Unless you have actual tooling (i.e. RedHat erratas + some service on top of that), just don’t even try.

Stop downloading random shit from dockerhub and github. Pick a distro that has whatever you need packaged, install from the repositories and turn on automatic updates. If you need stuff outside of repos, use first party packages and turn on auto updates. If there aren’t any decent packages, just don’t do it. There is a reason people pay RedHat a shitton of money, and that’s because they deal with much of this bullshit for you.

At home, I simply won’t install anything unless I can enable automatic updates. Nixos solves much of it. Two times a year I need to bump the distro version, bump the nextcloud release, and deal with depreciations, and that’s it.

I also highly recommend turning on automatic periodic reboots, so you actually get new kernels running…

Just going off the marketing here:

Git server with CI/CD, kanban, and packages.

From the looks of it, they also seem to bundle the vscode server and a bunch of other stuff. I’m actually kinda surprised they do it with only 1G of RAM.

Not to be that guy, but 12% of 8G isn’t even close to ”heavy as fuck” for a CI/CD and collaboration suite that seems aimed at enterprise users.

You can also tweak how much memory you’d like the jvm to grab with ’-Xms100m’. Any defaults are most likely aimed at much larger deployments than yours.

But yes, Java is a disease.

You mean ”hardcore WAF challenge”?

If you’ve taken care to properly isolate that service, sure. You know, on a dedicated VM in a DMZ, without access to the rest of your network. Personally, I’d avoid using containers as the only barrier, but your risk acceptance is yours to manage.

Well, I’d just go for a reverse proxy I guess. If you are lazy, just expose it as an ip without any dns. For working DNS, you can just add a public A-record for the local IP of the Pi. For certs, you can’t rely on the default http-method that letsencrypt use, you’ll need to do it via DNS or wildcards or something.

But the thing is, as your traffic is on a VPN, you can fuck up DNS and TLS and Auth all you want without getting pwnd.

Then you expose your service on your local network as well. You can even do fancy stuff to get DNS and certs working if you want to bother. If the SO lives elsewhere, you get to deploy a raspberry to project services into their local network.

I’d recommend setting up a VPN, like tailscale. The internet is an evil place where everyone hates you and a single tiny mistake will mess you up. Remove risk and enjoy the hobby more.

Some people will argue that serving stuff on open ports to the public internet is fine. They are not wrong, but don’t do it until you know, understand and accept the risks.(’normal_distribution_meme.pbm’)

Remember, risk is ’probability’ times ’shitshow’, and other people can, in general, only help you determine the probability.

ROS

Fly you fools!

I’m assuming you use DisplayPort? Try using an HDMI output if possible.

I both agree with you, and kinda disagree.

If you venture into installing Flatpaks on such a system, just keep in mind that:

• Auto updates must be on
• The Maintainer of the Flatpak in question must be expected to provide security updates for the next five years or so. Personally, I’d only use it for packages provided directly by project maintainers (i.e. Dropbox from Dropbox Inc. as packaged by Dropbox Inc.).

Keep in mind, like 95% of normal people (we are not normal) don’t know what a package manager is and only use

• ”The internet”
• Webmail
• Google Docs
• Spotify

For that, we need the default desktop install and the Spotify app (probably a Flatpak). That’s about it. It’s a glorified web browser with batteries. Treat it that way and keep it that way, unless your SO has any specific needs and requirements.

The limited and dated package set is kind of a feature. Only packages that should work until the laptop breaks, and only packages that won’t change randomly when you update (mostly).

Two things I never want to work with and will just pay someone else to deal with whenever possible:

• Email
• Printers

And that’s about it, almost everything else I’m fine doing myself.

I’m gonna be the boring guy.

RedHat Enterprise Linux. (Or Rocky)

Most boring distro ever. Install it, turn on all the auto updates and be happy. Install something to take backups. Ignore any new major-releases, that laptop will die before the OS hits EOL.

Benefits:

• Boring. It’s their tool, not your plaything.
• Actually works
• Will be reasonably secure over time with minimal effort and manual intervention.
• If any commercial Linux software is required, it will most likely only be supported on RHEL or Ubuntu.
• Provides web browser and word-processing. And we don’t need anything else.

Drawbacks:

• Boring (for you)
• Not ideal for gaming

If you install anything else than RHEL-derivatives or possibly Ubuntu on a machine that someone else will use, you are both in for a world of pain. It has to ”just work” without intervention by you, and it needs to keep working that way for the next 5 years.

Source: Professionally deploying and supporting multiuser desktop Linux to a few thousand users other than myself.