Yes, you are right, I already use DNS validation. But it is just it is easier to request a single wildcard certificate for my domain and have all the subdomains that I use for the local services defined only in my local DNS. I cannot fully automate the certificate renewal because namecheap requires to allowlist the IP that can call its API, and my ip is dynamic. So renewing a single certificate saves me time. Also, the wildcard certificate is installed on a single machine, so it is not the I increase a lot the attack surface by not having different certificates for each virtual host.

The advantage of wildcard certificates is that you don’t have to expose each single subdomain over internet. Which is great if you want to have https on local only subdomains.

https://shadowsocks.org/ should be a good option, easy to install, encrypted, and password protected

For a simple dynamic DNS, I have been using https://www.duckdns.org/ for a few years and been happy so far

The main storage is a Nas that is mounted in read only most of the time and has two drives in raid mirror. Plus rclone to push a remote and client side encrypted backup to backblaze.