[-] thayer@lemmy.ca 5 points 3 months ago

And I would argue that all data should be encrypted now, even the working copy. If you have data that's worth backing up, you probably don't want it in the hands of criminals or weirdos either.

[-] thayer@lemmy.ca 5 points 3 months ago

It's better than no backup at all, but ideally it shouldn't be your only backup. Still, having any backup puts you ahead of the vast majority of computer users. If the data is truly of value to you, consider also keeping a second backup within your custody and away from your home.

I rotate two encrypted hard drives between work and home, performing a backup monthly and taking the newest backup to work before bringing home the previous.

[-] thayer@lemmy.ca 5 points 4 months ago* (last edited 4 months ago)

I can't provide specific advice for tailscale, but I can share my notes for my own use case, which is for PCs that are safely behind the home firewall. You'd want to adjust your ssh/smb settings accordingly. You shouldn't need any rules for ProtonVPN, as you're likely just trying to block incoming connections, not outbound.

It's my understanding that Fedora opens ports 1025-65535/tcp and 1025-65535/udp by default.

To lock down to sane defaults (--permanent saves the settings directly, avoiding the need to run firewall-cmd --runtime-to-permanent separately):

sudo firewall-cmd --permanent --remove-port=1025-65535/tcp
sudo firewall-cmd --permanent --remove-port=1025-65535/udp
sudo firewall-cmd --permanent --add-port=27031/udp  # steam remote play
sudo firewall-cmd --permanent --add-port=27036/udp  # steam remote play
sudo firewall-cmd --permanent --add-port=27036/tcp  # steam remote play
sudo firewall-cmd --permanent --add-port=27037/tcp  # steam remote play

Ensure that ssh and samba-client are listed as allowed services too (sudo firewall-cmd --list-all).

  • Firewalld must be reloaded before rule changes will take effect: firewall-cmd --reload
  • Changes will reset upon reboot unless made persistent by using --permanent or by committing all changes with --runtime-to-permanent

Common commands:

sudo systemctl enable --now firewalld   # enable and start firewalld service
sudo systemctl disable firewalld
sudo systemctl stop firewalld

sudo firewall-cmd --state               # show running state of firewalld
sudo firewall-cmd --get-active-zones    # list active zones
sudo firewall-cmd --get-zones           # list all zones
sudo firewall-cmd --get-default-zone    # list default zone
sudo firewall-cmd --list-ports          # list allowed ports in current zone
sudo firewall-cmd --list-all            # list all settings
sudo firewall-cmd --reload              # reload firewall rules to activate any rule modifications

Add/remove ports, services, IPs:

sudo firewall-cmd --add-port=port-number/port-type      # allow incoming port  (tcp,udp,sctp,dccp)
sudo firewall-cmd --remove-port=port-number/port-type   # block incoming port
sudo firewall-cmd --add-service=<service-name>          # allow incoming service (see /etc/services)
sudo firewall-cmd --remove-service=<service-name>       # block incoming service (see /etc/services)
sudo firewall-cmd --add-source=192.168.1.100       # whitelist incoming IP (or a range, e.g. 192.168.1.0/24)
sudo firewall-cmd --remove-source=192.168.1.100    # remove whitelisted IP or IP range

Block an IP or IP range (rich rules):

sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.100' reject"
sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.0/24' reject"

Whitelist IP for specific port (rich rule):

sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="3306" accept'

Remove a rich rule:

sudo firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="3306" accept'
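
A small audit script to pair with the "sudo firewall-cmd --list-all" check above. This is an added example, not code from thayer's post: it parses the zone summary that firewall-cmd prints, flags any allowed port entry that covers more ports than a threshold (the 1025-65535 range the post describes is the obvious hit), and reports if ssh or samba-client is missing from the allowed services. The sample output embedded below is constructed to resemble a Fedora Workstation zone before the lock-down; the threshold of 100 ports and the required-services list are assumptions you would tune for your own hosts.

```python
"""Audit `firewall-cmd --list-all` output for overly broad port openings.

Added example, not from the original post. Run it against a live host with
`sudo firewall-cmd --list-all | python3 fw_audit.py`; with no piped input it
audits the constructed sample below.
"""
import sys

# Constructed sample shaped like `firewall-cmd --list-all` output on a
# Fedora Workstation host before the lock-down described in the post.
SAMPLE_LIST_ALL = """\
FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlp3s0
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp 27036/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""

VALID_PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}   # port types firewall-cmd accepts
MAX_SPAN = 100                                      # assumed threshold for "too wide"
REQUIRED_SERVICES = ("ssh", "samba-client")         # services the post says to keep


def parse_list_all(text):
    """Map each indented 'key: values' line to a list of its whitespace-separated tokens.

    The un-indented zone header line ('FedoraWorkstation (active)') is skipped.
    """
    fields = {}
    for line in text.splitlines():
        if not line.startswith(" ") or ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        fields[key.strip()] = value.split()
    return fields


def port_span(entry):
    """Number of ports covered by an entry such as '22/tcp' or '1025-65535/udp'.

    Raises ValueError for an unknown protocol or an out-of-bounds port.
    """
    port_part, _, proto = entry.partition("/")
    if proto not in VALID_PROTOCOLS:
        raise ValueError(f"unexpected protocol in {entry!r}")
    lo_text, _, hi_text = port_part.partition("-")
    lo = int(lo_text)
    hi = int(hi_text) if hi_text else lo
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"port range out of bounds in {entry!r}")
    return hi - lo + 1


def is_valid_port_entry(entry):
    """True if firewall-cmd would accept the entry as a port/protocol spec."""
    try:
        port_span(entry)
        return True
    except ValueError:
        return False


def wide_port_ranges(fields, max_span=MAX_SPAN):
    """Allowed port entries whose range covers more than max_span ports."""
    return [p for p in fields.get("ports", []) if port_span(p) > max_span]


def missing_services(fields, required=REQUIRED_SERVICES):
    """Required services that are not in the zone's allowed services."""
    allowed = set(fields.get("services", []))
    return [s for s in required if s not in allowed]


def audit(text, max_span=MAX_SPAN):
    """Return a list of human-readable findings; an empty list means the zone looks sane."""
    fields = parse_list_all(text)
    findings = [f"wide port range allowed: {p} ({port_span(p)} ports)"
                for p in wide_port_ranges(fields, max_span)]
    findings += [f"required service not allowed: {s}" for s in missing_services(fields)]
    return findings


if __name__ == "__main__":
    text = SAMPLE_LIST_ALL if sys.stdin.isatty() else sys.stdin.read()
    for finding in audit(text):
        print(finding)
```

On the sample, the audit reports both 1025-65535 entries and nothing else; after the --remove-port commands from the post and a --reload, re-running it against the live output should come back empty, which is a quicker check than reading the ports line by eye.
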
[-] thayer@lemmy.ca 5 points 4 months ago

Hah, I can absolutely see myself doing this if we didn't keep our "baking" spices and related ingredients in a different cupboard.

[-] thayer@lemmy.ca 5 points 6 months ago* (last edited 6 months ago)

One of these days I'll get around to setting up my own email server, but in the meantime I just take advantage of introductory offers on shared hosting plans. I purchase the 3-year plans and end up paying about $3-4/mo (CAD). When the plan is nearing expiry, I take my data and move on to the next web host. Been doing this for about 28 years now.

[-] thayer@lemmy.ca 5 points 8 months ago

We use markdown notes extensively. Everything is synced to our desktops and mobile devices with Syncthing. Markor editor for Android, and VSCodium/vim on the desktop. Works great for tech notes, medical info, shopping lists, recipes, etc.

[-] thayer@lemmy.ca 5 points 9 months ago

Thanks for sharing these links! I'm glad to see so much consideration being put into a better solution.

[-] thayer@lemmy.ca 5 points 10 months ago

Manual password entry. I feel that any other method offers insufficient security.

For my desktops, this means interactive decryption before the OS loads. For my servers, only the data drives are encrypted, and I decrypt them manually over SSH whenever a reboot is needed (kernel updates, etc.).

[-] thayer@lemmy.ca 5 points 1 year ago

Gmail will work fine, including push notifications, assuming you enable Google Play Services. Using either will of course come at the cost of privacy.

[-] thayer@lemmy.ca 5 points 1 year ago* (last edited 1 year ago)

Are there plans to bump to v0.18.1 at the same time? Only asking as my themes will need to be updated when we do.

[-] thayer@lemmy.ca 5 points 1 year ago* (last edited 1 year ago)

Yet another workaround is to just click the community title. The subscribe button will then appear on refresh (but won't on the usual F5 or Ctrl+R refresh). I haven't had a chance to dig deeper and see what's going on.

[-] thayer@lemmy.ca 5 points 1 year ago

Dig the vibe, and I love that moon stand!

thayer

joined 1 year ago