My baseline is a public VPS with Pangolin/Crowdsec installed. I have authentik as a login system. Pangolin let’s me put authentik in front of any service so they have to log in hit before the service in question. Helps give a bit of peace of mind with the services which themselves might not be security focused. Also, these pangolin routes are able to block anything outside my country by rules, so that trims a good portion of attacks as well.

Some things don’t like that authentik layer in front though. Audiobookshelf’s phone app for example cant handle it. For that, I route those domains through cloudflare tunnels. Their tunnels do a good job blocking lots of attacks, so not having authentik in front is more acceptable.

But then there’s jellyfin that doesnt want to be on cloudflare tunnels and doesnt want authentik in front. For that, I just have it on my pangolin side with only crowdsec helping. Not ideal, but best I can do without making my grandma install a VPN on a raspberry pi in so her TV can connect or some shit.

And lastly, I have some private services like forgejo that don’t like authentik in front and only I myself care about. I tailscale to those rather than exposing sometimes.

Only other thing I think I need to add sometime is some VLAN separations?

I was pondering the same for last couple of days and had some thoughts on how to make it feasible. My research led me so far to 2 prerequisites:

1. must have Anubis in front
2. must have a WAF solution in place that covers at least OWASP Top 10

I found pretty good Caddy documentation that covers both, so I think I’ll deploy a secondary Caddy reverse proxy that’ll perform such ops for public facing services.

Of course, I currently have only 1 Caddy instance reverse proxy ing my internal services, haven’t reached the part on traffic handling when my devices are connected to the “safe network” (aka my home LAN)

I run my server on the internet, and my security is crowdsec + geo ip block (well, white-list my country’s ip but same idea) and authelia.

Using this setup, I barely ever have even bots randomly pingig me, let alone anyone trying to access my NAS.

Have you considered Cloudflare Tunnels/Zero Trust. When you use Cloudflare Tunnels/Zero Trust, you don’t need to fiddle with NAT, open any ports, in fact you don’t need any open ports. You just install Cloudflare Tunnels/Zero Trust on your server, connect to your Cloudflare Tunnels/Zero Trust account, and Cloudflare does the rest. To deploy Cloudflare Tunnels/Zero Trust you will need a domain name. Cloudflare will sell you a domain name but I think most get something cheap from NamesCheap or Pork Bun. When you have secured a domain name, switch the nameservers to the ones that Cloudflare assigns you. Jacks a doughnut, Bob’s your uncle.

ETA: Obviously you’ll need port 22 for administration.

sudo ufw default deny incoming

sudo ufw default allow outgoing