On mobile I indeed also had that issue once. However I made sure they can’t lock me out completely. The db is stored using the opensource sqlcipher, so one can open it and extract everything manually, if absolutely necessary. As long as they don’t change this, I am fine. In the worst case that would still be a lot of effort for me, but not impossible.

The export has also improved a lot. You can now also export to JSON which includes all the data one could need.

If you don’t have a hard requirement of it being fully (!) OpenSource, then I would recommend Enpass. Relatively pleasing UI that runs native on Win, Mac, Linux, Android and iOS. It has browser plugins for Chrome and Firefox that talk directly to the running fat client (so no multiple authentication with different browsers necessary).

The password db is completely local, but it offeres several sync mechanisms like WebDAV or Dropbox or also iCloud; basically whatever can store files. If it’s a NAS in your home, it simply will sync once you are back home.

It also offers “WiFi Sync”, in which case you designate one machine running Enpass as the server and link other clients to it, then you don’t even need to run a separate hosting for it (but that machine needs to be on and running Enpass when you want to sync, obviously).

It’s basically a less open but much more convenient and beautiful KeePass(XC).

No, since at the moment it wants to manage certificates, but I don’t intend to run pangolin as my main reverse proxy.

Pangolin is the most user friendly self hosted alternative to Cloudflare tunnels. There are dozens alternatives, but none with that feature set and such a UI.

Use Stalwart as mailserver. Besides coming with sane defaults, it allows to put hooks into almost every mail stage. Those hooks can be sieve scripts, local binaries or http calls.

I talk fully about software. Add appropriate nftable rules to the container network and that’s it.

Well, a big advantage of containers is, that you can isolate them pretty aggressively. So if you run a container that is supposed to serve content on a single HTTP port, expose only that port, mount no unnecessary volumes and run it on a network that blocks all outgoing traffic. Ideally the only thing left will be incoming traffic on the one port the service is supposed to serve.

Half off-topic, sorry: if you have some spare time on the weekend, you might want to take a look at nftables. AFAIK iptables is also just using nftables under the hood, so you are basically using a deprecated technology.

nftables is so much nicer to work with. In the end I have my custom rules (which are much saner to define than in iptables) in /etc/nftables.conf, then I have a very simple systemd unit:

[Unit]
Description=Restore nftables firewall rules
Before=network-pre.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/nft -f /etc/nftables.conf
ExecStop=/usr/sbin/nft flush table inet filter
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

and finally if I push updates via ansible I simply replace the file and run nft -f /etc/nftables.conf (via ansible; on-change event).

Edit: oh and as an example how the actual rules file looks like:

#!/usr/bin/nft -f

add table inet filter
flush table inet filter

table inet filter {
  chain input {
    type filter hook input priority 0;

    # allow established/related connections
    ct state {established, related} accept

    # early drop of invalid connections
    ct state invalid drop

    # allow from loopback
    iifname lo accept

    # allow icmp
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept

    # core services
    tcp dport {80, 443} accept comment "allow http(s)"
    udp dport 443 accept comment "allow http3"

    # everything else
    reject with icmpx type port-unreachable
  }

}

and with that I have my ipv4+6 firewall that allows pings and http