I'm in no way a person who runs some cluster on bare metal servers, but managing them is not any different than a cloud compute instance. The only extra thing you need is to have some monitoring for the SMART status of your drive.
> I am much more comfortable working on a compiler than setting up a server in a way that it doesn't get pwned
99% of the time all you need is to have a firewall up, password login off and unattended upgrades enabled. It will literally never get pwned then.
It can certainly be useful if you use anything with password auth or just want to avoid logs full of bots, but otherwise just change the default SSH port.
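An added example, not part of the thread above: a small Python audit of the three settings the comment names (firewall up, password login off, unattended upgrades enabled). It assumes a Debian/Ubuntu-style host using ufw and APT's `/etc/apt/apt.conf.d/20auto-upgrades`; the function names and sample inputs are constructed for illustration.

```python
import re

# Constructed sample inputs, not taken from a real host.
SSHD_CONFIG = """\
# constructed sample
Port 2222
PasswordAuthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""
APT_AUTO = 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n'
UFW_STATUS = "Status: active\n"  # first line of `ufw status` output

def password_login_findings(sshd_config: str) -> list[str]:
    """Report every scope in which sshd would still accept passwords."""
    ctx, seen, global_value, findings = None, set(), None, []
    for n, raw in enumerate(sshd_config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()                      # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            ctx = (n, value)                        # later keywords apply to this block only
        elif key == "passwordauthentication" and ctx not in seen:
            seen.add(ctx)                           # sshd keeps the first value per scope
            if ctx is None:
                global_value = value.lower()
            elif value.lower() == "yes":
                findings.append(f"line {n}: Match {ctx[1]} re-enables password login")
    if global_value != "no":                        # unset falls back to the default, yes
        findings.insert(0, "global PasswordAuthentication is not 'no'")
    return findings

def unattended_upgrades_enabled(apt_conf: str) -> bool:
    m = re.search(r'^\s*APT::Periodic::Unattended-Upgrade\s+"(\d+)"\s*;', apt_conf, re.M)
    return bool(m) and int(m.group(1)) > 0          # "0" disables the periodic run

def firewall_active(ufw_status: str) -> bool:
    return ufw_status.strip().splitlines()[:1] == ["Status: active"]

def audit(sshd_config: str, apt_conf: str, ufw_status: str) -> list[str]:
    issues = password_login_findings(sshd_config)
    if not unattended_upgrades_enabled(apt_conf):
        issues.append("unattended upgrades are not enabled")
    if not firewall_active(ufw_status):
        issues.append("ufw is not active")
    return issues

if __name__ == "__main__":
    for issue in audit(SSHD_CONFIG, APT_AUTO, UFW_STATUS):
        print("FAIL:", issue)
```

The parser does not follow `Include` directives, so feed it the main file and any included drop-in files concatenated in the order sshd reads them.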