Do you have an example?
"Open Source + hosted" always involves trust, as you can only look into the Github repository, not if the running hosted application is running identically.
Only exception: It's an E2EE encrypted solution, and everything else happens client-side (example: Bitwarden)
E-Mail.
And maybe unpopular opinion:
Any service that you use with port-forwarding, besides WireGuard.
I would never access any self-hosted application without VPN.
Password manager. I want to minimize complexity with my most important data (that's why I'm using KeePass instead of Self-Hosted Bitwarden).
If you want to secure something, you should know how it works?!
My journey:
Joplin -> Trilium Notes -> Logseq -> Obsidian
I find Obsidian the most powerfull, because of the PlugIn system and full compatiblity with Android and iPad.
And I realized, it's a stupid idea to have a "knowledge base" in a Docker setup, if you need this knowledge base also for debugging or reinstall your Homelab. So the local installation of Obsidian togeter with Synchting gives you always access to your knowledge, even if the server are down.
However, none of the above have collaborate features. But don't need it.
Expensive. And I avoid small providers, without any established compliance, where a bored admin could surf through my server root ;)
Terminal of Proxmox.
pct enter
Now you have SSH
I would repair my capslock next :)
Create 2 virtual machines.
One Virtual Machine with OpnSense Firewall, where you setup the ProtonVPN WireGuard connection.
One Virtual Machine with your Docker-VM.
Connect both machines via a virtual network, and setup the OpnSense-Firewall so that only internet-traffic through the WireGuard-Gateway is allowed.
That's the most bullet proofed solution, as any connection of your Docker-VM is secured, independent of the VM's configuration.
- Don't expose the web interface of wg-easy ( 51821 ) to the internet
- update your docker installation frequently
- Keep the private keys of your clients safe
That's all you need to do.
Personally I also would change the UDP port of WG (via different port forwards of your router). But more for getting through firewalls in public WiFis (e.g. UDP Port 443, 53 or 123)