Inspired by this comment to try to learn what I’m missing.
- Cloudflare proxy
- Reverse Proxy
- Fail2ban
- Docker containers on their own networks
Another concern I have is does it need to be on a separate machine on a vlan from the rest of the network or is that too much?
This, but I prefer nginx.
And no real need for tailscale or cloudflare. If you do not like to depend on a third party service, either port forward and ddns or an external vps+wire guard if you have gcnat
This is a valid solution but honestly how is using VPS not depending on third party?
It is, but you are free to switch at any time provider, there is no technological lock in like with cloudflare or tailscale (i know there is a free self hostable version, not talking about that).
So just rent a new one and switch your wireguard there.