I think in the context of containers you're right, there's a level of isolation and secrets are probably fine. But I think under other contexts that lack that isolation (e.g. bare-metal processes, local dev tooling) there are extra concerns.
(inb4: container env-vars are isolated from other containers, not from processes on the host system)
Nobody thought an RPI cluster would ever be competitive, and Geerling never expected anybody would. But it's fun to play "what if" and then make the thing just to see how it stacks up and that's his job. Any implication or suggestion of this being a good idea is just part of the story telling.
How do you expose the service for your SO when away from home? Do you use tailscale/cloudflare tunnel/vpn? public port on your router? I've been trying tailscale for myself, but there's a hair more friction than my SO would accept.
Not op, I use cloudflare tunnel. The Immich mobile app supports "local" and "external" connection settings, so it can connect to the Immich instance directly when on home wifi, and use the tunnel when out and about.
I use Tailscale for this, always connected and Immich pointing at the TS IP. I haven’t yet made the jump to full syncing, so I have a manually curated library of photos that I access anywhere but I am planning on starting to test this feature soon (I take a lot of junk throwaway photos with the phone and don’t want to sync everything). I’ll have to see how it best works for me.
But Immich is a great app, minimal to no fuss setting it up in a container on my NAS. My only potentially unfounded concern is when I upgrade the images. They changed the different component containers images over time, sometime with breaking changes. So I always half expect that an upgrade will screw up the setup and I’ll have to start from scratch with the indexing.
Not OP, Tailscale is easiest, quickest, and free up to 100 devices as of today. It also has a feature to provide a public URL if needed, or can be run with Cloudflare Tunnel at the same time.
As other's have already mentioned, currently I am using Tailscale. But I plan to somewhere in the future change that to something a bit more controlled by myself. Like a self hosted Wireguard VPN on some VPS.
I was also thinking about just reverse proxying my local instance to some public domain. But currently do not trust immich to be safe enough to allow for public exposure.
Maybe, although there are services that will accept your mail and then scan/email it to you. But I believe OP has stated that they live in Germany full-time.
As someone who has a few bank accounts in different countries of which I'm not a resident of, and also a user of the services you mention, its next to impossible to use them for banking purposes.
In US, for example, their addresses are classified as Commercial Mail Receiving Agencies, and have a "Commercial" address designator. USPS has an API for that. If you get a bank to accept this address somehow, then the next trouble comes - they're gonna ask for utility bill for address verification and you can't have any utility bills for it.
A bit off-topic, but in a shell pipeline like that, if you put your pipe chars at the end of the line you don't need backslashes and you can comment out bits of the pipe for devving.
This little change was mind-blowing for me so I always try to share when I can :)
> You should be rejecting the PR because the fix was insufficient
I mean they probly could've articulated it your way, but I think that's basically what they did... they point out the insufficient "fix" later, but the root cause of the "fix" was blind trust in AI output, so that's the part of the story they lead with.
Not that weird. Idle desktop isolates the effects of the change to get a worst case scenario. Would be interesting to see a light activity test too though - see if you still get a noticeable difference.
(inb4: container env-vars are isolated from other containers, not from processes on the host system)