That reddit thread is horrible advice, it’s just mapping the LXC root user to the host root user, which is just a privileged LXC with extra steps (and maybe less secure).

The reason you’re probably having issues is that your root user in the LXC is mapped to the host user 100000 by default, and that user doesn’t have access to the share, but you can change that with mount options or creating a user with 100000:100000 and adding it to a group with access.

I use Tautulli, but I’m not sure if that is going to cover all the same use cases.

For anything. You can get a push notification for anything you can make run a script or send an http request.

Just run docker in an LXC. That’s what I do when I have to.

I’m not really worried about it. Each LXC runs as its own user on the host, and they only have access to what they need to run each service.

If there’s an exploit found that makes that setup inherently vulnerable then a lot of people would be way more screwed than I would.

I don’t have anything publically accesible on my network (other than wireguard), but if I did I’d just put whatever it was on its own VLAN, run a wireguard server on it, and use a VPS as a reverse proxy that connects to it.

I only use unprivileged LXCs and everything I host on my network runs in its own LXC, so I’m not really worried about someone getting access to the host from there.

I like the workflow of having a DNS record on my network for *.mydomain.com pointing to Nginx Proxy Manager, and just needing to plug in a subdomain, IP, and port whenever I spin up something new for super easy SSL. All you need is one let’s encrypt wildcard cert for your domain and you’re all set.

I mean that’s not inherently bad, what you do with that data could be though.

By running NPM in an unprivileged LXC without docker or podman. I’m surprised to hear that’s been an issue with podman for so long though.

All you have to do to avoid this is just not open any ports except one for something like wireguard, and only access your network using it externally, and you will never have this problem.

I guess I’m extremely paranoid then, my home IP doesn’t change much and I just expose the port only to it from Oracle’s site. I rarely touch mine though.

Have you tried mapping it to a different port?

Most private trackers don’t allow you to browse the tracker site from a shared VPN, but I’ve never seen one that doesn’t allow your torrent client to connect over one. That would make no sense.

As long as you’re connected to the VPN it probably shouldn’t. I use the automate app on my phone to automatically connect to my home wireguard server whenever I’m off my wi-fi, and it works great.

You’re going to run into an issue of only being able to have one VPN connected on Android at a time though if you’re already running mullvad on it, but as long as you have a decent connection at home and no data cap, you could just route all of your traffic through your home network, and then split tunnel your private IPs to connect directly, and anything else through mullvad.

Is there a reason you can’t just VPN in and expose only the VPN gateway? My preferred security is not exposing a bunch of random applications to the internet and hoping each doesn’t ever have any vulnerabilities.