Settings

Your goal isn’t super clear from the post.

Are you asking how to host an OS on an NFS share?

Some states have open data. Unsure if it’s in Json though.

Also, this answer.

Yeah, so if you’re running rootless containers, they aren’t run by root, and for added security, you don’t want them run by your normal user because if they get broken, then they’d have access to what your user has access to. Just create another user that only runs containers, and doesn’t have access to your things or root.

Wireguard is a VPN, so that’s not going to help you much here unless you’re forwarding all your traffic through a remote server, in which case anyone gets in there will still be able to get your local machines. It’s another hop in the chain, but that’s about it.

If you want to be more on guard about reacting to attacks, or just bad traffic, you probably want something like Crowdsec. You’ll at least be able to detect and ban IPs probing your services. If that’s too much work, leverage OoenWRT reporting and some scripting to ban bad actors that probe your firewall and open ports. That’s a good first step.

If you’re concerned about the containers, consider using something more secure than dockerd. Podman rootless with a dedicated service user is a good start. Then maybe look at something more complex: Kata, gvisor, lxc…etc. The goal being sandboxing the containers more to prevent jailbreaks.

That’s an IPv6 address forwarding to port 3001.

This is the correct answer, but you need a few things to clarify:

1. The issue isn’t the Docker system service. Don’t make that depend on Tailscale
2. Add a healthcheck and restart policy to the container to make it fail when conditions aren’t met, and restart until they are successful
3. Build in some time tolerance at the service level inside the container to prevent it from flailing if your Tailscale healthchecks don’t pass after they initially start. Don’t rely solely on container health checks to ensure it works properly as that might not always be possible.

Yes, because each one has been. Just because it’s “Apple” and you think it’s better every iteration is a mistake on your part.

Cool, so the version from many years ago related to OP’s question…how?

Pretty much exact. Lots of reviews to back that up without me spouting about it.

Take your own advice: https://www.n-able.com/fr/blog/vlan-hopping-security

For some reason you think a home router can’t be gotten into because of a VLAN of all things🤣

You’re sitting here worrying about some packets from the internet being safe for some reason and not realizing the big picture. Go back to Innernette learning school, tough guy.

Lolz at you. Sweet baby Jesus, you have no idea.

JFC 🤦

How are you NOT understanding what OP thinks is happening, versus what you thinks is happening?

If I get shell access to this router I have access to ALL NETWORKS. VLAN won’t help any of this.

Move everything back two spaces. You may need a yaml linter. Your problem is just the format from what I’m seeing.

You are aware that being on the router would have access to ALL the ingress and egress interfaces, right?

I’m not saying idle power is unimportant. I’m saying the M-Class chips can’t ever go idle with a minimal set of features NOT being engaged, because they’re going to be more engaged in general vs other chips that can run truly headless. macOS doesn’t allow for that.

Well it wouldn’t matter if your router is the thing that someone gets into. All you’re doing is separate traffic in different subnets, and if that’s your goal, you’re good to go.

Okay, but the post being responded to threw an error that certainly seems like a yaml formatting error.

If you simply deleted the “template” portion, and then changed the “binary_sensor” line without correcting the spacing in the lines after that, you’d get this error. Yaml is strict about leading spaces.

Give us the plain English of what you think this is supposed to do first 😉

Your error suggests a yaml formatting issue.