My mobile phone connects directly to my RPI instance without VPN through the domain. Port 80 doesn’t respond since Letsencrypt stops itself but needs to be open for http validation. Port 8123 shows the HA login screen.
My question is, did I miss anything on the security side? Should I be looking at any other security configurations or weak points?
I would confirm why you need port 80 open. If you don’t need it open, I wouldn’t have it open. I think the Let's Encrypt add-on doesn’t require port 80 open, and I know the DuckDNS add-on (which includes Let's Encrypt) doesn’t require it.
I tried to compile information on securing a HA instance at the link below. May be worth a read.
You need to prove your ownership and control of your domain, and HTTP on port 80 is one way.
DuckDNS has already proved its ownership of duckdns.com, and you just get a subdomain/host on their already-proven domain.
I would not forward directly from UDM Pro to Home Assistant.
The easiest thing to do is just to get a Nabu Casa account and let them handle securely tunneling to your Home Assistant node.
Or you could start getting into intermediate ingress routing between the UDMP and HA machines. NGINX with a WAF profile? mod_proxy, etc.? Traefik? But it’s not enough to just install those things. There’s work to getting them in a good state. And even then… the Nabu Casa route will likely work out better in the end.
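To make the two points in this thread concrete (port 80 only exists for the HTTP-01 challenge, and nothing should be forwarded straight from the UDM Pro to port 8123), here is an added example of an nginx reverse proxy in front of Home Assistant. It is not from this thread or from the Home Assistant project; the hostname ha.example.com, the LAN address 192.168.1.50, and the /etc/letsencrypt and /var/www/letsencrypt paths are placeholders you would replace with your own.

```nginx
# Added example, not from the thread. Placeholders: ha.example.com,
# Home Assistant on the LAN at 192.168.1.50:8123, Let's Encrypt files
# under /etc/letsencrypt, ACME webroot at /var/www/letsencrypt.

# Port 80: serve only the ACME HTTP-01 challenge path. Everything else
# is redirected to HTTPS, so the HA login page is never reachable over
# plain HTTP. If you validate via DNS (e.g. DuckDNS), this whole server
# block can go away and port 80 need not be forwarded at all.
server {
    listen 80;
    listen [::]:80;
    server_name ha.example.com;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: TLS terminates here; nginx proxies to HA on the LAN, so the
# UDM Pro forwards 443 (and optionally 80) to this host, never 8123.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ha.example.com;

    ssl_certificate     /etc/letsencrypt/live/ha.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ha.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Tell browsers to stay on HTTPS for this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://192.168.1.50:8123;

        # The HA frontend uses WebSockets; these headers let the
        # upgrade pass through the proxy.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Pass the real client address so HA's login throttling and IP
        # ban act on the remote client rather than on the proxy itself.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two things go with this. First, Home Assistant refuses proxied requests unless its `http:` section in configuration.yaml has `use_x_forwarded_for: true` and a `trusted_proxies:` list containing the nginx host's address; the same section is where `ip_ban_enabled: true` and `login_attempts_threshold` are set, which is what makes the forwarded client address worth passing. Second, with this in place port 8123 stays LAN-only, and the only things the UDM Pro forwards are 443 and, if you still rely on HTTP-01 renewal, 80.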