I know I probably made my setup way too complicated, but I wanted to ask for feedback on how I could do it better. (And sorry in advance for the post being so long, but I wanted to be thorough.)
Domain/Server connection
First of all, I have my own domain connected to Cloudflare (just the nameservers are set to Cloudflare at my registrar) to manage my DNS records and use their proxied connections to hide my server's IP.
For the server I used an Oracle free Ampere (4 vCPUs/24GB RAM/200GB block storage), where I installed a cloudflared tunnel connector which forwards *.[mydomain] to the server via a CNAME DNS record.
Since I also do freelance stuff and have confidential information on the server, I decided to block any traffic that is not coming from DE/ES/CH (blocked through Cloudflare's firewall rules). My clients are also only from those countries, so I think that's fine. That already blocks most attacks/scans from other countries.
I also added mTLS to important subdomains that should not be accessed by my clients.
Since I use Cloudflare's free plan, I only have a free SSL cert that manages wildcard subdomains, so I can't create domains like sub.internal on [mydomain] -> SSL_CERT_MISMATCH, and Cloudflare doesn't let it through (as far as I understand it). How I set it up I'll get to later.
Server Configuration
Basically everything on the server runs in a single k3s cluster with Traefik as a reverse proxy. The server's ports are closed (except 22, with only public key auth enabled) since everything is routed through cloudflared to Traefik.
I have every app/logical component in its own namespace, routed through an IngressRoute.
The cluster is running: wireguard, audiobookshelf, cert-manager, paperless-ngx, invoiceninja, kite, prometheus/grafana, outline, uptime kuma, *arr-stack, and a few other small custom things.
The qBittorrent client forwards its connections through Proton VPN (through a server in CH) with port forwarding enabled to allow connections from outside to the client. The interface is mapped in qBittorrent, so the connection should not break, and if it does it doesn't leak my server's IP.
For storing large files like movies, I connected the WireGuard deployment to my local FritzBox through - you guessed it, WireGuard - and connected my WDMyCloud through NFS to /mnt on the Oracle server.
The deployments access the folders there through hostPath. "Hot" data is saved in PVCs on the server itself.
Restic backs up those folders to my NAS through SFTP every hour:
- /var/lib/rancher/k3s/storage
- /etc/rancher/k3s
- /var/lib/rancher/k3s/server/
- /home/ubuntu
Forget rule set:
restic forget --keep-hourly 24 --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --prune
Internal Applications
Applications that I do not want to be exposed publicly (like the *arr-stack) are configured with internal IngressRoutes.
That forced me to use Cloudflare's Zero Trust connection on my devices and rewrite all DNS requests for those sub-subdomains to Traefik's cluster IP. Those internal pods then use a Let's Encrypt cert for SSL (all managed through cert-manager).
I think that's basically it (it could be that I forgot something, though, since I configured so much over the last few days).
Just wanted to hear you guys' opinions/feedback/suggestions on my setup (from a security, self-hosting and just usability perspective).
Thanks already for reading so far :)
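One point a reviewer would raise about the "internal IngressRoute" design above: a tunnel that forwards *.[mydomain] wholesale relies on Traefik having no matching route for the internal sub-subdomains, so the privacy of those apps depends on the reverse proxy's routing table rather than on the tunnel itself. The config below is an added example, not the poster's configuration, showing a cloudflared ingress that enumerates the public hostnames and sends everything else to a 404 before it reaches Traefik. It assumes a locally managed tunnel (config file rather than dashboard-managed), k3s's bundled Traefik reachable in-cluster as traefik.kube-system.svc.cluster.local on 443 with a certificate valid for the public hostnames, and "example.com" standing in for [mydomain]; the tunnel UUID and credentials path are placeholders.

```yaml
# Added example, not the poster's config. Placeholders and assumptions are
# marked inline; "example.com" stands in for the poster's [mydomain].
tunnel: 00000000-0000-0000-0000-000000000000          # placeholder tunnel UUID
credentials-file: /etc/cloudflared/tunnel-credentials.json  # placeholder path

ingress:
  # Public services: one rule per hostname that clients are meant to reach.
  # Each hostname still needs its own CNAME to <tunnel-uuid>.cfargotunnel.com
  # instead of the wildcard record.
  - hostname: paperless.example.com
    service: https://traefik.kube-system.svc.cluster.local:443   # assumed in-cluster Traefik
    originRequest:
      originServerName: paperless.example.com   # SNI/name expected on Traefik's cert
      noTLSVerify: false                        # keep origin TLS verification on
  - hostname: invoices.example.com
    service: https://traefik.kube-system.svc.cluster.local:443
    originRequest:
      originServerName: invoices.example.com
      noTLSVerify: false

  # Catch-all (cloudflared requires the last rule to have no hostname):
  # any other name that reaches the tunnel, including internal
  # sub-subdomains, is answered by cloudflared itself and never hits Traefik.
  - service: http_status:404
```

With this file in place, `cloudflared tunnel ingress validate` checks the rules parse, and `cloudflared tunnel ingress rule https://sonarr.internal.example.com` shows which rule a given URL would match, which is a quick way to confirm an internal hostname lands on the 404 rule. The Zero Trust private-network route used for the internal apps is configured separately from these public ingress rules, so narrowing the public side does not affect WARP clients reaching Traefik's cluster IP.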