While this is a risk, it is only a real risk if the system is already exploited for regular user access. Or if there is an untrustworthy user of the system. So for most, it is not a major concern.

I have determined that foot is best for me personally, like alacritty and a couple others, it is very barebones. No tabs or anything like that without tmux. But it doesn’t rely on GPU acceleration and is just as fast (or faster) than my experience using GPU accelerated terminals. Easy to configure and since it doesn’t have the GPU requirements it works on old hardware like a dream. Only possible issue is that it is wayland only but since that is all I like to use it is perfect.

I find a lot like ghostty and wezterm try to include too many features. All I need a terminal emulator to be is a terminal emulator. But then a lot of these then add tabs, build in multiplexers & more and it is more bloated than I like a simple utility to be. Additionally, I don’t need native tabs as a lot I do in the terminal uses SSH so it is easier just to use tmux/zilji and not have to manage it as much.

What does your compose file for CODE look like? It took me a while to get those environment variables set so it would work correctly.

Yes Yes I did, sorry! Collabora CODE server configuration in Caddy.

office.DOMAIN {
        @collabora {
                path /browser
                path /browser/*
                path /hosting/discovery
                path /hosting/capabilities
                path /loleaflet/*
                path /lool/*
                path /cool/*
        }
        @local-ip {
                remote_ip private_ranges
        }
        reverse_proxy @collabora https://nextcloud-office:9980/ {
                transport http {
                        tls_insecure_skip_verify
                }
        }
        reverse_proxy @local-ip nextcloud-office:9980 {
                transport http {
                        tls_insecure_skip_verify
                }
        }
}

Nextcloud section, may look different from yours I use the FPM image but it should be similar, enough. There are also some limitations on the urls based on local vs public access but that is an attempt at hardening rather than necessary configurations.

nextcloud.DOMAIN {
        root * /var/www/html

        file_server

        php_fastcgi nextcloud:9000

        header {
                Strict-Transport-Security max-age=31536000;
        }

        @phpFiles {
                path_regexp phpfile ^/(remote|public|cron|core/ajax/update|status|ocs/v1|ocs/v2)\.php
        }

        rewrite @phpFiles {http.regexp.phpfile.0}

        redir /.well-known/carddav /remote.php/dav 301
        redir /.well-known/caldav /remote.php/dav 301

        @local-ip {
                not remote_ip private_ranges
                path /settings/admin
                path /settings/admin/*
                path /settings/users
                path /settings/users/*
                path /settings/apps
                path /settings/apps/*
        }
        #respond @local-ip 404

        @forbidden {
                path /.htaccess
                path /data/*
                path /config/*
                path /db_structure
                path /.xml
                path /README
                path /3rdparty/*
                path /lib/*
                path /templates/*
                path /occ
                path /console.php
        }
        respond @forbidden 404
}

Then in nextcloud you just point it to the CODE server domain above & you even have tls securing the communication layer.

deleted by creator

I have! But I don’t have time to post it now. I’ll try to send an update in the morning.

Wireguard could be helpful if you used a SSL terminating proxy in front of it but then you have to know the data format to parse it. So unless you are a researcher it is a long path ahead of you without any OOTB tools to do it for you.

Most cookies don’t store any data themselves. Instead it is a session/device token that tells googles servers what device is connecting and then they look up the data they have about you server side. Cookies can store more than that situationally but that is the most common use.

To get what data Google has on you check out Google takeout and you can get a “full” export of what data has been gathered.

As someone in a similar environment, there are others who care. It just isn’t worth the risk to my job & professional relationships to talk about. Most people who don’t care I won’t sway anyways and anyone who does care doesn’t need to talk to me. So, for the betterment of my family, I stay quiet at work. Outside of work though I’ll talk to my friends & anyone who will listen about the risks of the current regime.

It is the largest reason. Storing the password is one thing but to make the device reasonable to use I would likely store the key’s in TPM with a backup key. I don’t think she would be technical enough to use the backup keys were something additional to happen.

BioMyth

I understand that giving the keys can partially solve the access problem. But she would still possibly be unable to use the device. Additionally, I don’t know that she would be capable of using the keys without additional assistance and we don’t have other techies in our community who could step up in that capacity.

I don’t for a pretty simple reason. I have a wife, if something ever happened to me then she could end up a creek without a paddle. So by not having it encrypted then, anyone kinda technical can just pull data off the drive.

In the sand

Also apparently cron works in termux, so it could all probably be scripted there.

I think you could get something working using termux to install and run ffmpeg on your phone. Then using an automation app, e.g. if this then that, you could run a script in termux to re-encode the files. And automate it at night while charging.

Glofiber is great! I’ve used them for a few years now and they have been really reliable & easy to work with. If you do any self-hosting they do have double NAT but after a quick call to support I was able to get a public ip without any cost.

Holy cow, didn’t realize just how bad Microsoft is getting. That behavior is unjustifiable especially considering this is just for wallpapers.

OpenSUSE tumbleweed is a good compromise IMO. it is also a rolling release distro with built in snapshotting. So if anything does go wrong it takes ~5 mins to roll back to the last good snapshot. You can set the same thing up on arch but it isn’t ootb and YAST is a great management tool as well.