Some systems support MFA, e.g. Vaultwarden. For those I use the built-in MFA with YubiKeys.
For things that do not support MFA but that I need to be open, I put them behind Authelia and Nginx Proxy Manager.
The Authelia config makes sense now. It was confusing at first; however, the custom config required on NPM still confuses me.
Anything else stays off the internet, and I can access it via VPN back into my LAN.
Anything that is exposed is done through Nginx Proxy Manager, and 2FA is enforced on those apps either through the app or through Authelia.
Some of the exposed apps are shared with friends and family, so it is easier to expose them securely than to mess with VPN for them.
Anything else is only accessible via VPN on my router.
I need to look at Tailscale.
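The "custom config required on NPM" mentioned above is the forward-auth snippet that goes in the Advanced tab of a proxy host in Nginx Proxy Manager. The following is an added example written for this thread, not the poster's config and not taken from the Authelia or NPM projects; it follows the documented nginx `auth_request` pattern. The hostnames `authelia:9091`, `app:8080` and `auth.example.com` are assumptions, and the verify endpoint path depends on your Authelia version (`/api/verify` on older 4.x releases, `/api/authz/auth-request` on newer ones), so check the Authelia docs for the release you run.

```nginx
# Internal endpoint that nginx calls for every request to decide whether the
# visitor already has a valid Authelia session. "internal" means a client can
# never request /authelia directly, only nginx's auth_request subrequest can.
location /authelia {
    internal;
    # ASSUMPTION: Authelia container is reachable as "authelia" on port 9091.
    # Adjust the path to match your Authelia version (see lead-in).
    set $upstream_authelia http://authelia:9091/api/verify;
    proxy_pass $upstream_authelia;

    # Only the headers matter for the auth check; never forward the body.
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";

    # Authelia needs the original scheme/host/URI to evaluate its access
    # control rules for the app being protected and to build the redirect.
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Forwarded-Method $request_method;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host $http_host;
}

# The protected application. Defining "location /" here replaces the block
# NPM would otherwise generate for this proxy host, so the upstream must be
# set again.
location / {
    # ASSUMPTION: the app sits at http://app:8080 on the same Docker network.
    set $upstream_app http://app:8080;

    # Every request is gated by the subrequest above. A 200 from Authelia
    # lets the request through; a 401 triggers the error_page below.
    auth_request /authelia;

    # Remember where the user was going so the portal can send them back.
    auth_request_set $target_url $scheme://$http_host$request_uri;

    # Pass the authenticated identity to the app. Because the app is only
    # reachable through this proxy, it can trust these headers; if the app
    # were reachable by any other path, a client could forge them.
    auth_request_set $user $upstream_http_remote_user;
    auth_request_set $groups $upstream_http_remote_groups;
    auth_request_set $name $upstream_http_remote_name;
    auth_request_set $email $upstream_http_remote_email;
    proxy_set_header Remote-User $user;
    proxy_set_header Remote-Groups $groups;
    proxy_set_header Remote-Name $name;
    proxy_set_header Remote-Email $email;

    # Unauthenticated: redirect to the Authelia portal (ASSUMPTION: it is
    # published at auth.example.com) with the return URL in ?rd=.
    error_page 401 =302 https://auth.example.com/?rd=$target_url;

    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass $upstream_app;
}
```

Two things worth verifying after pasting this in: first, that the backend container is not also published on a host port, since the identity headers are only trustworthy when every request passes through this proxy; second, that the Authelia access control rule for this host is set to `two_factor` rather than `one_factor` or `bypass`, otherwise the "2FA enforced through Authelia" part is not actually in effect.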