



The moment you get a TLS cert, it’ll show up in Certificate Transparency logs and apparently the attack bots scan that for targets.


You can totally do that yeah!
We have our stuff set up so inbound VPS traffic (for HTTPS) comes in on port 4430, while LAN traffic is on 443. It’s not done for firewall reasons, it’s so we can pass the client’s IP through with Nginx’s proxy_protocol feature, but you could just make your local-only services not listen on 4430. Boom, done.
Fail2Ban on the VPS is probably good. On the home server, it might just lock out the VPS (since everything comes from there).
Anyway yeah, I’ve got a whole guide on this sort of setup! https://frost.brightfur.net/blog/selfhosting-with-a-bounce-vps-part-1/
– Frost
The homeserver doesn’t have to be fancy. We’re running all our stuff off a Dell Vostro from 2012 we got for like $30 on Craigslist. (It did need another $30 replacement PSU though. And it has 8GB RAM and a 500GB SSD which is nothing to sneeze at for a machine that cheap and that old.)
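A sketch of the home-server Nginx layout described above, as an added example rather than config from the post or the linked guide. Hostnames, certificate paths, the backend ports and the VPS address `10.0.0.1` are placeholders, and the VPS is assumed to forward TCP to port 4430 with a PROXY protocol header.

```nginx
# Added example. Goes inside the http {} block on the home server.

# Public service: LAN clients on 443, VPS-forwarded traffic on 4430.
server {
    listen 443 ssl;                  # direct LAN connections
    listen 4430 ssl proxy_protocol;  # connections relayed by the VPS

    server_name public.example.org;  # placeholder
    ssl_certificate     /etc/ssl/example/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/example/privkey.pem;    # placeholder

    # Accept the client address from the PROXY header only when the
    # connection comes from the VPS (placeholder address).
    set_real_ip_from 10.0.0.1;
    real_ip_header   proxy_protocol;

    location / {
        proxy_pass http://127.0.0.1:8080;         # placeholder backend
        proxy_set_header X-Real-IP $remote_addr;  # original client IP
    }
}

# Local-only service: no listener on 4430, so it is served on the LAN only.
server {
    listen 443 ssl;
    server_name private.example.org;  # placeholder
    ssl_certificate     /etc/ssl/example/fullchain.pem;
    ssl_certificate_key /etc/ssl/example/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8081;  # placeholder backend
    }
}

# Catch-all for 4430: a name that has no 4430 listener (including the
# local-only one) gets its TLS handshake rejected instead of falling
# through to the first server defined on that port.
server {
    listen 4430 ssl proxy_protocol default_server;
    server_name _;
    ssl_reject_handshake on;  # nginx 1.19.4 or later
}
```

The home server's firewall should accept port 4430 only from the VPS, since any host that can reach a `proxy_protocol` listener can otherwise open connections to it directly.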