Is there a specific reason you’re looking at shadowsocks? The original developer has been MIA for years. People who used it in the past largely consider it insecure for its original stated purpose
trojan-gfw is a better modern replacement. However that requires a certificate in order to work. You can easily get one via lets encrypt.
At this point, let Shadowsocks, obfs, and kcp die a graceful death like GoAgent before it did.
Another thing you can look into is apptainer/singularity. Basically portable container binaries. Executing the binary automatically runs a program/drops you into a shell inside the container with your $HOME mounted inside. Stuff like cuda also work as long as your host system has appropriate drivers.
You can also port docker containers to apptainer directly via cli.
Just in time to move to IPv6!
What someone does with their 16,777,215 private IPv4 addresses is none of our business…
Now just connect all of that with dumb L2 switches and watch those broadcasts fly!
Can’t comment much about the docker side since it’s not something I’m familiar with.
For the kernel part, assuming what you’re referring to as UUIDs is the pid namespace mechanism, I’m failing to see how that would add overhead with containers. The namespace lookups/permission checks are performed regardless of whether the process is in a container or not. There is no fast path for non-containerized processes. The worst overhead that this could add is probably one extra ptr chase in the namespace linked list.
Make sure to test your setup if you are using DAV. Large files can fail if your nextcloud setup is done incorrectly.
Source: idiot who misconfigured PHP that resulted in a DAV client stuck in a retry loop, then getting banned by my own firewall for DoS.
Isn’t the whole point of these things the “bloated” (CI/CD, issue tracker, merge requests, mirroring, etc) part? Otherwise we’d all be using bare git repos over ssh (which works great btw!)
It’s like complaining about IDE bloat while not using a text editor. Or complaining there’s too many knives in a knife set instead of buying just the chef knife.
CrowdSec has completely replaced fail2ban for me. It’s a bit harder to setup but it’s way more flexible with bans/statistics/etc. Also uses less ram.
It’s also fun to watch the ban counter go up for things that I would never think about configuring on fail2ban, such as nginx CVEs.
Edit: fixed url. Oops!
Also if the router blocks icmp for some reason you can always manually send an ARP request and check the response latency.