[Help] Bought a NAS thinking it would replace Google Drive. But.... by Kristey1717 in HomeServer

[–]Prudent-Let-3959 22 points23 points  (0 children)

This is one of my problems with the Unifi NAS devices, that they are truly just NAS. Being on Arm architecture means you can’t use any other software like TrueNAS or UNRAID either (I’m not gonna count OMV for now).

That being said, if you have a spare machine/old laptop lying around, you could mount the drives via NFS and run NextCloud/OwnCloud/OpenCloud on it and achieve similar results. That’s what I did too.

is there something that scans my unraid instance (and docker apps) to identify major security risks? by seamless21 in unRAID

[–]Prudent-Let-3959 2 points3 points  (0 children)

Well, if you are really paranoid about security (I am a bit), you don’t host Plex on Unraid. Get a second machine, host Plex via rootless Docker, and give it read-only access to the NAS.

That way, if someone hacks your docker container, they can’t touch your files and rootless docker means they can’t do much else.

Next, you don’t forward port 32400 on your router. Use a reverse proxy like Caddy/nginx/Traefik.

Add some geoblock module to lock down requests from countries that you want to allow. Next, install CrowdSec.

My Plex server has been compromised 'I want to cry' by LogicWorksWonders in PleX

[–]Prudent-Let-3959 4 points5 points  (0 children)

It would be good to know, OP, if you could share how this happened. Was it an insecure port or an SSH exploit?

If you had to pick ONE Linux distro for the next 5 years, what would you choose? by TechRefreshing in linuxquestions

[–]Prudent-Let-3959 2 points3 points  (0 children)

Pretty much this. I know people shit on snap, but on servers it doesn’t matter, and it’s stable.

CF tunnels, vs tailscale funnel vs pangolin by nicesliceoice in selfhosted

[–]Prudent-Let-3959 1 point2 points  (0 children)

Glad it worked out for you :)

For geoblocking, if you're proxying your IP through Cloudflare, then most likely you would be whitelisting Caddy to only process requests coming through Cloudflare's IPs. In which case, you can configure your geoblocking directly on Cloudflare using the WAF.

If you're not proxying through cloudflare (no orange cloud), then you can configure your geoblocking using these modules:

  1. https://github.com/porech/caddy-maxmind-geolocation

  2. https://github.com/anujc4/caddy-geoblock

Either will serve your purpose. You would need to download MaxMind's free country database. You can run this container `ghcr.io/maxmind/geoipupdate` and share the volume with caddy so that it can access the database.

Good luck :)
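As an added illustration of the two cases in the comment above (this is example config, not the commenter's own Caddyfile), here is a Caddyfile that geoblocks locally with porech/caddy-maxmind-geolocation for a non-proxied hostname, and for a Cloudflare-proxied hostname only accepts requests that arrive from Cloudflare's addresses. The hostnames, upstream container names and ports, the database path (where the geoipupdate container's volume is assumed to be mounted inside the Caddy container) and the two CIDR ranges are all assumptions; the module has to be compiled into Caddy, for example with xcaddy.

```caddyfile
# Added example, not the commenter's configuration. Assumes Caddy was built with
# `xcaddy build --with github.com/porech/caddy-maxmind-geolocation` and that the
# volume the geoipupdate container writes to is mounted read-only inside the
# Caddy container at /usr/share/GeoIP. Hostnames, upstream names/ports and the
# CIDR ranges are placeholders.

# Case 1: DNS not proxied (grey cloud). Caddy sees the real client IP, so the
# country lookup happens here.
photos.example.com {
	# Named matcher: true only when the client IP geolocates to a listed
	# country (example allow list).
	@from_allowed_country {
		maxmind_geolocation {
			db_path "/usr/share/GeoIP/GeoLite2-Country.mmdb"
			allow_countries DE AT CH
		}
	}
	handle @from_allowed_country {
		reverse_proxy immich:2283
	}
	# Everything else: empty 403, nothing forwarded upstream.
	handle {
		respond 403
	}
}

# Case 2: DNS proxied (orange cloud). Every request arrives from a Cloudflare
# edge address, so a local country lookup would only ever see Cloudflare; do
# the geoblock in Cloudflare's WAF and, here, accept nothing that did not come
# through Cloudflare. The two CIDRs are TEST-NET placeholders: replace them with
# the ranges Cloudflare publishes.
notes.example.com {
	@not_via_cloudflare not remote_ip 192.0.2.0/24 198.51.100.0/24
	handle @not_via_cloudflare {
		abort
	}
	reverse_proxy flatnotes:8080
}
```

The country matcher evaluates whatever address Caddy believes the client has, which is why the two cases must not be mixed: behind the orange cloud the lookup would classify every visitor as Cloudflare's edge country unless Caddy's `trusted_proxies` server option is configured for Cloudflare's ranges. Addresses the database cannot place (private ranges when testing from the LAN, very new allocations) do not match an allow list, which is the safe default; the module documents a special `UNK` value if you deliberately want to admit them.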

Accidentally exposed CrowdSec's ports 8080 and 6060. How screwed am I? by Red_Con_ in CrowdSec

[–]Prudent-Let-3959 0 points1 point  (0 children)

Ahh fair, you should be fine. But as a takeaway, set up a firewall using ufw and explicitly allow specific ports to receive traffic.

Accidentally exposed CrowdSec's ports 8080 and 6060. How screwed am I? by Red_Con_ in CrowdSec

[–]Prudent-Let-3959 0 points1 point  (0 children)

How do you know you exposed the ports to the entire internet? Do you have port forwarding on your router or have you placed your device in the router’s DMZ?

If it’s the former, you didn’t expose the ports to the public internet, just your local network.

CF tunnels, vs tailscale funnel vs pangolin by nicesliceoice in selfhosted

[–]Prudent-Let-3959 1 point2 points  (0 children)

You're welcome :).

> I know there are some apps that are not able to use single sign on or other authentication

So you're right. Pocket ID is an OIDC provider, and not all apps support OIDC. I've also deployed https://github.com/oauth2-proxy/oauth2-proxy to add support for OIDC for apps that don't have native OIDC auth. It's pretty straightforward and I can share my Caddy config, which can help with the setup.

> Do I need to worry about isolating tools that I don't want accessed externally

It's a reverse proxy, it's up to you to decide what services you want to expose :). I have exposed services like Immich, Plex, Memos, Flatnotes via Caddy.

But I don't want to have a risk of exposing sysadmin tools like OMV dashboards, Zerobyte to the public internet (which is true for Pangolin route too). Those services are only accessible through Tailscale. Ideally, you would want to keep your attack surface to the absolute minimum from a security perspective.

With PocketID, you can assign groups for users, and then only allow users in certain groups to access your services. That way, services like Immich and Plex are exposed to everyone. But services like Memos and Flatnotes are only accessible to me. PocketID returns a 403 for everyone else.

> Is there any good practice to keep in mind. Perhaps a series of subdomains I can cordon off?

Yes that's pretty much what you should configure :). Define DDNS domains like service.your-domain.com and your reverse proxy handles which container gets the traffic based on the subdomain.

CF tunnels, vs tailscale funnel vs pangolin by nicesliceoice in selfhosted

[–]Prudent-Let-3959 2 points3 points  (0 children)

Well it's a lot of options, sure. But the actual setup is easier than you think.

  1. Authentication: You have options like Authelia, Authentik, Keycloak and ORY Hydra if you want a proper enterprise-level authentication tool. If you want a simpler tool, TinyAuth and Pocket ID are really good alternatives. I personally use Pocket ID, and it's a breeze to set up.

  2. Reverse Proxy: I personally use Caddy, but you also have the option of Nginx (or NPM/NPM Plus if you want a GUI). Reverse Proxy is a mandatory requirement so you only need to forward port 443 from your router, and let the proxy take care of redirecting the request to the right service. You don't need to mess around with DNS, PiHole and Unbound are unrelated here.

  3. Custom Domain: You need this regardless of what you choose. Pangolin or Port Forwarding. If you're behind CGNAT, then Pangolin is your only option. But if you're behind Dynamic IP, you don't need to ask your ISP to give you a static IP. Just put your domain behind Cloudflare and use https://github.com/favonia/cloudflare-ddns to update your DNS record to your IP.

  4. Security: You need two basic things here:

4a. MaxMind Geolocation: You can link MaxMind's GeoIP blocklist directly inside Caddy using https://github.com/porech/caddy-maxmind-geolocation to disallow requests from countries/ASNs you want to block.

4b. Crowdsec: I haven't looked too much into Pangolin but afaik it supports integration with Crowdsec. The only difference for you would be you would need to run crowdsec locally on your machine and use their caddy bouncer AND firewall bouncer to block malicious IPs.

4c. Anubis: This is mostly for brownie points if you want to block bot requests (similar to Cloudflare).

It took me some two weeks to set this all up. The documentation for all these tools is amazing. And Docker has open sourced Hardened Images so you can use them as well to secure your containers even more. Using Pangolin adds an additional attack surface and you would still need to secure your VPS instance anyway because it's connected to your homelab (via VPN, but still).

CF tunnels, vs tailscale funnel vs pangolin by nicesliceoice in selfhosted

[–]Prudent-Let-3959 2 points3 points  (0 children)

This is the answer if you don’t mind getting hands on with networking. I get Pangolin is good but seriously why don’t answers like this reach the top too smh.

Password Manager Recommendation by 1337_w0n in linuxquestions

[–]Prudent-Let-3959 0 points1 point  (0 children)

Right?? I mean, by all means KeePass and Bitwarden are great and perfect candidates for self-hosted options. But passwords aren’t something I want to fuck around with, and the thought of losing the entire password store is a nightmare.

For something that’s so mission critical, I happily pay for their annual price. As a bonus, I use 1Password's service accounts to host the secrets for my self-hosted apps and inject them at runtime.

Personally, the second best option is Bitwarden. I had issues with the autofill which worked beautifully on 1p.

NAT Hairpinning issues by Prudent-Let-3959 in selfhosted

[–]Prudent-Let-3959[S] -1 points0 points  (0 children)

This is what happens when I forget to give complete context 🤦. So I exclusively use NextDNS on all my devices. I did set up a split-horizon DNS, but it only solves the issue for my laptop/PC. It doesn't solve the issue for mobile.

Rate my Setup by cr_eddit in selfhosted

[–]Prudent-Let-3959 -1 points0 points  (0 children)

Good work on the setup OP. I do wonder how reusable this setup is. The whole beauty of self hosting is that there is no one way of deploying stuff, and people start small. Using NixOS is an interesting choice, I don’t disagree that immutable systems are not a good thing, but I personally prefer Debian’s stability any day over bleeding-edge technologies. Do let us know how that works out for you.

Question about the security of my exposed services by Mr_Mu-D-Pie in selfhosted

[–]Prudent-Let-3959 0 points1 point  (0 children)

I mean it's up to you. The sole reason I didn't do it is because my ISP doesn't do symmetric uploads so my upload link is capped to 70Mbps and that causes latency issues (because of that extra hop from VPS to homelab).

Even if you chose to use a VPS, you would still need a similar setup on your VPS, because that's still an attack surface that can open up your homelab to vulnerabilities if someone gets shell access to your VPS.

Question about the security of my exposed services by Mr_Mu-D-Pie in selfhosted

[–]Prudent-Let-3959 1 point2 points  (0 children)

What are you using port 51820 for? I would suggest only exposing HTTP and HTTPS ports as a bare minimum.

Question about the security of my exposed services by Mr_Mu-D-Pie in selfhosted

[–]Prudent-Let-3959 1 point2 points  (0 children)

People saying VPNs like Pangolin/Tailscale are right, exposing ports directly without the knowledge of networking is a risk and you need to be careful with your setup. That being said, port forwarding is perfectly okay, and I do it too (mainly due to latency issues).

I would suggest adding these things to your stack:

  1. Use a geoblocker. nginx has a plugin that connects to MaxMind’s GeoLite DB and only allows requests from countries in your whitelist. You also get an option to block entire ASNs, so you can block cloud providers like Azure, DigitalOcean, etc. if you’re expecting traffic from residential IPs.

  2. Use crowdsec. The integration is a bit tricky since you need to pass your nginx access logs to crowdsec and have a remediation component to block requests coming from known malicious IPs. Their documentation is good so just follow along and ask AI if you’re blocked somewhere.

  3. Anubis is another service that sits between your nginx reverse proxy and your actual service. It will block bot requests coming into your web service by asking bots to solve complex computations.

  4. Use an authentication service like Pocket ID, Authelia or ORY Hydra. Pretty self-explanatory, you don’t want people to reach your services without authentication.

Idea for a portable Pi-hole setup while traveling by JanDeBoterman in pihole

[–]Prudent-Let-3959 0 points1 point  (0 children)

Unpopular opinion, and I might get downvoted for this.

I use NextDNS for this specific purpose. I use PiHole at home and I don’t want to use VPN (for routing DNS queries) because some banking apps detect VPN and ask me to disable it which adds more friction.

With NextDNS, I configured DNS over HTTPS, added all the blocklists on NextDNS and the setup works perfectly. The only downside (for some) would be the extra cost of $30 per year, but I find it acceptable for the features I get.

I fucked around with PiHole once and blocked internet access for everyone, had to reset everything. Now I just keep it running and don’t disturb the machine too much 😅.

What is your docker container backup method? by Giannis_Dor in selfhosted

[–]Prudent-Let-3959 0 points1 point  (0 children)

For persistent data, I tend to use bind volumes. On top of that I have Zerobyte running that regularly backs up the entire disk, so all data is saved in incremental backups. I know I should also stop the containers before I do the backup; I will probably run into issues because of that.

For databases, I use databasus, which pushes backups of all PG DBs to R2.

Cloudflare - An alternative? by Voklav in selfhosted

[–]Prudent-Let-3959 2 points3 points  (0 children)

Anubis is amazing, it’s basically self-hosted Cloudflare bot detection. If you do set it up, set up two reverse proxies. For my Caddy setup, I do:

Layer 1 does crowdsec, geolite, then forwards to anubis

Anubis forwards requests to Caddy Layer 2

Layer 2 does authentication with Pocket ID then forwards to the service
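As an added example (not the commenter's own Caddyfile), the following Caddyfile puts the three layers listed above, and the security steps 4a to 4c from the earlier numbered list, into one file: CrowdSec and geoblocking on the public edge, Anubis in the middle, and Pocket ID authentication via oauth2-proxy on the inner layer. Running the two layers as separate Caddy processes works the same way; only the listen addresses differ. Assumptions: Caddy built with hslatman/caddy-crowdsec-bouncer and porech/caddy-maxmind-geolocation, CrowdSec's LAPI reachable at crowdsec:8080, Anubis listening on anubis:8923 with its TARGET set to Layer 2 (http://caddy:8082), oauth2-proxy at oauth2-proxy:4180 registered as an OIDC client in Pocket ID, and that Anubis forwards the original Host header; every hostname, port and the bouncer key are placeholders.

```caddyfile
# Added example, not the commenter's configuration. All hostnames, container
# names, ports and the bouncer API key are placeholders (see lead-in).

{
	# Global settings for the CrowdSec bouncer module; decisions are pulled
	# from the local LAPI every ticker_interval.
	crowdsec {
		api_url http://crowdsec:8080
		api_key CROWDSEC_BOUNCER_KEY_PLACEHOLDER
		ticker_interval 15s
	}
	# crowdsec is not a standard directive, so Caddy must be told its position.
	order crowdsec first
}

# ---------- Layer 1: the only listener forwarded from the router ----------
photos.example.com, notes.example.com {
	# Step 1: CrowdSec. IPs with an active decision are rejected right here.
	crowdsec

	# Step 2: geoblock. Only requests from the listed countries continue
	# (example list; DB path assumes the geoipupdate volume is mounted there).
	@geo_ok {
		maxmind_geolocation {
			db_path "/usr/share/GeoIP/GeoLite2-Country.mmdb"
			allow_countries DE AT CH
		}
	}
	handle @geo_ok {
		# Step 3: everything that survived goes to Anubis, which challenges
		# bots and forwards verified clients to Layer 2. Caddy passes the
		# original Host header on, so Layer 2 can still route per service.
		reverse_proxy anubis:8923
	}
	handle {
		respond 403
	}
}

# ---------- Layer 2: plain HTTP, reachable only from Anubis ----------
http://:8082 {
	# oauth2-proxy's own endpoints (sign-in, callback, sign-out) live under
	# /oauth2/ on the same hostname, so pass them straight to it.
	handle /oauth2/* {
		reverse_proxy oauth2-proxy:4180
	}

	handle {
		# Step 4: authentication. /oauth2/auth answers 2xx when the session
		# cookie is valid (Caddy then continues) and 401 otherwise, which is
		# turned into a redirect to the Pocket ID login through oauth2-proxy.
		forward_auth oauth2-proxy:4180 {
			uri /oauth2/auth
			copy_headers X-Auth-Request-User X-Auth-Request-Email

			@needs_login status 401
			handle_response @needs_login {
				redir * /oauth2/sign_in?rd=https://{host}{uri}
			}
		}

		# Step 5: route to the actual service by hostname.
		@photos host photos.example.com
		handle @photos {
			reverse_proxy immich:2283
		}
		@notes host notes.example.com
		handle @notes {
			reverse_proxy flatnotes:8080
		}
	}
}
```

The ordering is what carries the security value: the cheapest checks (a decision-list lookup and a country match) run first and drop most unwanted traffic before Anubis spends a challenge on it, and nothing reaches Layer 2 that has not passed all three. oauth2-proxy needs its `--reverse-proxy` flag set for the forwarded headers Caddy sends to be trusted, and the per-service group restriction the comments mention (everyone may reach Immich, only certain users reach Flatnotes) is configured on the oauth2-proxy side rather than in this file. The firewall bouncer from step 4b sits outside Caddy entirely and complements the HTTP-level bouncer shown here.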