You can configure automated security updates like this:

sudo apt update && sudo apt install unattended-upgrades -y

The frequency of unattended-upgrades is controlled by the settings in this file: /etc/apt/apt.conf.d/20auto-upgrades

Inside it we want to paste in the following:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

Meaning of the values

APT::Periodic::Update-Package-Lists "1"; → Updates the list of available packages daily (1 = every day).

APT::Periodic::Download-Upgradeable-Packages "1"; → Downloads upgradable packages daily.

APT::Periodic::Unattended-Upgrade "1"; → Actually runs unattended-upgrades daily.

APT::Periodic::AutocleanInterval "7"; → Cleans the local package cache once every 7 days.

Setting 0 as a value will disable that entry.

Want to check when it last ran, and what was installed?

You can check the log like this:

sudo cat /var/log/unattended-upgrades/unattended-upgrades.log

• A box with qbittorrent web-ui reachable on LAN, behind a Mullvad VPN
• SMB share to host your files on LAN
• A script to test for dns leaks :)

This quick project is great for eg. a spare laptop or a VM!

I would recommend installing this on a dedicated Debian server instance. No need for a desktop environment. I would also recommend using LVM + LUKS encryption.

That said this will work on any Debian or Ubuntu-based system.

Let's install some packages

sudo apt update && sudo apt install curl screen samba avahi-daemon avahi-discover libnss-mdns qbittorrent-nox -y

To install Mullvad VPN:

sudo curl -fsSLo /usr/share/keyrings/mullvad-keyring.asc https://repository.mullvad.net/deb/mullvad-keyring.asc

echo "deb [signed-by=/usr/share/keyrings/mullvad-keyring.asc arch=$( dpkg --print-architecture )] https://repository.mullvad.net/deb/stable $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/mullvad.list

sudo apt update

sudo apt install mullvad-vpn -y

Mullvad account

If you haven't already, please create a Mullvad account at https://mullvad.net/en

Then in your terminal:

sudo mullvad account login 'account number'

sudo mullvad auto-connect set on

sudo mullvad lan set allow

Now let's create a SMB share!

To begin with you need to create a dir that we want to share. Then we will change the permissions to 0775 I recommend placing it in /home. For this example we will call it share:

mkdir share

sudo chmod 0775 share

To tweak the .conf:

sudo nano /etc/samba/smb.conf

Paste the following at the bottom of the file:

[share]
path = /home/'username'/share
read only = no
guest ok = no
valid users = 'username'

Then set the smb password and restart the service:

sudo smbpasswd -a 'username'

sudo systemctl restart smbd nmbd

sudo systemctl restart smbd.service

Last but not least, dns leak test:

curl https://raw.githubusercontent.com/macvk/dnsleaktest/master/dnsleaktest.sh -o dnsleaktest.sh && sudo chmod +x dnsleaktest.sh

To run the script:

sudo ./dnsleaktest.sh

Setting up and using qbittorrent:

Mental Outlaw actually has a great video about this and from 6:36 it's possible to follow along with some of these steps

Earlier we installed qbittorrent-nox which is great for headless systems, since we can access the app from a web-ui over LAN.

I recommend using screen to run qbittorrent-nox, since i think it is unwise to keep your box logged in 24/7. What if someone “broke in” to your network closet and gained access to your (encrypted?) system?

If it's just logged in, no point in securing anything.

It is safer to SSH into the box, launch and detach the qbittorrent-nox process and terminate the connection.

If you just ran qbittorrent-nox without screen, the app would close every time you terminated your session.

Either way:

screen qbittorrent-nox

As qbittorrent launches, take note of the IP+port displayed in the message on screen. Press Ctrl+A and then D to detach the process.

Open a browser and go to the IP

Last time i checked the default credentials were admin:adminadmin

In qbittorrent, go to preferences and change your password.

Then change your default download folder to the SMB share we created. This way you can stream from the box anywhere on your LAN.

Then at last go to Preferences > Advanced > Network Interface and change it to your Mullvad connection: tun0

That's it! Enjoy

Before You Begin: Back Up Personal Files!

If you have important personal data not included in your Timeshift snapshots (like documents, photos, or anything in /home), salvage and back it up now before continuing.

If you’ve already done that—or can’t—read on.

