Quick overview of my setup: Synology NAS running a whole bunch of Docker containers and a couple of full blown VMs, and an N100 based mini PC running Ubuntu Server for those containers that benefit from hardware acceleration.

On the NAS I have a Linux Mint VM that I use for various desktoppy things, but performance via RDP or NoMachine and so on is just bad. I think it's ultimately due to the lack of acceleration, so I'd like to try running it from the mini PC instead but I'm struggling to find hypervisor options.

VirtualBox can be done headless, apparently, but the package installed via Apt wants to install X/Wayland and the entire desktop experience. LXC looks like it might be a viable option with its web frontend but it appears to be conflicting with Docker atm and won't run the setup.

Another option is to redo the machine with UnRaid or TrueNAS Scale but as they're designed to be full fledged NAS OSes I don't love that idea.

So what would you do? Does anyone have a similar setup with advice?

Thanks all!

Edit: Thanks for everyone's comments. I still can't get LXC to work, which is a shame because it has a nice web frontend, so I'll give KVM a go as my next option. Failing that I might well backup my Docker volumes, blat the whole thing and see what Proxmox can do.

Edit 2: Webtop looks to be exactly what I was looking for. Thanks again for everyone's help and suggestions.

Specifically from the standpoint of protecting against common and not-so-common exploits.

I understand the concept of a reverse proxy and how works on the surface level, but do any of the common recommendations (npm, caddy, traefik) actually do anything worthwhile to protect against exploit probes and/or active attacks?

Npm has a "block common exploits" option but I can't find anything about what that actually does, caddy has a module to add crowdsec support which looks like it could be promising but I haven't wrapped my head around it yet, and traefik looks like a massive pain to get going in the first place!

Meanwhile Bunkerweb actually looks like it's been built with robust protections out of the box, but seems like it's just as complicated as traefik to setup, and DNS based Let's Encrypt requires a pro subscription so that's a no-go for me anyway.

Would love to hear people's thoughts on the matter and what you're doing to adequately secure your setup.

Edit: Thanks for all of your informative replies, everyone. I read them all and replied to as many as I could! In the end I've managed to get npm working with crowdsec, and once I get cloudflare to include the source IP with the requests I think I'll be happy enough with that solution.

I work in tech and am constantly finding solutions to problems, often on other people's tech blogs, that I think "I should write that down somewhere" and, well, I want to actually start doing that, but I don't want to pay someone else to host it.

I have a Synology NAS, a sweet domain name, and familiarity with both Docker and Cloudflare tunnels. Would I be opening myself up to a world of hurt if I hosted a publicly available website on my NAS using [insert simple blogging platform], in a Docker container and behind some sort of Cloudflare protection?

In theory that's enough levels of protection and isolation but I don't know enough about it to not be paranoid about everything getting popped and providing access to the wider NAS as a whole.

Update: Thanks for the replies, everyone, they've been really helpful and somewhat reassuring. I think I'm going to have a look at Github and Cloudflare's pages as my first port of call for my needs.

Hey there, my local instance has had two admin posts pinned for the last 6 months-ish and they show right at the top of my Subscribed, Local, and All views. I can't imagine they're going to get un-pinned any time soon, so it would be great to get a feature where we can hide them.

Thanks for the consideration!