Are you running nmap from the system itself? Depending on the network type you use docker does some pretty complicated things with NAT, so scanning a machine from itself isn’t always very useful.

Some VPS will manage your kernel for you and use a ‘optimized’ kernel. You can often change it to what you want. But sometimes you have to go into the control panel to change it.

My primary ‘backup’, or easy recovery method is that I use ZFS, and take snapshots via sanoid frequently. I have a mydumper jump making backups of my mariadb server. I use syncoid to doing sends to external storage. So most things can just be fixed by copying the files from an older snapshot.

I also have a completely separate backups of my system made using borg to storage I have at borgbase.com, but this only happens a couple times a week, and is only my ‘important’ data and not large things like downloaded video/music/etc. I am thinking about switching borg out for restic though, since restic is also compatible with borgbase.

There are risk, that a newer version of an image will accidentally, break things, apply breaking changes and so on.

Good, frequent, tested backups, could be a mitigation to this. If an image breaks, you just restore your data from the backup, and pull the older image.

I use the klausmeyer/docker-registry-browser, and that recently broke, but it just needed me to provide an additional configuration variable.

I use advplyr/audiobookshelf, which upgraded to a different database engine and schema a couple months ago. For some small subset of people (including me) the migration to the new database didn’t go well. But I had a backup from 6 hours before the update, so restoring and then using the older image until the fixes were released was easy.

Even with the occasional issues I prefer letting watchtower automatically update most of my images for my home. I don’t really want to spend my time manually applying updates when 98% of the time it will be fine. But again, having a reliable and tested backup system is an essential part of why I am comfortable doing this.

Do I need to attach a few external HDDs to my Pi,

Provably would be a really good idea to attach some kind of additional. The write endurance on microSD cards tends to be relatively low. So depending on your usage, it might die pretty quickly.

Well enterprise content filters are able to do something like this.

I don’t know of any set of tools that would give you a full setup, but you would probably need to start doing the same kind of setup as a squid+squidguard content filter. You have to run it in interception mode, which means generating and distributing your own CA.

After you get all that configured, you swap out the squidguard with some magical tool that does content editing.