Impressive. It’s set up like a corporation would do it. Very much overkill for most folks, but still a wonderful writeup. Hopefully it doesn’t turn out to need an entire corporate team just to manage and support it.

What you’re doing here is essentially what I do in my setup, but I haven’t ever attempted to write any of it down or automate the configuration of it. The main differences are: I use two piholes with VRRP addresses as my primary DNS servers, and then IPA as the actual source of record for most of the internal zones. IPA also backs a keycloak cluster which in turn backs my Cloudflare Access config via SAML and thus functions as the SSO arbiter for the tunnels. Also, these days I don’t go nearly as far out of my way to put unnecessary monitoring or restrictions on things just for the sake of “hardening” because it’s just a pain in the ass on down the road unless you’re some high profile target. I get into enough of this stuff at work that I don’t care to deal with it in my personal life. Well-known defaults and best-practices are plenty safe for the average user. 

In general, great writeup. Hopefully it helps guide some of the less experienced folks into setting up something better than what they already have