Cake day: June 12th, 2023


  • If you don’t trust your VPS host then you shouldn’t use them. They have physical access to the hardware so it’s impossible to prevent them from accessing your stuff if they really wanted to (realistically they probably don’t want to).

    I was wondering if an encrypted volume would make no difference for protecting any data uploaded there.

    This is known as “encryption at rest” (as opposed to “encryption in transit”). In order for an application to use the content, it has to be decrypted using the private key (decryption key). Where are you storing the private key? If it’s on the VPS they have access to it. If you transmit it to the VPS at runtime they can access it via network monitoring. If you kept the private key only on your end-user devices (phone, desktop computer, etc.) and then decrypted the content locally, then encrypted it before it was uploaded to the VPS, then the provider would have no way of accessing that.

    I’m not sure how is my data protected inside a VPS.

    Ask your provider. The larger ones have a lot of security certifications and periodic audits showing that they’re in compliance with best practices for securing the clients’ data, including from their own employees. If what you find isn’t satisfactory then pick another provider.

    Am I being too paranoid? Or should I be investing in a small physical server?

    IMO yes but you need to determine how sensitive the data you’re storing actually is. Chances are that no one really cares about your personal photos or private git stuff. If you want to store the passwords for all of your email accounts and banking then I’d be more concerned - though I think that’s still fine to store on a VPS if you trust the provider.