I’m iterating again on my lab setup and moving a few apps that I expose externally to their own VM so I can lock that sucker down even further. Right now I have a few different servers with podman/docker containers grouped by application type. e.g. critical apps: foregjo, nextcloud, vaultwarden. My arr stack. Media consumption. Knowledge & tracking apps, and general apps.
I eventually intend to throw the external apps into a DMZ VM but my network isn’t setup to do that right now, so instead I’m getting them set up on their own host and will lock down the firewall to only allow it to communicate with my reverse proxy and nothing else.
It’s been fun reworking my Ansible playbooks to do all my server provisioning (still need to figure out Terraform) along with running app installs and updates automatically at the press a button. Working with firewall rules via Ansible was a bit of a headache at first but now I’m in a really good spot.
I’m also testing out linkwarden and hoarder to finally replace what I lost with Omnivore a while ago.
I’ll throw in another recommendation for Caddy. I’ve been using it for years and the few problems/feature suggestions I had got implemented by the developers pretty quickly. They’re super active on their forums and I haven’t yet run into an issue where I couldn’t either figure it out myself or with help from their community forums (usually from a dev.) They’re very friendly and won’t berate you for simple mistakes like other devs.