
Very cool! Since this is all exposed to the internet, how do you keep it secure? I’ve got a spare laptop and a static IP, but I’m concerned about exposing my home server to attacks. Right now I’ve just got it all running in Tailscale, but I’d like to safely host public-facing apps too.



I religiously keep everything up to date. For anything exposed to the public I use HTTPS (Traefik does Let's Encrypt, Caddy as well) and set 2FA for Nextcloud, for example; there is also a brute-force protection app for NC.

Some services, like HA, my Minecraft servers, Paperless, in fact most of them, I would indeed feel less comfortable exposing, and I don't. But Nextcloud I also use to share large files with friends, so it needs to be internet facing, as do the blogs; but Hugo generates static sites, so that is quite secure (like the earlier mentioned blog).


Thank you for the explanation! It sounds like a pretty solid system.


One extra layer I put on my externally facing sites is a simple auth prompt (after redirect to HTTPS!) as an unlikely-to-have-a-compromise gate before any logon for a self-hosted service. You can make it a fairly easy-to-remember username/password for anyone you want to share your self-hosted apps with, since it's a mostly irrelevant extra step just to guard against exploits in more complicated software stacks.


I started using Traefik as my load balancer, which supports authentication middleware. I rigged up Keycloak and forward-auth to handle external services that either do not support authentication or have a weak security profile. A poor man's zero trust setup.

Here is the blog I used to get things started: https://geek-cookbook.funkypenguin.co.nz/docker-swarm/traefi...
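The two layers described in the comments above (a basic-auth prompt reached only after an HTTPS redirect, and Keycloak-backed forward-auth for apps with weak or no login of their own) in one Traefik v2 dynamic configuration. This is an added example for the file provider, not code from either commenter or from the linked blog; it assumes the static config already defines entryPoints `web` (:80) and `websecure` (:443) and an ACME resolver named `letsencrypt`, and the hostnames, backend URLs and the forward-auth address are placeholders.

```yaml
# Added example (not from the thread): Traefik v2 dynamic configuration, file provider.
# Assumes static config defines entryPoints "web" (:80) and "websecure" (:443)
# and an ACME certificate resolver named "letsencrypt". Hostnames, service URLs
# and the forward-auth address are placeholders.
http:
  routers:
    # Plain HTTP exists only to bounce clients to HTTPS, so the gate credentials
    # are never sent in the clear.
    redirect-all:
      rule: "HostRegexp(`{any:.+}`)"
      entryPoints: ["web"]
      middlewares: ["to-https"]
      service: "noop@internal"

    # App with its own (complex) login: put the simple gate in front of it.
    nextcloud:
      rule: "Host(`cloud.example.com`)"
      entryPoints: ["websecure"]
      tls:
        certResolver: letsencrypt
      middlewares: ["front-gate"]
      service: nextcloud

    # App with weak or no login of its own: Keycloak via forward-auth.
    paperless:
      rule: "Host(`docs.example.com`)"
      entryPoints: ["websecure"]
      tls:
        certResolver: letsencrypt
      middlewares: ["keycloak-gate"]
      service: paperless

  middlewares:
    to-https:
      redirectScheme:
        scheme: https
        permanent: true

    # The "simple auth prompt": HTTP basic auth verified by Traefik itself,
    # before the request ever reaches the application.
    # Generate the users entry with:  htpasswd -nB gate
    front-gate:
      basicAuth:
        realm: "gate"
        users:
          - "gate:$2y$05$REPLACE_WITH_HTPASSWD_OUTPUT"   # placeholder hash
        # Strip the Authorization header so the app never sees the gate
        # credentials and does not try to log in with them.
        removeHeader: true

    # Forward-auth: each request is first sent to the auth proxy; a 2xx
    # answer lets it through, anything else is returned to the client.
    keycloak-gate:
      forwardAuth:
        address: "http://traefik-forward-auth:4181"
        trustForwardHeader: true
        authResponseHeaders: ["X-Forwarded-User"]

  services:
    nextcloud:
      loadBalancer:
        servers:
          - url: "http://nextcloud:80"
    paperless:
      loadBalancer:
        servers:
          - url: "http://paperless:8000"
```

Two practical caveats: a host-wide basic-auth gate also sits in front of Nextcloud's public share links and sync clients, so either share the gate credentials with those users (as the commenter does) or route the share paths through a separate router without the middleware; and the forward-auth container only protects what is routed through Traefik, so the backend ports must not be published directly on the host.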


Neat! Thanks for the tip. I might integrate this in some of my auth, but I'll probably keep using simple auth at the very front due to its old age and absolute simplicity making exploits unlikely.


In addition to the other comment, look into fail2ban: it's a brute-force protection that isn't application-specific; it can be configured to protect from brute force any service that logs login attempts somewhere.
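As an added example of the "any service that logs login attempts" point, here is a fail2ban filter and jail for rejected requests at a reverse-proxy auth gate. It is not from the commenter; it assumes Traefik writes an access log in Common Log Format to `/var/log/traefik/access.log`, that Traefik runs in Docker (hence the `DOCKER-USER` chain), and the sample log line in the comment is constructed.

```ini
# Added example, not from the thread. Two files for fail2ban:
#   /etc/fail2ban/filter.d/traefik-gate.conf   (what a failure looks like)
#   /etc/fail2ban/jail.d/traefik-gate.local    (when and how to ban)
# Assumes Traefik writes a Common Log Format access log. Constructed sample
# line the filter matches (client IP and the 401 status are what matter):
#   203.0.113.7 - gate [05/Feb/2024:21:14:03 +0000] "GET /login HTTP/2.0" 401 17 "-" "Mozilla/5.0" 42 "nextcloud@file" "http://nextcloud:80" 1ms

# --- /etc/fail2ban/filter.d/traefik-gate.conf ---
[Definition]
# <HOST> is fail2ban's placeholder for the client address at the start of the
# line; the bracketed timestamp is handled by fail2ban's date detection, so
# ".*" is used rather than matching it explicitly.
failregex = ^<HOST> - \S+ .*"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS) [^"]*" 401 \d+
ignoreregex =

# --- /etc/fail2ban/jail.d/traefik-gate.local ---
[traefik-gate]
enabled   = true
filter    = traefik-gate
logpath   = /var/log/traefik/access.log
port      = http,https
# 5 rejected requests from one address within 10 minutes -> banned for 1 hour
maxretry  = 5
findtime  = 10m
bantime   = 1h
# Traefik in Docker: inbound traffic is forwarded to the container and never
# traverses INPUT, so ban in DOCKER-USER instead. Drop these two lines if
# Traefik runs directly on the host.
banaction = iptables-allports
chain     = DOCKER-USER
```

Check the filter against the real log before enabling the jail with `fail2ban-regex /var/log/traefik/access.log /etc/fail2ban/filter.d/traefik-gate.conf`. The address captured by `<HOST>` must be the actual client: if a CDN or another proxy sits in front of Traefik, the log's first field is that proxy's address and the jail would ban it rather than the attacker, so the log format would need to record the forwarded client address instead.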


