On the other hand, I’ve been mounting my storage drives on the Proxmox host with mergerfs and exposing what I need to the LXCs with bind mounts for years, and I haven’t had a single issue with it across multiple major version upgrades.
You can pass the storage you need to the LXCs with bind mounts. No network connection needed.


https://github.com/gtxaspec/wz_mini_hacks adds WireGuard and other features to a few supported Wyze cameras. I haven’t tried WireGuard because mine is on my home network, but it works great for streaming RTSP locally.


Bitwarden caches your vault to your device, so you don’t actually need a live connection to the server.


What you’re describing sounds pretty much exactly like how I use Proxmox at this point (everything in LXCs, most just running docker on Alpine) and I’ve been wanting to make the switch to Incus for a while. Did you migrate your LXCs over from Proxmox? I’m a little worried about how painful that process might be.


That Reddit thread is horrible advice; it’s just mapping the LXC root user to the host root user, which is just a privileged LXC with extra steps (and maybe less secure).
The reason you’re probably having issues is that your root user in the LXC is mapped to the host user 100000 by default, and that user doesn’t have access to the share, but you can change that with mount options or by creating a user with 100000:100000 and adding it to a group with access.
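
The ID mapping described in the comment above can be checked mechanically. The following is an added example, not part of the original comment: it parses `lxc.idmap` lines from a container config, translates container IDs to host IDs, and flags a config that maps container root to host ID 0. Both sample configs are constructed, and the default range of 65536 IDs starting at 100000 is assumed to be the Proxmox default.

```python
import re

# Constructed sample configs in Proxmox's /etc/pve/lxc/<id>.conf style.
DEFAULT_CONF = """\
arch: amd64
unprivileged: 1
"""
ROOT_MAPPED_CONF = """\
arch: amd64
unprivileged: 1
lxc.idmap: u 0 0 1
lxc.idmap: g 0 0 1
lxc.idmap: u 1 100001 65535
lxc.idmap: g 1 100001 65535
"""

# Assumed default when no lxc.idmap lines are present: IDs 0-65535 -> 100000-165535.
DEFAULT_MAP = [("u", 0, 100000, 65536), ("g", 0, 100000, 65536)]
IDMAP_RE = re.compile(r"^\s*lxc\.idmap\s*[:=]\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_idmap(config_text):
    """Return (kind, container_start, host_start, count) tuples from a config."""
    entries = []
    for line in config_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            entries.append((m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4))))
    return entries or list(DEFAULT_MAP)

def to_host(entries, kind, container_id):
    """Translate a container uid ('u') or gid ('g') to the host ID, or None if unmapped."""
    for k, cstart, hstart, count in entries:
        if k == kind and cstart <= container_id < cstart + count:
            return hstart + (container_id - cstart)
    return None

def audit(config_text):
    """Flag configs where container root lands on host ID 0."""
    entries = parse_idmap(config_text)
    return [f"container root {label} maps to host {label} 0"
            for kind, label in (("u", "uid"), ("g", "gid"))
            if to_host(entries, kind, 0) == 0]

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("root-mapped", ROOT_MAPPED_CONF)):
        root_uid = to_host(parse_idmap(conf), "u", 0)
        print(f"{name}: container root -> host uid {root_uid}; findings: {audit(conf)}")
```

Run against a real container config, the host ID it reports for container root is the owner a bind-mounted share has to grant access to.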


I use Tautulli, but I’m not sure if that is going to cover all the same use cases.


For anything. You can get a push notification for anything you can make run a script or send an HTTP request.
Just run docker in an LXC. That’s what I do when I have to.


I’m not really worried about it. Each LXC runs as its own user on the host, and they only have access to what they need to run each service.
If there’s an exploit found that makes that setup inherently vulnerable then a lot of people would be way more screwed than I would.


I don’t have anything publicly accessible on my network (other than WireGuard), but if I did I’d just put whatever it was on its own VLAN, run a WireGuard server on it, and use a VPS as a reverse proxy that connects to it.
I only use unprivileged LXCs and everything I host on my network runs in its own LXC, so I’m not really worried about someone getting access to the host from there.


I like the workflow of having a DNS record on my network for *.mydomain.com pointing to Nginx Proxy Manager, and just needing to plug in a subdomain, IP, and port whenever I spin up something new for super easy SSL. All you need is one Let’s Encrypt wildcard cert for your domain and you’re all set.


I mean that’s not inherently bad, what you do with that data could be though.


By running NPM in an unprivileged LXC without docker or podman. I’m surprised to hear that’s been an issue with podman for so long though.


All you have to do to avoid this is just not open any ports except one for something like WireGuard, and only access your network using it externally, and you will never have this problem.


My last couple phones have been Samsungs (need MDM support for work) and I had no idea this even existed, let alone that everyone else has it already.


I guess I’m extremely paranoid then, my home IP doesn’t change much and I just expose the port only to it from Oracle’s site. I rarely touch mine though.


Have you tried mapping it to a different port?


Most private trackers don’t allow you to browse the tracker site from a shared VPN, but I’ve never seen one that doesn’t allow your torrent client to connect over one. That would make no sense.
Super simple, like 30 minutes to set up mergerfs and then the bind mounts are a few lines added to the LXC config files at most. This isn’t necessarily needed, but I have users set up on the Proxmox host with access to specific directories that are kind of a pain in the ass to remap the LXC users to, but were needed to give my *arr stack access to everything needed without giving access to the entire storage pool. Hard links won’t work across multiple bind mounts because the container will see them as separate file systems, so if your setup is /mnt/storage/TV, /mnt/storage/downloads, etc. then you’d have to pass just /mnt/storage as the bind mount.