Before getting into my containers and reverse proxy, I decided to do some basic steps to secure the pi. This isn't an expert tutorial for homelab security, its just a list of links in case I ever have to start from scratch again.
Ideas implemented
New Accounts and Set up SSH keys
https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server
Luckily, the rest of my homelab was already set up for SSH keys. There is a DietPi specific gotcha here, you need to edit/etc/ssh/sshd_config.d/dietpi.conf
to disable public key access to ssh. Login to the default accounts is absolutely forbidden.Argon40 fan control
https://github.com/iandark/argon-one-daemon
This has worked better for me than the official code from Argon40, especially if you are not running raspbian.Firewall
https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands
https://chrisapproved.com/blog/raspberry-pi-hardening.html
For my secondary Pi Zero 2w the firewall is basic, all ports are closed except for a management ssh port and web admin, and those are local only. This is done with the default iptables available on DietPi (and raspbian).
The web server pi can be very restricted too, but the web ports have to be forwarded.Most things here will be forwarded through Authentik, but be aware that Dietpi puts some local management apps (like the dashboard and portainer) on strange ports so look up what you need to allow locally.
fail2ban
https://pimylifeup.com/raspberry-pi-fail2ban/
https://blog.fernvenue.com/archives/ufw-with-fail2ban/
Setting up a jail for UFW is covered in the second link, and rsyslog is not installed by default with DietPi. Looks like this defeats some of the point DietPi made with the ramlog system but this is covered in their documentation.
Ideas left on the back burner, again.
Antivirus
Running antivirus on a cron job turned out to be a bad idea after all, it's too taxing on the Pi4 and would easily take longer than it's 24 hour schedule. I wouldnt even want to run it on demand for all new files becuase I store a lot of documents on my file share and uploading pdfs would cripple the Pi. Luckily I found some instructions on how to scan only new files and hopefully that will run a little bit easier and at an opportune time.