Some of these you’re already doing, but writing a complete* list. *almost garuanteed not to be complete, suggestions welcome

1. Have everything behind the same reverse proxy, so that you have only one endpoint to worry about. Run it through ssllabs or similar to check your config.
2. On your reverse proxy, add one or more layers of authentication if possible. Many possibilities here: If one app supports client certificates, while another has limited capabilities, you could probably tie together something where IPs are whitelisted to the ither services based on that certificate auth.
3. Geoblock all countries you won’t be accessing from
4. crowdsec is pretty nice, this detects/blocks threats. kinda like fail2ban but on steroids.
5. if you use one of those 5$/month VPSes, with a VPN tunnel to your backend services, that adds one layer of “if it’s compromised, they’re not in your house”.

lastly consider if these things need to be publically avilable at all. I’m happy with 95% of my services only being available through Tailscale (mesh VPN, paid service with good enough free tier, open source+free alternatives available), and I’ve got tailscale on all my devices

Agreed! I think a part of the “problem” is that with Nix, there’s now at least 3 sides: application specific knowledge, system knowledge, and you have to use the nix language, architecture and tools to interface with it. so for a seasoned linux user, there’s maybe just a new programming language, but if you’re new to Linux, it’s quickly gonna overwhelm you. which in a way is a bit ironic because I’d argue that it’s easier to manage a NixOS system, and getting help is so much easier when your problems can be replicated by just aharing your config.

that is one way to do it, and it’s a very common one - it’s robust and simple. So I can’t correct you, but thought I would add to it. In NixOS, they’ve improved it by making sure all your apps are symlinked, and when updating, these symlinks are updated. That way you can start using your newly updated system straight away, without a reboot. When rebooting, you are prompted to which generation you want to boot into, (defaulting to “latest” after a few seconds of no input) making rollbacks a breeze.

As an “outside observer”, I think maybe you’re not seeing (what I believe is) the other guys viewpoint: What you are bringing up (photoshop has been possible already) is a core part of what he said from the start, and his point builds on top of that. So obviously he already knows it, and arguing about it disregards that his line of argumentation builds upon the basis we all agreed upon to be true until you brought it up as … contrarian? To his point. doesn’t seem like “old man yells at cloud” energy, more like “Uhm, achtually”