The resource-centric approach is the right call. I've been running self-hosted infrastructure for my own projects for a while now, and the biggest lesson is that flat networks just don't scale when you start adding services — every new thing you expose becomes another thing to audit.

The NAT hole-punching with WireGuard for P2P connections is interesting. Do you handle cases where both sides are behind symmetric NATs? That's historically been the hardest case for hole-punching, and most solutions end up falling back to relay servers anyway (which defeats the purpose of avoiding centralized traffic).

Also curious about the connector deployment model — is it one connector per resource, or can a single connector bridge multiple resources in the same network segment?