Step-by-Step Restore Process

1. Fresh Install on Target Drive

• Boot from your Live LMDE USB.
• Install LMDE 6, selecting LVM with full-disk encryption (LUKS) mimicking your old setup.
• After installation, boot into the new system once to verify it works, then shut it down.

2. Boot Back Into Live USB

• Plug in your backup drive and unlock it if it’s encrypted.

3. Launch Timeshift & Start Restore

• Open Timeshift from the menu (LMDE includes it).
• Select your snapshot → click Restore.

Target Device Selection

• / → Select the encrypted root partition from your fresh install. Timeshift will ask for your encryption passphrase. Click the refresh button to display the LVM volume (e.g., vg-root or dm-2 ext4). This is typically slightly smaller than the full size of your drive.

• /boot → Set to “Keep on root device”

• /home → Set to “Keep on root device” (unless restoring separately)

4. Configure Bootloader (Advanced)

Click Advanced, then:

Reinstall GRUB2 → Select the small, unencrypted boot partition Update initramfs → Leave unchecked Update GRUB menu → Make sure this is checked

Let Timeshift restore your system.

If You Restored to the Same Drive

Great! Just reboot — you’re done.

Restoring to a Different Drive?

Your new disk will have a different LUKS UUID than your old one. The restored system still points to the old UUID in /etc/crypttab, which means it won’t boot unless you update it.

Step 1: Find the Correct Partition

lsblk

Look for your new encrypted LUKS partition, like /dev/sda5 or /dev/nvme0n1p3.

Step 2: Get the New UUID

Replace sdX with the correct device name:

sudo cryptsetup luksUUID /dev/sdX

Step 3: Update crypttab

Mount your restored system:

sudo cryptsetup luksOpen /dev/sdX mycrypt

sudo vgchange -ay

sudo mount /dev/mapper/<your-root-volume> /mnt

Edit the crypttab file:

sudo nano /mnt/etc/crypttab

Replace the old UUID with the new one from step 2.

Step 4: Update GRUB

sudo mount --bind /dev /mnt/dev

sudo mount --bind /proc /mnt/proc

sudo mount --bind /sys /mnt/sys

sudo chroot /mnt

update-grub

exit

All Done — Reboot!

My friend needed a similar solution, but needed to sync the backup files to an S3 bucket.

For this solution we will modify this guide, provided by Contabo

This guide is actually awesome, and you should read it. We will be changing some things, since we are backing up from the YunoHost core, and not the entire filesystem.

First of all, we need to set up automatic backups of your YunoHost VPS:

sudo crontab -e

Add this line, save and exit:

11 0 * * * yunohost backup create

This will create a full backup each night. If you want a different solution, please see the official YunoHost documentation

To install rclone enter:

sudo apt update && sudo apt install rclone -y

To configure Rclone with your S3 credentials please see this guide

To automate rclone we will make a script.

Either choose to copy the backups to the S3 bucket each night, keeping the files on your YunoHost VPS:

/usr/bin/rclone sync -P --update --verbose --transfers 30 --log-file=/var/log/upload.log "/home/yunohost.backup/archives/" "eu2:backup/"

Or move the files to S3, deleting them from the YunoHost VPS after the upload:

/usr/bin/rclone move -P --update --verbose --transfers 30 --log-file=/var/log/upload.log "/home/yunohost.backup/archives/" "eu2:backup/"

Make a file with one of the above commands, save it as rclone.sh and voila you have a script.

Make the script executable by entering:

sudo chmod +x /path/to/rclone.sh

To make the script run every night we need to create a cronjob:

sudo crontab -e

Paste in this line at the bottom, save and exit:

0 2 * * * /path/to/rclone.sh

If you chose to copy rather than to move your backup files to your S3 bucket, you might end up filling your precious drives rather quickly.

Consider using move if you do not want to keep any backups on your YunoHost VPS.

If you want to keep some backups on the VPS, consider using copy and follow the steps, in the last part of my previous post, to delete backups older than 'x' days

I started by creating an ECDSA key pair of 384 bits, with this command:

ssh-keygen -t ecdsa -b 384

Then i sent it to the YunoHost VPS with this command:

ssh-copy-id -i ~/.ssh/your-key-name.pub 'username'@'host-domain'

Then i created a cronjob that will sync two directories, over SSH, using rsync.

