[downut]

"...that can be locked down and monitored by experts."

In my homelab? I guess I should also kerberize my NFS mounts, after I solve the SPOF problem for kerberos's dependent pieces. I might have a little time after doing all this for working on my homelab projects. How much time could this configuration, maintenance and monitoring possibly take? (Just between you and me I resolve that on January 1st I will again start reading all daily/weekly/monthly logs, and this year I WILL NOT FAIL. It's only dozen give or take few boxen.)

If the security infrastructure needs to designed, configured, monitored, and maintained by "experts" in an unfunded environment, the security infrastructure is doomed to fail. IOW, it's security theatre.