This is a consequence of user namespaces, which tripped me up until I read this article from Red Hat about running rootless containers as a non-root user. At that point I got that (the default options) map UID 0 in the container to my UID (i.e. 1000), but the other mappings were confusing.

The short version of the useful part (for me) of that article was podman unshare (man podman-unshare), which launches a shell in a user namespace, like when you start a container. You can run the following command to see how the UIDs are mapped inside of the namespace:

$ podman unshare cat /proc/self/uid_map
         0       1000          1
         1     100000      65536

This is read (for this purpose, see man user_namespaces for a more detailed explanation of this) as “inside this namespace, the UIDs in column 1 map to the UID in column 2 on the caller process, for (column 3) IDs”. There is also gid_map which works the same way, but for groups.

The snippet above is from my machine, so in a podman container, UID 0 maps to UID 1000 on the “host”, which is me, and this is “good” for only 1 user. Then, starting with UID 1, the container maps to UID 100000 in the container, and is good for 65536 UIDs. This is why when you set the PUID and GUID environment variables, on your filesystem you see the files are owned by 100999:100999 - you can use the mapping to figure the math out: 100000+1000-1=100999.

Since podman unshare puts you in a shell that has the same (? terminology might not be totally right here) user namesapce as your containers, you can use it for lots of stuff – like in your comment you mentioned using chown to change the permissions to 100999:100999. Instead, you could have used podman unshare chown 1000:1000 which have correctly set the permissions for your volume mount, and on your filesystem outside the container, the permissions would be 100999:100999.

Maybe take a look into Cloudflare Tunnels, which sounds like will do what you want (maybe not VPN though).

The short version is you run a daemon on your local network that Cloudflare talks to. So, outside requests only see Cloudflare, and communication from your network only goes to Cloudflare. Your IP is not exposed to consumers. This is free! Though you are not supposed to send video/pictures though the tunnel and have them cache it without using one of their (paid) services, but it’s simple to disable caching for a host. I do use their DNS, though I cannot recall if that’s a requirement for Tunnels, though.

Keep in mind you should still set up some sort of firewall, as people can and do just scan the entire IPv4 address range looking for open ports.

I would probably not do what I do.

I have two machines that host everything I use, a Thinkpad x220 (i5-2540M, 8GB RAM) which lives on the floor near my router, and an RPI4 (4GB) which lives next to my router on the table. Which one does what usually is dictated by what machine I happen to SSH into. The RPI4 is attached to an 8TB Easystore I originally bought to shuck but didn’t, and wears a NAS hat. Soon-ish I’ll probably get some extra drives and set up a “proper” server which is less trepidatious.

I run almost everything I use in containers, and Podman is my container engine of choice. Originally it was because Fedora made me, but now I am a big Podman fan.

Logging and updates are not something I like to talk about because I handle both poorly, and normally just let her rip. I do updates weekly or so whenever I get around to it, but logs are a wasteland. I’d like to get a good monitoring system set up, but for me it feels like way more work than running the things I actually want and use, so I usually end up just letting them accumulate on the disk and grep them whenever I need to.

Another Kobo Libra 2 user here. In addition what other’s have said about wanting to escape Amazon’s reach, its also pretty open as far as these types of devices go. I use Overdrive (Libby) a lot and it’s integration is pretty nice, though it is certainly not hard to use with a Kindle anyways.

If you like to tinker with your devices, Kobo devices won’t try and stop you from doing so. The following projects give you a lot of customization options to get exactly what you want out of your Kobo:

• KOReader - This also works with a jailbroken Kindle, though it’s much easier to get going on Kobo. Tons of customization options and has very flexible style overrides and lots of plugins.
• Plato is another reader application though only supported for Kobo devices. Does not feature as much customization as KOReader, but does more than the stock reader and has a very nice UI.
• Even if you stick with the stock reader, there are a number of patches you can apply if there are things about the stock software that bug you.