i store my ssh key on my yubikey using the gpg interface. On linux it’s natively supported, on windows you need cleopatra and on android you can you OpenKeychain together with TermBot.
This won’t sync the hosts you have, but at least you always will have your private key with you.
Yubikey. I dont want to trust my phone, so I use some separate hardware instead
Even safe rust can do it, if we allow compiler bugs
It seems to that it works. I don’t get any web-scrapers hitting anything but my main domain. I can’t find any of my subdomains on google.
Please tell me how you believe that it works. Maybe i overlooked something…
Of course i get a bunch of scanners hitting ports 80 and 443. But if they don’t use the correct domain they all end up on an Nginx server hosting a static error page. Not much they can do there
I use good ol’ obscurity. My reverse proxy requires that the correct subdomain is used to access any service that I host and my domain has a wildcard entry. So if you access asdf.example.com you get an error, the same for directly accessing my ip, but going to jellyfin.example.com works. And since i don’t post my valid urls anywhere no web-scraper can find them. This filters out 99% of bots and the rest are handled using authelia and crowdsec
I mounted my zfs dataset in a Jellyfin VM using 9p. All the features of the host ZFS while still running in a VM
A system like proxmox backup server can do this scurely. There you can create a user that can only add new backups and read the existing ones, but cannot delete any or read anything else on the remote host.
Otherwise if you only care to protect the remote machine, then something like an ssh chroot jail would also work.