I've only ever used desktop Linux and don't have server admin experience (unless you count hosting Minecraft servers on my personal machine lol). Currently using Artix and Void for my desktop computers as I've grown fond of runit.
I'm going to get a VPS for some personal projects and am at the point of deciding what distro I want to use. While I imagine that systemd is generally the best for servers due to the far more widespread support (therefore it's better for the stability needs of a server), I have a somewhat high threat model compared to most people so I was wondering if maybe I should use something like runit instead which is much smaller and less vulnerable. Security needs are also the reason why I'm leaning away from using something like Debian, because how outdated the packages are would likely leave me open to vulnerabilities. Correct me if I'm misunderstanding any of that though.
Other than that I'm not sure what considerations there are to make for my server distro. Maybe a more mainstream distro would be more likely to have the software in its repos that I need to host my various projects. On the other hand, I don't have any experience with, say, Fedora, and it'd probably be a lot easier for me to stick to something I know.
In terms of what I want to do with the VPS, it'll be more general-purpose and hosting a few different projects. Currently thinking of hosting a Matrix instance, a Mastodon instance, a NextCloud instance, an SMTP server, and a light website, but I'm sure I'll want to stick more miscellaneous stuff on there too.
So what distro do you use for your server hosting? What things should I consider when picking a distro?
My server is running headless Debian. I run what I can in a Docker container. My experience has been rock solid.
From what I understand Debian isn't less secure due to the late updates. If anything it's the opposite.
I run NixOS. It (or something like it, with a central declarative configuration for basically everything on the system) is imo the ideal server distro.
I think I can sense your love/hate relationship with nixos from here :) you are not alone
Very true haha. NixOS is great and the best I've got right now but I would lie if I said it has never been painful.
Especially for desktop use I want to build my own distro which takes a lot from NixOS, mostly in terms of the central configuration but not much else (I definitely want a more sane package installation situation where you don't need stuff like wrapper scripts which are incredibly awful imo), but also other distros, and also with some unconventional things (such as building it around GNUstep). But who knows if that ever gets off the ground, I have way too many projects with enormous scale...
CentOS Stream 8. Which I regret. Because they ended support without upgrade path.
I thought you could still go Centos Stream 9?
Anyway, I'm pretty sure almalinux-deploy allows migration from Centos Stream 8... it's your second chance to be done with fickle management decisions from RedHat/IBM: don't miss it this time :)
Debian has been rock solid for me.
It's not insecure. Quite the contrary debian repositories only include packages that has been through extensive testing and had been found secure and stable. And of course it regularly introduce security updates.
Debian backports security updates to most software, including popular server software. Stable also always uses an LTS kernel, which stays supported upstream. So long as you’re using latest Debian Stable (Bookworm as of this writing), run apt update often (in fact, ‘’’unattended-upgrades’’’ is probably not the worst idea in this case) and do common sense security practices like a firewall and (brain is not working), you should be good.
In brief, it’s totally fine to use Debian and in fact one of the best options in my opinion.
I just use debian cause it's rock solid and most of what I set up are in containers or VM'S anyways
I have tons of experience with enterprise linux, so I tend to use Rocky linux. It’s similar to my Fedora daily driver, which is nice, and very close to the RHEL and Centos systems I used to own.
You are slightly mistaken with your assumption that debian is insecure because of the old packages. Old packages are fine, and not inherently insecure because of its age. I only become concerned about the security implications of a package if it is dual use/LOLBin, known to be vulnerable, or has been out of support for some time. The older packages Debian uses, at least things related to infrastructure and hosting, are the patched LTS release of a project.
My big concerns for picking a distro for hosting services would be reliability, level of support, and familiarity.
A more reliable distro is less likely to crash or break itself. Enterprise linux and Debian come to mind with this regard.
A distro that is well supported will mean quick access to security patches, updates, and more stable updates. It will have good, accurate documentation, and hopefully some good guides. Enterprise linux, Debian and Ubuntu have excellent support. Enterprise linux distros have incredible documentation, and often are similar enough that documentation for a different branch will work fine. Heck, I usually use rhel docs when troubleshooting my fedora install since it is close enough to get me to a point where the application docs will guide me through.
Familiarity is self explanatory. But it is important because you are more likely to accidentally compromise security in an unfamiliar environment, and it’s the driving force behind me sticking with enterprise linux over Nixos or a hardened OpenBSD.
As a fair word of warning, enterprise linux will be pretty different compared to any desktop distro, even fedora. It takes quite a bit of learning, to get comfortable (especially with SELinux), but once you do, things will go smoothly.
you can also use a pirated rhel certification guide to learn enterprise linuxIf anything, you can simply mess around in a local VM and try installing the tools and services needed before taking it to the cloud.
You don’t wanna use rolling release distros trust me, the whole point of server is automation and less maintenance. I got couple personal servers running, after things i need got setup and all of them running at a decent capacity, i just turn them on and never worry about them. Old package and software doesn’t necessarily mean less security, quite opposite actually, i suggest you take a look at how stable distros distribute their software, such as Debian. For a Debian package becomes stable, it has to go through several stages, experimental, unstable, testing, and finally stable, that’s why their packages are old, and because they are old, they are secure. It might be quite opposite than what you expect.
Mostly i use Debian for my personal servers, some of them are stable and some of them are testing, because of Podman’s new feature Quadlet. Honestly many features of Debian feel really old, like APT’s source list, preferences, and the way to deal with unattended upgrades. It’s kinda hard to get it at first and it’s easy to shoot yourself in the foot, especially many people tend to unintentionally mix and match packages from different suites for new software. But once you get comfortable with it things just work.
As my experience, no matter what distros i use, the worst distros are always those that i don’t understand and in a hurry to put them into production. Just pick one popular server distro and learn the ecosystem, you will find out what distros you like really soon.
Servers are the one thing I've generally heard people agree that snaps are good for, so given its history it's a bit of a strange thing to hear of Ubuntu being a better server distro than desktop distro nowadays.
I've been running arch for like 3 years now. Why arch? Because it just works (and its the only one i have esperience with). Maybe ill try nixos one day.
Personally, I use Rocky Linux on my servers. It’s stable, and has plenty of support since it’s RHEL-based. It’s supported until 2030 or so, and it doesn’t have any of the cloud-init or netplan stuff that Ubuntu Server has.
It’s also pretty simple to set up docker/podman containers, although you need the EPEL for podman-compose and for a lot of other packages, but once you get your setup the way you like it, it just keeps running and running.
Seonding the security point. It's probably riskier to use bleeding edge distros because the "old" Debian packages are well cured and don't have a lot of new issues. And as you said also old packages get security updates. Even in debian.
Been running Debian on my server for 10+ years.
openSUSE Leap - YaST is the greatest thing since sliced bread, and works great on command line over SSH. Yes, sometimes installing some software is difficult, but generally most stuff you would want is there and a lot of stuff runs on Docker anyway now. Very stable too, have had nearly zero issues.
