Yeah… Just wow. I disabled pictrs and deleted all its images, which also means all my community images/uploaded images are gone, and it’s more of a hassle to see other people’s images, but in the end I think it’s worth it.

Through caching every image pictrs was also taking up a massive amount of space on my Pi, which I also use for Nextcloud. So that’s another plus!

A bit of reverse image searching reveals this was the original XKCD comic (more specifically, the top middle panel): https://xkcd.com/1269/

Yeah, Podman is definitely one of those things I would say to do the latter with. It’s functionality is the same as Docker though (commands work almost 1:1, and even docker-compose works with Podman), it has better integration with other system components (like automatically creating systemd services to start containers when a computer is restarted), and it gets you away from Docker as a company while still being able to access their containers on Docker Hub.
In the end though, I’d recommend sticking to what you’re familiar with. It’s always better to administer commands to your server that you know will work rather than learning as you go and hoping something doesn’t break.

I may not be able to answer some of the more security-oriented questions, but one of the things I recommend is using a proxy to “hide” your home IP address. IP addresses can contain a lot of information including location data, so it’s a good idea to make things harder for attackers to figure out where you live. I’m pretty sure you can do this with a basic VPS setup, but I know for sure you can do this with Cloudflare (as I have it enabled on my server).

As for getting reverse proxies set up from your Docker containers to the outside world using Apache, I can help. I use (rootless) Podman on my Raspberry Pi, meaning when I expose ports from my containers I have to choose port numbers greater than 8000. Once I have a port (let’s say 8080), and a subdomain (I’ll use subdomain.example.com), I just need to create a file in /etc/apache2/sites-available/ which I’ll call site.example.com.conf. The content usually looks something like this:

  ProxyPreserveHost On
  ProxyRequests Off
  ServerName subdomain.example.com
  ServerAlias subdomain.example.com
  ProxyPass / http://localhost:8080/
  ProxyPassReverse / http://localhost:8080/

Then you just need to enter the commands sudo a2ensite subdomain.example.com and sudo systemctl reload apache2 and you should be able to access your container as a subdomain. You should just need to forward port 80 (and 443 if you want to set up Let’s Encrypt and HTTPS) on your router.

Hope this helps!