I’m not sure if I agree.
You can’t easy man in the middle authenticated protocols like SSH or HTTPS.
Unless you own a CA, or are a powerful country able to coerce a CA, or mandate installing one into users’ PCs.
As for SSH - you missed the “TOFU” bit, Trust On First Use. Do you verify your SSH host keys every time before connecting to a new server? The docs for GitHub doesn’t even mention it.
unencrypted/unauthenticated protocols are on their death bed.
I partially agree - encryption appears to be a solved problem today. Key distribution, however is not, it’s layers upon layers of half-solutions of wishful thinking, glued together with hope.
The layers should be independent to allow for maximum flexibility.
Depends on your threat model and priorities, right :) HPKP is helpful and does not require DNSSEC. DANE and CAA are helpful but require DNSSEC.
Step 1: be psychologically prepared to break it all. Don’t depend on your services, at first, and don’t host stuff for others, for the same reason.
Yunohost? Good for trying out stuff, I suppose. I haven’t tried it myself. You could also try Debian, Alpine, or any other. They’re approximately equivalent. Any differences between distros will be minuscule compared to differences between software packages (Debian is much more similar to Alpine than Nextcloud to Syncthing).
4GB of RAM? Don’t set up a graphical interface. You don’t need a desktop environment to run a server. Connect to it via SSh from your regular PC or phone. Set up pubkey auth and then disable password auth.
I recommend setting up SSH login first, then a webserver serving up HTTP, only, accessible via IP address.
Next comes DNS - get a name at https://freedns.afraid.org/
Then add HTTPS, get the certs from LetsEncrypt.
Finally, Nextcloud. It runs kind of “inside” your webserver. Now you can back up your phone, and share photos with family, etc.