Joe

struts in his fancy pants

Be careful of dualstack and IPv4-only VPNs. The client can discover and advertise the real IPv6 address, even if adequately firewalled. I’m not sure if gluetun addresses this risk.

edit: this should be considered a risk even if you don’t have IPv6 support today, as this could be enabled by your ISP in the future, then automatically enabled on your network by your router.

Additional SPoFs: Your upstream internet connection, your modem/router, electricity supply, your home (not burning, flooded, collapsed, etc.). And you.

You have an opportunity. Give him a pre-installed Linux and a terminal, along with a page of commands that he can run to do neat things… including starting the GUI to watch his favourite (ideally pre-downloaded) videos, running some demos, etc.

Don’t make it too easy, but not too hard (2 you said? Can type a few characters though…)… Add to it over the years, unlocking the power, and guiding him to discover more by himself.

Kids won’t become tech savvy if we hand everything to them on a silver platter, with touch screens, controllers, and flashy games. It can be bland and boring, until they do something.

It might just be the most life changing gift they ever receive.

That was IRIX (SGI’s UNIX) with the “fsn” file browser, if the Internet is to be believed.

Some Competitive Multiplayer games that generally “just work” and perform well under Linux/Proton: Insurgency Sandstorm, Hunt Showdown, Hell Let Loose, Dead by Daylight, Battlebit

An apparmor profile is associated with an executable, based on its filesystem path. I think distributions tend to support either SELinux or Apparmor, but some (like Arch) support both.

Apparmor profiles are easier to reason about than SELinux, I find.

I have two apparmor profiles targeting shell scripts, which can run other programs. One is “audit” (permissive with logging) and the other is “safe” (enforcing).

The safe profile still has a lot of read access, but not to any directories or files with secrets or private data. Write access is only to the paths and files it needs, and I regularly extend it.

For a specific program that should have very restricted network access, I have some iptables (& ip6tables) rules that only apply to a particular gid, and I have a setgid wrapper script.

Note: This is all better than nothing, but proper segregation would be better. Running things on separate PCs, VMs or even unpriviliged containers.

Ha, mia samideano! Tre bon’!

25 or so years ago, I learnt Esperanto (my first second language) by chatting on the Internet. I’d have two windows open - one with the IRC client, and the other with a terminal and a shell script that would grep a txt file with consistent formatting. “esp esperantoVerbPrefix/” or “esp noun,” or “esp affix-” would typically return the correct result in a split second. Thanks to the simple grammar (that I had quickly memorized), I could hold conversations in near real time as a result.

I wish I could have learnt my other languages as easily.

</story time>

Anki ?

NFSv3 (udp, stateless) was always as reliable as the network infra under Linux, I found. NFSv4 made things a bit more complicated.

You don’t want any NAT / stateful connection tracking in the network path (anything that could hiccup and forget), and wired connections only for permanent storage mounts, of course.

How will running a CA limit access? eg. Do you want to do client side cert validation? That sounds like an overcomplication. Also not ideal to run a CA (have signing keys) on the proxy server.

I don’t know about these days, but I remember making a custom layout for Windows back in 2005 that was US Qwerty keyboard plus AltGR+auose for äüö߀ (German umlauts and euro symbol).

I forget how I did it, as I haven’t used Windows for serious work in years.

Deemix is a good way to build up your local cache from Deezer, at which point you can serve it locally.

It will mess with artist renumeration though (which seems important to you), so you might want to find another way to compensate your favourite artists.

Welcome to the world of Carrier Grade NAT. 100.64.0.0/10 is reserved for this.

If you are lucky, you also have an IPv6 address. The catch is you need IPv6 on the client-side too.

A VPS or similar running wireguard and a proxy might bridge the gap.

It might also be possible to ask your provider for some port forwarding. Probably not, but check anyway.

Good luck!