kumi

What you can do is segregate networks.

If the browser runs in, say, a VM with only access to the intranet and no internet access at all, this risk is greatly reduced.

LVM itself does not provide redundancy, that’s RAID.

I think this is potentially a bit confusing.

LVM does provide RAID functionality and can be used to set up and manage redundant volumes.

See --type and --mirror under man 8 lvcreate.

My next suspicion from what you've shared so far apart from what others suggested would be something out of the http server loop.

Have you used some free public DNS server and inadvertently queried it with the name from a container or something? Developer tooling building some app with analytics not disabled? Any locally connected AI agents having access to it?

You say you have a wildcard cert but just to make sure: I don't suppose you've used ACME for Letsencrypt or some other publicly trusted CA to issue a cert including the affected name? If so it will be public in Certificate Transparency Logs.

If not I'd do it again and closely log and monitor every packet leaving the box.

What is the reason you are not considering running chromium or firefox in kiosk mode and just opening the slideshow view in a fullscreen web browser without the chrome?

If anyone else is seeing high resource use from seeding: There's quite some spam and griefing happening to at least Debian and Arch trackers and DHT.

Blocking malicious peers can cut down that by a lot. PeerBanHelper is like a spam filter for torrent clients.

https://github.com/PBH-BTN/PeerBanHelper/blob/dev/README.EN.md

On 1: Autoseeding ISOs over bittorrent is pretty easy, helps strengthening and decentralize community distribution, and makes sure you already have the latest stable locally when you need it.

While a bit more resource intensive (several 100GB), running a full distribution package mirror is very nice if you can justify it. No more waiting for registry sync and package downloads on installs and upgrades. apt-mirror if you are curious.

Otherwise, apt-cacher-ng will at least get you a seamless shared package cache on the local network. Not as resilient but still very helpful in outage scenarios if you have more than one machine with the same dist. Set one to autoupgrade with unattended-upgrades and the packages should be available for the rest, too.

Yes, Home Assistant has this.

https://rhasspy.readthedocs.io/en/latest/

Works great. My biggest challenge was finding a decent microphone setup and ended up like many do with old Playstation 3 webcams. That was a while back and I would guess it's easier to find something more appropriate today.

I am currently trying to transition from docker-compose to podman-compose before trying out podman quadlets eventually.

Just FYI and not related to your problem, you can run docker-compose with podman engine. You don't need docker engine installed for this. If podman-compose is set up properly, this is what it does for you anyway. If not, it falls back to an incomplete Python hack. Might as well cut out the middle-man.

systemctl --user enable --now podman  
DOCKER_HOST=unix://${XDG_RUNTIME_DIR}/podman/podman.sock docker-compose up  

I think Mora is on the ball but we'd need their questions answered to know.

One possibility is that you have SELinux enabled. Check by sudo getenforce. The podman manpage explains a bit about labels and shares for mounts. Read up on :z and :Z and see if appending either to the volumes in your compose file unlocks it.

If running rootless, your host user also obviously needs be able to access it.

How about using sieve rules? A nice plus is that if you ever move to self-hosted in the future, you can bring it with you.

I know at least Fastmail supports user-configured sieve. I don't have experience with Fastmail myself but in general mostly heard good things.

https://www.cstrahan.com/blog/taming-email-with-fastmail-rules/

http://sieve.info/tutorials