Yes, that does indeed sound like you have all the stuff necessary to make this work.
In my home network this wouldn’t work, as I’m running all my stuff in containers on multi-purpose servers, and therefore I can’t really split things per VLAN. Most other people in the homelab/self host community also use their servers for multiple purposes at the same time, so VLANs alone often doesn’t cut it.
That depends a lot on what you do with them…
VLANs work on a layer where devices can either reach each other or they cannot.
Let’s say you have your main desktop computer in the “main” VLAN, and your Jellyfin server in the “jellyfin” VLAN, and a third server for your home-assistant in the “home-assistant” VLAN, and finally some IOT devices in the “iot” VLAN.
You connect the VLANs as follows:
Remember that all connected VLANs much be bidirectional.
Now someone compromises your Jellyfin. They now control and has access to everything on the Jellyfin server, but they also have network reachability to your main computer, because your “main” and “home-assistant” VLANs are connected. They can now try to exploit your main computer.
If they are successful in exploiting your main computer, then they can use your main computer to jump to the home-assistant server because again, these two VLANs are connected. And you likely have the credentials for accessing home-assistant available on your main computer somewhere.
Now they are on your home-assistant server, and they can now start trying to exploit your IOT devices.
If VLANs are connected, they don’t care which direction the traffic flows.
If you want to control traffic flow directions you need a firewall. A firewall can sit between VLANs and block traffic coming from one to other, but not the other to the one.
If Jellyfin gets compromised, you risk everything else on the same server getting compromised, as well as everything that server can reach.
VLANs can certainly reduce what is at risk, but wouldn’t the machine running the Jellyfin client be reachable from the Jellyfin server? And if they manage to move laterally to the client machine, what could they then reach from there?
Sure… If someone managed to stream some of my media… They probably earned it… But then they exploit a vulnerability to perform arbitrary code execution, and leverage that to hack everything else on my network…
Or in some cases ONLY allowing them to reach the Internet. So they can’t access your other devices…
All my docker images are in code in Github.
Renovate makes a PR when there are image or helm chart updates.
ArgoCD sees the PR merge and applies to Kubernetes.
For a few special cases I use ArgoCD-image-updater.
I have my Firefox configured to force HTTPS, so it’s rather inconvenient to work with any non-HTTPS sites.
Because of that I decided to make my own CA. But since I’m running in Kubernetes and using cert-manager for certs, this was really easy. Add a resource for a self-singed issuer, issue a CA cert, then create an issuer based on that CA cert. 3 Kubernetes resources total: https://cert-manager.io/docs/configuration/ca/ and finally import the CA cert on your various devices.
However this can also be done using LetsEncrypt, with the DNS01 challenge. That way you don’t need to expose anything to the Internet, and you don’t need to import a CA on all of your devices. Any cert you issue will however appear in certificate transparency logs. So if you don’t want anyone to know that you are running a Sonarr instance, you shouldn’t issue a certificate with that in it’s name. A way around that is a wildcard cert. Which you can then apply to all your subservices without exposing the individual service in logs. The wildcard will still be visible in the logs though…
In addition people often use VLANs for security segregation. For example you might buy a bunch of cheap Chinese security cameras, but want to ensure that they can’t send anything back to the manufacturer. Then you can make a VLAN with no Internet access for the cameras.
The containers in my setup are running in a Kubernetes cluster. My Kubernetes cluster consists of 3 physical servers (one old desktop computer and 2 Intel NUCs).
On that cluster I run many different things, Jellyfin, Plex, *arr-stack, downloader, Immich, zigbee2mqtt, home-assistant, audiobookshelf, calibre-web, Forgejo, ArgoCD, Homebox, Paperless, Factorio servers, Velero, and a bunch of other stuff.
Because I run so many different things on the same 3 physical machines, using containers, then there’s no way to split this into VLANs.
I could make a “kubernetes” VLAN, but everything else on my network would need to be connected with it anyway. All my computers, phones and TVs need to access Kubernetes (Jellyfin), and Kubernetes need to access everything else such as EV charger, heat pump, and the power monitoring in my power meter. Therefore I need to control my networking at a different level.