There are quite a few mature projects in 0.x that would cause a LOT of pain if they actually applied semver

Depending on how one defines the “initial development” phase, those projects are actually conforming to semver spec:

Major version zero (0.y.z) is for initial development. Anything MAY change at any time. The public API SHOULD NOT be considered stable.

After looking at the site and trying to determine what to download to get Debian with non-free (I’m unfortunately working with an NVIDIA card)

FWIW, Debian 12 now includes non-free firmware in the installation media by default and will install whatever is necessary.

I agree that the Debian website has its weaknesses, but beyond finding the right installer (usually netinst ISO a.k.a small installation image on https://www.debian.org/distrib/) there isn’t much of a learning curve. I started out with Ubuntu too, but finally decided that enough was enough when snap started breaking my stuff on desktop.

Thanks, didn’t know about those deals!

+1 for own domain and some email hosting service. That also makes it pretty easy to switch providers because you can simply point your MX records etc. somewhere else - no need to change the actual email address.

I can also recommend mailbox.org as an alternative to mxroute, they’re even a little cheaper at $3/month (mxroute is $49/year at minimum).

Oh, I think we’re talking different orders of magnitude here. I’m in the <1TB range, probably around 100GB. At that size, the cost is negligible.

I do an automated nightly backup via restic to Backblaze B2. Every month, I manually run a script to copy the latest backup from B2 to two local HDDs that I keep offline. Every half a year I recover the latest backup on my PC to make sure everything works in case I need it. For peace of mind, my automated backup includes a health check through healthchecks.io, so if anything goes wrong, I get a notification.

It’s pretty low-maintenance and gives a high degree of resilience:

• A ransomware attack won’t affect my local HDDs, so at most I’ll lose a month’s worth of data.
• A house fire or server failure won’t affect B2, so at most I’ll lose a day’s worth of data.

restic has been very solid, includes encryption out of the box, and I like the simplicity of it. Easily automated with cron etc. Backblaze B2 is one of the cheapest cloud storage providers I could find, an alternative might be Wasabi if you have >1TB of data.

drive failure

Perhaps unintended but very much relevant singular. Unless you’re doing RAID 6 or the like, a simultaneous failure of two drives still means data loss. It’s also worth noting that drives of the same model and batch tend to fail after similar amounts of time.

Once again, you’re going off on an unrelated tangent. If you don’t want to listen, I can’t help you. We’re done here.

Funny how you claim to know so much about security but can’t even seem to comprehend my comment. I know root shell exploits exist, that’s why I wrote that it takes additional time to get root access, not that it’s impossible. And that’s still a security improvement because it’s an additional hurdle for the adversary.

I think you’re interpreting too much. Security is about layers and making it harder for attackers, and that’s exactly what using a non-root user does.

In that scenario, the attacker needs to find and exploit another vulnerability to gain root access, which takes time - time which the attacker might not be willing to spend and time which you can use to respond.

No problem. One more tip though: If you ever censor your public IP, don’t just censor the last two digits. Otherwise it will be easily brute-forced.

My preferred option is to have the VPS inside a VPC that blocks all external traffic by default. Then I can open up specific ports for specific IP ranges.

The reason I prefer this over a firewall configuration on the VPS itself is that the latter seems far more error-prone to me. For example, I’ve had problems in the past with ufw and Docker where container ports were still reachable even though access was denied via ufw.

If an attacker already has access to a system, they can use hitherto closed ports to communicate with C2 servers or attack other devices. In that case, a firewall that only allows known-good traffic will prevent further damage.