I would expect that the security issues are with the stock OS, but can’t argue with the gl.inet recommendation.
Also unrelated, but if you’re running a x86 system with gigabytes of RAM, why not run Opnsense at that point?
I believe it’s gotten better but historically *BSD had poor SQM support (bufferbloat mitigation), which is particularly useful on slower, asymmetric connections and where low, consistent latency is paramount.
It was also a bit of a laggard on Wireguard support, although that’s long since been fixed. So mainly you might prefer OpenWRT if you want the Linux kernel which tends to get features more quickly. Also because it’s so low on resource usage (including disk space), you can put it in a VM and very rapidly recover in the case of issues.
You could of course also use a full Linux based router OS, but I don’t believe there are many with a web interface, which most users would prefer.
vividspecter@aussie.zone to Selfhosted@lemmy.world • What to look for in building/buying a server? • English
3 · 11 days ago
This thread is helpful for Lenovo minipcs specifically: https://forums.servethehome.com/index.php?threads/lenovo-thinkcentre-thinkstation-tiny-project-tinyminimicro-reference-thread.34925/
vividspecter@aussie.zone to Selfhosted@lemmy.world • Cloudflare Tunnel: proxy-dns Command Removal 2026 | What are some nice alternatives to encrypted DNS? • English
2 · 12 days ago
Another approach would be setting up your own recursive resolver with e.g. Unbound. It’s debatable whether it’s more or less private than using DoH etc but it would bypass the DNS tampering by your ISP at the least.
vividspecter@aussie.zone to Selfhosted@lemmy.world • Securing traffic between a proxy and a backend over a VPN. How do you get a certificate for an internal domain? • English
2 · 12 days ago
You could also get a wildcard cert using DNS challenge, and not even expose the subdomains publicly.
Lenovo Tiny series for example, and I believe there are HP and Dell equivalents.
The mini-pcs that people typically recommend use around that at idle, and are much more powerful and have more reliable storage. But if all you need is a Pi that’s fine of course.
You could also secure what peers inside the tunnel can access, particularly if you plan to give other people access. I.e. only allow port 443 on a given server using a reverse proxy. It’s not a major threat either way but it would reduce the amount of access if someone gets into your phone/laptop etc.
vividspecter@aussie.zone to Selfhosted@lemmy.world • Recommendation Pocket Alternative with specific add-on requirements • English
1 · 1 month ago
You might want to open a feature request for one of the active projects. Shiori has a Firefox extension which has “search bookmarks” mode, which is close to what you are asking for, but is missing the remove bookmark feature.
vividspecter@aussie.zone to Selfhosted@lemmy.world • Recommendations for data backup solutions ? • English
3 · 1 month ago
- Hourly snapshots using btrbk
- Daily local backup to a NAS, also with btrbk (note: requires btrfs on both sender and receiver systems)
- I’m currently setting up a remote backup solution using borg to the NAS of a relative
I’d consider paper (physical) backups for essential passwords and keys, but be careful about security.
probably something with my ISP that I can’t really easily work around
I’d try and find out if you’re behind a CG-NAT first, and whether you have IPv6 support. Some ISPs will turn off CG-NAT if you ask if that is the reason you haven’t been able to get things working. Wireguard will then work properly which is a bit kinder on battery life with mobile devices in particular compared to Tailscale and Netbird (although both are improving in that regard).
Maybe a used minipc like the Lenovo Tiny series, although it might be slightly exceeding your budget.
vividspecter@aussie.zone to Selfhosted@lemmy.world • Are there any VPNs that support dedicated IPv6 addresses? • English
2 · 1 month ago
Vodafone/TPG now implements this too. It’s just shitty old Optus that’s stuck in the past.
vividspecter@aussie.zone to Selfhosted@lemmy.world • Are there any VPNs that support dedicated IPv6 addresses? • English
4 · 1 month ago
Yeah, you’re stuck with NAT66 with most commercial VPNs that support IPv6. If you’ve got ISP level ipv6 you can still allow inbound connections directly at least.
If you do go the NAT66 route, consider assigning a fake GUA from an unassigned prefix as if you use standard ULAs outbound connections will always prefer ipv4.
None of this is in the spirit of proper ipv6 but it “works”.
I don’t normally use Jellyfin for music but I do like that some subsonic clients like supersonic are supporting Jellyfin as an alternative, so if navidrome breaks for some reason I can just change over quickly.
Navidrome will only open your library in read-only
Are you sure that’s not just the default in the example docker-compose.yml? If there isn’t some additional handling, you can just remove the “:ro” from:

```yaml
volumes:
  - "/path/to/your/music/folder:/music:ro"
```
vividspecter@aussie.zone to Selfhosted@lemmy.world • Plex’s crackdown on free remote streaming access starts this week - Ars Technica • English
1 · 2 months ago
This sort of setup is a bit more advanced since it requires static routes on the remote router at least. Doable with one or two networks, but not if you have a bunch of users.
vividspecter@aussie.zone to Selfhosted@lemmy.world • Plex’s crackdown on free remote streaming access starts this week - Ars Technica • English
2 · 2 months ago
Most ISPs that do use CGNAT also offer ipv6 in Australia at least. The problem is that there is always that one client network that only supports ipv4 so you end up needing to support dual stack one way or another. Most of these ISPs also support CGNAT opt out for free at least, but I suspect that will go away in the medium term (and maybe that will encourage more universal ipv6 rollout).
vividspecter@aussie.zone to Selfhosted@lemmy.world • Plex’s crackdown on free remote streaming access starts this week - Ars Technica • English
2 · 2 months ago
It’s probably a TOS violation but you can combine it with pinchflat to strip ads and sponsored content from YouTube. It’s not a general YouTube app though, rather you use it to preserve channels you’re interested in.
You can also use Jellyfin to serve legally purchased music from bandcamp etc, or movies and TV shows ripped from Blurays and DVDs.



Garmin smartwatch but used offline only and connected with the FOSS gadgetbridge software. I’ve also started doing some manual tracking in a diary just to get my thoughts down with it.