I’d set up something like that, to hand out the password to a (previously prepared) Keepass database, in case something happens to me. To have everything readily available for my loved ones, to aid with cleaning up after me.

I use a SSH tunnel. Doesn’t need more then a barebones VPS running with OpenSSH.

ArgoCD. If there’s something that doesn’t come with a Helm chart, i just wrap it into bjw-s’ common chart (https://github.com/bjw-s/helm-charts/tree/main/charts) and call it a day.

If they’re VMs, just install the kernel you want - keeping them updated is your responsibility anyways. If they’re containers (Virtuozzo), you’re not gonna change the kernel anyways.

Normal background noise. You expose stuff to the public and in return you make friends with a bunch of bots.

Froxlor

Granted I use Kubernetes, but here you go:

• I run stuff with user namespaces, so even a root process within the container is unprivileged on the host
  • there’s a demo
  • https://www.youtube.com/watch?v=M4a2b4KkXN8
  • https://kubernetes.io/blog/2023/09/13/userns-alpha/
• I isolate namespaces via NetworkPolicies
  • Even my Nextcloud instance has no business to check upstream for updates (i have renovate for that)
• I use securityContexts to make my containers as unprivileged as possible
  • drop all capabilities
  • enforce a read-only container filesystem
  • enforce running as a specific UID/GID (many maintainers are lazy and just run their stuff as root)

Been an OVH customer for 10+ years. Always been a solid choice.

Ahh, good old IRC. Look into something like InspIRCd. It should already allow you to restrict channel creation to registered accounts. Then combine that with something like Atheme or Anope IRC Services. I couldn’t find any PAM modules, but Atheme should at least support an external database (back in the day we used a mysql backend).

Look at K3s. Since a while it has built-in support for Tailscale (can also use Headscale).

Alternatively, it doesn’t really matter how or where your nodes are located, if you add a VPN to allow them to talk to each other.

Your main issue would be storage. But that’s easily fixed with a topology aware CSI and then keeping your stateful workloads either wherever they got their volumes provisioned, or forcing them to be provisioned on your home servers.

run the container as a non root user (some containers won’t work so they need to be run as root user)

To avoid issues with containers, could also make use of user namespaces: https://docs.docker.com/engine/security/userns-remap/

Allows a process to have root privileges within the container, but be unprivileged on the host.