At least for some laptops, you cannot just remove the battery. If the battery is removed, the performance may be throttled. This is true of very old MacBooks.
- i_am_not_a_robot@discuss.tchncs.de to Selfhosted@lemmy.world • Self Hosting for Privacy - Importance of Owning your own Modem/Router? • English • 3 months
In the US, most ISPs have remote access to your modem as well, even if you purchased it yourself from a store unaffiliated with your ISP.
- i_am_not_a_robot@discuss.tchncs.de to Selfhosted@lemmy.world • Notes on full disk encryption on a Hetzner cloud VPS • English • 4 months
Enabling SSH password authentication is unnecessary and not a good idea, especially if your temporary passwords are simple. I haven’t used Hetzner but there is probably a way to upload a file or to paste into the console, or else if you fix your keyboard you could at least type a URL to download the public key from the internet. You may want to look into cloud-init instead of manually installing and configuring your VMs.
LUKS may not make your server meaningfully more secure. Anyone who can snapshot your server while it’s running or modify your unencrypted kernel or initrd files before you next unlock the server will be able to access your files.
- i_am_not_a_robot@discuss.tchncs.de to Selfhosted@lemmy.world • Using huntarr? Perhaps you shouldn't. • English • 4 months
curl bash is not as bad as people think. Nobody downloads and reverse engineers binary packages off of these websites before running them with the same permissions.
- i_am_not_a_robot@discuss.tchncs.de to Selfhosted@lemmy.world • How do I access my services from outside? • English • 4 months
If you’re running insecure services, you can restrict them to be accessible by vpn. I have a mix of internet accessible and vpn accessible services using the tailscale nginx plugin.
If you want to send all your traffic over a vpn, you will either need to route all your traffic through your own vpn or use some sort of multiplexed vpn. tailscale can do this with mullvad, but it’s not yet possible with headscale.
- i_am_not_a_robot@discuss.tchncs.de to Selfhosted@lemmy.world • Element/Matrix Official Docker Install Method? • English • 4 months
Kubernetes is much more complicated and powerful than Docker, and Docker Compose is more similar to the way you work directly with Kubernetes than it is to Helm, which adds in a templating system. Basically, from a Docker perspective, Helm allows you to configure your compose file, but not just by substituting variables. Helm can make structural changes such as completely adding or removing sections based on the variables used when loading the chart. The output of Helm is YAML, sort of like a compose file.
Kubernetes has a much more complicated system for describing workloads and their resources than Docker Compose, and it is extensible. For example, if you are running on AWS you can have Kubernetes attach EBS volumes to your pods, or if you’re on bare metal you might use LVM, and it’s not limited to things that Kubernetes natively understands like storage volumes: Cert Manager is a common piece of software that is deployed into Kubernetes that takes care of issuing and renewing TLS certificates for other software in Kubernetes.
I used to run Kubernetes at home with ArgoCD, but I’ve moved on to NixOS instead. NixOS is less powerful because it doesn’t have dynamic workload scheduling, but I don’t actually need dynamic workload scheduling or all the configuration necessary to facilitate dynamic workload scheduling in my house, and Nix is much nicer to work with than Helm’s gotmpl templating. Unless you like this kind of stuff or want to get into Kubernetes, you probably want to avoid it for running a few things on one host.
- i_am_not_a_robot@discuss.tchncs.de to Selfhosted@lemmy.world • Element/Matrix Official Docker Install Method? • English • 4 months
Helm is what is used for real world software deployments. It has its problems but it’s better than Docker Compose.
- i_am_not_a_robot@discuss.tchncs.de to Selfhosted@lemmy.world • Is Home Assistant the recommended default for smart homes? • English • 5 months
Just be careful with SD cards if you’re using SBCs. Home Assistant does a lot of writing and if your SD card can’t handle repeated writes you may suddenly lose everything. Keep backups to another device and have a replacement SD card ready if extended downtime is going to be a problem for you.
- i_am_not_a_robot@discuss.tchncs.de to Selfhosted@lemmy.world • How many containers are you all running? • English • 5 months
I have 1 podman container on NixOS because some obscure software has a packaging problem with ffmpeg and the NixOS maintainers removed it.
docker: command not found
- i_am_not_a_robot@discuss.tchncs.de to Selfhosted@lemmy.world • What's the laziest way to create a website that looks really nice and is maintainable? • English • 5 months
Quarto and Docusaurus are for documentation. You may be looking for a more general static site generator like 11ty.
