
Pete90

@Pete90@feddit.de


Pete90 OP , to Selfhosted in Feedback on Network Design and Proxmox VM Isolation

Sounds like I'll do just that, thanks. Should I move all public facing services to that DMZ or is it enough to just isolate Traefik?

Pete90 OP , to Selfhosted in Feedback on Network Design and Proxmox VM Isolation

Only Nextcloud is externally available so far; maybe I'll add Vaultwarden in the future.

I would like to use a VPN, but my family is not tech literate enough for this to work reliably.

I want to protect these public facing services by using an isolated Traefik instance in conjunction with Cloudflare and Crowdsec.

Pete90 OP , to Selfhosted in Feedback on Network Design and Proxmox VM Isolation

Thank you so much for your kind words, very encouraging. I like to do some research along my tinkering, and I like to challenge myself. I don't even work in the field, but I find it fascinating.

The ZTA is/was basically what I was aiming for. With all those replies, I'm not so sure if it is really needed. I have a NAS with my private files, a Nextcloud with the same. The only really critical thing will be my Vaultwarden instance, to which I want to migrate from my current KeePass setup.
And this got me thinking about how to secure things properly.

I mostly found it easy to learn things when it comes to networking if I disable all traffic and then watch the OPNsense logs. Oh, my PC uses this and this port to print on this interface. Cool, I'll add that. My server needs access to the SMB port on my NAS, added. I followed this logic through, which in total got me around 25-30 firewall rules making heavy use of aliases and a handful of floating rules.

My goal is to have the control for my networking on my OPNsense box. There, I can easily log in, watch the live log and figure out what to allow and what not. And it's damn satisfying to see things being blocked. No more unknown probes on my Nextcloud instance (or much reduced).

The question I still haven't answered to my satisfaction is whether I build a strict ZTA or fall back to a more relaxed approach like you outlined with your VMs. You seem knowledgeable. What would you do for a basic homelab setup (Nextcloud, Jellyfin, Vaultwarden and such)?
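The workflow Pete90 describes above (block everything, then read the OPNsense live log and add an allow rule for each flow that turns out to be needed) can be partly automated. The script below is an added example and not code from the thread or from OPNsense; it assumes the pfSense/OPNsense filterlog CSV field order listed in its comments (check it against your own log lines) and runs on constructed sample lines embedded in the block. It counts blocked flows per (interface, protocol, source, destination, port), turns repeated internal-to-internal flows into candidate allow rules, and keeps hits from non-RFC1918 sources separate, since those are the internet probes one wants to keep blocking rather than accidentally whitelist.

```python
"""Summarise blocked flows from OPNsense filterlog lines into candidate allow rules.

Assumption: the CSV payload after "filterlog[pid]:" follows the pfSense/OPNsense
filterlog layout for IPv4 (index: field):
  0 rulenr, 1 subrulenr, 2 anchor, 3 label, 4 interface, 5 reason, 6 action,
  7 direction, 8 ipversion, 9 tos, 10 ecn, 11 ttl, 12 id, 13 offset, 14 flags,
  15 proto_id, 16 proto, 17 length, 18 src, 19 dst, 20 srcport, 21 dstport, ...
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample lines (not real captured logs): a LAN PC hitting SMB on the NAS
# three times, a print job, a DNS query, one SSH probe from the internet on the WAN
# interface, one already-passed flow, and one unrelated sshd line.
SAMPLE_LOG = """\
Jun  1 12:00:01 opnsense filterlog[4321]: 5,,,0,igc1,match,block,in,4,0x0,,64,1001,0,DF,6,tcp,60,192.168.10.20,192.168.20.5,51234,445,0,S,1:1,,,
Jun  1 12:00:02 opnsense filterlog[4321]: 5,,,0,igc1,match,block,in,4,0x0,,64,1002,0,DF,6,tcp,60,192.168.10.20,192.168.20.5,51235,445,0,S,1:1,,,
Jun  1 12:00:03 opnsense filterlog[4321]: 5,,,0,igc1,match,block,in,4,0x0,,64,1003,0,DF,6,tcp,60,192.168.10.20,192.168.20.5,51236,445,0,S,1:1,,,
Jun  1 12:00:04 opnsense filterlog[4321]: 5,,,0,igc1,match,block,in,4,0x0,,64,1004,0,DF,6,tcp,60,192.168.10.20,192.168.10.50,51237,9100,0,S,1:1,,,
Jun  1 12:00:05 opnsense filterlog[4321]: 5,,,0,igc1,match,block,in,4,0x0,,64,1005,0,none,17,udp,62,192.168.10.20,192.168.10.1,40001,53,42
Jun  1 12:00:06 opnsense filterlog[4321]: 5,,,0,igc0,match,block,in,4,0x0,,52,2001,0,none,6,tcp,60,203.0.113.7,198.51.100.10,55555,22,0,S,1:1,,,
Jun  1 12:00:07 opnsense filterlog[4321]: 7,,,0,igc1,match,pass,in,4,0x0,,64,1006,0,DF,6,tcp,60,192.168.10.20,192.168.20.10,51238,443,0,S,1:1,,,
Jun  1 12:00:08 opnsense sshd[999]: Accepted publickey for root from 192.168.10.20 port 50000 ssh2
"""

# RFC 1918 ranges listed explicitly: ipaddress's is_private also treats the
# documentation ranges (TEST-NET) as private, which would misclassify probes.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FlowKey = Tuple[str, str, str, str, Optional[int]]  # (interface, proto, src, dst, dport)


@dataclass(frozen=True)
class Flow:
    interface: str
    action: str
    direction: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_filterlog(line: str) -> Optional[Flow]:
    """Return the Flow described by one filterlog syslog line, or None for other lines."""
    if "filterlog[" not in line or "]: " not in line:
        return None
    fields = line.split("]: ", 1)[1].split(",")
    if len(fields) < 20 or fields[8] != "4":  # only the IPv4 layout is handled here
        return None
    proto = fields[16]
    dport = int(fields[21]) if proto in ("tcp", "udp") and len(fields) > 21 and fields[21] else None
    return Flow(fields[4], fields[6], fields[7], proto, fields[18], fields[19], dport)


def blocked_flows(lines: Iterable[str]) -> Counter:
    """Count blocked flows by (interface, proto, src, dst, dport); passed flows are ignored."""
    counts: Counter = Counter()
    for line in lines:
        flow = parse_filterlog(line)
        if flow is None or flow.action != "block":
            continue
        counts[(flow.interface, flow.proto, flow.src, flow.dst, flow.dport)] += 1
    return counts


def suggest_rules(counts: Counter, min_hits: int = 1) -> Tuple[List[str], List[tuple]]:
    """Split blocked flows into candidate allow rules (internal source, seen at least
    min_hits times) and probes from public addresses that should stay blocked.
    Candidate rules are written in pf-like notation as a description only; in OPNsense
    you would create the equivalent rule (ideally with aliases) in the GUI."""
    candidates, probes = [], []
    for (iface, proto, src, dst, dport), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        if not is_internal(src):
            probes.append((iface, proto, src, dst, dport, n))
            continue
        if n < min_hits:
            continue
        candidates.append(f"pass in on {iface} proto {proto} from {src} to {dst} port {dport}  # {n} hits")
    return candidates, probes


if __name__ == "__main__":
    rules, probes = suggest_rules(blocked_flows(SAMPLE_LOG.splitlines()), min_hits=2)
    print("candidate allow rules:", *rules, sep="\n  ")
    print("probes to keep blocking:", *probes, sep="\n  ")
```

Feed it an exported firewall log instead of `SAMPLE_LOG` and raise `min_hits` once the obvious rules are in place; a flow that shows up once from an internal host is usually worth a look in the live log before it gets its own rule, and anything in the probe list is exactly the traffic the default-deny policy exists to drop.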

Pete90 OP , to Selfhosted in ZFS: Should I use NAS or Enterprise/Datacenter SSDs?

Thank you so much for this explanation. I am just a beginner, so those horror stories did scare me a bit. I also read that you can fine-tune ZFS to prevent write amplification, so I'll read into that subject a bit more.

I thought ZFS without redundancy gave no benefits, but I must have gotten that wrong. Thanks again!
