for the shell, that’s an easy one, shellinabox, with a custom dark mode.
for the exposed services you describe, none are “exposed”, they are hosted in nginx (meant to face the WAN, subdomained and not port forwarded) with fail2ban setup for custom filtering, and beyond that are proxied through cloudflare and their filtering for ddos etc. Most of my services are behind htpasswd hashed/salted pw’s or ldap (right now just htpasswd for the local site), and the ones that arn’t use token logins like plex, overseerr, etc. I’ll be ok :)
Absolutely! Subdomain all the things!. As long as it’s at a different port you’re good to go