- i_am_not_a_robot@discuss.tchncs.de to Selfhosted@lemmy.world • Where are you running your wireguard endpoint? • English • 6 months
Wireguard normally runs with higher than root privileges as part of the kernel, outside of any container namespaces. If you’re running some sort of Wireguard administration service you might be able to restrict its capabilities, but that isn’t Wireguard. Most of my devices are running Wireguard managed by tailscaled running as root, and some are running additional, fixed Wireguard tunnels without a persistent management service.
Check the README for piper. It moved to https://github.com/OHF-Voice/piper1-gpl
- i_am_not_a_robot@discuss.tchncs.de to Selfhosted@lemmy.world • Nextcloud logs me out whenever I restart • English • 7 months
Nextcloud shouldn’t be seeing your MAC address. However, my guess is that Nextcloud has been configured to invalidate the session if the client IP changes, and randomizing the MAC address is one way that can happen.
- i_am_not_a_robot@discuss.tchncs.de to Selfhosted@lemmy.world • Are there any VPNs that support dedicated IPv6 addresses? • English • 7 months
Are you looking for a VPN or are you looking for an IPv6 tunnel broker like Hurricane Electric?
- i_am_not_a_robot@discuss.tchncs.de to Selfhosted@lemmy.world • How to propperly Ansible and selfhost without burning out? • English • 7 months
An immutable distro… like NixOS? Or do you mean your root filesystem is immutable? NixOS can do that too. You could normally mount your nix store as readonly and remount rw during updates if you really care about filesystem immutability, or use some snapshot system if you’re paranoid about adding new files to the store corrupting other files already in the store during an update.
The nixpkgs VM creation module, which I’ve never seen documentation for, has a mode where it generates a kernel, initrd, kernel command line, and erofs image containing a prepopulated /nix directory and that’s enough to boot the VM.
Ansible is disappointing as an IAC tool. It’s good for doing things, but it’s not good for converging systems to a desired state. Too often you end up with playbooks that are not idempotent or rely on something that was done during a previous execution of the playbook or just don’t do something that was done by a previous version, and then unless you are constantly recreating your systems you won’t notice until it’s a problem and you can’t get your system back.
- 7 months
You can host a Proton mail bridge to use different apps running on different machines, including phones.
Self hosting e-mail, particularly SMTP, will likely require a static IP from a reputable provider. Mail servers may reject incoming mail based on the reputation of the sending server. You can avoid this by relaying through another SMTP server and configuring your DNS rules to allow that server to send mail on your behalf, but that’s not really self hosting anymore.
- i_am_not_a_robot@discuss.tchncs.de to Gaming@beehaw.org • The oldest Minecraft server, MinecraftOnline, is being shut down by Microsoft • 8 months
What Microsoft is doing with Minecraft should be illegal. After they purchased Minecraft from Mojang, they started changing the rules so instead of being a game you have purchased and you play with your friends how you want to play it, it’s a game that you have a temporary license to use in a way that Microsoft thinks is appropriate for small children, even if you are hosting your own private server like these people are doing. Microsoft doesn’t like the way that these people are playing the game and talking outside the game, so they are taking the game away. You may not like these people because they sound like the kind of people that use “free speech” as an excuse for hate speech, but would it be the same if Microsoft were taking away the game from servers that allowed people to specify their pronouns or use different color combinations associated with LGBTQ representation, which they may soon be pressured to do by the government of the country they are headquartered in?
- i_am_not_a_robot@discuss.tchncs.de to Selfhosted@lemmy.world • Every single time I think of restructuring my homelab storage. What do you use for storage engines and how does it benefit you? • English • 8 months
You can use OpenEBS to provision and manage LVM volumes. Host path requires you to manually manage the host paths.



No. For most routers, this provides no additional protection to the router. Your router should not be accepting connections from the WAN side that would be blocked by the firewall, but consumer routers almost always initiate connections to the WAN side, indistinguishable from normal client traffic to your firewall, and accept connections from the LAN side, invisible to your firewall. If the firewall blocks all incoming requests, it would create problems for UPNP, effectively giving you CGNAT, even if the firewall does not perform address translation.