and if everyone who asks that question has that mindset then we end up with no answers longterm.

its annoying to scroll through 15 threads asking the same thing looking for an answer, but its infinitely worse to find no threads related to what you’re trying to do.

I will push back on this a bit because Debian is great, but point release distros like Debian that focus on stability can be incredibly behind on important updates that include features users will want. I personally recommend Fedora to start because imo it’s the best of both worlds for new penguins and greybeards alike.

W answer (although im considering moving to neovim due to vim using AI code)

I do this for my containers. I have a completely domain-managed network, so my docker/podman host mounts an NFS share that contains all the data volumes for my services. Each one only has read permissions for the service account that runs it (and has nogroup). Each OCI container mounts their data volume(s) from their respective directory as well as a kerberos user TGT and credentials cache. Each OCI container runs as the service account, which uses the kerberized credentials to access the mounted data volumes (this is necessary), and thus I acheive separation. Even if a threat actor were to compromiee a service they would still be locked down to that service account and only able to access/modify the data of this service. This is still be very bad for services like keycloak, but for other trivial services it almost guarantees more than adequate segregation. This does fall apart a little bit with the recent copyfail and dirtyfrag exploits which allow for easy privilege escalation, but I don’t allow root squash so the data volumes on the NFS share are still service_account:nogroup even when accessing as root. Now an attacler could go through and use the KRBTGTs that are stored for each service account to access the data, but at that point I am dealing with a dedicated threat actor. Defending against someone explicitly seeking to compromise me is a different situation altogether, and still requires initial access through a vulnerable application that is sitting behind an SSL termination proxy and an NGFW with IPS capabilities.

It seems they literally meant what commands are your favorite. Bash is a shell but it is just as much a command (bash -c 'wall poop'), and ssh and man are some of the most widely used commands on linux (if you end up working with LXC containers many of them do not come with manpages preinstalled. I highly recommend installing them if you’re going to spend any of amount of time on thr LXC)

+1 to cockpit. My entire network is domain managed and cockpit makes managing everything so much easier

Tell me then why it took years for them to add a horizontal rule (literally just a horizontal line). I’m not kidding, it was only added in the last few weeks. How do I know? I commented on the github issue about like 3 or 4 years ago (the issue was already multiple years old) and have been getting notifications every time someone asks for it. And finally like a week or two ago I finally got the notification that it was added.

Debian had corporate funding, even if they those corporations don’t have any ibfluence. It being one of the oldest and mostly widely used Linux distributions means that by the virtue of it being an enterprise-level system it is somewhat more corporate. Debian can neatly fit into most corporate and enterprise systems and probably is somewhere in almost everyone’s stack. That’s not bad and doesn’t make it a corpo distro, but it definitely is more “corporate” than something like Arch which it is rightfully juxtaposed against

It’s not that difficult to get SELinux working with podman quadlets, especially if you run things rootless. I have a kerberized service account for each application I host and my quadlets are configured to run under those. I very rarely encounter applications that simoky can’t be run rootless but I usually can find an adequate alternative. I think right now the only thing that runs as root is one of the talk or collabora containers in my nextcloud stack. No selinux issues either.

Ladybird is on the horizon.

Also Firefox isn’t built from the ground up I don’t believe. It’s based on Gecko which iirc was based on KHTML. idk i can’t fully remember don’t take this as fact. i use firefox and prefer it to chomium based browsers but Mozilla has been making really weird moves lately around AI that I think is very unnecessary.

at least the positioning is being discussed in a wayland protocol, but its been heavily delayed due to wayland bureaucracy.

This is gonna take time but eventually we’ll see adequate replacements for smaller WMs like awesome. Especially because awesome is based on dwm, im hoping that as dwl (the wayland version of dwm) matures we’ll see projects like awesomewl come about.

are you using an nvidia gpu?

Large Wayland projects like KDE and Gnome that are considered member projects of Wayland had the ability to NACK new wayland protocols and proposals. This has historically been abused by a lot of a different projects, in many instamces Gnome because they didn’t want to implement things. A lot of wayland proposals were unnecessarily delayed because of this. The bylaws of how wayland projects are allowed to NACK things has since changed to make it so a single project cannot needlessly block protocols but this was only implemented in the past few years iirc so for a long time this happened. Thats a massive contributor to why wayland development takes so long.

i will say that wayland has solved a lot of multimonitor issues, although most games where i have monitor issues in my dual monitor setup can be fixed by ensuring the monitor i want to play on is at 0,0 on the layout. sone fames are weird about that

Thank you, it’s a lot of work and I could get by with a lot less but I’d like to essentially have enterprise level everything for me to just fuck around with and provide to friends as i see fit. It’s a bit if a hodgepodge of well implemented stuff stuck together with duct tape and bubblegum but im refining it slowly all the time.

I fr hate using AI to troubleshoot because I can feel how it makes me lazy, but sometimes using AI is better than banging my head against a wall for 10 hours. And usually i stop once I find a productive line of research or investigation to follow.

For local DNS i run FreeIPA since everything in my network is domain controlled. I’m gonna look into adding filtering through that, but we’ll have to see how it goes.

Theres so much I end up handling manually with my UDM that at this point i might rather just install open source routing software on it atp. I don’t even use the web UI for wireguard because I can’t even specify the allowed IPs for a connection.

I just turned off ad blocking. I can set up network wide filtering without relying on proprietary incompetence.