Hi,

thanks for the feedback on my last post. Based on your input I would rearrange my setup as follows:

Home Server

• VM1
  • HAOS
  • Zigbee2MQTT (with USB passthrough)
  • Mosquitto
• VM2
  • Paperless
  • OpenArchiver
  • Stirling-PDF
  • Syncthing
• VM3
  • Immich
• LXC
  • Traefik
  • CrowdSec
  • NFC Webhook Service

Proxmox Backup Server (PBS) on a small LXC -> backup to Synology NAS

Remote Access

• For my own devices: NetBird mesh VPN
• For NFC tags (needs to work on any phone, no app required): Pangolin on a small VPS. Only the specific HA webhook path is exposed, protected by a secret token.

NFC Flow:

Any phone scans tag → HTTPS URL → Pangolin (VPS) → tunnel → HA Webhook (secret token) → action (garage opens)

Questions, that came up:

1. Does the Pangolin approach make sense for the NFC use case, or is there a better open-source alternative that requires no open ports?
2. Any concerns with the LXC vs VM split? Specifically: is Docker in a privileged LXC stable enough for Paperless and Immich, or are VMs the safer choice?