Add a second node using the new drive, move all vm to the new node, decommission old node, rebuild the old node with the new drive.

You can get away with a disk clone but in my opinion a vm move is the proper way to go.

Adding a new node you start with a clean install, any quirk you have on the old hw will be finally washed away (or will bite you back and be properly documented), you have a quick way back should anything go sideways (the clone too provides a quick way back, but i like this way much more ^^), you get some hands on multi node experience that will be useful for ha setup.

Normal background noise. ssh is a well known protocol/port and scanning is automated.

my home router is the stock one from my isp and have no vpn capabilities.

I put a port forward on the router and then configured everything on the internal node; in my case it is an opnsense vm running on proxmox.

I wouch for the VPN route… VPN servers are built to be exposed, are hardened/engineered to resist the harshness of the net and are somewhat safe even with default settings.

Should you publish on the wild a few web apps, you would have to harden, monitor and manage a bunch of environments and/or frameworks with a load of quirks each.

A VPN is easier to maintain and safer for your data with a lower effort.

The article is on a ‘pay or ok’ site.

Maybe there is some relation with orange man erratic behaviour, canadian pm speech in davos, europe considering to abandon usa cloud and other countries that may follow suit?

Just sayin’…

In proxmox you create a vlan on the physical interface and not on a bridge.

Once the physical port has tagged traffic for all vlan but LAN, leave vmbr0 alone, create the new DMZ vlan in proxmox networking and a new vmbr on that vlan, that’s it.

If your vps is a firewall, you could use it as an exit point for different private networks: ip1 to mask the traffic for a guest subnet that you don’t trust and if the ip gets blacklisted there are no issues for lan traffic behind ip2 while ip3 is reserved for server traffic with specific rulesets on supplier’s systems for updates/backup/whatnot. Should you have more than one mail server because of reasons, if one is blacklisted the other could remain clean (in this situation you usually put them on different subnets but whatever).

Mailu is a mail server so it is suitable for the task.

You need a mail server somewhere, a mail client cannot listen for incoming messages. A possible workaround: you could activate your own mail server accessible only inside tailscale and use it to send and receive your local alerts.

I’m doing something similar with an android tv, a raspberry 3a and my home wifi network. Antenna hooked to the raspberry using an usb dongle, tvheadend on the raspberry and kody on the android tv placed wherever you need it. Also added clipious on the tv to have no ad playback. I don’t need surfing so my setup is simpler and everything is controlled using the tv remote. Once you have the pi up and running, the bonus is that you can find a client to connect to tvheadend for any platform, so you can watch tv on a smartphone (android or apple), a tablet, a computer, another tv in the basement…