you don’t really need to scale a homelab that much

Maybe. But you never know this beforehand.

if something breaks, you just want to quickly fix it manually because “doing the Ansible” is more of a pain

In most cases you just need to replay a playbook for quick fix. But I agree that the proper fix will likely take a longer time (while downtime is much shorter).

now idempotency and documentation-as-code is out of the window.

Let @BruisedMoose@piefed.social decide.

P. S. I don’t like Ansible, other tools can be easier to use. But I don’t want to recommend something concrete.

It is hard, if even possible, to keep documentation up-to-date. Better use a configuration management system (salt, ansible etc.) for your servers. Yes, you need to learn how to use it. Yes, it will take a longer time to make changes in your configuration. But as a result you’ll have a self-documented configuration-as-a-code that will allow you to scale your setup as you need. Reproducing something won’t require reading your notes, remembering your actions etc.

Absolutely wrong. Only the manual (I mean official documentation, not a “howto” in someone’s blog) can provide you a complete and up-to date information.

RTFM

It depends on what you mean by “local private network”. Probably, you need samba.

It doesn’t hide what’s under the hood and permits to fix/modify it. Yes, I’m a nerd.

I have no idea. It depends on your locale on mac.

You probably need to pass the iocharset mount option.

In matrix, chats with e2e encryption are protected from hoster even if they would try to steal your data.

I almost never use xargs. The most common case for it is find, but it is easier to use its -exec option. Also, with find your example is incorrect. You forgot that file names can contain special characters, the newline character in particular. That’s why you need to pass -print0 option to find and -0 option to xargs.

Antivirus wont protect you if you run everything you find in the interhet. You need to be smart enough to avoid cracking. But if you are smart enough, you don’t need an antivirus.

Have you tried NetBSD?

Debian.

Makin notes is good for sonething very simple. It’s better to automate deployment with salt, ansible or something similar. A bit more effort at first setup, much easier restoration. Self-documented.

I don’t think you gain much from OpenBSD. It is focused on preventing vulnerabilities that are hard to exploit and unlikely used by botnets. Most dangerous are vulnerabilities caused by software misconfiguration. The OS cannot prevent your mistake. Also, in OpenBSD you will be unable to use modern containers like docker, podman etc.

By default your OS is secure. You only have to think about what you expose and how can it be broken in. Disable SSH password authentication. Don’t run software that is provided by hobbyists who have no enough security expertise (i. e. random github projects with 1 or 2 contributors and any software that recommends install method curl <something> | sudo bash). Read how to harden the services you run, if it is not described in the documentation — avoid such services. Ensure that services you installed are not running under root. Better use containerized software, but don’t run anything as root even inside containers. Whenever possible, prefer software from your distro official repos because maintainers likely take care about safe setup even if upstream developers don’t. Automate installing security updates at the day they released.

What doesn’t help:

• Security through obscurity. Changing SSH port etc. Anyone can scan open ports and find where SSH is listening.
• Antivirus. It is simply unable to detect each of numerous malicious scripts that appears every day. It just eats your system resources.The best it can do is to detect that your host is compromised, but not prevent this. It is not security, just marketing.
• Making different rules for public internet and DMZ. Consider there’s no DMZ. Assume that your host can be accessed by crackers from anywhere.

What is Splitwise?

There is only one commit for two years. Seems dead.

LOLWHAT? Signals in Windows?

For Linux, I see only messages about SIGTERM handling, not SIGHUP.

Passphrase-protected SSH keys are definetely more secure than passwords.