I usually end up doing it very simple with huge /24 ipv4 networks, f.e.
10.100.10.0/24 = VLAN 10 = User devices and purely internal servers
10.100.20.0/24 = VLAN 20 = IoT
10.100.30.0/24 = VLAN 30 = Servers that are reachable from outside
10.100.40.0/24 = VLAN 40 = Guests

The main thing for me is to ensure that traffic that wants to pass between VLANs go through my firewall/router and allow Suricata to do its IPS work.

If you want a webui for the debian server that gives you logs, services, ssh terminal and more then I can recommend checking out Cockpit
https://cockpit-project.org/

If you decide you want to you can install KVM/Qemu on the debian host to get into full virtualization that way. The webui can be used to configure and manage the VMs too with https://github.com/cockpit-project/cockpit-machines

edit: Cockpit also has a Docker manager, though I feel it isn’t full featured yet. I mostly used it to stop and start dockers from my phone.
https://github.com/chrisjbawden/cockpit-dockermanager

Now I can start throwing more stuff on there once I figure out backup for the game world incase I bork it.

Step 1. Find out where the docker image you run saves the volumes
F.e. https://github.com/mornedhels/icarus-server saves here:
Volumes
Volume Description
/home/icarus/drive_c/icarus Server config files and saves
/opt/icarus Game files (steam download path)

Step 2. Find a backup tool you like, f.e. https://docs.borgui.com/

Thanks for mentioning the game, saved it to my wishlist and hope to grab it for some co-op gaming come autumn. :D

Which generation refused cookies?
I feel like most look at me like I’m crazy, regardless of age, when I deny/only accept the functional cookies on sites every single visit.