Antivirus wont protect you if you run everything you find in the interhet. You need to be smart enough to avoid cracking. But if you are smart enough, you don’t need an antivirus.

Have you tried NetBSD?

Debian.

Makin notes is good for sonething very simple. It’s better to automate deployment with salt, ansible or something similar. A bit more effort at first setup, much easier restoration. Self-documented.

I don’t think you gain much from OpenBSD. It is focused on preventing vulnerabilities that are hard to exploit and unlikely used by botnets. Most dangerous are vulnerabilities caused by software misconfiguration. The OS cannot prevent your mistake. Also, in OpenBSD you will be unable to use modern containers like docker, podman etc.

By default your OS is secure. You only have to think about what you expose and how can it be broken in. Disable SSH password authentication. Don’t run software that is provided by hobbyists who have no enough security expertise (i. e. random github projects with 1 or 2 contributors and any software that recommends install method curl <something> | sudo bash). Read how to harden the services you run, if it is not described in the documentation — avoid such services. Ensure that services you installed are not running under root. Better use containerized software, but don’t run anything as root even inside containers. Whenever possible, prefer software from your distro official repos because maintainers likely take care about safe setup even if upstream developers don’t. Automate installing security updates at the day they released.

What doesn’t help:

• Security through obscurity. Changing SSH port etc. Anyone can scan open ports and find where SSH is listening.
• Antivirus. It is simply unable to detect each of numerous malicious scripts that appears every day. It just eats your system resources.The best it can do is to detect that your host is compromised, but not prevent this. It is not security, just marketing.
• Making different rules for public internet and DMZ. Consider there’s no DMZ. Assume that your host can be accessed by crackers from anywhere.

What is Splitwise?

There is only one commit for two years. Seems dead.

Passphrase-protected SSH keys are definetely more secure than passwords.

Your family will hate you if you’ll change their distro and DE every time you visit them. Distro hopping is normal for the first couple of years, but do it on your own machine.

Why custom? There’s 6.17 in trixie-backports.

What is n8n?

I mean not much difference in hardware support.

Ubuntu is the wrong choice for any server.

In general, I agree. But I don’t want do participate in holy wars.

Don’t expect much difference between Debian and Ubuntu. I guess you just need to install a newer kernel package from backports.

I’ve read the article you pointed to. What is written there and what you wrote here are absolutely different things. Docker does integrate with firewalld and creates a zone. Have you tried configuring filters for that zone? Ufw is just too dumb because it is suited for workstations that do not forward packets at all, so it cannot be integrated with docker by design.

What does dpkg --print-foreign-architectures say?

What are passwordless solutions in Windows for remote access, disk/filesystem encryption, keyrings?

BTW in all that cases a password can be replaced with a hardware token, for instance. It is just the simplest, most widely used and one of the less secure options.

Install updates regularly. Don’t install software from unofficial sources. If you see a recommendation like run curl something | sudo bash, ignore it. And, in general, don’t run anything as root unless you understand what you are doing and why this cannot be done without root privileges.

Most of what you enumerated is not a terminal emulator job. There is tmux for multiplexing, search and persistent sessions, for instance. And if you want image rendering, what a hell you use TUI for this? GUI programs can also be controlled with keyboard.

If you mean HTTP server, what you need is a reverse proxy and name-based virtual hosts. I usually use nginx for such tasks, but you may choose another web server that has these features.