Paperless sensitive data - reasonable security?

Hello dear community,

I’m having a great time with yunohost and want to thank the people who are working on this great app!

Today I want to discuss the security of yunohost and to what extend it would be reasonable to “harden” my server.

In this case I’m concerned about my sensitive data stored on my server via the paperless-ngx application.
This includes data about my insurances, my healthcare and so on.

Of course I visited the security page.
I activated the ssh via key option. (and disabled normal ssh login)

I’m still struggling with disabling the API, because I feel much more safe for backups using the admin page.

Now my specific questions about this topic:

1. Did I enforce a reasonable amount of security by enabling SSH via key, a >30 character password and enabled API?

2. Would security improve drastically by restricting web access for paperless and just work with it in local network connection through e.g. wireguard?
   → if yes, how would I set this up?

Thank you very much for your ideas!

Hello!

What is your threat model?
Can you define “reasonable amount of security”?
Which API do you want to disable?

Hello!

My threat model is somebody who scans the internet for domains with unsecure servers to get control over them.

In my case the attacker could use my personal information to blackmail me e.g.
But of course you would never want another person to get hands on your most sensitive data.

The API im talking about is this one mentioned in the security page.

I see your point with the phrase of “reasonable security”.
The problem is, that it is very hard for a layman to get a feeling of what is secure, what would raise security and may sound OK, but it actually very bad.

I know if you are connected to the internet, theres no 100% security. But there seem to be many dumb and clever ways to play with the range of 90% to 99% if you get my idea.