Recent comments on posts in the blog:

network.http.referer.XOriginPolicy settings
I set both network.http.referer.XOriginPolicy and network.http.referer.XOriginTrimmingPolicy to 2, I'm not sure it's the combination you recommend. I encounter only one break with the login of bmo.com online banking.
Comment by Francois Diebolt
use the deploy renewal hook for certbot
I agree with Steve Kemp's comment, and additionally you can use the 'deploy' renewal hook to copy the newly generated files to the asterisk location. That renewal hook is only executed if certbot has succesfully renewed the certificate.
Comment by Vincent
Solution for: "cryptsetup: ERROR: Couldn't find sysfs directory for 253:2"

This is a superb guide, thanks!

I had an additional problem and while running "update-initramfs -c -k all" I got the following error:

cryptsetup: ERROR: Couldn't find sysfs directory for 253:2

Google couldn't answer anything about this error, but I finally figured it out - you just need to mount the sysfs (just like you mounted /proc and /dev). So just run this command:

mount -t sysfs sysfs /mnt/sys

Now when you run update-initramfs again the error should be gone and you can boot to your Linux again!

Comment by Rene
LVM missing
My case was similar, but I had an additional issue. On my Ubuntu machine /usr/share/initramfs-tools/hooks/lvm2 was not set as executable. This caused it to be skipped when initramfs was built, leaving me with an initramfs without LVM. After making the file executable (chmod +x) and rebuilding initramfs, the system was bootable again.
Comment by Morgan
Re: Debian for RaspberryPi

Why did you install Raspbian, and not the pure Debian build for arm64? https://raspi.debian.net/

Interesting. I was not aware there were images for stock Debian.

Comment by francois
Re: The "pi" user

This may be a stupid question, but why don't you remove the "pi" user altogether?

That's a fair question. The primary reason is that I would need to customize more things since that user is already setup for everything to just work.

Once it's de-fanged (no sudo access, no ssh access, random password), it's probably not very dangerous.

Comment by francois