AMD published a list with the mitigation on Sinkclose on all their processor ranges, and the ComboPI version that will have a patch:

Security bulletin 7014

Use of hardware enablement package kernel might help here? It is called linux-generic-hwe or something like that. It will install a much newer kernel with more support for newer hardware.

You can easily selfhost Seafile and make a ‘dropbox’ like system with as many users you like, and as large a storage you can handle / afford. Although there is an enterprise version, the community edition provides with many features to make it really a great service. It is mighty fast, and has native clients for many different platforms, in addition to using the Seafile website to acces, upload and download files.

I never hosted Nextcloud, but from what I read, it is a beast with way too many features to fit my use case. Seafile is doing one thing very well.

Ah, that is a good point. I am using 6.5.0 kernel atm, as part of the HWE (hardware enablement) package, which supports QuckSync / hardware encoding of my 12th gen intel processor. I did a quick search, but did not find HWE for Debian is that correct?

Yes, I am running unattended-upgrades, and basically my current server is running 24/7 just fine! It is indeed like set and forget already. More reason to move to Debian!

It seems to be the most logical move to go from Ubuntu to Debian indeed. As I understand it maintains the core Linux system as I have it now (systemd / apt / stable kernel) while truly community driven. I have to look into transitioning into the latest stable Debian release.

interesting! So I should be able to throw my docker-compose yamls directly at Podman and be good to go?

just curious; why would you like to use podman over docker? I have a lot of docker containers running, wondering if I should switch to podman.

If you are just looking for a way to SSH into your machines from outside your network, you can setup a more recent VPN or Wireguard yourself. If you have a Raspberry Pi lying around, using PIVPN makes things super easy. You can have both OpenVPN as well as Wireguard running if you want, using the same script. If that is the only thing you like to do, then there is no need to reverse proxy your servers and expose them. Just having a VPN or Wireguard connection should be enough to access your servers when outside of your network. It is recommended to have a fixed IP btw, to find your VPN/Wireguard server easily.

Also, you can leave all your servers locally (and not exposing them) when you can reliably setup a VPN/Wireguard connection. That is the most secure I guess.

This also looks similar to Tailscale (https://tailscale.com/). I have not used this but saw it popping up in youtube recently.

Hosting an email server is pretty sure a magnet for half the Chinese IP range… So I would refrain from hosting that myself.

Not sure if it answers your question, but I use Portainer to check the different docker containers I am running. It does not allow me to check the ‘docker-runtime’ logs themselves though, only the logfiles of each of the running containers. It also allows easy term connection if you want, although I usually do that directly form the terminal itself.