Yes, there are professional third-party cybersecurity auditors you can hire, but I doubt anyone here would ever need them.
Please, people, stop being paranoid about your security. Close all unnecessary ports; that's what you can do on your end. Beyond that, if the service bound to an open port has security vulnerabilities you don't know about, the project team may very well be unaware of them too, and there's nothing you could do.
Also, if you have multiple users using your service, then it's their password strength that you should be worrying about the most, not your infrastructure.
From my point of view, most things related to software config are hierarchical, meaning that a tree-like structure is the most intuitive way of understanding them. YAML is tree based, while TOML is section based. I find YAML much easier to keep track of. And I have a lot of experience with Python, so the indentation is pretty straightforward for me.
But I'm not picking sides and defying the other. It's purely a personal mindset thing. Actually, I do find some workflows very suited to TOML, like build systems, where each task is in its own section, shouting clear-cut domain and dependency boundaries.
It is a simple layer 7 proxy and nothing more. It is the simplest, so it works. As a comparison, almost all other reverse proxies can handle layer 4 traffic.
And I don't miss the label feature of Traefik at all. Centralized config for an entrance gateway is so much easier to maintain and to find security flaws in. I think labeling would be useful only in production clusters with thousands of microservices, where you absolutely need the reverse of control to get away from dependency hell. Otherwise, I advise against using such a feature, not even with a Caddy plugin. (I mean, if you really need it, why not just use Traefik...)
Not getting the point why you need every new service exposed to the public. Do you really need WAN access to your services? If not, not exposing anything is the way to go. Then, in case you need anything specific, set up a Cloudflare tunnel to it. Also, put every container that may need exposure into a separate bridge network.
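One way to lay out the "one centralized Caddy entrance, one separate bridge network per exposed container" setup from the two comments above, as an added example that is not from this thread. Image names and hostnames are placeholders; the inline `content:` form of `configs` assumes a recent Docker Compose v2.

```yaml
# Added example, not from the thread. Only the Caddy container publishes a port;
# each app lives on its own internal bridge network that Caddy also joins, so
# apps cannot talk to each other, and nothing but Caddy is reachable from outside.
services:
  caddy:
    image: caddy:2
    ports:
      - "443:443"            # the single public entrance
    networks:
      - edge                 # non-internal: needed for published ports and ACME egress
      - app1_net
      - app2_net
    configs:
      - source: caddyfile
        target: /etc/caddy/Caddyfile
    volumes:
      - caddy_data:/data     # TLS certificates survive restarts

  app1:
    image: example/app1:latest   # placeholder image
    networks: [app1_net]         # no `ports:` -> reachable only through Caddy

  app2:
    image: example/app2:latest   # placeholder image
    networks: [app2_net]

networks:
  edge:
    driver: bridge
  app1_net:
    driver: bridge
    internal: true           # no outbound Internet for the app container at all
  app2_net:
    driver: bridge
    internal: true

volumes:
  caddy_data:

configs:
  caddyfile:
    content: |
      # placeholder hostnames; Caddy resolves app1/app2 via the shared networks
      app1.example.com {
        reverse_proxy app1:8080
      }
      app2.example.com {
        reverse_proxy app2:3000
      }
```

Because every route is in this one Caddyfile, a review of what is exposed is a review of a single file rather than of labels scattered across every container.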
Short answer: yes. I think you have already come to the same conclusion but are just being intimidated by a new technology stack that you must learn from scratch. Well, don't be! It isn't hard, and it is definitely worth the effort!
One VM for all, the other for the router. You don't even need to limit CPU resources on Proxmox. It just works™.
Anyway, I do plan to have another box for my game server because I don't want it to mess with my perfectly fine internet backbone, lol.
People are not getting the risks of exposing services correctly. Think about it again. Even if you lock everything behind password protection, if the password is weak, it is still not any better than no protection. The chain is only as strong as the weakest link. Your tech-illiterate family members may very likely set up something like 88888888, and then they are effectively making the entire server naked. It is best to use device-specific authentication apps like WireGuard. If they can't even use such an app, then only expose apps that support WebAuthn (or OIDC, and set up an OIDC provider that supports WebAuthn or nopass), where they can use the fingerprint readers on their phones to log in.