Not if your apps run on Windows only.
KeePass, no sync need when used with KeePassium and WebDAV.
Transmission and then your normal *arr stack.
All three. Alpine (read-only from RAM) is the perfect OS for any RPi. Alpine in a VM is a perfect OS with native support for all hypervisors and drivers available from the start, and as a container base layer it's simply one of the best OSes out there. I run all my bare metal nodes with Alpine from USB (read-only from RAM). You set up a USB stick, plug it in, boot from it, done. You can set up the OS with your keys and everything, take the USB stick, simply copy the contents (it's FAT32) and put it on another stick and plug that into another server and boom, OS ready, no installation required.
Disclaimer: All my bare metal nodes are for containers, the OS has nothing installed, so read-only from RAM is IMHO the best option to do so, unless you want PXE.
Many issues like?
You wrote a guide on how to install and use a Linux distro but you can’t install another distro. Isn’t that a little bit of a contradiction, same with the statement “with as little bloat as possible”, that’s exactly what Alpine is made for. Are you sure you should give other people advice?
Go Alpine, hardened from the start (almost).
I only use Alpine on Pis so I’m interested to hear why any Debian at all?
Unifi, built in payments via paypal and more.
Could run https://poste.io locally?
Intel NUC or any other NUC for compute and a Synology NAS for storage (RAID6, so at least 4 HDD) and then please follow the 3-2-1-1-0 backup rule.
Containers in the same network namespace can communicate with each other, but only if run by the same user. Why do you feel the need to run pods with different users? Podman is by default rootless, and that rootless mode gives you the best in security when it comes to container isolation from the host. If you want to isolate containers from each other, simply use different pods or network namespaces, whatever you prefer. Any reason to prefer Caddy over the likes of Traefik or Nginx?
Here you go: certbot
How shallow in cm?
A simple webserver secured by htaccess is not inherently insecure, but there are a lot of steps you can take to improve security further: like proper authentication via OIDC or something similar, access to the server only via VPN, files encrypted, and so on.
This is not true, sorry. Even in k8s any container has access to any other container in the same pod, or in Docker's case on the same host. In k8s you can at least add network profiles. If it's a host or MACVLAN container it gets worse if no proper isolation is configured on the network level.
Just out of curiosity: what's the use case for downloading videos from surveillance to your phone?
This is the first time I hear of that. Plex always worked offline. Did you forget to add your subnet to the “no authentication” list?
My Plex is offline except for metadata downloads. What does not work on your end? Why do you need an offline Plex? Plex works offline too, you just get no metadata unless you have it in the folder of the file.
You don’t need MACVLAN. Just move the Synology ports to another range and then run NPM on :443.