Dunno if you are still watching this post.

I have a few comment to your post and the other panic about security.

1. Using nextcloud only for bookmarks if total over kill, but if you want to start and understand and later use it more, it’s actually a good idea.

2. Yes, exposing ports in your firewall is potentially dangerous, BUT if you only expose a port and not the complete PC the firewall deals with attacks (but your services still have to be up to date to ensure safety).

3. Yes, using a VPN instead of exposing the service is saver that’s for sure. You can do it they way for the start. But don’t let you be frightened by some of the other commands. I have several services public on my network. 3.1. BUT I still evaluate if this service even have to be public and the risk of late patches. I have public services and local service (name.domain.com and name.local.domain.com). Any service that I don’t need to access from a random PC/share with family/friends can only be accessed in local network /via vpn.

4. Its good you are careful, try to search online for more information since this post didn’t get a lot of comments.

Edit: 5. Don’t know why people recommend tailscale where you need an account, instead of recommendatinh wireguard (tailscale is build on wirequard) or OpenVPN.

Edit 2: 6. Don’t use UPnP! It enables your machines to automatically open ports, that’s so bad.

I used zabbix at some point, but I never looked at the data so I stopped. Zabbix shows all kind of stuff.

I have cockpit on my bare-metal that has some stats, and netdata on my firewall, I do not track any of my VM’s (except vnstat that runs on everything device).