...and even wondering if I really need to. I am often guilty of making that "one tweak too many", breaking a nice, working system in the process!
I have everything set up according to the best walk-throughs I can find. Have dockerized containers for Nginx Proxy Manager, Authentik and a ton of the standard *arr apps and tools (using OMV as a NAS). Have my own domain name, hosted on Cloudflare, with CNAMEs set up, proxied through Cloudflare, pointing back to my main record. I can do full domain name resolution inside my home network, with working HTTPS connections to all my app web GUIs. I also have the ability to private VPN into my home network, using WireGuard, OpenVPN or IPsec.
I would probably be happy to continue to use my VPN connection to the home network when I am remote, BUT... I really would like to give Overseerr access to a couple of remote family members that have access to my Plex library (populated by Sonarr/Radarr). My finger often hovers over the Port Forwarding option on the router, but I ultimately chicken out. Am I being paranoid?? Should I just educate my family members on how to connect to my network via VPN? Anyone else made this choice? Looking for success (and maybe horror) stories before I potentially proceed.
You'll be fine. It's exactly what I do. Just keep any exposed services up to date. NPM also has a very rudimentary blocker that mostly relies on UA and bad strings getting passed through. You can turn that on. Open up only services that need to be exposed, e.g. don't expose sonarr/radarr unless there's a good reason for it. Make sure anything you expose that doesn't have any sort of authentication can have it implemented in nginx, or you can use an SSO solution.
I expose strictly needed services while everything else is just internal. Exposed services include jellyfin, jellyseer (jellyfin version of overseerr), and nextcloud.
That is almost exactly what I would like to do, but with Plex/Overseerr. I am curious, do you run any type of intrusion detection s/w, or have you set up fail2ban?
I have fail2ban for SSH but I haven't tuned it for nginx yet. I've worked with OSSEC which has a fork called Wazuh which I've been wanting to set up.
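The last reply mentions fail2ban for SSH but not yet for nginx. The block below is an added example, written by the editor and not posted by anyone in the thread nor taken from fail2ban or Nginx Proxy Manager, of what a fail2ban `failregex` for an NPM proxy-host log looks like and how the jail's `maxretry`/`findtime` sliding window decides on a ban. The log layout it parses is assumed to follow NPM's proxy-host access log format (`[time] cache upstream_status status - METHOD scheme host "uri" [Client ip] ...`); the hostname, IPs and every log line are constructed for the example, and `ban_candidates` is a hypothetical stand-in for fail2ban's own jail logic so the matching can be checked offline.

```python
"""fail2ban-style failregex for Nginx Proxy Manager proxy-host logs, run offline
against constructed log lines. Example code, not NPM's or fail2ban's own."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line layout, modelled on NPM's proxy-host access log format.
# Only 401/403 count as failures; 404 scanner noise is left out on purpose
# because legitimate users (and the *arr apps' own API calls) produce 404s too.
FAILREGEX = (r'^\[(?P<ts>[^\]]+)\] \S+ \S+ (?:401|403) - '
             r'(?:GET|POST|PUT|DELETE|HEAD) \S+ \S+ "[^"]*" \[Client <HOST>\]')
# fail2ban substitutes <HOST> with its own host-matching group; this is a simplified
# stand-in (no IPv6-mapped-address prefix handling).
HOST_GROUP = r'(?P<host>\S+)'
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def compile_failregex(pattern: str = FAILREGEX) -> re.Pattern:
    """Turn a fail2ban-style failregex (with <HOST>) into a usable Python regex."""
    return re.compile(pattern.replace("<HOST>", HOST_GROUP))


def failures(lines):
    """Yield (client_ip, timestamp) for every log line the failregex matches."""
    rx = compile_failregex()
    for line in lines:
        m = rx.match(line)
        if m:
            yield m.group("host"), datetime.strptime(m.group("ts"), TS_FORMAT)


def ban_candidates(lines, maxretry=5, findtime=600):
    """IPs with at least maxretry failures inside any findtime-second window.

    Mirrors the jail semantics: each new failure is counted together with the
    failures from the same IP that are still inside the window. Lines are
    assumed to be in chronological order per IP, as an access log is."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = set()
    for ip, ts in failures(lines):
        hits = [t for t in recent[ip] if ts - t <= window]  # expire old hits
        hits.append(ts)
        recent[ip] = hits
        if len(hits) >= maxretry:
            banned.add(ip)
    return sorted(banned)


def _line(ts, status, ip, uri="/login", method="POST", ua="Mozilla/5.0"):
    """Build one constructed NPM-style access log line."""
    return (f'[{ts}] - {status} {status} - {method} https overseerr.example.com "{uri}" '
            f'[Client {ip}] [Length 512] [Gzip -] [Sent-to 192.168.1.10] "{ua}" "-"')


# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    # brute force: five 401s from one client inside half a minute -> banned
    *[_line(f"13/Mar/2023:10:00:{s:02d} +0000", 401, "203.0.113.7") for s in (1, 9, 17, 25, 33)],
    # the same client also has a successful request; it must not count
    _line("13/Mar/2023:10:00:40 +0000", 200, "203.0.113.7", uri="/", method="GET"),
    # two failures only -> below maxretry
    _line("13/Mar/2023:10:01:00 +0000", 403, "198.51.100.3"),
    _line("13/Mar/2023:10:01:05 +0000", 401, "198.51.100.3"),
    # 404 scanner noise is deliberately not matched by the failregex
    _line("13/Mar/2023:10:02:00 +0000", 404, "203.0.113.8", uri="/.env", method="GET"),
    # five failures spread one hour apart -> never five inside a 600 s window
    *[_line(f"13/Mar/2023:{h:02d}:00:00 +0000", 401, "192.0.2.9") for h in (11, 12, 13, 14, 15)],
]

if __name__ == "__main__":
    print(ban_candidates(SAMPLE_LOG))
```

One caveat that matters for the setup described in this thread: with the records proxied through Cloudflare, `$remote_addr` in the NPM log is a Cloudflare edge address, not the visitor's, so a ban on it would block Cloudflare rather than the attacker. Either restore the visitor address in nginx with the real_ip module (`set_real_ip_from` for Cloudflare's published ranges plus `real_ip_header CF-Connecting-IP`) before pointing fail2ban at the log, or do the blocking in Cloudflare's own firewall instead.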