miau

I currently have a home server which I use a lot and has a few important things in it, so I kindly ask help making this setup safer.

I have an openWRT router on my home network with firewall active. The only open ports are 443 (for all my services) and 853 (for DoT).

I am behind NAT, but I have ipv6, so I use a domain to point to my ipv6, which is how I access my serves when I am not on lan and share stuff with friends.

On port 443 I have nginx acting as a reverse proxy to all my services, and on port 853 I have adguardhome. I use a letsencrypt certificate with this proxy.

Both nginx, adguardhome and almost all of my services are running in containers. I use rootless podman for containers. My network driver is pasta, and no container has "--net host", although the containers can access host services because they have the option "--map-guest-addr" set, so I don't know if this is any safer then "--net host".

I have two means of accessing the server via ssh, either password+2fa or ssh key, but ssh port is lan only so I believe this is fine.

My main concern is, I have a lot of personal data on this server, some things that I access only locally, such as family photos and docs (these are literally not acessible over wan and I wouldnt want them to be), and some less critical things which are indeed acessible externally, such as my calendars and tasks (using caldav and baikal), for exemple.

I run daily encrypted backups into OneDrive using restic+backrest, so if the server where to die I believe this would be fine. But I wouldnt want anyone to actually get access to that data. Although I believe more likely than not an invader would be more interested in running cryptominers or something like that.

I am not concerned about dos attacks, because I don't think I am a worthy target and even if it were to happen I can wait a few hours to turn the server back on.

I have heard a lot about wireguard - but I don't really understand how it adds security. I would basically change the ports I open. Or am I missing something?

So I was hoping we could talk about ways to improve my servers security.

So I have recently found out about forward email just a few months ago.

I am currently using tuta as my email provider, and I have been doing so for the last three years. But I am not very happy with the closed ecosystem and locking of basic features behind paywalls.

So I decided to give forwardemail a go after reading about it on free software foundation's webmail systems (this is a web archive link, more on that later)

Now the thing is, the service works. But things don't really feel legit. They claim to have thousands of users but there's surprisingly little information about them other than their own website. The branding seems completely generic and pretty much all of their code seems to be coming from one single account with no real information.

There's a couple reviews about them on trust pilot but the positive ones mostly come from accounts where the only review is for forwardmail.net

I've read some discussion about them getting recommended on privacy guides, they sounded very professional and mentioned even wanting to get auditioned, but to the best of my knowledge that has not happened yet (please correct me if I am wrong). Worse than that they seemed to stop replying to the thread a couple months ago.

Finally, I realized today that FSF has removed their recommendation for forwardemail from their website

In conclusion, I have tested and the service does work, but I can't tell if there is something shady happening. What do you all think?