I would advise you to remove the rule on your router and expose your services with cloudflared instead. It should get you started with securely hosting your websites. Then you can build up on this self-hosting knowledge and later decide if you want to manage this yourself.

You should learn how to use ssh. Running Firefox on top of Xorg is a disaster waiting to happen.

Looks like you are running rootless.

You are reading too much into the comment.

1. Am not promoting Linux, I don’t know where you got that idea from.
2. How is it hostility when am letting OP know that’s exactly what’s included in the package when he chose Linux? And that unlike Windows where you install downloaded files as programs, things work differently over here?
3. You can install malware by blindly copypasting commands on any terminal, the OS doesn’t matter.

I’ve had my Nextcloud exposed for a long while now without any incidents (that I know of). I know automatic updates are not generally recommended but if you want a lighter load, you could use LSIO’s docker container (I use the standard db in the sample config). I run mine that way with watchtower and can’t recall ever in recent times when an update broke Nextcloud. Other than that, nextcloud has a brute-force plugin and you could consider overall hardening the entry points of the machine hosting Nextcloud (e.g ssh).

Yes and with good reason. To prevent people like yourself from downloading and running malware.

None. I don’t make a habit of keeping “misbehaving” apps around. If I can’t get to the bottom of a specific issue that app is getting the boot from my stable.

They got hit with their first cloud AI GPU compute bill…

Not exactly. OP mentions he’s interested in using cloudflare/github pages where the security is managed by those platforms not the user.

If you concerned about your exposed services being hacked, why not learn how to protect them properly from bad actors? There exists a wide range of solutions that attempt to specifically solve this problem.

Most modern devices should support x265 playback which has the compression sizes you are looking for.

In addition to setting the cap to file sizes for media, you can also blacklist tags like REMUX etc.

This is an example of a custom format for hevc/x265 files that are no larger than 6Gigs. You just need to create a new custom quality profile and give below custom format a positive/higher score.

{
  "name": "Minima",
  "includeCustomFormatWhenRenaming": false,
  "specifications": [
    {
      "name": "No mo than 6 Gigs",
      "implementation": "SizeSpecification",
      "negate": false,
      "required": true,
      "fields": {
        "min": 0,
        "max": 6
      }
    },
    {
      "name": "1080p",
      "implementation": "ResolutionSpecification",
      "negate": false,
      "required": true,
      "fields": {
        "value": 1080
      }
    },
    {
      "name": "eng",
      "implementation": "LanguageSpecification",
      "negate": false,
      "required": false,
      "fields": {
        "value": 1
      }
    },
    {
      "name": "Preferred x265",
      "implementation": "ReleaseTitleSpecification",
      "negate": false,
      "required": false,
      "fields": {
        "value": "[xh][ ._-]?265|\\\\bHEVC(\\\\b|\\\\d)"
      }
    }
  ]
}

The free version of ProtonVPN is sufficient enough for my use.

I am on my browser a lot. I use VPN most of the time. Am blocking ads system-wide with DNS on all my devices.

I have like only 30-40 sites that I allow to save cookies. Any site that won’t work without cookies is opened in a guest/temp profile, if I use such a site frequently it makes to the allowlist. Same allowlist principle is applied to the number of apps I install. If the service works well on the browser am not installing it.

I also use Jshelter and NoScript to allowlist Javascript, WebGL (farbled with Jshelter) and other browser properties. My browsers are mostly on a Javascript allowlist for my PC and on a denylist for my phone because I don’t use it as much as my PC and am fine with the hardened levels on Cromite.

I self-host most of the services I constantly use (those that I can) and use community alternatives whenever I can just to avoid giving data/analytics to FAANG. That said I sometimes cheat with Twitter & Instagram (haven’t opened this in forever) all on PWAs with a separate browser (Mulch).

It’s a bit overkill but am safisfied with the level of control.

OP couldn’t be more wrong. When you pay for a product you pay to get support on the platforms the vendor supports. He should be switching platforms to those supported by the vendor or switch to a competing product that has support for the platform he wants to use.

Docker is not optimized for desktop and Flatpaks aren’t optimized for running services. You’ll spend more time & effort making both of them work and still end up with sub-optimal experiences.

NixOS. Every simple update (nixos rebuild switch) was just eating RAM & CPU. I managed to brick it when updating to 23.11 and couldn’t find a way out of the mess I created (even with the saved snapshots) so I said adios.

This is what I use as well.

Yes. I get the LUKS prompt with the plymouth theme as well. But I should probably mention am using dracut and systemd-boot as my bootloader.

The only time the flicker-free boot doesn’t work as expected is when I interrupt the boot process to go to the bootloader menu.

It is if that’s what you are comfortable with.