I use Caddy V2 (running in Docker/Podman). Configuration can be even simpler than the below. It automatically sorts out the SSL certs from Let’s Encrypt for you. If you use Cloudflare DNS challenge like I do, you can get SSL without the server having to be exposed to the internet.

cloud.example.com {
  encode zstd gzip
  tls {
    dns cloudflare {$CLOUDFLARE_API_TOKEN}
    resolvers 1.1.1.1 1.0.0.1
  }
  reverse_proxy nextcloud.my.local.domain:80
}

If you want it exposed then you can just use the default HTTP challenge.

cloud.example.com {
  encode zstd gzip
  reverse_proxy nextcloud.my.local.domain:80
}

And yes you can add any number of sites on subdomains like this and it will reverse proxy them to the correct server based on the domain name.

Fwiw the TP link bulbs usually have a local API that Home Assistant has an integration for. You can use that and block their internet access - unless they’ve removed that feature. I only used one of these briefly because someone gave it to me. Usually just use cheap ZigBee bulbs. I would throw that one out though as someone else said it’s likely been compromised already…

If you’re open to code CAD look at build123d

You can simply use a DNS provider like Cloudflare DNS along with ddclient

For real, saves so much space that would be used for VM backups.

Aside from that, I have anything important backed up to my NAS, and Duplicati backs up from there to Backblaze B2.