I’ve been using fedora on a small intel 6th gen or newer mini pc. I then cook up some custom launch scripts that cause JMP to run at login. I use cockpit and a CMK agent for remote monitoring and management.

I got sick of the lack certificate management on Android TV and how much you need to do to make it reasonably private.

If you are on the latest mesa drivers (hence fedora over a more LTS release), and you install Jellfin Media Player via flatpak, everything should just work with hardware decoding.

Highly recommend restic. Simple and flexible. Plus I’ve actually used it on two occasions to recover from dead boot drives.

GrapheneOS also has this cool feature called Scramble PIN Layout to try and protect against guessing the pin from fingerprints on the screen.

Have you looked into policy-based decryption? Here’s an knowledge base page on the RHEL customer portal that goes over it well. I’m not sure if this will work on freebsd but it does offer a solution that allows for zero-touch reboots.

I stand corrected, its been quite a few years since I needed to use the ADB backup so I guess back then it was more complete.

Found a good detailed explanation here.

Shame that it seems to be getting phased out for cloud backup solutions. Makes sense that google would want to control more of your data and make you pay for it.

As installing a custom ROM typically involves using ADB anyways, I would suggest that you back up your device normally (copy files over to a folder on your computer), and then use the built-in backup function in ADB to make a secondary complete backup.

Also, depending on your threat model, you might not want to move any files from your old installation to your new one. Its possible that the old files, applications, and linked accounts could compromise your new installation privacy / security. I also generally enjoy starting with a clean slate after a new OS install.

CGNAT = Carrier Grade Network Address Translation. It makes it practically impossible to open ports to the public internet and in some extreme instances make zerotier very unstable. Typically you only have CGNAT if your internet connection is 4G or fixed wireless.

OpenVPN is just a VPN protocol. Roughly comparable to wireguard. It has been the gold standard for VPN technology for the past decade or so. Wireguard by comparison is much newer, and lighter to run. This typically results in faster throughput from a computational standpoint and devices where power is limited (cell phones), uses much less power by leveraging modern CPU encryption methods.

If you have the option to port forward on your home internet connection, its possible to setup a VPN connecting in a straight shot from your home to your roaming device. If you can’t port forward, you will need a main in the middle (the VPS) to establish and route the connections through.

Zerotier works off of a PTP style network and the free plan allows up to 50 devices when last I checked. I’m not sure on the availability of zerotier or wireguard on truenas as the last time I used TrueNAS was Scale 22.

My recommendation would be some kind of VPN. If your looking for something plug and play and free, look into zerotier.

If your home internet connection sits behind CGNAT, like me, just buy a cheap vps and set up your own wireguard network.

Both solutions avoid exposing your services directly to the public internet which reduces attack vectors and adds an extra layer of encryption.

If my understanding of how “force SSL” works for most proxies, it just simply issues a HTTP 300 redirect message for all http traffic coming in on port 80. It then sends everything to port 443 https.

Do you get a 502 when you try to connect with the force SSL turned off? It might me less of an issue with SSL and more that your proxy is not pointing to the right host / port of your nextcloud server.

Very interesting idea for a self hosted service! I will definitely take a stab at hosting it! I have a decent collection of DRM-free games from humblebundle and GOG that I always wanted in one place. Question, I know you dont currently have a native linux client. That being said, do you have a native linux client on the roadmap?

I second restic. Have been using it for a year now and have been generally very happy. Actually had to use it in a couple occasions to restore directory content and even recover a complete workstation drive. I have had relatively easy success in both scenarios.