

#nobridge




The main thing I see you can avoid with locking down the docker images into a separate low permission user that can only access what they really need is if someone successfully attacks a project and you get infected with some shit when your Synology pulls image:latest.
It could limit the traversal of a ransomware that successfully breaks free of the container but ends up having no permissions outside as an example.
I would probably purge the whole NAS and set it up from my backup for my own peace of mind even with the user separation though.
edit: updating “low user” to “low permission user”, amazing how the brain can fill in words for you when reading your own texts.


I mean unless specified otherwise most Synology container management dockers will run as root. With that said, if you want to secure things then there are guides.
An alternative path would be to set up a specific docker user and use docker compose to use that user when installing images.
https://drfrankenstein.co.uk/step-2-setting-up-a-restricted-docker-user-and-obtaining-ids/
Jellyfin example
https://drfrankenstein.co.uk/jellyfin-in-container-manager-on-a-synology-nas-hardware-transcoding/
From there you could go further and use the guides above to create one user per docker image and give them different permissions depending on need.
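
The restricted-user approach described in the comment above, sketched as a compose file. This is an added example, not part of the original comment or of the linked guides. The account name `dockerlimited`, the UID/GID values, the host paths and the `<pinned-tag>` placeholder are assumptions, and the capability and privilege settings go one step beyond what the comment describes.

```yaml
# Added example: the same Jellyfin service twice, default versus restricted.
# All IDs, paths and the tag placeholder are constructed; substitute your own.
services:
  # Default: no "user" key, so the process runs as root inside the container.
  # Mounting the whole volume read-write means anything that escapes the
  # container can reach every share on the NAS.
  jellyfin-default:
    image: jellyfin/jellyfin:latest
    ports:
      - "8096:8096"
    volumes:
      - /volume1:/data

  # Restricted: runs as a dedicated low-permission account that owns only
  # this container's config and cache folders.
  jellyfin-restricted:
    # Pin a tag you have checked instead of following "latest".
    image: jellyfin/jellyfin:<pinned-tag>
    # UID:GID of the hypothetical "dockerlimited" account, as printed by
    # `id dockerlimited` on the NAS.
    user: "1027:65537"
    ports:
      - "8096:8096"
    volumes:
      # Writable, but owned by dockerlimited and used by nothing else.
      - /volume1/docker/jellyfin/config:/config
      - /volume1/docker/jellyfin/cache:/cache
      # Media is only read, so mount it read-only.
      - /volume1/media:/media:ro
    # Beyond the comment: drop Linux capabilities and block privilege
    # escalation through setuid binaries inside the container.
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
```

For one user per container, repeat the restricted pattern with a different account and only the folders that container needs.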


From scrolling through the proposal comments it sounds like the proposal’s focus on NVIDIA/CUDA is the main thing to cause the angry comments when there are open source options to choose instead. That and the plagiarism from the AI models.


You can run Suricata on pfSense too.


According to https://android.gadgethacks.com/news/chrome-weightsbin-file-what-the-4gb-ai-download-is-and-how-to-delete-it/ the machine needs 4GB of GPU VRAM among other requirements for Chrome to actually download the model.
My work laptop doesn’t have this so it seems I’ve blocked something that wasn’t gonna happen anyways.
Chrome has now successfully updated to the version 148.0.7778.97 that would’ve given me the weights.bin if I was running eligible hardware.
edit: apparently I was wrong. My Intel iGPU counts my system RAM as VRAM. I can’t see that I’ve downloaded the weights.bin though.



Found this older thread on the fedora forums
https://discussion.fedoraproject.org/t/hp-printer-stopped-printing/87174/72
If your friend has no other printer then it might be worthwhile to remove the printer if it exists, then remove ipp-usb and hplip, reboot and finally reinstall the hplip packages from dnf again.
sudo dnf remove ipp-usb
sudo dnf remove hplip
reboot
sudo dnf install hplip hplip-gui
Personally I haven’t had the displeasure of touching an HP printer in a long time, so my tip is based on the thread, not experience.


For Windows 11 the folder to look for is %localappdata%\Google\Chrome\User Data\OptGuideOnDeviceModel\
On my work laptop that folder didn’t exist yet so for fun I created the folder and removed all permissions for everyone to it.
Not sure what’s gonna happen if Google Chrome wants to push the weights.bin file when the NTFS permissions deny it.


Kinda the opposite, NAT Hairpinning allows you to use the external domain and public IP from the inside.
https://docs.opnsense.org/manual/how-tos/nat_reflection.html#reflection-and-hairpin-nat


Look into NAT hairpinning on your router/firewall and see if you can use the external IP. :)


Vegetarians nowadays eat eggs, vegans wear leather and self-hosters do it on someone else’s computer.
I’m old and grumpy and will stick to calling the modern vegetarians lacto-ovo-vegetarians, tell the modern vegans that veganism is a lifestyle not a diet and insist that a VPS on Hetzner is hosted by Hetzner, even if you have to manage and maintain the VM.


Not that my tiny customers have enough of an IT budget to buy their own servers with the recent price hike on memory and SSDs.


The only thing I can think of then is to get your family members to start curating the photos into different albums using the Immich app. That way the sync gets to work and you get the usage statistics of the app up higher allowing the background task to run. If you create some shared albums and ask them to contribute photos to them f.e.
Or simply telling them about your shared album and getting them to check it out using the app.
After checking the German datacenter VPS offerings I realize that Glesys can’t compete.


I wasn’t, no. Seems like it can be useful but I’m probably gonna keep using notepad instead of risking having sensitive data saved in the clipboard history. :)


Have you tried keeping Immich active for the initial large photo backup so that the background task backup only has the newly taken photos to take care of?
I imagine you’ve checked the Immich FAQ already:
https://docs.immich.app/FAQ/#why-is-background-backup-on-ios-not-working
Glesys (Sweden) has some affordable VPS options.
https://glesys.com/products/compute-category-page/kvm-vps/


The Notepad++ update infrastructure is secure now, yeah. Not that I ever did the in-app updates tbh.


I went to Settings > Apps > Advanced app settings > App execution aliases and turned Notepad off so I can start the old one with Win+R “notepad”.
I only use it as a clipboard, my .txt, .log and .csv are all bound to open with Notepad++.


The stream detector addon often makes it easy to grab the media.
https://addons.mozilla.org/en-US/firefox/addon/hls-stream-detector/