Joined 2 years ago
Cake day: June 18th, 2023


  • I discovered a few months ago that XCP-NG does not support NFS shares, which was a huge dealbreaker for me. Additionally, my notes from my last test indicated that I could not mount existing drives without erasing them. I’m aware that I could have spun up a TrueNAS or other file sharing server to bypass this, but maybe not if the system won’t mount the drives in the first place so it can pass them to the TrueNAS. I also had issues with their xen-orchestra, which I will talk about below shortly. They also, at the time, used an out-of-date CentOS build which, unless I’m missing something, is no longer supported under that branding.

    The one test I did, which was for a KVM setup, was my Home Assistant installation. I have that running in Proxmox, and comparatively it did seem to run faster than my Proxmox instance does. But that may be attributed to Home Assistant being the sole KVM on the system and no other services running (aside from XCP-NG’s).

    Their Xen-Orchestra was a bit frustrating for me to install as well, and being locked behind a 14-day trial for some of the services was a drawback for me. They are working on the front-end GUI to negate the need for this, I believe, but the last time I tried to get things to work, it didn’t let me access it.



  • You said

    "I’m only really running a caddy reverse proxy on the VPS which forwards my home server’s services through Tailscale."

    It seems, then, that you are using a Tailscale Funnel to expose your services to the public web. Is this the case? I ask because the basic premise of Tailscale is that you have to be logged into your Tailscale network to access the services, and if you are not logged in, then the site you try to access won’t even appear to exist. Unless it’s set up via the Funnel.

    Assuming, then, that you set up a funnel, you are now 100% exposed to the WWW. AI bots and bots in general crawl the WWW daily, and eventually your site will be found. You have a few choices here: rely on a Web Application Firewall (WAF) such as Bunkerweb, which would replace Caddy but would provide a decent firewall of sorts. Or… you can use something like Config Server Firewall, but I’m not sure if they have AI bot protection. The last I used them was before AI was a thing.