The DMA doesn’t seem to have ever been about consumer choice, it’s about the choice of other competitors to have access to Apple’s customers without having to play by Apple’s rules. Just look at who was pushing for sideloading on iOS, I mostly saw Meta and Epic Games at the forefront. Why should Apple compromise my device’s integrity so that Meta can spy on me? I have no good answer to that.
My recommendation would be to utilize LVM. Set up a PV on the new drive and create an LV filling the drive (wit an FS), then move all the data off of one drive onto this new drive, reformat the first old drive as a second PV in the volume group, and expand the size of the LV. Repeat the process for the second old drive. Then, instead of extending the LV, set the parity option on the LV to 1. You can add further disks, increasing the LV size or adding parity or mirroring in the future, as needed. This also gives you the advantage that you can (once you have some free space) create another LV that has different mirroring or parity requirements.
I use the first option, but with the addition of using an LVM snapshot to guarantee that the database (or anything else in the backup) isn’t changed while taking the backup.
I see an option to allow time sensitive notifications for apps not in my list of allowed apps, it shows up once the “allow notifications from” option is selected. I have no idea if it actually works though, as I’ve never used it.
For no 1, that shouldn’t be dind, the container would be controlling the host docker, wouldn’t it?
If so, keep in mind that this is the same as giving root SSH access to the host machine.
As far as security goes, anything that allows GitHub to cause your server to download (pull) and use a set of arbitrary of Docker images with arbitrary configuration is remote code execution. It doesn’t really matter what you to secure access to the machine, if someone compromises your GitHub account.
I would probably set up SSH with a key dedicated to GitHub, specifically for deploying. If SSH is configured to only allow keys for access, it’s not much of a security risk to open it up to the internet. I would then configure that key to only be able to run a single command, which I would make a very simple bash script which runs
git fetch, and thengit verify-commit origin/main(or whatever branch you deploy), befor checking out the latest commit on that branch.You can sign commits fairly easily using SSH keys now, which combined with the above allows you to store your data on GitHub without having to trust them to have RCE on your host.