phx

joined 1 year ago
[–] phx@lemmy.ca 7 points 8 months ago (1 children)

Yeah but if the primary maintainers are in the US it'll take a bit before a new group can really work on it in a productive manner

[–] phx@lemmy.ca 7 points 9 months ago

It depends on where the encryption data is stored. If the bootloader and bios/efi are locked down and the data to unlock is stored in an encrypted enclave or one is using a TPM (and not an external chip one that can be sniffed with a pi), that's a reasonable protection for the OS even if somebody gains physical access.

You could also store the password in the EFI, or on a USB stick etc. It doesn't help you much against longer-term physical access but it can help if somebody just grabs the drive. It's also useful to protect the drive if it's being disposed of as the crypto is tied to other hardware.

Even just encrypting the main OS with the keys in the boot/initrd has benefit, as ensuring that part is well-wiped makes asset disposal safe(r). Some motherboards have an on-board SDCard or USB slot which you can use for the boot partition. It means I don't have to take a drill to my drives before I dispose of them.

[–] phx@lemmy.ca 1 points 9 months ago

Not too many users, but an ever changing variety of devices and services :-)

[–] phx@lemmy.ca -1 points 9 months ago* (last edited 9 months ago)

Update: Based on some other sources, it sounds like giving another shot at FreeIPA might be worth investigating. It's still got Samba etc and the last time I tried it things weren't more RedHat exactly friendly to my favored flavor (Debian) but it sounds like it might be better supported now

Update #2

OMFG it's years after I tried and FreeIPA on Debian is even more of a pain. Docker container issues galore, and it basically won't start without adding a bunch of options that reduce the container security to a smoldering ruin

[–] phx@lemmy.ca 1 points 9 months ago (2 children)

I haven't played with tailscale, and most of my wireguard shenanigans have involved connecting to others' systems. Wouldn't those mostly control the network-level access but not the account-level access (centralized account/UID/gid and remote permissions) part?

[–] phx@lemmy.ca 2 points 9 months ago* (last edited 9 months ago) (1 children)

I do actually have a NextCloud instance, which I primarily use for editing Documents (via Collabora) or syncing backups of folders like Pictures etc from the phone.

SMB/Samba by itself for just sharing folders I've had little issue with. Samba as a domain controller with domain-joined clients tied to domain logins is a more complicated beast and - in my experience - prone to breakage (expired tokens, certificate lifetimes, DNS integration, upgrade issues, etc) BUT it can provide a fairly complete package end-to-end when it works. I just feel that there should be a more Linux-centric/friendly and less bloaty solution that still offers decent account-level security.

When you ask "only on LAN" the answer is yes with the caveat that I do also work through VPN, but that's often functionally the same thing save that the VPN login occurs after the user-login

[–] phx@lemmy.ca 5 points 9 months ago

Yeah that was what I said.

[–] phx@lemmy.ca 3 points 9 months ago (3 children)

The upside over Snaps is that they're not so controlled by a central source

I'd say they still share a couple downsides: a) use a lot of them and stuff is gonna get bloaty vs native packages

b) updating a library etc for security on your system can still leave you with vulnerable apps where the packages aren't updated

[–] phx@lemmy.ca 2 points 9 months ago (1 children)

RustDesk is pretty simple and has a fairly friendly interface. I'm hoping they bring back the play store installer though since getting relatives to install from an APK wouldn't be much fun

[–] phx@lemmy.ca 1 points 9 months ago

I tried that one as well recently. It seems decent but the Android client is a tad broken (crashes on screen share).

[–] phx@lemmy.ca 40 points 9 months ago* (last edited 9 months ago) (1 children)

Yeah, but it's often in the form of a YouTube video with narration that's not always so easy to understand. I miss written tutorials, but most of the good ones I find these days tend to come from Central/Eastern European forum posts.

[–] phx@lemmy.ca 2 points 9 months ago

I'm not sure about Amazon, but in the old eBay days stuffing the price of shipping versus the price of the item was a way sellers avoided percentage-based fees based on the item price.
