So Tailscale has this whole series about hosting services on one's Tailnet using Docker. Their approach is to run Tailscale in Docker and have the services' containers share its namespace by setting network_mode: service:<tailscale_service_name>.

I am trying to understand why this is better than just binding the service's port to the Tailscale IP of the host device, given that option is not even mentioned in any of their blog posts.

The only advantage I can think of is that you get to have different Tailscale rules/configurations for different services. In my case, this is not an advantage because I will run Tailscale on the host anyway and I won't have different configurations for each service.

Can anyone help me understand?

https://tailscale.com/kb/1282/docker

I have a WebDav server that contains some movies and shows. I use Infuse on Apple stuff and NOVA Video Player on Android to watch these. The directory is not organized, file names aren't manually adjusted, and the movies and shows are mixed together. Yet, both of these programs are able to index recursively, get metadata, create a library and let me watch my media without issues.

Kodi, on the other hand, seems to be unable to index nested directories, requires you to tell it what type of media is in the individual directories and cannot identify anything correctly unless I go and manually rename directories/files. It also is exclusive for TV usage and not very suitable for desktop.

So, are there alternative programs to Kodi, ideally better suited to desktop usage or extensions I can install to make it work properly?

I've looked through Obtainium source code a while back and there seems to be no hash verification whatsoever. Looks too susceptible to supply chain attacks to me.

I don't like that Aurora Store sends a list of installed applications to Google and the only way to stop it is to blacklist.

Is there an option that combines multiple sources together like Obtainium but contains automatic hash verification for added security (I am aware updates are protected by Android)? Something I can use to download non-FOSS apps from a mirror but make sure it's the APK from the Play Store?

I noticed Debian does this by default and Arch wiki recommends is citing improved security and upstream.

I don't get why that's more secure. Is this assuming torrents might be infected and aims to limit what a virus may access to the dedicated user's home directory (/var/lib/transmission-daemon on Debian)?

I'm seeing thepiratebay org is discouraged because it has lots of viruses due to lack of moderation. I was wondering how could an mp4 or an mkv etc. could be harmful? Are people talking about executable stuff?

I'm looking into self-hosting a SearXNG instance for my own use. One thing I don't get is how the results are aggregated if I'm using a local instance. Is it just going to all the configured search engines and making requests? If that's the case, what's the benefit of using SearXNG instead of just going to that search engine myself from a privacy perspective?

There was a cover of Hollywood's Bleeding by VUKOVI as an Amazon Original. For some reason, it's been removed from Amazon. I've been looking for some other way to listen to it but the only thing I can find is their Tweet announcing the song a while back. Nothing about why the song is removed. Given this wasn't a popular song, I also can't find any torrents or anything. Where should I look?

I have recently realized that I will occasionally hear notification sounds from applications that I had previously opened but no longer has any active tabs (email client, discord, etc.). I'm assuming this means they are allowed to keep some sort of connection in the background until I close all Firefox windows. Is this a bug or a "feature"? How do I turn it off? I don't want any application running at any capacity except when I have tab(s) open for them.

Solution:

Hm, Discord didn't have anything registered there. After some digging, I found about:debugging#workers which does list Discord stuff under "Other Workers". It's unsettling to see there's no way to force confirmation and/or disable these stuff. I use Discord when I have to every once in a while. I don't want their code running all the time in my browser..

edit: you can disable service workers with dom.serviceWorkers.enabled = false but this has no effect on Other Workers.

edit2: uBlock can disable Other Workers by setting the filter ||$csp=worker-src 'none' in My Filters and enabling Suspend network activity until all filter lists are loaded in Filter lists. It funny how this "trick" is written for Chromium-based browsers with the note that Firefox allows global disabling of service workers when the sites can just register a different type of worker with no way of disabling them. I am sure the api is less powerful than service workers bla bla bla, let me decide what runs on my browser without needing third party tools, please.

If I globally disable filesystem access to home (i.e. filesystems=!home;), and an app declared that it needs home/some-dir, do I need to explicitly prevent access or do my global settings take precedence?

I am on a shared network. I'd like to self host services and access them from all my devices but I do not want these exposed to other people in my network. I've noticed that I can just change the port mapping in Docker to <Tailscale IP>:<port>:<port> from <port>:<port> and it just works. Works as in the service is accessible from my Tailnet, inaccessible from the local network or the internet. Is it really this easy or am I missing something? Just sounds too good to be true so I am suspicious it might somehow be insecure.