Selfhosted

DDOS against a little self hosted instance isn't really a concern I'd have. I'd be more concerned with the scraping of private information, ransomware, password compromises, things of that nature. If you keep your edge devices on the latest security patches and you are cognizant on what you are exposing and how, you'll be fine.

Of course security comes with layers, and if you're not comfortable hosting services publically, use a VPN.

However, 3 simple rules go a long way:

1. Treat any machine or service on a local network as if they were publically accesible. That will prevent you from accidentally leaving the auth off, or leaving the weak/default passwords in place.

2. Install services in a way that they are easy to patch. For example, prefer phpmyadmin from debian repo instead of just copy pasting the latest official release in the www folder. If you absolutely need the latest release, try a container maintained by a reasonable adult. (No offense to the handful of kids I've known providing a solid code, knowledge and bugreports for the general public!)

3. Use unattended-upgrades, or an alternative auto update mechanism on rhel based distros, if you don't want to become a fulltime sysadmin. The increased security is absolutely worth the very occasional breakage.

4. You and your hardware are your worst enemies. There are tons of giudes on what a proper backup should look like, but don't let that discourage you. Some backup is always better than NO backup. Even if it's just a copy of critical files on an external usb drive. You can always go crazy later, and use snapshotting abilities of your filesystem (btrfs, zfs), build a separate backupserver, move it to a different physical location... sky really is the limit here.

The DDOSED hype on this site is so over played. Oh my god my little self hosted services are going to get attacked. Is it technically possible yes but it hasn’t been my experience.

If you do it right you shouldn't get hacked. Even if you do you can keep good immutable backups so you can restore. Also make sure you monitor everything for bad behavior or red flags.

Use any old computer you have lying around as a server. Use Tailscale to connect to it, and don’t open any ports in your home firewall. Congrats, you’re self-hosting and your risk is minimal.

Getting DDOSed or hacked is very very rare for anyone self hosting. DDOS doesn't really happen to random people hosting a few small services, and hacking is also rare because it requires that you expose something with a significant enough vulnerability that someone has a way into the application and potentially the server behind it.

But it's good to take some basic steps like an isolated VLAN as you've mentioned already, but also don't expose services unless you need to. Immich for example if it's just you using it will work just fine without being exposed to the internet.

I've self hosted home assistant for a few years, external access through Cloud flare now because it's been so stablez but previously used DuckDNS which was a bit shit if I'm honest.

I got into self hosting proper earlier this year, I wanted to make something that I could sail the 7 seas with.

I use Tailscale for everything.

The only open port on my router is for Plex because I'm a socialist and like to share my work with my friends.

Just keep it all local and use it at home. If you wanna take some of your media outside with you, download it onto your phone before you leave

Drink less paranoia smoothie...

I've been self-hosting for almost a decade now; never bothered with any of the giants. Just a domain pointed at me, and an open port or two. Never had an issue.

Don't expose anything you don't share with others; monitor the things you do expose with tools like fail2ban. VPN into the LAN for access to everything else.