I'd like to add that you can set up desktop shortcuts pretty easily for Mullvad and TOR browser manual installs. For TOR browser simply run this after opening a terminal in the folder it was extracted to:
Containers within a pod can use localhost to access each other. Containers outside of the pod need to use the pod name to access the containers in the pod.
I looked up when pasta became the default networking backend for rootless and it seems to have been with podman 5.0. I do remember using podman 5.x versions, so I was most likely using pasta.
The reason why I separated each app into their own network was indeed for security. The only container with access to all the networks is the reverse proxy.
Do you actually need to move the admin ui off of port 80/443 if you are just forwarding ports? I don't think you need to. That said I actually don't know much about port forwarding since I use Tailscale because of CGNAT.
My understanding of port forwarding is that you are forwarding connections to your WAN IP/port to a LAN IP/port. Since the router admin ui is available only on LAN by default, you don't need to change its port from 80/443.
You don't need 2 reverse proxies as others have said. What I did is just add a DNS rewrite entry in my adguardhome instance to point my domain.tld to the LAN IP of my reverse proxy.
I remember back when I was a kid, playing these random games with my siblings and friends. I still remember some of those games like feeding frenzy, farm frenzy and big city adventure.
I actually use both in fish. I use aliases for some longer commands. For example I have la as an alias for eza -la --icons=auto --group-directories-first because I don't really want to see it every time I run la. I use abbreviations for some shorter commands. For example systemctl abbreviated to sys and systemctl --user abbreviated to sysu.
I ran a podman quadlet setup as a test some time ago. My setup was a little like this:
Create a pod if the app uses multiple containers
Create a separate network for each app (an app is either a single container or multiple containers grouped in a pod)
Add the reverse proxy container to all networks
I don't expose any ports to the host unless necessary
If you create a new network in podman you can access other containers and pods in the same network with their name, like so: container_name:port or pod_name:port. This functionality is disabled in the default network by default. This works at least in the newer versions last I tried, so I have no idea about older podman versions.
For auto-updates just add this in your .container file under the [Container] section:
[Container]
AutoUpdate=registry
Now there's two main ways you can choose to update:
Enable podman-auto-update.timer to enable periodic updates similar to watchtower
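The quadlet layout described in the comment above can be checked mechanically. The following is an added example, not code from the comment: a small audit over quadlet unit files that flags any container other than the reverse proxy that joins more than one network or publishes a port, any unit left on the default network, and any container without AutoUpdate=registry. The unit names, images and the `proxy.container` file name are constructed placeholders.

```python
# Constructed sample quadlet units (file name -> contents). Unit names and
# images are placeholders, not taken from the comment.
UNITS = {
    "proxy.container": "[Container]\nImage=registry.example/proxy:latest\n"
                       "Network=blog.network\nNetwork=wiki.network\n"
                       "PublishPort=443:443\nAutoUpdate=registry\n",
    "blog.container": "[Container]\nImage=registry.example/blog:latest\n"
                      "Network=blog.network\nAutoUpdate=registry\n",
    "wiki.pod": "[Pod]\nNetwork=wiki.network\n",
    "wiki-app.container": "[Container]\nImage=registry.example/wiki:latest\n"
                          "Pod=wiki.pod\nAutoUpdate=registry\n",
    "wiki-db.container": "[Container]\nImage=registry.example/db:latest\n"
                         "Network=wiki.network\nNetwork=blog.network\n"
                         "PublishPort=5432:5432\n",
}

def parse_unit(text):
    """Return {section: [(key, value), ...]}; keys like Network= may repeat."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif "=" in line and current is not None and line[0] not in "#;":
            key, _, value = line.partition("=")
            current.append((key.strip(), value.strip()))
    return sections

def values(entries, key):
    """All values given for a (possibly repeated) key."""
    return [v for k, v in entries if k == key]

def audit(units, proxy="proxy.container"):
    """Flag units that break the layout: one network per app, only the proxy
    joins several networks or publishes ports, every container auto-updates."""
    findings = []
    for name, text in sorted(units.items()):
        kind = name.rsplit(".", 1)[-1]
        if kind not in ("container", "pod"):
            continue
        entries = parse_unit(text).get(kind.capitalize(), [])
        in_pod = kind == "container" and values(entries, "Pod")  # pod supplies networking
        if not values(entries, "Network") and not in_pod:
            findings.append((name, "default network"))
        if name != proxy and len(values(entries, "Network")) > 1:
            findings.append((name, "multiple networks"))
        if name != proxy and values(entries, "PublishPort"):
            findings.append((name, "publishes port"))
        if kind == "container" and "registry" not in values(entries, "AutoUpdate"):
            findings.append((name, "no AutoUpdate=registry"))
    return findings
```

Calling `audit(UNITS)` reports only the constructed `wiki-db.container`, which breaks three of the rules at once.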
Personally, I always use MusicBrainz Picard to tag any music I download, so it doesn't matter if what I downloaded has incomplete metadata.
If I don't end up finding the correct release for metadata on MusicBrainz, then I just add it to the database myself (there's tools and scripts to make it easier to add digital releases).
I haven't had any issues with the kernel yet. The worst thing that I can remember doing is messing up the systemd boot entry on my Arch Linux install.