Everything critical is on lan (docs, passwords, media), everything else is on vps (gameserver, fediverse, websites). I dont mix these as I absolutely dont want to deal with a breakin. I assume they will get in so I airgap them more or less.
Nothing is exposed. There are things I want exposed, but I don't want to keep security patches up to date, even if there is a zero day. I'm looking for someone trustworthy to hire for things that it would be useful to expose, but they are hard to find.
Unlike most here, I'm not as concerned with opening things up. The two general guidelines I use are 1. Is it built by a big organization with intent to be exposed, and 2. What's the risk if someone gets in.
All my stuff is in docker, so compartmentalized with little risk of breaking out of the container. Each is on it's own docker network to the reverse proxy, so no cross-container communication unless part of the same stack.
So following my rules, I expose things like Nextcloud and Mediawiki, and I would never expose Paperless which has identity documents (access remotely via Tailscale).
I have many low-risk services I expose on demand. E.g. when going away for a weekend, I might expose FreshRSS so I can access the feed, but I'd remove it once I got home.
I've never known a reason to expose the docker socket to Nextcloud. It's certainly not required, I've run Nextcloud for years without ever granting it socket access.
Most of the things on that linked page seem to be for Docker rather than Nextcloud, and relate to non-standard configuration. As someone who is not a political target, I'd be pretty happy that following Nextcloud's setup guide and hardening guide is enough.
I also didn't mention it, but I geoblock access from outside my country as a general rule.
I was looking into setting up Nextcloud recently and the default directions suggest exposing the socket. That's crazy. I checked again just now. I see it is still possible to set it up without socket access, but that set of instructions isn't as prominent.
I linked to Docker in specific because if Nextcloud has access to the socket, and hackers find some automated exploit, they could easily escalate out of the Docker container. It sounds like you have it more correctly isolated.
Was it Nextcloud or Nextcloud All in One? I've just realised that the Nextcloud docker image I use is maintained by Docker, not Nextcloud. It's this one: https://hub.docker.com/_/nextcloud/
I use Docker-compose and even the examples there don't have any socket access.
The all in one image apparently uses Traefik, which seems weird to use an auto configuring reverse proxy for an all in one image where you know the lay of the land. Traefik requires access to the docker socket for auto configuration. But you can proxy the requests to limit access to only what it needs if you really want to use it.
What I was looking at was the All in One, yes. I didn't realize there was a separate maintained image, thank you! I'd much rather have a single image without access to the socket at all, I'll give that a shot sometime.
One warning: in my experience, you can not jump two major versions. Not just it won't work, but that if you try it everything will break beyond repair and you'll be restoring from a backup.
Two major versions can sometimes be a matter of a few months apart, so make sure you have a regular update schedule!
(Also, people say never update to a X.0 release, the first version of a major release often has major bugs).
TL;DR don't take too long to update to new releases, and don't update too quickly!
Also, the docker image is often a day or so behind the new release, soNextcloud tells you an update is available but often you then need to wait until the next day to get the updated docker image. I guess this is because (as I've just learnt) the image is built by Docker not Nextcloud.
Tailscale with the Funnel feature enabled should work for most ISPs, since it's setup via an outbound connection. Though maybe they're Super Cunts and block that too.
Funnily enough it’s exactly the opposite way of where the corporate world is going, where the LAN is no longer seen as a fortress and most services are available publically but behind 2FA.
Oh right. The last three business I’ve worked in have all been fully public services; assume the intruder is already in the LAN, so don’t treat it like a barrier.
Not OP, but I just use ZeroTier for this since it's dead simple to setup and free. I'm sure there's some 100% self-hosted solutions, but it's worked for me without issue.
Sorry, haven't logged on in a bit. I use OPNSense on an old PC for my firewall with the wireguard packet installed.
Then use the wireguard client on my familys phones/laptops that is set to auto connect when NOT on my home wifi. That way media payback, adguard-home dns and everything acts as seamless as possible even when away while still keeping all ports blocked.
I keep everything behind a VPN so I don't have to worry much about opening things up to the Internet.
It's not necessary about the fact that you're probably fine but more so what the risk to you is if that device is compromised, ex: a NAS with important documents, or the idea that if that device is infected, what can that device access.
You could expose your media server and not worry too much about that device but having it in a "demilitarized zone", ensuring all your firewall rules are correct and that that service is always updated is more difficult than just one VPN that is designed to be secure from the ground up.
Each time I've read into self-hosting it often sounds like opening stuff up to the internet adds a bunch of complexity and potential headaches, but I'm not sure how much of it is practicality vs being excessively cautious.
Limiting the attack surface is a big part, geo restrictions, reputation lists, brute force mitigation, it all plays a role. Running a vulnerability scanner against your stuff is important to catch things before others do and regular patching is important too. It's can be a rewarding challenge.
Both Nessus and Nexpose are typically enterprise class systems but they have community licensing available for home labs. Nessus can even be set up in a docker container. OpenVAS is more or less free but can be upgraded with pro-feeds, but last I tried it it was a bit more rough to use.
Do be aware though that throwing a full force scan will use a lot of CPU and can break things depending on the settings, so it's good to practice their settings on some non-critical systems first to get a feel for them.