To follow up on this, I’d look to network segmentation as another useful security barrier. I’ve just started playing around with VLANs, but the way I plan on setting things up is to have individual VLANs for services, management and IoT, with the LAN for all other user-land devices. On top of this you add strict firewall rules to what can talk to what, on which ports, etc. So all devices on the network can do DNS queries to my two DNS servers, for instance, but things from my services VLAN can’t reach anything outside of this VLAN…

There are boatloads of various note-taking apps, both open-source and not, that are much better than OneNote. Take a look at https://noteapps.info/features, where you can browse by specific features you’re interested in. I’ve just recently switched from running DokuWiki for my homelab documentation to Joplin and I’m really loving it so far (I’ve setup sync to Hetzner’s S3 service).

Seconding this, I’m currently running Proxmox on 3 small NUC-type PCs (two Dell Optiplexes and a Topton from AliExpress). The Topton has a slower Celeron, the two Dells have a i5-6500 and i3-8100t and are both very snappy running a few different containers and VMs (including HomeAssistant).