I blame what have done Germany 80 years ago in Europe as the main reason, we are barely getting out of the phase were all people that lives through these times are dead but it is still rembered.

How i do it:

• Wireguard for VPN endpoint on the pi and device that I have root on, secure, fast to setup and doesn’t add a lot of overhead

• For access outside of VPN:

You might have to pay for a domain name if you dont have a static IP, which is relatively cheap.

You can manually allow trusted IP to access the service in your firewall which nullify surface of attack if done perfectly but is really an hassle to setup and maintain. I’m looking to setup Keycloack for a strong pre-auth that I can share between services and that is also lightweight (Authentik is not lightweight, Authelia seems to be i’d like to try it aswell) This coupled with firewall rules and/or fail2ban like service should be more than enough for a private server I think.

It is using Glance extension module (you can send custom HTML by setting up a local web api like Flask) The graph are HTML SVG tags which are basic drawing you just have to input the x,y coordinates of your graph (I copied Glance market chart) For networking data collection and monitoring I’ve setup my own rules and scripts but it is doable with others network monitoring tools if they let you access data easily

Yes the full recipe is:

• 1 Flask API for sending custom HTML to Glance
• 1 systemd unit + python script for the right graph (last 60 minutes, resetting counter and collecting data via nftables python module)
• 1 systemd unit + python script for the left graph (last 24h, aggregate data from the last hour collevted by the first script And that’s it, the systemd units are used to schedule python scripts and all the data are stored in flat csv file (forgot one bash script +systemd unit to to flush docker rules at boot and apply custom ones)

Glance is cool I love the style and it is well implemented so you can easily add custom HTML and CSS which is what I did to do this custom monitoring. Data are gathered from iptables counters that periodically reset, the hardest and most interesting part was to understand networking and to track packet through applications based on if they were port binded or reverse proxyed (I use Caddy for web facing app I want access to without a VPN). I’ll definitively check more advanced solution, I just needed to do it manually first to actually understand what I’m doing (which took me like 2 weeks until I finally found this gem on ArchLinux wiki https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html)

I just went done this road and i’d say it is worth it even only for the learning part. I’ve set counter per application in nftable, and via a python script send them in SVG graph format to Glance dashboard. The result is I can monitor my whole network per application and the best part it all add up very well so I know there is no ‘unknown’ outgoing or ingoing traffic on my machine.

Same once I passed my driver licence and learned pedestrian had total priority on crossroad strip I realized you don’t have to thanks people for following the rule the same way driver don’t thanks me when I wait a the red pedestrian light