It doesn’t hide what’s under the hood and permits to fix/modify it. Yes, I’m a nerd.

You probably need to pass the iocharset mount option.

In matrix, chats with e2e encryption are protected from hoster even if they would try to steal your data.

I almost never use xargs. The most common case for it is find, but it is easier to use its -exec option. Also, with find your example is incorrect. You forgot that file names can contain special characters, the newline character in particular. That’s why you need to pass -print0 option to find and -0 option to xargs.

Antivirus wont protect you if you run everything you find in the interhet. You need to be smart enough to avoid cracking. But if you are smart enough, you don’t need an antivirus.

Have you tried NetBSD?

Debian.

Makin notes is good for sonething very simple. It’s better to automate deployment with salt, ansible or something similar. A bit more effort at first setup, much easier restoration. Self-documented.

By default your OS is secure. You only have to think about what you expose and how can it be broken in. Disable SSH password authentication. Don’t run software that is provided by hobbyists who have no enough security expertise (i. e. random github projects with 1 or 2 contributors and any software that recommends install method curl <something> | sudo bash). Read how to harden the services you run, if it is not described in the documentation — avoid such services. Ensure that services you installed are not running under root. Better use containerized software, but don’t run anything as root even inside containers. Whenever possible, prefer software from your distro official repos because maintainers likely take care about safe setup even if upstream developers don’t. Automate installing security updates at the day they released.

What doesn’t help:

• Security through obscurity. Changing SSH port etc. Anyone can scan open ports and find where SSH is listening.
• Antivirus. It is simply unable to detect each of numerous malicious scripts that appears every day. It just eats your system resources.The best it can do is to detect that your host is compromised, but not prevent this. It is not security, just marketing.
• Making different rules for public internet and DMZ. Consider there’s no DMZ. Assume that your host can be accessed by crackers from anywhere.

What is Splitwise?

There is only one commit for two years. Seems dead.

Passphrase-protected SSH keys are definetely more secure than passwords.

Your family will hate you if you’ll change their distro and DE every time you visit them. Distro hopping is normal for the first couple of years, but do it on your own machine.

Why custom? There’s 6.17 in trixie-backports.

What is n8n?

I mean not much difference in hardware support.

Ubuntu is the wrong choice for any server.

In general, I agree. But I don’t want do participate in holy wars.

Don’t expect much difference between Debian and Ubuntu. I guess you just need to install a newer kernel package from backports.

I’ve read the article you pointed to. What is written there and what you wrote here are absolutely different things. Docker does integrate with firewalld and creates a zone. Have you tried configuring filters for that zone? Ufw is just too dumb because it is suited for workstations that do not forward packets at all, so it cannot be integrated with docker by design.

What does dpkg --print-foreign-architectures say?

What are passwordless solutions in Windows for remote access, disk/filesystem encryption, keyrings?

BTW in all that cases a password can be replaced with a hardware token, for instance. It is just the simplest, most widely used and one of the less secure options.