sarkyscouserB

Yes, I expose Home Assistant this way

I use nextdns as I can use that when mobile but if you want a local solution adguard home has DOH/DOT built in and a nicer interface than pihole IMHO

You will be behind CGNAT and a VPN will work yes but you will need to run a VPN client on each of your remote devices.

Adguard Home or pihole for starters.

Or run unbound and go straight to authoritative DNS servers.

If you want stability then you should go with Debian

I’m assuming the benefit over say Caddy + Authelia is that you don’t need to open any local ports such as 80 and 443?

Once you’ve chosen a VPN take a look at gluetun as a dockerised VPN gateway

I use Caddy and agree with your last point in the context of Crowdsec

Quite a number of smart home devices may not even support 5GHz wifi, I would check first.

5GHz/40MHz wifi should be good for ~300Mbps in the same room but will rapidly go down with distance and obstructions.

Increase your channel width to 80 MHz. Yours is set to 40 or lower.

Increasing channel width will increase bandwidth but reduce range and increase interference.

If you only have a basic router channel width settings may not be available though.