tarneo

I use Iceraven with ublock, privacy badger, decentraleyes and canvasblocker.

Oh right

Because it's a decent competitor to the GitHub monopoly. It also has a few unique features when compared to it. Just guessing why OP uses it though (many people do)

Seeing how unethical the company is in general, it would'n't surprise me if the anticheat was just the worst. Even forgetting the anticheat part, I would NEVER play it.

(Unethical is actually a pretty big euphemism here)

Yeah, most anticheats are actually just rootkits (running at kernel level with unlimited privileges). This is also a big security issue, some games like genshin impact have also been used to create botnets since there is only one privilege escalation from the game itself to the kernel.

Whenever you use an anticheat, you just have to take the company's word for what they are doing with that kernel-level access.

Use librewolf instead of Firefox to get rid of the whole spyware part of it. Librewolf only has a single request when starting, to "check for updates". But using Firefox is the second best thing you can do both for your privacy and to fight Google's " Web Environment Integrity" crap.

Framaforms + framacalc.

what is the reason you shy away from ubuntu? Canonical. Snaps. Ubuntu is the first server OS I used, and while it was quite good I think I prefer using a base distrobox instead of a derivative. If I'm going to use Debian, I'll use Debian. Not Debian with corporate stuff on top.

As for SELinux: I've tried around a year ago. But as soon as I started doing stuff with users and tweaking docker permissions things went wrong and I just set it to permissive. Maybe I'll try that again soon, because other parts of managing servers have become much easier over time as I learned. I agree that having a server without SELinux is quite dumb and not very professional.

You convinced me for immutable fedora. Maybe I'll try it out sometime on our backup/testing server and maybe it will make its way to production if I'm happy with it.

As for distrobox I'll see.

The main reason I used Gentoo is because of being able to reduce the attack surface with USE flags. But as it seems the tradeoffs with it are greater than the advantages (the mastodon issue I mentioned). If I don't switch the server to immutable fedora, I'll just use something like plain fedora or debian I think.

To me, this is only one of the few advantages of immutability. I have already used nixOS on a server and I really didn't like having to learn how to do everything the right way. As for distrobox, to me it sounds quite like an additional failure point: it is an abstraction over the containers concept that hides the actual way it is done from you. I'd say if you run an app in a container, go all the way: make the container yourself. To me it just sounds like a bad idea, and I didn't really like distrobox when I tried it. I just want to say that both of these concepts (immutability, distrobox) would be great if it was perfectly done. But the learning curve of nixos and the wackiness of distrobox drove me away.

I totally agree. But I just wouldn't necessarily say gentoo is a bleeding edge distro: it's kinda up to the user. They are free to configure the package manager (portage) however they want and can even do updates manually. I just like the idea of having newer packages at the cost of stability, because I also use the server as a shell account host (with an isolated user ;-)) and need things like the latest neovim. These days I would know if an update failed because I would literally be in front of the process and test services are working after the updates, so I'd know if I have to rollback. This makes it basically like a stable distro IMO (even though the packages aren't battle tested before being pushed as updates).

I'm surprised this strategy was approved for a public server

The goal was to avoid getting hacked on a server that could have many vulnerable services (there are more than 20 services on there). When I set this up I was basically freaked out by the fact I hadn't updated mastodon more than a week after the last critical vulnerability in it was found (arbitrary code execution on the server). The quantity of affected users, compared to the impact it would have if hacked, made me choose the option of auto-updates back then, even if I now agree it wasn't clever (and I ended up shooting myself I'm the foot). These days I just do updates semi-regularly and I am subscribed to mailing lists like oss-security to know there's a vulnerability as early as possible. Plus I am not the only person in charge anymore.