Short answer no, but you can add the source IP as part of the http header https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/ then you have to log that bit of the header at the app level.
There can be ways of your are using ipv6, basically turning your cloud host into a router, but but ipv4 you would have to have a 1:1 mapping and setup the routing carefully to make it work.
You can add net_admin to the user running podman, I have added it to the ambient capability mask before, which acts like an inherited override for everything the user runs.
Wildcard DNS entries are not part of an RFC afaik, so the behavior is completely determined by the dns software in use. AD and I think bind state to only use them in an otherwise empty zones, though one case I have at work we have to have the wild and an A record in the zone. Hit strange intermittent failures to resolve without the record in for some reason.
Rereading what you have in the zone file, if that is a standard bind zone file, a subzone definition would look like
` ; sub-domain definitions $ORIGIN local.example.com.
What you have might work, but doesn’t follow the dns RFCs the dns label is “*.local” in the “example.com” zone/domain.
This may come up after you get the API to the public DNS provider working, as the software will add/update a “_acme-challenge” label in the zone you point it to which would be “example.com”
If the dns provider makes setting up a proper subzones hard, you can work around it by adding a cname record
_acme-challenge.local in CNAME _acme-challenge.example.com
I assume you have purchased as public domain (the example.com bit) and have it setup to be publicly resolvable, even if the records are hosted on cloudflare or something.
You don’t need any A records for the dns01 challenge from lets encrypt. You need a text record for _acme-challenge.local.example.com that you can update with what ever challenge string let’s encrypt replies with when you request the *.local.example.com certificate.
Guessing the error is from caddy and it is saying it can’t find the public provider of that zone to update the txt record for the challenge. Even if you have the correct provider configured, does local.example.com exist in the public DNS server config?
As a side note, after the cert is issued the _acme-challenge txt record can be deleted, just be aware all issued public certs are easily searchable by domain name.
You can, and for Linux generally have to, manage your own secure boot keys and signing your own kernal, united, modules, etc. Conacal and Red Hat have signing keys iirc, but distributions can and do get the shim boot loader signed so secure boot works. The arch wiki has a page on how to setup secure boot . Many distros installers do end up signed as well so you can go through the full install process with secure boot enabled.