I’ve seen XML parsers that will convert element content from strings to native types by default. So “0” becomes an int, “true” becomes a boolean, and “null” becomes an actual null. I had to take extra steps to keep everything as a string unless explicitly told not to.

JSON does not have this problem, BTW.

You can permit absolutely everything and make it just as bad as the stock OS if you want to.

I disabled ssh on IPv4 and that reduced hacking attempts by 99%.

It’s on IPv6 port 22 with a DNS pointing to it. I can log into it remotely by hostname. Easy.

That’s basically it. My Ubuntu server is a router, NAS, plex server, public statum-1 NTP server, wordpress server, nextcloud server, security camera NVR, SMTP/IMAP mail server, CUPS print server, tor relay, and probably a few other things I forgot about.

You can do a lot with a single CPU from 2015.

I don’t have hostapd on it anymore. I now have dedicated APs on OpenWRT. The main problem with using a WNIC for an AP is that they don’t typically have a very strong broadcast output. I had to add an amplifier, and even then it wasn’t great.

I’ve done this before on Ubuntu. You can install nftables for routing, then install hostapd for a wifi AP.