I use a little mini PC with a DAS connected via USB. So you don’t need to go full server to expand the storage.

The other poster gave you a lot. If that’s too much at once, the really low hanging fruit you want to start with is:

• Choose an active, secure distro. There’s a lot of flavors of Linux out there and they can be fun to try but if you’re putting something up publicly it should be running on one that’s well maintained and known for security. CentOS and Debian are excellent easy choices for example.

• Similarly, pick well maintained software with a track record. Nginx and Apache have been around forever and have excellent track records, for example, both for being secure and fixing flaws quickly.

• If you use Docker, once again keep an eye out for things that are actively maintained. If you decide to use Nginx, there will be five million containers to choose from. DockerHub gives you the tools to make this determination: Download number is a decent proxy for “how many people are using this” and the list of updates tells you how often and how recently it’s being updated.

• Finally, definitely do look at the other poster’s notes about SSH. 5 seconds after you put up an SSH server, you’ll be getting hit with rogue login attempts.

• Definitely get a password manager, and it’s not just one password per server but one password per service. Your login password to the computer is different from your login to any other things your server is running.

The rest requires research, but these steps will protect you from the most common threats pretty effectively. The world is full of bots poking at every service they can find, so keeping them out is crucial. You won’t be protected from a dedicated, knowledgeable attacker until you do the rest of what the other poster said, and then some, so try not to make too many enemies.

Correct, horse battery staple.

You are correct that a reboot will trigger a full rescan. I’m always on the lookout for better sync. I just don’t think it’s out there right now for easy bidirectional sync.

Basically, if you want to set and forget, Syncthing is the best option. If you want more control, you’ll need to look into setting up rsync scripts or similar, which will at least better let you control how often to sync.

For me, the worst part of setting up some new distro or service is when it’s done and everything works. Then it just… Sits there. Working. Usually at some task I don’t need very often. Very anticlimactic and boring. Then I have to find some other new thing to try, which is why my HTPC has been through like 4 distros in the past year.

I’m with you in some cases. Who you take money from is not the same as who you give money or support to, necessarily. I think the worry in this case is that it’s a surveillance company.

In theory I guess it provides better security in some ways, but certainly not all over giving you hardware and a VPN. So there’s that. But yeah, it sucks.