I have truly unlimited fiber to the home internet, 1.6GB/s. They never throttle and they never cap. I download terabytes of data regularly. Is there any downside to self-hosting in my situation? I have been advised that it can open security issues for my home network, but if there is a way to mitigate that without relying on Tor, I am all ears...
What kind of security issues? Of course, you should not give clients of any services you offer (like http) access to your "home network" (assuming that means the LAN your personal stuff is on). A firewall is the general answer.

I have a minimum of 2 LANs: one called DMZ is connected to internet peers (including ISP - you really should have more peers and non-ISP ones) and one for your home stuff. Servers receive requests from the DMZ. A typical configuration is to have 1 or more (local) cloud servers running VMs connected to the DMZ. If the cloud server is also the gateway for the home LAN, a firewall on the host OS maintains the separation. (I do that because the main cloud server has 2 PSUs and is more reliable than a cheap router. I am reconsidering because so much stuff is down during maintenance on that server.) Whatever the gateway, a firewall on that gateway should block incoming connections to the home LAN (with exceptions - need a longer discussion).

For Linux, I use iptables - but that is sadly becoming obsolete. I need to learn nftables, and if you are just learning Linux firewalls, start with that. There are high level systems like firewalld that sit on top of nftables or iptables - and make things simpler for the specific scenarios the designers considered. While a laptop generally is one of those scenarios, the local cloud server setup is generally not - and things like firewalld make it MORE complicated, so I just use iptables on the gateway.

Simple things first: all your reliable servers must have ECC RAM. Do not compromise on this. I won't go into all the reasons.

The most frustrating part of self-hosting has always been power. I've been doing this for 40 years (starting with a Series-1 minicomputer), and the most common server component to fail is the PSU. This is mitigated by having 2 PSUs - much more reliable and much more expensive. I can get a used 1 PSU server for $100 plus shipping and maybe additional RAM or disk. I am looking at $1000 used or $2000 plus for a new dual PSU server.

The next item is the UPS. These fail all the time. If nothing else, the batteries wear out in 3 to 5 years. You want more than one. Any server with dual PSU should connect to 2 different UPSes. Or at least your 1 UPS and a dedicated wall outlet with surge suppressor. You want an extra UPS to swap in or take up load when one fails (or the batteries fail). The UPS thing is a huge pain - I would pay a reasonable amount for a service that provides N UPSes for N sats/usb per month and exchange them by mail to replace or change batteries.

You need Gbit ethernet switches - maybe even 10Gbit switches for high bandwidth applications (like SAN). Always have extra. I prefer "dumb" (unmanaged) switches. I've seen too many security holes in managed switches. Always buy cable that supports the faster switches - you will probably be upgrading (if we still have a country able to buy from China, where all the stuff is made).

In addition to an OS that supports VMs (I use EL8 and Fedora with KVM), you can use old laptops or old desktops as lower reliability servers for experimentation. Is this the kind of info you are looking for?
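The gateway firewall described above (DMZ for servers, home LAN that accepts no inbound connections, nftables rather than iptables), written out as an added example; this is not the poster's ruleset. Interface names (wan0, dmz0, lan0), subnets and the published server address 10.10.0.10 are assumptions.

```nftables
#!/usr/sbin/nft -f
# Assumed layout (not from the post):
#   wan0 = ISP/peer uplink, dmz0 = 10.10.0.0/24 (servers), lan0 = 192.168.10.0/24 (home)
flush ruleset

table inet gateway {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Only the published services are mapped into the DMZ, nothing into the home LAN
        iif "wan0" tcp dport { 80, 443 } dnat ip to 10.10.0.10
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Manage the gateway itself only from the home LAN
        iif "lan0" tcp dport 22 accept
        # Both internal networks may use the gateway as their DNS resolver and ping it
        iif { "lan0", "dmz0" } udp dport 53 accept
        iif { "lan0", "dmz0" } tcp dport 53 accept
        icmp type echo-request accept
        # Neighbour discovery must pass or IPv6 stops working on the gateway
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Home LAN may initiate connections to DMZ servers and the internet
        iif "lan0" oif { "dmz0", "wan0" } accept
        # DMZ servers may reach the internet but never initiate into the home LAN,
        # so a compromised server cannot pivot to personal machines
        iif "dmz0" oif "wan0" accept
        iif "dmz0" oif "lan0" drop
        # Inbound from the internet only to the DNAT'd DMZ services
        iif "wan0" oif "dmz0" ip daddr 10.10.0.10 tcp dport { 80, 443 } accept
        # wan0 -> lan0 and everything else falls through to the drop policy
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Source NAT for the IPv4 networks behind the gateway (routed IPv6 needs none)
        oif "wan0" ip saddr { 192.168.10.0/24, 10.10.0.0/24 } masquerade
    }
}
```

Load with `nft -f` and check with `nft list ruleset`; a quick test is to connect from a DMZ host to a LAN address and confirm it times out while the reverse direction works.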
Everything you described above is how I have the infrastructure in my private residence home network, including 10GB switches and router modem. Not the secondary PSU however, and I don't need 100% uptime as a critical condition. It will not affect revenue even in the worst case scenario. What's more important is censorship resistance and sovereignty. This is exactly the summary and sanity check I was looking for. However, I wanted to zap you but could not.
I haven't figured out how to do lightning with self-custody BTC yet. I am willing to have a custodial lightning wallet - as long as I can limit the BTC at risk and keep the BTC myself. Actually running a lightning node myself seems to have requirements that are not worth the small amount of BTC at risk. Is it possible to have a self-custody wallet with someone else's node? How does the node operator get paid? I read up a bit more each week.
I don't recommend storing much BTC in lightning. The main reason for this is that lightning does not support hardware wallets yet, so essentially all lightning wallets are "hot wallets". If we don't keep large amounts on lightning, I don't see the need for self-custody; although I do have that set up through Start9, I still prefer using Wallet of Satoshi for purchasing street food from non-English speaking merchants in other countries. Any amount of BTC that you would feel sorrow over losing should be held on chain in cold storage. The rest is for fun and games and networking 😃 I recommend trying all common lightning implementations available and see what you like the best and what makes the most sense for you.
Try Start9, good training wheels. Research as you go and only turn on what you understand.
Get Phoenix wallet and load it with a solid sum of sats to pay for opening of a channel. Try to spend about half the sats before loading it with more sats.
Spend spend spend lol! 🤣
Spend or swap back on-chain. But honestly, LN is for spending.
Small amounts, I agree. It ends up not being worth it if you self-custody for a chump change hot wallet, i.e. LN. Last thing I want is to get stuck for a failed transaction at a street food vendor in El Salvador or Mexico, which is where I'm going in 2 weeks. I use Phoenix and Zeus, but will not be going on vacation without a Wallet of Satoshi instance on my device, that's for sure!
Multiple LN and on-chain wallets for the win. Keeping a small amount (1-5%) of my stack on me at all times.
Likewise! The more tools you are equipped with, the better! Except more like 0.01% to 0.05% here....
Do you have to open a channel to use lightning network?
If you want to have your #sats in your own custody, you have to open a channel - a smart contract on the #Bitcoin main chain. There are fully custodial wallets where you don't have to open any channels, like Wallet of Satoshi, but in that case you don't own your #sats; the wallet provider holds them in their channel. It's OK for small amounts, like less than a million sats or something, I guess. Most people use them here for zapping.
I think a fully custodial wallet is what I want. Where I can transfer a small amount of BTC (which is self-custody) for zapping and receiving zaps. How does the wallet provider make money? Do they take a percentage?
They take small fees from the transactions and some sell other services like swapping between on-chain and LN. We are so early, many operators are first building the solutions and care about earnings later.
For censorship resistance, there are several huge threats not really addressed by Nostr: ICANN DNS, cabal TLS, ISP.

Low-hanging fruit: never ever use ISP nameservers. Run your own resolving DNS server. Do NOT use the ICANN root zone unmodified. Practice adding private TLDs - from the common 'LAN' TLD for local names to secret TLDs that you share only with trusted collaborators to public alt-TLDs (like .NOSTR) that anyone can use by configuring the name servers you supply. Always use your own primary DNS server. Use peers (even competitors) or 3rd party services for secondary service. Note that 3rd party secondary services will only handle ICANN TLDs. Consider becoming a server for the opennic.org collection of alt-TLDs. It is good practice.

Cabal TLS is not secure and never has been. The cabal can forge certs and MITM https and other TLS connections. The problem is that common browsers trust all cabal CAs for all certs. The first step to addressing the problem is a PKCS#11 policy for the browser. I just learned that all browsers are supposed to support that last week (I was working on an extension to "veto" certs via user supplied rules or js code). Normies need a simple way to use private CAs with confidence they will be trusted only for designated domains/TLDs (and that cabal CAs are NOT trusted for those domains/TLDs).

When I started on the internet, we connected peers via RS232 cable, a leased line, or a 24x7 phone call with a dial-up modem. These methods improved, and additional tech like coax, 10baseT, ISDN, WiFi, etc. were added. The internet remained decentralized until around 1996, when globalists began pushing for a more centralized approach. Not only ICANN, but convincing people to drop peer connections and just use an ISP, drop self-hosting and just use a service. All this centralization was so convenient. Nikki Haley advocates a national ID to access an ISP. Elites will be pushing for this. It is past time to relearn peer connections.

The best technique IMO is virtual global mesh networks. These support a mix of ISP and peer links and do not rely on the original internet routing (BGP), which required too much manual intervention. The best virtual nets are e2ee with authenticated IPs (IPv6). IPv4 must die. It has become a tool of centralization. (But you probably have to compromise to accommodate normies until they can install a p2p enabling VPN on their devices.)
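The resolver setup in the post above (own recursive resolver, no ISP forwarding, a private 'lan' TLD, and a public alt-TLD such as .nostr reached through name servers you configure), as an added Unbound configuration example; it is not the poster's config. The listen addresses, local host names and the stub server address 203.0.113.53 are placeholders.

```conf
# Added example unbound.conf fragment; addresses and names are assumptions.
server:
    # Listen only on the gateway's internal addresses and never act as an open resolver
    interface: 192.168.10.1
    interface: 10.10.0.1
    access-control: 192.168.10.0/24 allow
    access-control: 10.10.0.0/24 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Recurse from the root hints yourself; nothing is forwarded to the ISP
    root-hints: "/etc/unbound/root.hints"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Private TLD answered from local data; these names never leave the box
    local-zone: "lan." static
    local-data: "gw.lan. IN A 192.168.10.1"
    local-data: "nas.lan. IN A 192.168.10.20"
    local-data-ptr: "192.168.10.20 nas.lan"

    # Rebind protection strips private addresses from answers unless the
    # domain is explicitly allowed to carry them
    private-address: 192.168.10.0/24
    private-address: 10.10.0.0/24
    private-domain: "lan"
    private-domain: "nostr"

    # An alt-TLD is absent from the ICANN root, so DNSSEC would prove it does not
    # exist; mark it insecure so validation does not SERVFAIL every lookup
    domain-insecure: "nostr."

# Public alt-TLD delegated to name servers you or a trusted peer publish.
# A secret TLD shared with collaborators is configured the same way.
stub-zone:
    name: "nostr."
    stub-addr: 203.0.113.53
    stub-prime: no
```

Verify with `unbound-checkconf` and then `dig @192.168.10.1 nas.lan` and `dig @192.168.10.1 example.nostr`; an ICANN name such as `dig @192.168.10.1 +dnssec opennic.org` should still validate.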
I agree. I guess I have been ahead of the normies for so long now, I have already forgotten many of the things they are just learning now 😉 Running a few mesh networks as we speak. Anyway, this conversation went way overkill compared to what I was looking for, but that's okay! Lots of great insight. Thank you.
Censorship resistance is hard:
- your ISP may terminate your deal (because you piss off someone)
- IP addresses are rented and centralized, you may lose it
- same thing with DNS (or they will just block you)
There is no such thing as "unlimited" internet of any kind. It is a mathematical impossibility - like "zero bandwidth transmitter". Fiber has a high rate to the home, but you connect to the same routers and switches at the ISP office as when you have cable. I actually prefer cable (unless your application truly requires Gbit or more over the internet) because fiber has a higher cost to install, longer MTTR (takes longer to repair), and shorter MTTF (fails more often). What is called "unlimited" means "unmetered" - you are charged a flat rate. This causes many perverse incentives for both ISP and customer, which I won't go into here. (Similar to an all-you-can-eat restaurant - which is never truly all you can eat and also has perverse incentives on both sides.) The economic incentives are much saner when paying for actual bandwidth consumed. A compromise is "tiered" plans, where you pay a flat rate for each capped tier, with an option to auto upgrade (if slowing down services is not an option).
Sure. There is no such thing as unlimited air either lol
You don't pay for air. Yet. (See "carbon" taxes.)
We pay for everything, whether one sees it or not.
There is a difference between you downloading vs uploading so others can download from you.