Ssh with ed25519 pubkey access and password login disabled works fine for me. I have access from my phone via termux and any other terminal software.

As far as your changing ip goes, you could have a cron job that periodically checks your current IP and notifies you of changes over telegram or other method.

I was thinking of creating a power management module myself that would have had a raspberry pi receiving periodic battery level readings and controlling a relay accordingly but the battery on the laptop was already messed up.

I don't know whether it's possible to recondition a messed up battery by managing the charge cycles.

Depending on your laptop's battery management system, keeping the laptop constantly connected to your charger could damage the battery and severely reduce its capacity. That happened to 2 batteries on my Dell xps 13

sudo certbot certonly --manual --preferred-challenges dns -d

And it's a TXT record that you need to add.

Because it's "everyone's MITM" it would make it a perfect spot for state actors to tap into in order to surveil pretty much everything without anyone being able to notice.

Yep, that's my main point

You trust your employer, don't you friend citizen?

This is exactly the original point I was trying to make regarding cloudflare.

The point that i take from this tongue-in-cheek sentence of yours is that no, we should absolutely not trust our employer with our unencrypted traffic.

But then on the other hand there are loads of people on here saying that, yes, of course we should trust cloudflare with having access to all of the data flowing through it.

Maybe it's my fault for posting this in selfhosted. My question was of a more generic nature about security and privacy in general. You're right, r/privacy might be a better sub for this conversation.

In my case my reverse proxy (nginx) runs on the same machine as my backend. In fact nginx also serves all static data with the backend only serving api requests.

To clarify, I did not mean MITM attack. It actually wouldn't make sense to say that cloudflare is a man in the middle attack, since it is a company and not an action.

I didn't include the word "attack" anywhere.

MITM is commonly used together with attack, so your misunderstanding is understandable. However the acronym just stands for Man In The Middle, which is why it is followed by "attack" in such situations.

nginx can be configured to throttle connections and fail2ban to refuse them to mitigate this

The question was a more general one, and not specific to my personal data needs.

The existence of such a ubiquitous centralised service that actually IS a MITM, whether they are malicious or not, seems curious to me.

As they say, if the product is free, then you are the product. If people accept, but recognise, a loss of privacy when using free services from Google and meta, for example, knowing that the data they provide is used for personalised ads, then how come CF's free tier isn't viewed with the same level of scrutiny?

Isn't this also what many companies do to monitor web-traffic from their network?

Then trusting root CAs is a non-issue?

Good point. Who's to say that LetsEncrypt doesn't keep a copy of my private keys?

When I visit one of the sites I manage, that goes through CF (my personal ones don't), I see that the certificate that the browser sees is one provided by CF and not the one that I create using LetsEncrypt.

Thanks for the links