I don’t see anyone talking about the human side so I’ll ask - what is the appetite for change? I can see you yourself are motivated and that’s great. How do you feel the attitude is with the others there? Migrating a company that’s been working analogue for decades sounds like a big change programme regardless of the tech choices you ultimately make. This sounds like process change as well as technology change and that requires using another set of skills to wrangle the people.

I would advise to pick a small area first that’s causing the most pain but also very amenable to common tech most people are already familiar with and is only a small change to existing processes. Get an early visible success.

The photo management might be a good start as we all are used to these apps on our phones and the tech is mature and easy to find in FOSS.

Everyone loves Immich though it has some big warnings on its github page about its own maturity. Maybe something simpler: just file/photo synching and a shared gallery? It can always be upgraded in future. Syncthing is solid, some kind of NAS and one of the older/mature galleries running on top. Get your backup process nailed down and run a real recovery process before too many photos are at stake.

Anyway it sounds exciting and kudos to you for looking to FOSS. Good luck!

Not on Firefox, some site functionality is disabled: https://medium.com/@leonardodna/the-ultimate-newbie-guide-for-self-signed-certificates-d81aa3b9987b

I know what you mean but using real self-signed certificates (i.e. no CA at all) with modern browsers causes so many issues I find them unusable.

I’ll mention this as no one has yet but you can be your own CA. Tools like mkcert make it easy

https://github.com/FiloSottile/mkcert

This is potentially more hassle (than using public DNS) as you have to get your CA certs onto every device. However it may be suitable depending on the situation.

Home Assistant can do shared lists and (I’ve not used them) but has some recipe add-ons. There are apps for android and iOS. It can also take care of managing the dynamic IP. Then if you want to explore home automation in future you’re ready to go.

In that case I’ll also mention that Powershell has a secure-string that allows you to load secrets from encrypted file/user input. I believe it’s secured by the user’s login/session like secret-tool. They are even remain encrypted in memory so they can’t be snooped on.

Two more options you might consider:

• secret-tool - like a vault that unlocks when a user logs in to their session. This shifts the problem to keeping the user’s login credentials secure but depending on your setup that might be preferable. Just be aware the once unlocked any process could access the vault in theory (I wish they’d add access controls…)
• podman secrets - so you can securely provide secrets to containers. You can set these once securely then nothing except processes in the container can get them.