My home router is the stock one from my ISP and has no VPN capabilities.
I put a port forward on the router and then configured everything on the internal node; in my case it is an OPNsense VM running on Proxmox.
I vouch for the VPN route… VPN servers are built to be exposed, are hardened/engineered to resist the harshness of the net, and are somewhat safe even with default settings.
Should you publish a few web apps in the wild, you would have to harden, monitor and manage a bunch of environments and/or frameworks, each with a load of quirks.
A VPN is easier to maintain and safer for your data, with lower effort.
In Proxmox you create a VLAN on the physical interface and not on a bridge.
Once the physical port has tagged traffic for all VLANs but LAN, leave vmbr0 alone, create the new DMZ VLAN in Proxmox networking and a new vmbr on that VLAN; that's it.
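
What the two steps above look like in the Proxmox host's network configuration, as an added example that is not part of the post. Everything concrete in it is assumed: the physical NIC is eno1, LAN is the untagged VLAN on the switch port, the DMZ is tagged as VLAN 30 on that same port, and the host's own LAN address is 192.168.1.10/24.

```text
# /etc/network/interfaces on the Proxmox host (added example; names, VLAN ID and addresses are assumptions)

auto lo
iface lo inet loopback

auto eno1
iface eno1 inet manual

# Existing LAN bridge on the untagged traffic: left exactly as it was.
auto vmbr0
iface vmbr0 inet static
        address 192.168.1.10/24
        gateway 192.168.1.1
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0

# Step 1: the VLAN sub-interface lives on the physical NIC, not on vmbr0
# (what the GUI calls a "Linux VLAN").
auto eno1.30
iface eno1.30 inet manual

# Step 2: a new bridge whose only port is that VLAN sub-interface.
# No address here on purpose: the hypervisor itself is not reachable from the DMZ.
auto vmbr30
iface vmbr30 inet manual
        bridge-ports eno1.30
        bridge-stp off
        bridge-fd 0
```

Apply it with `ifreload -a`, then attach the OPNsense VM's DMZ NIC to vmbr30 with no VLAN tag set on the VM's NIC (the tag is already handled by eno1.30). A quick check from the host is `bridge link show`, which should list eno1.30 as the member of vmbr30 and eno1 as the member of vmbr0; if vmbr30 ever shows eno1 itself as a port, the DMZ is leaking untagged LAN traffic.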

If your VPS is a firewall, you could use it as an exit point for different private networks: IP1 to mask the traffic of a guest subnet that you don't trust, and if that IP gets blacklisted there are no issues for LAN traffic behind IP2, while IP3 is reserved for server traffic, with specific rulesets on the supplier's systems for updates/backups/whatnot. Should you have more than one mail server for whatever reason, if one is blacklisted the other could remain clean (in this situation you usually put them on different subnets, but whatever).
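
One way to write the three-IP split above on a Linux VPS, as an added nftables example that is not from the post or from any particular project. All names and addresses are assumptions: eth0 is the WAN side carrying 203.0.113.1, .2 and .3, the tunnel from home arrives on wg0 with the guest subnet 10.10.0.0/24, the LAN 10.20.0.0/24 and the servers 10.30.0.0/24, and the supplier's update/backup hosts are 198.51.100.0/28.

```text
# /etc/nftables.conf on the VPS (added example; interfaces, subnets and public IPs are assumptions)
flush ruleset

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept

        # Guests and LAN may reach the internet; nothing else, in particular
        # no guest-to-LAN hairpin across wg0, because the policy is drop.
        iifname "wg0" ip saddr 10.10.0.0/24 oifname "eth0" accept
        iifname "wg0" ip saddr 10.20.0.0/24 oifname "eth0" accept

        # Servers only talk to the supplier's systems, on the ports actually needed.
        iifname "wg0" ip saddr 10.30.0.0/24 ip daddr 198.51.100.0/28 \
            oifname "eth0" tcp dport { 22, 443 } accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Each subnet leaves with its own public address, so a blacklisting of
        # IP1 (guests) does not touch LAN traffic on IP2 or server traffic on IP3.
        ip saddr 10.10.0.0/24 oifname "eth0" snat to 203.0.113.1
        ip saddr 10.20.0.0/24 oifname "eth0" snat to 203.0.113.2
        ip saddr 10.30.0.0/24 oifname "eth0" snat to 203.0.113.3
    }
}
```

All three public addresses must be configured on eth0 and IPv4 forwarding enabled, otherwise the SNAT rules match nothing. Load with `nft -f /etc/nftables.conf`, then check the split from a host in each subnet with something like `curl -4 https://ifconfig.me`: guests should see 203.0.113.1, LAN 203.0.113.2, and a server should get a connection only towards the supplier's range and nothing else.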

Mailu is a mail server, so it is suitable for the task.

You need a mail server somewhere; a mail client cannot listen for incoming messages. A possible workaround: you could activate your own mail server, accessible only inside Tailscale, and use it to send and receive your local alerts.
If the main site gets compromised, the credentials there must be considered lost and known to the attackers.
With a pull backup that's not an issue, because the main site has no access to the remote system; it is a process on the remote site that has credentials to access the main site, and not the other way around.
The remote system may retrieve a compromised copy of the data, but the attacker cannot tamper with previous backups, so recovery is still possible.
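
The pull arrangement above in concrete form, as an added example that is not part of the post: the only credential involved lives on the remote site, and the key it presents to the main site is restricted to a read-only rsync of one directory. Paths, host names and the key are assumptions; `rrsync` ships with rsync but its install path varies by distribution.

```text
# On the MAIN site (the one that may get compromised): ~/.ssh/authorized_keys of the
# account that owns the data. The remote host's key can only run rrsync, read-only,
# rooted at /srv/data; no shell, no port forwarding, no agent forwarding.
command="/usr/bin/rrsync -ro /srv/data",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY backup@remote

# On the REMOTE site, from cron. Each run lands in its own dated directory and
# hard-links unchanged files from the previous snapshot (--link-dest), so a later
# pull of poisoned or wiped data never rewrites an earlier snapshot.
# With rrsync the client-side path "/" maps to /srv/data on the main site.
rsync -a --delete --link-dest=/backups/latest \
      -e 'ssh -i /root/.ssh/backup_ed25519' \
      backup@main.example.net:/ "/backups/$(date +%F)/" \
  && ln -sfn "/backups/$(date +%F)" /backups/latest
```

Two things worth checking once it runs: from the main site, `ssh -i <that key> remote` must fail, because the main site simply holds no key for the remote (the private key exists only under /root/.ssh on the remote); and from the remote, `ssh -i /root/.ssh/backup_ed25519 backup@main.example.net true` must be refused by rrsync, proving the key cannot get a shell even if the main site is already hostile. Pruning old snapshots stays a decision taken on the remote site only.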