Joined 7 months ago
Cake day: July 23rd, 2024

  • Some of these you’re already doing, but writing a complete* list. *almost guaranteed not to be complete, suggestions welcome

    1. Have everything behind the same reverse proxy, so that you have only one endpoint to worry about. Run it through ssllabs or similar to check your config.
    2. On your reverse proxy, add one or more layers of authentication if possible. Many possibilities here: If one app supports client certificates, while another has limited capabilities, you could probably tie together something where IPs are whitelisted to the other services based on that certificate auth.
    3. Geoblock all countries you won’t be accessing from
    4. crowdsec is pretty nice, this detects/blocks threats. kinda like fail2ban but on steroids.
    5. if you use one of those 5$/month VPSes, with a VPN tunnel to your backend services, that adds one layer of “if it’s compromised, they’re not in your house”.

    lastly consider if these things need to be publicly available at all. I’m happy with 95% of my services only being available through Tailscale (mesh VPN, paid service with good enough free tier, open source+free alternatives available), and I’ve got tailscale on all my devices
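
Item 2 of the list above suggests allowlisting IPs for the other services based on client-certificate auth at the proxy. One way to implement that check, as an added example that is not part of the comment: the log format, subject names and TTL are constructed assumptions, and an IP allowlist also admits anyone sharing that address (NAT), so it is an extra layer rather than a replacement for per-app authentication.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Assumed nginx log_format (constructed for this example):
#   $remote_addr [$time_iso8601] verify=$ssl_client_verify dn="$ssl_client_s_dn"
LINE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] verify=(?P<verify>\S+) dn="(?P<dn>[^"]*)"$'
)
TTL = timedelta(hours=8)  # hypothetical lifetime of an allowlist entry
TRUSTED_DNS = {"CN=laptop,O=home", "CN=phone,O=home"}  # constructed subjects

# Constructed sample lines (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 [2025-02-20T08:00:00+00:00] verify=SUCCESS dn="CN=laptop,O=home"
198.51.100.9 [2025-02-20T08:05:00+00:00] verify=NONE dn=""
198.51.100.23 [2025-02-20T08:06:00+00:00] verify=FAILED:certificate_has_expired dn="CN=phone,O=home"
192.0.2.44 [2025-02-20T08:07:00+00:00] verify=SUCCESS dn="CN=stranger,O=elsewhere"
not a log line
"""


def build_allowlist(log_text):
    """Map client IP -> expiry for requests that passed certificate auth."""
    allow = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # malformed line: fail closed
        if m["verify"] != "SUCCESS" or m["dn"] not in TRUSTED_DNS:
            continue  # NONE, FAILED:* or a valid cert with an unknown subject
        try:
            ip = ipaddress.ip_address(m["ip"])
            expiry = datetime.fromisoformat(m["ts"]) + TTL
        except ValueError:
            continue
        allow[ip] = max(expiry, allow.get(ip, expiry))
    return allow


def is_allowed(allow, ip, now):
    """True only if the IP authenticated with a trusted cert and the entry is fresh."""
    expiry = allow.get(ipaddress.ip_address(ip))
    return expiry is not None and now < expiry


if __name__ == "__main__":
    now = datetime(2025, 2, 20, 12, 0, tzinfo=timezone.utc)
    for ip in ("203.0.113.7", "198.51.100.9", "192.0.2.44"):
        print(ip, is_allowed(build_allowlist(SAMPLE_LOG), ip, now))
```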


  • I don’t understand what you mean with the content disappearing when you mount the virtiofs on the guest - isn’t the mount empty when bound, until the guest populates it?

    Can you share what sync client+guest os you are using? if the client does “advanced” features like files on demand, then it might clash with virtiofs - this is where the details of which client/OS could be relevant, does it require local storage or support remote?

    If guest os is windows, samba share it to the host. if guest os is linux, nfs will probably do. In both cases I would host the share on the client, unless the client specifically supports remote storage.

    podman/docker seems to be the proper tool for you here, but a VM with the samba/nfs approach could be less hassle and less complicated, but somewhat bloaty. containers require some more tailoring but in theory are the right way to go.

    Keep in mind that a screwup could be interpreted by the sync client as mass-deletes, so backups are important (as a rule of thumb, they always are, but especially for cloud hosted storage)


  • Agreed! I think a part of the “problem” is that with Nix, there’s now at least 3 sides: application specific knowledge, system knowledge, and you have to use the nix language, architecture and tools to interface with it. so for a seasoned linux user, there’s maybe just a new programming language, but if you’re new to Linux, it’s quickly gonna overwhelm you. which in a way is a bit ironic because I’d argue that it’s easier to manage a NixOS system, and getting help is so much easier when your problems can be replicated by just sharing your config.


  • that is one way to do it, and it’s a very common one - it’s robust and simple. So I can’t correct you, but thought I would add to it. In NixOS, they’ve improved it by making sure all your apps are symlinked, and when updating, these symlinks are updated. That way you can start using your newly updated system straight away, without a reboot. When rebooting, you are prompted for which generation you want to boot into (defaulting to “latest” after a few seconds of no input), making rollbacks a breeze.