*Bri’ish

Theres a subscription for this that works kinda like that.

Otherwise a vpn into your hone network gives you access from your devices. Maybe your router already supports this, otherwise tailscale or zerotier and similar can be a good solution.

I dont have issues exposing my ha to the internet through caddy, but i filter traffic based on country of origin (geoip2). Used to have separate auth in front but i removed that a few months ago

Edit: not too much use of running two containers if you expose the same storage to both. Better option would be to have two reverse proxies, one for local and one for internet, both proxyinf the same ha instance. That way you can get ha on normal https port with certs.

Imo you are pretty safe with a reverse proxy with an extra layer of security.

No - i would advocate for not using docker if I need a network interface. But thats my opinion, and others will have a different one.

You can use macvlan networking, and if you need host<->container communication you give your host a macvlan interface instead or in addition to the root nic. Macvlan works “on top of” an existing interface, so theres no routing locally between the underlying nic and the macvlan nics.

If the host have several nic’s you can pass one through to a given container

There are other solutions than docker for that use-case that I think are better fits. It probably works fine, but for me other drivers including host mode and ipvlan seems to have been introduced to solve the wrong thing. Like how it needs privilege for them to work and how it exposes the containers network interface. For me it kinda breaks parts of why i would use docker.

Its my personal opinion and how i like to work.

You could probably make your setup work but it seems too complicated for me when you introduce a bridge as the root interface. Maybe with macvlan adapters on the host instead or in addition.

I dont get it - are you trying to mimic vm’s with you docker containers? docker works great using the normal way of exposing ports from the internal docker net through the host. Making technology work in ways it wasnt designed for usually gives you a hard to maintain setup

You have a mighty big hand if you reach l and a with the same one

I must have been doing websites wrong for decades by not forwarding through a reverse proxy. I admit a good one like caddy makes tls easy, but unless you have several backends for one site theres no need. The reverse proxy part of load balancer is very similar to a port forward, but on layer 7 instead of 3 or 4

There are other things to consider as well. Nfsv3 is good for large sequential reads/writes. There are no multichannel in nfs3 and no caching , and you should adapt technology to the use-case. For vm storage nfs sucks while for movie storage it works great.

For general file storage I would pick smbv3 for speed and ease of user/security

Multicast DNS uses multicasting (surprise!) so keep your devices on the same network and it just works. Docker is not very multicast friendly but lxc or a vm should have no issues.