To do this, you first have to create a cronjob with this command:

sudo crontab -e

Then modify and paste this line into the crontab, save and exit:

11 1 * * * rsync -avz -e "ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" 'username'@'host-domain':/home/yunohost.backup/archives/ /home/'username'/archives/

For your information:

-avz Archive mode for preserving metadata, verbosity for detailed feedback, and compression for efficient transmission.

-e Specifies the remote shell to use, in this case, SSH.

-o StrictHostKeyChecking=no Tells SSH not to bother checking if it has connected to the same host before.

-o UserKnownHostsFile=/dev/null This says, “Hey SSH, don't bother looking for known hosts in the usual place/known_hosts, we already know what's good”

Now, the remote storage VPS looks for new backups to download, everyday at 01:11

On your YunoHost VPS, you have to add a cronjob, creating backups every night, around midnight. Same procedure as last time:

sudo crontab -e

Add this line, save and exit:

11 0 * * * yunohost backup create

With this method, the YunoHost VPS backs up everything, and syncs to remote storage, everyday around midnight.

Rsync will not delete any backups from remote storage, in case they get deleted on the YunoHost VPS. (This way, if anything bad happens to the YunoHost VPS, or the yunohost.backups directory, you won't lose the backup files on the remote storage VPS next time it syncs)

This does mean, that you will have to delete backups, both on the YunoHost VPS and the remote storage VPS, as they become outdated to preserve precious space on your drives.

See the official YunoHost documentation if you want a different solution

How to automatically delete outdated backups.

I made a script that looks for any file older than 7 days, then removes it.

Please change the 'backup dir' path, and the 'days to keep value' to suit your needs!

https://raw.githubusercontent.com/tr00ls/tr00ls/main/cleanup_backups.sh

One-liner to download the script and make it executable:

wget https://raw.githubusercontent.com/tr00ls/tr00ls/main/cleanup_backups.sh && sudo chmod +x cleanup_backups.sh

To add a cronjob running this script every night at 02:00 enter:

sudo crontab -e

Then modify and paste in the following line, save and exit:

0 2 * * * /path/to/cleanup_backups.sh

sudo echo "deb http://http.kali.org/kali kali-rolling main non-free contrib" >> /etc/apt/sources.list

sudo echo "deb-src http://http.kali.org/kali kali-rolling main non-free contrib">> /etc/apt/sources.list

sudo wget https://archive.kali.org/archive-key.asc -O /etc/apt/trusted.gpg.d/kali-archive-keyring.asc

sudo apt update

When you loose track of what t00ls you have installed, use this command:

comm -23 <(apt-mark showmanual | sort -u) <(gzip -dc /var/log/installer/initial-status.gz | sed -n 's/^Package: //p' | sort -u)

Get it here: https://raw.githubusercontent.com/tr00ls/tr00ls/main/zsh-script.sh

wget https://raw.githubusercontent.com/tr00ls/tr00ls/main/zsh-script.sh && sudo chmod +x zsh-script.sh

sudo ./zsh-script.sh

To install zsh, open your terminal and enter:

sudo apt update && sudo apt install zsh -y

To make zsh your default shell enter:

sudo chshs -s /usr/bin/zsh

We need git for these next steps, so if you haven't already, please install git by entering:

sudo apt install git -y

Now let's get those Fish-like Autosuggestions:

git clone https://github.com/zsh-users/zsh-autosuggestions ~/.zsh/zsh-autosuggestions

sudo echo "source ~/.zsh/zsh-autosuggestions/zsh-autosuggestions.zsh" >> ~/.zshrc

Next let's get Syntax Highlighting

cd ~/.zsh && git clone https://github.com/zsh-users/zsh-syntax-highlighting.git

sudo echo "source ~/.zsh/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh" >> ~/.zshrc

Now this could be it – you could close your terminal, log out or reboot to finalize – but if you want even more pretty, i suggest you add a custom .zshrc file

You could add the one from Kali Linux

Or the one i use

Before we do anything though we should backup your current .zshrc:

cp ~/.zshrc ~/.zshrc.bak

Whichever .zshrc you choose, simply fill your .zshrc with the new custom content.

To do that open your current .zshrc in a text editor (GUI or CLI) and replace the contents with one of the above choices – or even make/modify one on your own!

To finalize all of this enter:

source ~/.zsh/zsh-autosuggestions/zsh-autosuggestions.zsh

source ~/.zsh/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh

Then close your terminal, log out or reboot and enjoy