It’s more than that, you have to make sure a certain directory is owned by the “node” user and it has to have uid 1000. That’s a small but very important step in said migration guide, which I overlooked initially. Nothing happened though, container wouldn’t start and its logs kept pointing to this directory, then I saw it in the docs.

I see. For this scenario, I have another Syncthing server, which is on 24/7, responsible for offsite backups.

Ad encrypted files: true, but why expose them to a potential adversary? If there should be a flaw in the encryption (now or future) the other party already has access to the file.

Why would you do that? Just sync thr database with Syncthing and keep it locally on your devices. I’d never put my pw dB in a publicly available cloud online, even though it’s encrypted.

Nginx in front of it, open ports for https (and ssh), nothing more. Let’s encrypt certificate and you’re good to go.