- if you can port forward (AKA no CGNAT from your ISP, look it up), only open ports 80/443 for a web server. reverse proxy will handle everything else
- if your router's capable of VLANs, put your homelab network on one. i have no experience with VLANs so i can't help here but there's plenty of guides online and it's best practice
- install `fail2ban` first thing. it takes care of most automated bot login attempts without any configuration
- use debian or ubuntu server if you don't wanna suffer. ubuntu server is alright but debian is best bc no snap shit. same package manager (`apt`)
- best web server to use is [caddy](https://caddyserver.com/). it's really fucking simple, look at [my guide](https://bubblegum.girlonthemoon.xyz/articles/basic-caddy-uses)
- **do not use password SSH auth**. PLEASE set up key only auth. passwords are easy to break, keys are way harder. [basic guide here](https://www.simplified.guide/ssh/configure-passwordless-login)
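
To confirm the key-only SSH change actually took effect, check the effective config that `sshd -T` prints instead of trusting the file you edited. The script below is an added example, not from the original post; the `audit_sshd` helper name and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): confirm sshd is really key-only.
# Feed it the effective config that `sshd -T` prints ("keyword value", lowercase).

# audit_sshd (hypothetical helper name): reads `sshd -T` style text on stdin,
# prints what is wrong, returns 0 if only keys are accepted and 1 otherwise.
audit_sshd() {
    awk '
        { seen[$1] = $2 }
        END {
            bad = 0
            if (seen["pubkeyauthentication"] != "yes") {
                print "FAIL pubkeyauthentication is not yes"; bad = 1
            }
            # A missing line counts as a failure: the OpenSSH default is yes.
            if (seen["passwordauthentication"] != "no") {
                print "FAIL passwordauthentication is not no"; bad = 1
            }
            # keyboard-interactive can still ask for a password through PAM.
            # Older OpenSSH prints challengeresponseauthentication instead.
            if (seen["kbdinteractiveauthentication"] == "yes" ||
                seen["challengeresponseauthentication"] == "yes") {
                print "FAIL keyboard-interactive auth is on"; bad = 1
            }
            if (!bad) print "OK keys only"
            exit bad
        }
    '
}

# Constructed sample: keys work, but passwords are still accepted.
SAMPLE_DEFAULT='port 22
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'

# Constructed sample: key-only.
SAMPLE_KEYONLY='port 22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no'

printf '%s\n' "$SAMPLE_DEFAULT" | audit_sshd || true
printf '%s\n' "$SAMPLE_KEYONLY" | audit_sshd
# On a real server, run: sudo sshd -T | audit_sshd
```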