
I use HAProxy on pfSense to expose a home media server (among other services) for friends to access. It runs on a privileged LXC (because NFS) but as an unprivileged user.

Is this reckless? Reading through all this makes me wonder if SSHFS (instead of NFS) with limited scope might be necessary.



That's a popular architecture, but I personally wouldn't run part of the application stack (HAProxy) on my network firewall, and would instead opt to move it to the media server.

Suppose you have the media server in its own VLAN/Subnet, chances are good that the firewall is instrumental in enforcing that security boundary. If any part of the layer-7 attack surface is running on the firewall... you probably get the idea.


Interesting, I never considered it part of the application stack. It routes a dozen or so separate services so it feels at home next to Wireguard, DHCP, and DNS.



