In the US, most IPSs have remote access to your modem as well, even if you purchased it yourself from a store unaffiliated with your ISP.

The education system has been killing critical thinking for decades. Why start trying to save it now?

Enabling SSH password authentication is unnecessary and not a good idea, especially if your temporary passwords are simple. I haven’t used Hetzner but there is probably a way to upload a file or to paste into the console, or else if you fix your keyboard you could at least type a URL to download the public key from the internet. You may want to look into cloud-init instead of manually installing and configuring your VMs.

LUKS may not make your server meaningfully more secure. Anyone who can snapshot your server while it’s running or modify your unencrypted kernel or initrd files before you next unlock the server will be able to access your files.

Techdirt says 2,456 files as if it’s 2,456 separate things, but it’s actually just the source code for their web frontend and that source code is comprised of 2,456 files. Normally, the source code for the web frontend isn’t a big deal, but apparently the frontend that they’re exposing is for a service that normal people aren’t supposed to be able to see, and the capabilities of the service are made public. There’s still a lot that could be going on behind the scenes and not surfaced through the frontend.

curl bash is not as bad as people think. Nobody downloads and reverse engineers binary packages off of these websites before running them with the same permissions.

If you’re running insecure services, you can restrict them to be accessible by vpn. I have a mix of internet accessible and vpn accessible services using the tailscale nginx plugin.

If you want to send all your traffic over a vpn, you will either need to route all your traffic through your own vpn or use some sort of multiplexed vpn. tailscale can do this with mullvad, but it’s not yet possible with headscale.