What sort of ISP-supplied residential equipment doesn’t block inbound connections? Pedantically, you’re correct.
You have a firewall. It’s in your router, and it is what makes it so that you have to VPN into the server. Otherwise the server would be accessible. NAT is, effectively, a firewall.
Should you add another layer, perhaps an IPS or deny-listing? Maybe it’s a good idea.
2 is almost as bad as the all-or-nothing approach. I argue that while Apple is not trustworthy, they are not incentivized to collect every piece of information about you that they can. Conversely, Android is an operating system created by an advertising company specifically to ensure an ongoing corner on their market. Asking the average person to use a de-Googled OS is akin to telling them to switch to OpenBSD on their desktop.
https://en.m.wikipedia.org/wiki/Border_search_exception
Federal law allows certain federal agents to conduct search and seizures within 100 miles (160 km) of the border into the interior of the United States.[5] The Supreme Court has clearly and repeatedly confirmed that the border search exception applies within 100 miles (160 km) of the border of the United States.
There’s no First or Fourth Amendment rights within 100 miles of the border of the USA. Probably other missing rights too.
Well yes, it is one hop, because you’ve got the router doing TLS termination. Inside your network you point to the server that has the TLS certs. Outside of the network you do port forwarding, or use a tunnel with Cloudflare agents.
Why is the router involved at all? It’s all local traffic. The external traffic comes through the Cloudflare tunnel, right? Maybe I’m not understanding the architecture you’ve got.
It’s possible but it’s an extra pain in the butt.
Internally, have you tried pointing the DNS directly to the nginx server, not the router? There’s no reason to have that extra hop (I don’t think).
If you are establishing a TLS connection to a server, the server will need a certificate. It sounds like you’re trying to have two instances of a reverse proxy: one on the server, and one on the router. It may be my ignorance of the particulars, but my immediate thought is that you should select one point in the network to do reverse proxying.
What brand are those power strips? Last time I went shopping for power strips, they were all the rage and I could hardly find one WITHOUT that feature. Today, several years later, I can’t find any. Except, perhaps, some Chinese ones without safety approvals. I need one for my TV.
Didn’t really occur to me that they exist; everything seems so focused on solar these days. But I’ll do some searching around.
I also am pretty stuck on grid tie at the moment, and grid tie AIO inverters are pretty cheap compared to piecemeal solutions. But perhaps that’s the flaw in my planning.