Omripresent

@Omripresent@leddit.social
1 Post – 5 Comments
Joined 1 years ago

Shouldn't be any risk if it's all local.

For an internal domain you'll need to set up your own internal CA to sign certs for your FQDNs. The risk comes from any mishandling of that new CA, since you'll need to install it as a trusted root on all of your devices, and if someone gets a hold of it nothing would stop them from creating a MITM attack for, let's say, yourbank.com.

If you have the CA's key under lock then you should be good.


Looks good and I was able to get it on pretty quickly. I was about to post this from the app but saw it's missing the web's markdown shortcuts and image upload option.

Also, looking at this post, the screenshots are cropped and I didn't see a straightforward way of looking at the whole image.

I use a combination of NetBox for the physical/logical network and server connectivity, and Outline for text documentation of the different components.


If you have a domain you own, that's the way to go; I went by your .home naming, assuming that's what you're using. Since .home can't be registered, similar to .local, Let's Encrypt wouldn't be an option.

I have a split DNS setup on my end, so a service like Jellyfin would resolve only internally since I want to limit it, but others would be both public and internal.

Funny enough, I already made a few changes to the Traefik configs. I saw someone else's post, and if it's safe to assume that any request with an Accept header starting with application/ should be routed to the Lemmy server, the following would work as well:

- traefik.http.routers.leddit-api.rule=Host(`leddit.social`) && (PathPrefix(`/api`, `/pictrs`, `/feeds`, `/nodeinfo`, `/.well-known`) || Method(`POST`) || HeadersRegexp(`Accept`, `^[Aa]pplication/.+`))

I've also added caching policies to make sure none of the API responses are cached and to have the UI cached explicitly, since that's not done today.

services:
  lemmy-server:
    deploy:
      labels:
        - traefik.http.routers.leddit-api.middlewares=no-cache
        - traefik.http.middlewares.no-cache.headers.customresponseheaders.Cache-Control=no-store
...
  lemmy-ui:
    deploy:
      labels:
        - traefik.http.routers.leddit-web.middlewares=cache-control
        - traefik.http.middlewares.cache-control.headers.customresponseheaders.Cache-Control=public, max-age=86400
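
Added example, not part of the comment above and not Traefik's own code: a small Python model of the `leddit-api` rule and the two Cache-Control middlewares, run over constructed requests to check which ones would be answered with `no-store`. It assumes the `leddit-web` router (its rule is not shown on the page) catches every other request for the host and that the regex is applied to the Accept value exactly as written; the function names are hypothetical.

```python
import re

# Model of the router rule quoted in the comment above (Traefik v2 syntax):
# Host && (PathPrefix(...) || Method(POST) || HeadersRegexp(Accept, ...))
API_PREFIXES = ("/api", "/pictrs", "/feeds", "/nodeinfo", "/.well-known")
ACCEPT_RE = re.compile(r"^[Aa]pplication/.+")

def routes_to_api(host, method, path, accept=""):
    """Return True if the modelled rule sends the request to lemmy-server."""
    if host != "leddit.social":
        return False
    return (
        path.startswith(API_PREFIXES)      # plain prefix match, so /apix matches too
        or method == "POST"
        or bool(ACCEPT_RE.search(accept))  # case-sensitive apart from the first letter
    )

def cache_control(host, method, path, accept=""):
    """Cache-Control value added by the middleware of the router that matches."""
    if host != "leddit.social":
        return None
    # Assumption: leddit-web handles everything leddit-api does not.
    if routes_to_api(host, method, path, accept):
        return "no-store"
    return "public, max-age=86400"

# Constructed sample requests: (method, path, Accept header).
SAMPLES = [
    ("GET", "/api/v3/site", "*/*"),
    ("GET", "/u/Omripresent", "application/activity+json"),    # federation fetch
    ("GET", "/u/Omripresent", "text/html,application/xhtml+xml"),  # browser
    ("GET", "/u/Omripresent", "APPLICATION/JSON"),  # valid casing the regex misses
    ("POST", "/inbox", "*/*"),
    ("GET", "/static/main.js", "*/*"),
]

def report():
    """Return (method, path, accept, backend, cache header) for each sample."""
    rows = []
    for method, path, accept in SAMPLES:
        api = routes_to_api("leddit.social", method, path, accept)
        backend = "lemmy-server" if api else "lemmy-ui"
        rows.append((method, path, accept, backend,
                     cache_control("leddit.social", method, path, accept)))
    return rows

if __name__ == "__main__":
    for row in report():
        print(*row, sep=" | ")
```

Media types are case-insensitive, so the `APPLICATION/JSON` row shows a request the Accept regex would leave on the UI router with the cacheable header; a case-insensitive pattern would close that gap.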