You don't say what you're using Cloudflare for, so suggesting an alternative is a bit tough.
Assuming that you're using a CF tunnel to get through CGNAT, tailscale would be one alternative (no need to turn it off/on, though). The other alternative would be renting a cheap VPS and tunneling through that instead.
On the other hand, if you're primarily using CF as a reverse proxy, you can run any number of them on your own server instead, like Nginx, Zoraxy, etc.
On the other other hand, if you're using their WAF, that can also be run locally. Crowdsec offers a WAF component in addition to their usual protections, for example.
On the other other other hand.... There are alternatives to most, if not all, of their other services, too.
What's a good reverse proxy for a set up using Cloudflare?
Having a reverse proxy behind your reverse proxy is a little redundant, but should work fine. My preference after trying several was nginx. The config takes a little to get used to, but it has a ton of features.
The paid plans get you the "premium" blocklists, which includes one specially made to prevent AI scrapers, but a free account will still get you the actual software, the community blocklist, plus up to three "basic"lists.
The slightly lower power draw pi5 vs a Tiny will eventually make up for the higher initial cost, but you can save more by turning off lights when you leave a room or skipping a round at the bar.
In my opinion, the wider software compatibility, better processing power, and expansible RAM and storage options far outweigh the eventual theoretical savings.
That said, if you need the super small SBC form factor or GPIO pins, definitely go for a pi. They absolutely have their use cases. I have 4 or 5 of the 3B and 3B+, and have used them on-and-off for a variety of tasks over the years.
It's been a long time since Pi's were competitive on price.
You can get a used Lenovo Thinkcentre for $50 on eBay. A modern pi is going to cost you that much for just the board, then you still need to buy a case, power supply, SD card, and then figure out some solution for storage...
I tried a bunch, zoneminder, motioneye, frigate, etc., before finally settling in AgentDVR. It offers a fair bit of flexibility via MQTT and "just worked" with my PTZ camera.
You're not a "target" as much as you are "a thing that exists." These aren't targeted attacks.
That said, you can look into adding some additional measures to your webserver if you haven't already, like dropping connections if a client requests a location they shouldn't, like trying to access /admin, /../.., /.env, and so on.
On nginx, it could be something like:
location ^/\.|)/admin|/login {
return 444;
}
Of course, that should be modified to match whatever application you're actually using.
Self hosted from my homelab on an nginx server. I also self host my blog, which has some info on my whole set up. My blog uses some basic bloging software, though, rather than being hand-made.
The "side menu thingy" is achieved through HTML "frames". It's an element of HTML that's pretty much extinct nowadays, but was all the rage when I built my very first page back in the day.
Nice. I wrote mine "by hand", too. No CSS, just raw HTML. I think it's a more personal experience than just using whatever random template some all-in-one web hosting company offers.
A lot of how you set up your system is just going to depend on how you want to set it up.
I run podman (like an improved version of docker) in a single LXC container for applications that are primarily packaged as docker apps. I think I have 4 or 5 applications running on that LXC.
For things that are distributed via apt, git repo, etc, I'll either create a new LXC or use an existing LXC if it's related to other services I'm running. For example, crowdsec is run in the same machine as nginx since those two work together and I'll always want them both running at the same time, so there's no reason to separate them.
I have mariadb running in its own LXC so that it can follow a different (more frequent) backup schedule than the mostly static applications that interact with it.
Anything that needs to interact directly with hardware, like Home Assistant, or I want kernel separation for, will get a full fledge VM instead of a container.
I use podman almost exclusively at this point. I like having the rootless containers and secrets management. If you're on Debian, though, I strongly suggest pulling podman from Trixie. The version in Bookworm is very out of date and there's been a lot of fixes since then.
I use nginx as a reverse proxy with crowdsec. The backends are nginx and mariadb. Everything is running on Debian VMs or LXCs with apparmor profiles and it's all isolated to an "untrusted" VLAN.
It's obviously still "safer" to have someone else host your stuff, like a VPS or Github Pages, etc, but I enjoy selfhosting and I feel like I've mitigated most of the risk.
I'd imagine that if your job is making YouTube videos, portainer and other graphical abstraction layers probably make more visually interesting videos than just watching someone type out a bunch of commands.
I know I'm a bit late to the conversation, so I don't know if this is still helpful... But I have a camera with "AI Detection" built into it and it appears to send alerts via its ONVIF connection. I've disabled motion and other detectors on my NVR (AgentNVR) and instead configured it to just wait for an alert from the camera itself to start recording. It's been working quite well.
My initial plan was to use a coral TPU and frigate, but the Coral/Gasket drivers appear to be pretty old and I couldn't get them to work properly, myself.
You don't say what you're using Cloudflare for, so suggesting an alternative is a bit tough.
Assuming that you're using a CF tunnel to get through CGNAT, tailscale would be one alternative (no need to turn it off/on, though). The other alternative would be renting a cheap VPS and tunneling through that instead.
On the other hand, if you're primarily using CF as a reverse proxy, you can run any number of them on your own server instead, like Nginx, Zoraxy, etc.
On the other other hand, if you're using their WAF, that can also be run locally. Crowdsec offers a WAF component in addition to their usual protections, for example.
On the other other other hand.... There are alternatives to most, if not all, of their other services, too.