Use a VPN, it’s not ideal but it’s secure.

When does your Server actually pull the repo though?

I have linkwarden set up for this.

On Android I share to the linkwarden app to save, on pc i use the Firefox addon.

Sure it’s fragmented but I’m already used to doing things different between mobile and pc anyways.

Pro tip: If you’re using openwrt or other managed network components don’t forget to automatically back those up too. I almost had to reset my openwrt router and having to reconfigure that from scratch sucks.

If logging is down and there’s no one around to log it, is it really down?

That won’t work in most cases, all https traffic isn’t cached unless you mitm https which is a bad idea and not worth it.

Only cache updates those are worth it and most have a caching server option.

Infrastructure diagram? No! In this homelab we refer to the infrastructure hyperdodecahedron.

I have set up Tor secret services in the past to do this.

The service exposed the SSH port which could then be accessed from anywhere as long as you can connect to Tor.

I don’t know anything about Talos but can you try it in a VM with a test disk? That should answer all your questions and show you possible pitfalls.

for a homelab I don’t think it’s feasible to fully review the source code of everything you install

Here’s what you can actually do:

• Consider if you actually need the application and stop applications you don’t use
• Don’t allow public access unless it is necessary, consider VPN/reverse proxies with client authentication (if supported)
• isolate applications that don’t need to talk to each other
• • see also rootless podman, firewalls, virtual machines, etc
• • don’t forget network access, if everything runs on 127.0.0.1 and every service shares it then they can all talk to each other! (See also network namespaces or VMs)
• Don’t reuse passwords
• keep software up to date
• actually evaluate the quality of the project if it needs access to sensitive information
• • see open issues, closed issues that stand out
• • check for audits or at least a history of good effort™

Sure you wont always catch ai slop this way but you don’t need to read a line of code to at least be reasonably sure your arr stack won’t get to the family photos.

Google protecting Google from FOSS.

They’re right too, after using Immich I don’t want to go back.