Spyke

Posts

selfhosted · Selfhosted · by qjkxbmwvz

Access control for selfhosted services via VPS?

Looking for advice for self hosted networking.

Question first, details below:

Everything works fine now, but feels...hacky. My question is, what's the best way of dealing with allowing only certain services to be accessible to the world while blocking other services to everything except local (+vpn) clients? Currently, because of my vps port forwarding, all external traffic appears to come from that machine. So, what I have now in my nginx config is to allow traffic from the local & wireguard subnets, except for traffic from the vps itself.

So: looking for advice on how to better manage access, but of course, if anyone has other improvements/suggestions, I'm all ears.

My current setup is:

Machines:

  • VPS (vps) with public IP.
  • Home router (router) with no public IP or open ports.
  • Home server (srv-home).
  • Remote server (srv-remote), located with family.

Network structure, ignoring vlans and whatnot, is:

  • vps <--wireguard--> router
  • vps <--wireguard--> srv-remote
  • router <--ethernet--> srv-home

srv-remote and srv-home can communicate through vps+router.

Services & structure, broadly speaking:

vps port forwards http/s to router, which port forwards to srv-home (can optionally have it port forward directly to srv-home, doesn't really matter to me).

srv-home handles SSL, both for services on srv-home and srv-remote. This allows me to a) manage certificates locally in one place (not on vps), and b) use local DNS on my router to bypass vps for locally hosted services. Works great.

srv-home and srv-remote both host some services which I would like to be publicly accessible and some that I would like to remain private.

vps also acts as my road-warrior vpn, on the same wireguard interface that's used for the vps<-->router link. One solution would be to just have separate wireguard interfaces (or maybe just separate address spaces?) for the vps<-->router and vps<-->[road-warrior] links? Another would be to get the vps port forwarding set up in a way that doesn't lose the originating IP address, but so far I have been unsuccessful there.

Thanks in advance for any insight!

View original on lemmy.sdf.org
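One way to keep the originating address across the VPS hop, so that the nginx allow/deny rules act on the real client rather than on the VPS address: an added example, not from the post or any reply. It assumes nginx with the stream module on the VPS and the realip module on srv-home, that the router forwards TCP 8443 to srv-home without rewriting the source address, and placeholder addresses (10.8.0.0/24 for wireguard, 192.168.1.0/24 for the LAN) and hostnames.

```nginx
# On the VPS: relay TCP 443 to the router (which forwards 8443 to srv-home)
# and prepend a PROXY protocol header carrying the real client address.
# 10.8.0.1 (vps) and 10.8.0.2 (router) are assumed wireguard addresses.
stream {
    server {
        listen 443;
        proxy_protocol on;
        proxy_pass 10.8.0.2:8443;
    }
}

# On srv-home: keep the plain 443 listener for LAN clients that reach it
# directly via local DNS, and add a second listener that expects the PROXY
# header from the VPS. The realip module then restores the client address.
http {
    server {
        listen 443 ssl;                  # direct LAN / wireguard clients
        listen 8443 ssl proxy_protocol;  # traffic relayed by the VPS
        server_name svc.example.invalid;                          # placeholder
        ssl_certificate     /etc/ssl/placeholder/fullchain.pem;   # placeholder
        ssl_certificate_key /etc/ssl/placeholder/privkey.pem;     # placeholder

        # Trust the PROXY header only when the TCP peer is the VPS tunnel end.
        # If the router masquerades instead of plain DNAT, trust the router's
        # LAN address here instead.
        set_real_ip_from 10.8.0.1;
        real_ip_header   proxy_protocol;

        # Public service: reachable from anywhere.
        location /public/ {
            proxy_pass http://127.0.0.1:8080;
        }

        # Private service: the decision uses the restored address, so external
        # clients relayed by the VPS no longer appear as 10.8.0.1.
        location /private/ {
            allow 192.168.1.0/24;   # home LAN (assumed)
            allow 10.8.0.0/24;      # wireguard subnet, incl. road-warrior peers (assumed)
            deny  all;
            proxy_pass http://127.0.0.1:8081;
        }
    }
}
```

With the client address restored, the "except the VPS itself" exception in the existing allow list is no longer needed. Verify from an outside network that /private/ returns 403 while /public/ still serves, and from the LAN that the direct 443 path (no PROXY header) still works.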
selfhosted · Selfhosted · by qjkxbmwvz

Force re-upload of broken assets on Immich?

SOLVED: delete using web client, and mobile will re-upload.

I haven't been able to find the proper way to force a re-upload of an image from mobile --- any suggestions?

The images in question are from an iOS device. They show up correctly on the iOS device (both native Photos app and Immich), and claim to be uploaded (cloud w/check mark icon). On Android and web, they do not show up. If I try to download the image on web, it fails, with an immich_server log message of

ERROR [ExceptionsHandler] ENOENT: no such file or directory, stat 'upload/library/admin/path/to/file.jpg'

I've read it's possible to fix these issues with some Postgres magic, but I've also read that that is Strongly Discouraged.

I believe the original issue of why the files got borked was I didn't have a sufficient client_max_body_size set (I'm using a reverse proxy, nginx). This is just a hunch though...

Thanks in advance --- will just ask the immich.app crowd if that's a more appropriate place.

View original on lemmy.sdf.org
til · Today I Learned (TIL) · by qjkxbmwvz

TIL about Alvin, a deep sea sub from the '60s still active today

Wikipedia: https://en.wikipedia.org/wiki/DSV_Alvin

Sounds like it was (shocker) really well designed. It even sank once when a cable snapped on the support boat --- the crew escaped, and it was recovered and retrofitted. And if things go sideways, the cabin/titanium sphere could detach, floating freely up to the surface.

After hearing about OceanGate, deep sea subs sounded terrifying --- but reading about this is somehow very comforting.

Link: https://slate.com/technology/2023/07/deep-sea-research-alvin-submersible-oceangate-titan-implosion.html

View original on lemmy.sdf.org