It’s not always possible but it’s generally good practice to configure your applications to use external storage rather than file systems - MySQL/PostgreSQL for indexable data, and S3-clones like MinIO for blob storage.
One major reason for this is that these systems generally have data replication and fall over redundancy built-in. So you can have two or more physical servers, have an instance of each type of server on each, and have these stay synchronized. If one server goes down, the disks crash, or you need to upgrade, you can easily rebuild a set of redundant servers without downtime, and all you need to do is save the configurations (and take notes!)
Like I said, not always possible, but in general the more an application needs to store “user data”, the more likely it is it has the ability to use one of the above as a backend storage system. That will reduce, significantly, the amount of application servers that need to be backed up, and may reduce your need to consider using NFS etc to separate the data.
In all honesty, there’s nothing you can do with any VPS (or cloud - AWS, Azure, etc) provider to prevent them from accessing your server as you’re reliant on them to make sure there are no back doors in their images or hardware, and they have a vested interest (maintenance etc) in making sure they have at least some access. But it’s usually rare they do actually log in.
You can tighten up security a little bit by:
But those three still rely upon there being no back doors embedded deeper into the OS.
In the end, if it’s confidentiality you need, you’re better off setting the VPS up as a proxy to data that’s held on a server you have full control over (ie one that’s in your house), with no secrets kept on the VPS itself. That can be a tough one to set up and is beyond the scope of a simple Lemmy post…
Remember to log out of the console, as I’ve personal experience of seeing someone at Racknerd type commands into it (presumably by mistake but possibly because that’s SOP - this was shortly before they shut down the server claiming it was responsible for a networking issue after being hacked. Never found evidence it was hacked but Linux can glitch from time to time. So it’s possible they were taking advantage of the fact I was looking at the console at the time to see what the state of the machine was and then realized I was watching.)
Note I’m referring to the console here, not random ssh sessions. While there may be technical ways for them to hijack those, there’s not a lot of point in doing so, there are easier ways to gain access to VMs via, say, backdoor passwords.
I’m not directly familiar with either, but syncthing seems to be about backing up, so I’m not entirely surprised it’s file oriented, and jellyfin doesn’t look like it’s about user maintained content so much as being a server of content. So I’m not entirely surprised neither would support S3/Minio.
Yeah it took me a while to realize what S3 is intended to be too. But you’ll find “Blob storage” now a major part of most cloud providers, whether they support the S3 protocol (which is Amazon’s) or their own, and it’s to be used precisely the way we’re talking about: user data. Things clicked for me when I was reading the DoveCot manuals and found S3 was supported as a first class back-end storage system like maildir.
I’m old though, I’m used to this kind of thing being done (badly) by NFS et al…