Ideally, VaultWarden should be run on a private VLAN with local LAN accessibility and VPN (or ssh-tunneled) remote connectivity; it shouldn't be exposed to the Net unless you have no other option.
I probably wouldn't expose Immich to the Net either, unless you need to share with folks (relatives ...) who can't handle a VPN.
The Algo VPN server configurator is pretty good at setting up VPN servers, though I've had to write some scripts to make managing users on them less annoying.
(This may not be useful, since I dunno why you're using Cloudflare; I'd be happy to try to be more useful if you want to detail your use case more.)
@tobraha
I probably wouldn't expose Immich to the Net either, unless you need to share with folks (relatives ...) who can't handle a VPN.
The Algo VPN server configurator is pretty good at setting up VPN servers, though I've had to write some scripts to make managing users on them less annoying.
(This may not be useful, since I dunno why you're using Cloudflare; I'd be happy to try to be more useful if you want to detail your use case more.)
@tobraha