It comes down to using secure passwords, 2 factor authentication, and updating software as soon as you can.

Check out Cloudflare’s zero tier tunnel to only expose the services you need without port forwarding. Added benefit of masking your home’s IP behind Cloudflare to prevent DDOS. Only downside is you need your own domain.

Proxmox, Nextcloud, and Jellyfin user here. My setup separates groups of services into their own VMs. Docker is just another way to package and deploy applications by simplifying the process.

So Nextcloud and Jellyfin get their own VMs, and I deploy the applications via Docker on the separate VMs. If you want to utilize Portainer, you can deploy an agent to each of these VMs.

Lightweight applications I typically deploy to separate LXC containers. Portainer, Pi-hole, NGINX would all get separate LXC containers. You can connect to the other VM Portainer agents from the LXC Portainer server.