The main thing I see you can avoid with locking down the docker images into a separate low permission user that can only access what they really need is if someone successfully attacks a project and you get infected with some shit when your Synology pulls image:latest.
It could limit the traversal of a ransomware that successfully breaks free of the container but ends up having no permissions outside as an example.
I would probably purge the whole NAS and setup from my backup for my own peace of mind even with the user separation though.

edit: updating “low user” to “low permission user”, amazing how the brain can fill in words for you when reading your own texts.

Considering how my neck usually ends up after a day of gardening I should probably invest in one of those.

I mean unless specified otherwise most Synology container management dockers will run as root. With that said, if you want to secure things then there are guides.

An alternative path would be to setup a specific docker user and use docker compose to use that user when installing images
https://drfrankenstein.co.uk/step-2-setting-up-a-restricted-docker-user-and-obtaining-ids/

Jellyfin example
https://drfrankenstein.co.uk/jellyfin-in-container-manager-on-a-synology-nas-hardware-transcoding/

From there you could go further and use the guides above to create one user per docker image and give them different permissions depending on need.

Kinda the opposite, NAT Hairpinning allows you to use the external domain and public IP from the inside.
https://docs.opnsense.org/manual/how-tos/nat_reflection.html#reflection-and-hairpin-nat

Look into NAT hairpinning on your router/firewall and see if you can use the external ip. :)

The only thing I can think of then is to get your family members to start curating the photos into different albums using the Immich app. That way the sync gets to work and you get the usage statistics of the app up higher allowing the background task to run. If you create some shared albums and ask them to contribute photos to them f.e.
Or simply telling them about your shared album and getting them to check it out using the app.

After checking the german datacenter vps offerings I realize that Glesys can’t compete.

Have you tried keeping immich active for the initial large photo backup so that the background task backup only has the newly taken photos to take care off?
I imagine you’ve checked the Immich faq already:
https://docs.immich.app/FAQ/#why-is-background-backup-on-ios-not-working

Glesys (Sweden) has some affordable vps options.
https://glesys.com/products/compute-category-page/kvm-vps/

Curious what it is about Debian package management you found wrong, except for not having the newest stuff?
I run Fedora on my gaming station because I needed a newer kernel than Debian Stable has by default but on my other machines Debian has been working well.

I usually end up doing it very simple with huge /24 ipv4 networks, f.e.
10.100.10.0/24 = VLAN 10 = User devices and purely internal servers
10.100.20.0/24 = VLAN 20 = IoT
10.100.30.0/24 = VLAN 30 = Servers that are reachable from outside
10.100.40.0/24 = VLAN 40 = Guests

The main thing for me is to ensure that traffic that wants to pass between VLANs go through my firewall/router and allow Suricata to do its IPS work.

If you want a webui for the debian server that gives you logs, services, ssh terminal and more then I can recommend checking out Cockpit
https://cockpit-project.org/

If you decide you want to you can install KVM/Qemu on the debian host to get into full virtualization that way. The webui can be used to configure and manage the VMs too with https://github.com/cockpit-project/cockpit-machines

edit: Cockpit also has a Docker manager, though I feel it isn’t full featured yet. I mostly used it to stop and start dockers from my phone.
https://github.com/chrisjbawden/cockpit-dockermanager

Now I can start throwing more stuff on there once I figure out backup for the game world incase I bork it.

Step 1. Find out where the docker image you run saves the volumes
F.e. https://github.com/mornedhels/icarus-server saves here:
Volumes
Volume Description
/home/icarus/drive_c/icarus Server config files and saves
/opt/icarus Game files (steam download path)

Step 2. Find a backup tool you like, f.e. https://docs.borgui.com/

Thanks for mentioning the game, saved it to my wishlist and hope to grab it for some co-op gaming come autumn. :D

I get it and I would never buy a second hand laptop from a private seller. I’d go for one of those refurb-stores that promises at least 80% remaining battery and a limited 12 month warranty.
On second thought I might consider the private seller if I could check and test the machine in person before buying.

I hope you end up enjoying the chromebook until the currect pricing crisis has passed us by. :)

I’ve always been a fan of machines with more power to them so I never really tried those dirt cheap netbooks out. Lucking out and getting one that also lasts for 6 years sounds nice. :)

The ThinkPads are still being made that way though, the latest T-series one earned a 10/10 repairability score at ifixit.
At the same time most enterprises I’ve been in contact with replaces anything that is 3+ years old instead of troubleshooting and fixing the machine which ensures the refurbished supply.

I did a quick check and the x13 yoga do sound like a good fit for your wishes, except for it being an older and refurbished machine that is. Convertible, touch and 1.25kg for 421€
https://www.refurbed.de/en-de/p/lenovo-thinkpad-x13-yoga-10310u/114695b/

For me it feels like buying an 8 year old car instead of a brand new one. You get a lot more for a lot less.

With an average yearly inflation of almost 2.5% the 400€ in 2006 is the same as about 650€ now in 2026. I have to remind myself of this constantly to avoid being too much of a penny pincher.
Add in that all low cost computers are at least 50€ costlier 2026 than 2025 due to the AI datacenters hogging all the memory increasing the price of storage, ram, cpu and gpu.

I know you don’ t want a second hand ThinkPad but they are wonderful long lasting machines. I got a functioning T440 and a T480 both with Debian on them. Second hand from myself as I got them for cheap without storage from work. Saving up for one, second hand or not, might actually save you money due to longevity.
The keyboard replacement of the proper Lenovo T series is also simple
https://www.ifixit.com/Guide/Lenovo+ThinkPad+T480+Keyboard+Replacement/140096
Just watch out for the Lenovo TXXs series. The “s” makes them slimmer and much harder to replace parts in.

No coins, no card. Some allow sms as a secondary payment method.

Can’t really go home and start the PC up to pay for my parking and so on. :(
The high tech adoption in Sweden makes life really hard for those that don’t have Android/iPhone or lack the technical skill to use smartphone apps.

Not all foss, but alternatives are coming.
But at least in Sweden there’s too many apps that you need to function in society that can’t run on them that they can’t replace your primary phone yet.

https://commerce.jolla.com/products/jolla-phone-sep-ii-2026
https://pine64.org/devices/pinephone/
https://puri.sm/products/librem-5/
https://www.fairphone.com/the-fairphone-gen-6-e-operating-system
https://murena.com/smartphones/

Personally I’m curious about the Jolla Phone but haven’t made an order yet.

Prepare yourself for having to relearn a lot of “muscle memory”. I don’t use GrapheneOS myself as I don’t have a Pixel but I can answer regarding android phones longevity:
My Sony Xperia IV 10 from 2022 is a midrange phone I bought on sale for below 300 euro and it works well for me still. I think I might get through the AI memory crisis without switching phone.

Personally I’m looking forward to the Motorola offering that has been announced and would probably look at a pixel 9 pro refurbished if I wanted to buy now and not wait for the Motorola one. https://itsfoss.com/news/motorola-grapheneos-team-up/