I already do use firewall rules, this is just an extra step I take to segment things which also serves to make it a bit easier for me to remember certain addresses. It is entirely unnecessary, but I like it this way.
Let’s say I have a static IPv4: 72.235.228.162
And IPv6 block: 2660:1100:45f0:c17::/60
What I do is set up a Virtual IP in OPNsense and give it the address 2660:1100:45f0:c171:72:235:228:162
Then I set up the firewall rules for that IP.
Then I NAT 1:1 that IP to the NGINX VM’s IP and now the Internet doesn’t need to know about it.
I use NAT on IPv6 so that I control which IP address is exposed. I’ve got /60 and all of my home devices are assigned unique IPs. What I like to do is set up a V6 address that uses the same numbers as my static V4 address and NAT that to my NGINX box, basically using the router assigned V6 as a “local” address.
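The address scheme described above, worked through as an added example (this is not the commenter's code or an OPNsense configuration): each decimal octet of the static IPv4 address becomes a hextet that reads as the same digits, placed in the interface-identifier half of one /64 inside the delegated /60. It also includes the check worth running before writing firewall or 1:1 NAT rules on the virtual IP, namely that the address actually sits inside the prefix the ISP routes to you. One caveat the example makes visible: IPv6 shorthand drops leading zeros, not trailing ones, so a prefix typed as `2660:1100:45f0:c17::/60` expands to `...:0c17::`, which is neither a /60 boundary nor a prefix containing `...:c171:...`. The example therefore assumes the intended delegation is `2660:1100:45f0:c170::/60`; the sample values are the ones from the comment.

```python
import ipaddress

# Constructed sample values, taken from the comment above.
STATIC_V4 = "72.235.228.162"
# As typed in the comment the prefix is "2660:1100:45f0:c17::/60". IPv6 shorthand
# drops leading (not trailing) zeros, so that expands to ...:0c17::, which is not a
# /60 boundary. Assumption: the delegation that holds the virtual IP is really this:
DELEGATED_V6 = "2660:1100:45f0:c170::/60"


def v4_to_hextets(v4: str) -> list[int]:
    """Map each decimal octet to the hextet that *reads* as the same digits:
    72.235.228.162 -> [0x72, 0x235, 0x228, 0x162]."""
    return [int(str(octet), 16) for octet in ipaddress.IPv4Address(v4).packed]


def hextets_to_v4(hextets: list[int]) -> ipaddress.IPv4Address:
    """Inverse of v4_to_hextets; rejects hextets that do not spell a valid octet."""
    octets = []
    for h in hextets:
        text = format(h, "x")
        if not text.isdigit() or not 0 <= int(text) <= 255:
            raise ValueError(f"hextet {text} does not spell an IPv4 octet")
        octets.append(int(text))
    return ipaddress.IPv4Address(".".join(map(str, octets)))


def mnemonic_v6(v4: str, delegated: str, subnet_index: int) -> ipaddress.IPv6Address:
    """Take the subnet_index-th /64 of the delegated prefix and put the IPv4
    mnemonic hextets into its low 64 bits (the interface identifier)."""
    net = ipaddress.IPv6Network(delegated, strict=True)  # refuse host bits in a prefix
    if net.prefixlen > 64:
        raise ValueError("need at least a /64 to host an interface identifier")
    subnets = list(net.subnets(new_prefix=64))  # 16 of them for a /60
    if not 0 <= subnet_index < len(subnets):
        raise ValueError(f"subnet index must be in 0..{len(subnets) - 1}")
    iid = 0
    for h in v4_to_hextets(v4):
        iid = (iid << 16) | h
    return subnets[subnet_index].network_address + iid


def v4_of(v6: str) -> ipaddress.IPv4Address:
    """Recover the IPv4 address spelled in the low 64 bits of a mnemonic IPv6."""
    packed = ipaddress.IPv6Address(v6).packed
    hextets = [int.from_bytes(packed[i:i + 2], "big") for i in range(8, 16, 2)]
    return hextets_to_v4(hextets)


def vip_is_routable(vip: str, delegated: str) -> bool:
    """The check to run before building firewall and 1:1 NAT rules on a virtual IP:
    an address outside the prefix the ISP routes to you will never see traffic."""
    return ipaddress.IPv6Address(vip) in ipaddress.IPv6Network(delegated, strict=False)


if __name__ == "__main__":
    vip = mnemonic_v6(STATIC_V4, DELEGATED_V6, subnet_index=1)
    print(vip)                                                   # 2660:1100:45f0:c171:72:235:228:162
    print(v4_of(str(vip)))                                       # 72.235.228.162
    print(vip_is_routable(str(vip), "2660:1100:45f0:c17::/60"))  # False: prefix as typed
    print(vip_is_routable(str(vip), DELEGATED_V6))               # True
```

`subnet_index=1` selects `2660:1100:45f0:c171::/64`, which is why the virtual IP's fourth hextet is `c171`; any of the other fifteen /64s in the delegation would work the same way, and `vip_is_routable` is the one line to keep around for whichever you choose.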
Yeah, I gave up because it wasn’t really necessary for me. I have a /29 plus I can open ports so I just decided to set up an SMTP relay on my VPS because my ISP blocks outbound on port 25. I can still do inbound on port 25 so no issues receiving emails. It actually might benefit you to have an SMTP relay on the VPS to properly route the outbound email if you don’t want to have two Wireguard tunnels running.
One quick tip for your email setup - you want to set up routing rules (not NAT). I struggled with this for quite a while before I eventually gave up though. I started to write a tutorial but it remains unfinished. Check it out, might be helpful for you. https://github.com/madeofstown/Wireguard-VPS-Port-Forward
When you rip your own you get to control the quality, which I think is the best part, but I suppose if you needed to rip 100s of movies a year it would become a chore. The thing is that the majority of new movies and TV can easily be found on BitTorrent, so I would only need to rent and rip a few obscure or older films in a year, and those could probably be found at the library.
I ran one for a few months until I woke up one morning and it wasn’t working. As I was the only person using it, I didn’t bother to troubleshoot and just signed up for an account at lemmy.world.
If you want to run your own I recommend you check out the ansible install route. It’s really simple and straightforward once you wrap your head around ansible.
What’s the point of renting a VPS if you only access it from your own network? I understand why a large company would do it (risk mitigation) but I don’t understand why a self-hoster wouldn’t just use an old computer at home. Your costs would be reduced and you could more easily control access.
Now that being said, most Cloud VPS providers have a firewall that you can configure from their web portal. If you whitelist your home network public IP then you can be sure that anyone connecting to your VPS will have to be doing so from your home network. You could do the same thing with UFW or iptables on the VPS but I recommend using the external firewall because it won’t take resources from your VPS while defending against a DDoS.
Another related question. Is the creator of Lemmy also the creator of torrents-csv? I ask because their dockerhub page hosts torrents-csv images as well as the lemmy one.