Caddy + crowd sec + some kind of auth solution is what I’m aiming for though I haven’t got authentik working with it yet so I haven’t opened it up yet. I wouldn’t want to do jellyfish without the auth solution though as there local stuff isn’t so robust.

VPN in and a few local users would be the most secure if you haven’t got too many folks connecting.

I’d avoid super short USB drives if you can as they tend just to be SD cards in disguise.

If possible for dB stuff I would recommend using actual drives as lots of reads and writes will very quickly wear out most removable storage devices.

Proxmox and truenas for all my physical boxes and then Debian for all my VMs and LXCs. I’m not all that adventurous when it comes to OS choice as I found things that worked years ago and I’ve stick with them ever since as I’ve not seen anything that really looks like it does anything interesting/new that makes it worth switching.