Software:
- firewall: no inbound, and do outbound restrictions
- use an immutable OS
- full disk encryption (keep in mind that in many setups you will need to be beside the computer after restart)
Hardware:
- put it in a trusted datacenter (home stuff is not safe from teenagers and people that need the computer's electrical socket for a vacuum cleaner)
Don't know where you are getting this. Nixpkgs is a breeze to manage compared to an apt repo. Also, it does not matter if you are on a NixOS or non-NixOS system; the only difference is that Nix does not take care of services on its own. What kind of docs do you miss? Nix has its own extensive Nix docs page, and for packaging you also have the Nixpkgs documentation page - also official and not much related to NixOS itself. Also, Nix has quite good man pages.