The maintenance time is a bit overestimated if you keep it simple.
On my homelab, I update everything every quarter and it takes about 1 hour, so 4 hours a year is pretty reasonable. Docker helps a lot with this.
And I’ve almost never run into trouble in years, so I have very few unexpected maintenance tasks.
EDIT: I am referring to a homelab that is only accessible for private purposes through a VPN.
As a bare minimum, you should update your server and docker images daily, or at least whenever there's an update (which you won't know unless you check).
If you only access your homelab over VPN or similar, then by all means, update whenever you feel like it, but if you expose your services to the internet, you want to be damned sure there are no vulnerabilities in them.
The internet of today is not like it was 20 years ago. Today you're constantly being hammered by bots that scan every single IPv4 address for open ports, and when they find something they record it in a database, along with information on what's running on that port (provided that information is available).
When (not if) a vulnerability for a given service is discovered, an attacker doesn't need to "hunt & peck" for vulnerable hosts, they already have that information in a database, and all they need to do is start shooting at their list of hosts.
You can use something like shodan.io to see what a would-be attacker might see (you can check your own IP with "ip:xxx.xxx.xxx.xx").
Try entering something like Synology, Proxmox, Truenas, Unraid, Jellyfin, Plex, Emby, or any of the other popular home services.
Sorry, I should have mentioned that my services are only accessible through a VPN. Otherwise, I completely agree with you.
> As a bare minimum, you should update your server and docker images daily, or at least whenever there's an update (which you won't know unless you check).
I got this setup automatically with Renovate: https://github.com/shepherdjerred/homelab/blob/main/src/cdk8...
It's pretty easy to soft expose yourself too now with things like cloudflare tunnels without a lot of the security risks. You can put all access behind a secret/API key or OAuth login easily.
I definitely need to get my security hygiene up to snuff, but let me ask you, since using a reverse proxy (caddy in my case) refuses connections without a domain, would the scans reveal anything about my host if they don’t know the URL of my jellyfin instance?
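The scanner traffic described earlier in the thread (bots hitting every IPv4 address and recording what answers) and the hostname question above both come down to one observable: requests that arrive at the reverse proxy by bare IP or with a Host header you never published. The following is an added example, not code from any commenter, that picks those probes out of a Caddy-style JSON access log; the log lines, the 192.0.2.x/198.51.100.x/203.0.113.x addresses and the `jellyfin.example.com` hostname are all constructed placeholders, and the `request.remote_ip` / `request.host` / `request.uri` field names are assumed to match Caddy's default JSON format.

```python
"""Spot scanner probes in a reverse-proxy access log (added example)."""
import ipaddress
import json
from collections import defaultdict

# Hostnames you actually serve (placeholder value, assumed for the example).
KNOWN_HOSTS = {"jellyfin.example.com"}

# Constructed sample lines: two legitimate requests, three probes by bare IP.
SAMPLE_LOG = """\
{"msg":"handled request","request":{"remote_ip":"203.0.113.7","host":"jellyfin.example.com","uri":"/web/index.html"}}
{"msg":"handled request","request":{"remote_ip":"198.51.100.9","host":"192.0.2.10","uri":"/"}}
{"msg":"handled request","request":{"remote_ip":"198.51.100.9","host":"192.0.2.10","uri":"/.env"}}
{"msg":"handled request","request":{"remote_ip":"198.51.100.9","host":"192.0.2.10:443","uri":"/admin/login"}}
{"msg":"handled request","request":{"remote_ip":"203.0.113.7","host":"jellyfin.example.com","uri":"/System/Info/Public"}}
"""


def hostname_of(host):
    """Strip an optional :port from a Host value ([v6]:port or name:port)."""
    if host.startswith("["):
        return host[1:host.index("]")]
    name, sep, port = host.rpartition(":")
    return name if sep and port.isdigit() else host


def is_probe(host, known_hosts):
    """True when the request named a raw IP or a hostname we never published."""
    name = hostname_of(host).lower()
    try:
        ipaddress.ip_address(name)
        return True  # nobody legitimate reaches a published service by its IP
    except ValueError:
        return name not in known_hosts


def summarize_probes(log_text, known_hosts=KNOWN_HOSTS):
    """Return {remote_ip: sorted list of URIs} for scanner-like requests."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        req = json.loads(line)["request"]
        if is_probe(req["host"], known_hosts):
            probes[req["remote_ip"]].add(req["uri"])
    return {ip: sorted(uris) for ip, uris in probes.items()}


if __name__ == "__main__":
    for ip, uris in summarize_probes(SAMPLE_LOG).items():
        print(f"{ip}: {len(uris)} probe(s) -> {', '.join(uris)}")
```

Run it against a real log (`cat access.log | python3 probes.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and the per-IP lists show what the scanners tried, which is exactly what ends up in the databases the thread describes.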
> which you won't know unless you check
RSS feeds FTW
Who maintains the VPN?
If it were me doing this, either Zerotier or Tailscale. They aren't strictly VPNs in a traditional sense, but they largely achieve the same ends, and Zerotier's been much more flexible and performant than anything else I've ever tried.