Why Not a Spare Machine?
I don't have one. And buying hardware for a learning project adds cost without adding much learning value. Cloud VMs teach the same skills — networking, firewalls, user management, service configuration — and they come with the added challenge of dealing with cloud-specific networking layers.
Oracle Cloud's Always Free Tier
OCI offers an ARM-based Ampere A1 instance on their permanently free tier. The specs are generous for a personal project: multiple OCPUs, plenty of RAM, ample block storage, and a large monthly outbound transfer allowance. It costs nothing, permanently. No trial period, no credit card surprises.
The ARM architecture means packages are aarch64 instead of x86_64. In practice, this rarely matters — almost everything in the Oracle Linux repos ships ARM builds. But it's worth knowing if you're compiling from source or pulling container images.
Why Oracle Linux?
Oracle Linux is a community-driven, RHEL-compatible distribution. It uses the same package manager (dnf), the same init system (systemd), the same SELinux policies, and the same directory conventions as Red Hat Enterprise Linux.
This matters because enterprise environments run RHEL, CentOS, or their derivatives. Learning on Ubuntu is fine, but the skills don't transfer one-to-one. File paths differ, service management has quirks, firewall tooling is different (ufw vs firewalld). Oracle Linux means the commands I practice here are the same ones I'd use in a production data center.
One Principle From Day One
When OCI offered to generate an SSH keypair during instance creation, I declined. I uploaded my own public key instead.
The reasoning: a private key should never exist on any machine other than mine. Not even briefly, not even encrypted in transit. If a third party generates it and sends it to you, you're trusting their infrastructure, their memory management, their cleanup processes. The only way to be certain no copy exists elsewhere is to generate it yourself and never let it leave your machine.
This is a small decision, but it reflects a principle that applies everywhere in this project: don't trust defaults, and don't delegate security decisions to convenience.
Note
When I started this project, the server ran Rocky Linux 9 on a paid OCI shape (VM.Standard.E5.Flex) that was quietly burning through trial credits. Rocky Linux isn't available as a platform image for OCI's Always Free ARM instances (VM.Standard.A1.Flex), so I migrated everything to Oracle Linux 9. Both are RHEL-based, so the transition was nearly seamless — same package manager, same SELinux, same systemd. The real lessons were in the migration itself: SELinux contexts don't survive cross-machine copies, and overwriting OCI's cloud-init sudoers file without checking what's already there locked me out of sudo entirely. That one cost me a GRUB recovery session through the OCI serial console.