

https://youtube.com/watch?v=pBs_P_1--Os

You can also do very powerful presorting with sieve if your server supports it.

Auhorities in other European countries are known to MitM SSL certs at VPS providers for years already. Switzerland is moving their legislation towards the EU direction. Proton themselves have been vocal about their concerns about this.

How long until someone realizes they can demand Proton to inject some extra JS into the webmail for desired targets? Folks in a sensitive situation should follow the established best-practice of not relying on remotely served JS for client-side encryption. To be safe against this vecor, handle your encryption and signing outside of the webmail; either in your own client or copy/pasting.