I am sorry, but a GDPR compliant server does not exist.
It sure helps on the transport side of things if Nethserver is as secure as possible, but this will mainly aid in getting 27001 compliant when the GDPR applies to you.
The GDPR is just a set of rules demanding privacy by default. It identifies Personal Information in such a way that everything directly linked to a person is it. It then demands that one has rules and regulations in place on who can handle that PI and when, and for what exact purpose. Any other use is prohibited and leads to a data breach that you are required to report.
Other than that, it demands that people can be forgotten. This requires pseudonymisation of log files and something like a checkmark to add to an account that will irreversibly erase the personal data and have the pseudonym return John Doe.
It also demands that all data present on the system be exportable in an easy-to-carry format, as well as it being requestable by the person.
If you guys are gonna make it so that this works throughout the distribution, you can claim it is compliant, and you’d be insane
In reality, GDPR requires companies to limit access to PI to a ‘need-to-handle’ basis, and be able to erase data, including data in log files, and upon restore of old backups. It also requires a complete audit trail of who had what access to what PI at what time and why that was warranted. Most of this is procedures and access-rights related stuff, and hardly applies to server installations beyond the requirement to be able to transport using secure means. That alone does not make it compliant though.
Edit: Strictly, when an employee leaves and uses these rights, we need to erase all PI on them as well, and that will be a major PITA on every server distribution there is, forcing companies to either not log stuff that could possibly contain PI, or say ‘f*** it, let’s see what happens in court when it gets to that’.
Also, when you are required by law to have records, that in and of itself is enough reason to not comply with a request to be forgotten. Think medical data, or employee data.