As for remote access, I have a separate machine running Alpine with WireGuard in a Docker container; I VPN into that machine to get access to other devices in the network.
This is smart, I should do that. I just run Tailscale on my NAS, but I do sometimes worry about it.