Is the code good? Are you prepared to make any potential fork viable and useful in ways that Lemmy isn’t so people have a tangible, non-ideological reason to choose your software over Lemmy? Do you have a long term goal for funding and maintaining a fork?
That said, Piefed is already a thing, and it federates with Lemmy. It’s where I’m commenting from right now. It has a better on boarding process and does a better job surfacing things I care about.
Systemd has all sorts of options. If a service has certain sandbox settings applied such as private /tmp, private /proc, restricting access to certain folders or devices, restricting available system calls or whatever, then systemd creates a chroot in /proc/PID for that process with all your settings applied and the process runs inside that chroot.
I’ve found it a little easier than managing a full blown container or VM, at least for the things I host for myself.
If a piece of software provides its own service file that isn’t as restricted as you’d like, you can use systemctl edit to add additional options of your choosing to a “drop-in” file that gets loaded and applied at runtime so you don’t have to worry about a package update overwriting any changes you make.
And you can even get ideas for settings to apply to a service to increase security with:
systemd-analyze security SERVICENAME
I just host everything on bare metal and use systemd to lock down/containerize things as necessary, even adding my own custom drop-ins for software that ships its own systemd service file. SystemD is way more powerful than people often realize.
I literally have clothes hanging on a line across the living room because our just out of warranty $1,000+ Samsung “smart dryer” died again a month after I replaced every sensor and the heating element, and I just don’t feel like taking it apart again to “maybe” find the problem.
Before this we just had a plain white box from Maytag; easy to work on, cheap replacement parts. It was probably 30 years old when the motor seized and my wife asked for newer, fancier machines. Big mistake.
I got my mom on Bitwarden because I figured it would be easier for her than KeePass (which is what I use synced to my Nextcloud) and it turns out Bitwarden does the same thing. If you want to create “custom” attributes for an entry like your security questions, attach a screenshot, etc., you have to either pay or self-host.