Honestly I just use a good firewall and forward_auth/authelia in caddy (so authentication happens before any apps) and it works well.
I also don't expose SSH to the public internet anymore (more laziness than anything, have it semi-exposed in yggdrasil and wireguard) (mostly because the SSH logs get annoying for journalctl -f)
Honestly I just use a good firewall and forward_auth/authelia in caddy (so authentication happens before any apps) and it works well.
I also don't expose SSH to the public internet anymore (more laziness than anything, have it semi-exposed in yggdrasil and wireguard) (mostly because the SSH logs get annoying for
journalctl -f)