lorentz@feddit.it 1 points 5 days ago

Could it be that the domain name has both IPv4 and IPv6 and depending on the network you try to reach one or another? WireGuard can work on both protocols, but from my experience it doesn't try both to see which one works (like browsers do). So if at the first try the DNS resolves the "wrong" IP version, WireGuard cannot connect and doesn't fall back to trying the alternative.

lorentz@feddit.it 2 points 2 weeks ago

QNAP sells extension units: https://www.qnap.com/en/product/tr-004

They usually connect with USB (at least for home grade devices), but my understanding is that they are not seen as block devices so the NAS has access to all the single drives like they were internal.

lorentz@feddit.it 7 points 1 month ago

Back in the days when I was fixing a lot of computers of friends and relatives, my Swiss army knife of Linux was https://www.system-rescue.org/

Very lightweight but with a full set of recovery tools. I've tried it recently and I still find it up to expectations.

I've also used a fair amount of https://clonezilla.org/ to (re)store images of freshly installed OSes (mostly Windows XP and 7 to give you an idea of the timeframe) for people who I know would have messed up faster.

lorentz@feddit.it 7 points 1 month ago

A lot of technical aspects here, but IMHO the biggest drawback is liability. Do you offer free storage connected to the internet to a group of "random tech nerds"? Do you trust all of them to use it properly? Are you really sure that none of them will store and distribute illegal stuff with it? Do you know them in person so you can forward the police to them in case they come knocking at your door?

lorentz@feddit.it 4 points 1 month ago

Yes, you can do it on your server with a simple iptables rule.

I'm a little rusty, but something like this should work.

iptables -t nat -A PREROUTING -d [your IP] -p tcp --dport 11500 -j DNAT --to-destination [your IP:443]

You can find more information searching for "iptables dnat". What you are saying here is: in the prerouting table (i.e., before we decide what to do with this packet) TCP connections to my IP at port 11500 must be forwarded to my IP at port 443.

lorentz@feddit.it 2 points 5 months ago

I tried a few and eventually settled on commafeed. It has categories, can be executed from a single Docker image (in other words, can run without the hassle of an external database), and the responsive UI works well both on PC and phone.

lorentz@feddit.it 2 points 5 months ago

I remember this blog post (which I cannot find right now) where the person split the decryption password in two: half stored on the server itself and half on a different HTTP server. And there was an init script which downloaded the second half to decrypt the drive. There is a small window of time between when you realize that the server is stolen and when you take off the other half of the password where an attacker could decrypt your data. But if you want to protect from random thieves this should be safe enough as long as the two servers are in different locations and not likely to be stolen together.
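
The scheme described in the comment above, as an added example that is not part of the original comment or of the blog post it mentions. It goes one step beyond cutting the password in half: the key is split into two XOR shares, so neither share alone reveals anything about it. All names are hypothetical, `fetch_remote` stands in for the HTTP download done by the init script, and the check tag stored beside the local share is an assumption of this sketch.

```python
import hashlib
import hmac
import secrets

CHECK_LABEL = b"disk-unlock-check"  # constant chosen for this example


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """2-of-2 XOR split: either share alone is indistinguishable from random."""
    local = secrets.token_bytes(len(key))
    remote = bytes(a ^ b for a, b in zip(key, local))
    return local, remote


def key_tag(key: bytes) -> bytes:
    """Check value stored next to the local share to detect a wrong recombination."""
    return hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()


def unlock_key(local: bytes, fetch_remote, expected_tag: bytes):
    """Boot-time step: fetch the remote share, recombine, verify before use.

    Returns None when the remote share is unreachable (e.g. removed after a
    theft) or does not recombine to the enrolled key.
    """
    try:
        remote = fetch_remote()  # stands in for the HTTP download
    except OSError:
        return None
    if not remote or len(remote) != len(local):
        return None
    key = bytes(a ^ b for a, b in zip(local, remote))
    return key if hmac.compare_digest(key_tag(key), expected_tag) else None


if __name__ == "__main__":
    disk_key = secrets.token_bytes(32)  # constructed sample key
    local_share, remote_share = split_key(disk_key)
    tag = key_tag(disk_key)

    def revoked():
        raise ConnectionError("remote share removed")

    print(unlock_key(local_share, lambda: remote_share, tag) == disk_key)  # normal boot
    print(unlock_key(local_share, revoked, tag))  # share taken offline
```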

lorentz@feddit.it 4 points 5 months ago

TPM solves a slightly different threat model: if you dispose of the HD or if someone takes it out from your computer it is fully encrypted and safe. But if someone steals your whole server it can start and decrypt the drive. So you have to trust you have good passwords and protection for each service you run. Depending on what you want to protect from, this is either a great solution or suboptimal.

lorentz@feddit.it 2 points 6 months ago

I use rclone, which is essentially rsync for cloud services. It supports encryption out of the box.

lorentz@feddit.it 4 points 7 months ago

I use https://mycorrhiza.wiki/. It is not very fancy but it is a single executable file and stores pages in a git repository, so no database is needed and doing the export is as simple as reading some files.

lorentz@feddit.it 2 points 7 months ago

The advantage of wildcard certificates is that you don't have to expose each single subdomain over the internet. Which is great if you want to have HTTPS on local-only subdomains.

lorentz@feddit.it 20 points 10 months ago

For a simple dynamic DNS, I have been using https://www.duckdns.org/ for a few years and been happy so far.


lorentz

joined 1 year ago