Where are these OEMs that allow proper bootloader unlocking on most of their range?

Google, Sony …? Huawei stopped doing it, Oppo & Samsung doesn’t last I checked.

IIRC docker on Windows lives inside WSL, so everything is done on Linux anyway. What’s the issues you’re getting?

The typical way involves something outside your network acting as a proxy. Your home network VPNs to this proxy, then the proxy sends requests down to your homelab.

I used a VPS and a VPN, I would connect to the VPN endpoint on the VPS, and then route all traffic back down to home.

You can also run a reverse proxy on the VPS, so it does TLS for clients, and speaks to the servers direct over the VPN.

Another option is things like Cloudflare tunnels, which means cloudflare does the “VPS and VPN” part of the above, but the tradeoff is that your have to trust cloudflare, rather than yourself (may be a positive or not depending on your perspective).

Lastly you could use something like tinc (which needs something on the outside to act as a negotiator) to form a mesh between NAT’d devices.

It means that if someone breaks out of your container, they can only do things that user can do.

Can that user access your private documents (are these documents in a container that also runs under that user)?

Can that user sudo?

Can that user access SSH keys and jump to other computers?

Generally speaking, the answer to all of these should be “no”, meaning that each group of containers (or risk levels etc) get their own account.

There’s mt32-pi, a baremetal app that emulates the classic MT-32 MIDI synthesizer.

For better or worse, the Pi (2+) seems to be the only SBC with a video output that can do 240P or other funky CRT resolutions (the DPI interface on the GPIO).