Connecting to a switch/router doesn't change anything, that's just how the Internet works. The fiber from the street is almost certainly connected to switches before it gets to your house as well.
If anything would break the "fiber to the desktop" meme, it's the fact that most residential ISP ONTs I'm aware of do not support SFP, which means that you'd have to get copper out of the ONT, then convert it back into fiber. You'd have to get lucky with an ISP that has compatible options.
I've heard of people doing fiber to the desktop in their homelabs. Seems a little overkill, but it's the cool factor that counts!
I don't get why they call hosting a mail server being your own ISP. It's a very very loose definition of the term "ISP" there. ISPs may provide mail services on the side, but that's not what makes them an ISP imo—its providing internet access that makes them an ISP.
On looking it up, apparently some people consider email providers ISPs in their own right though? Seems like confusing terminology.
This project uses mDNS, which is specific to the .local TLD. The whole reason that people are against the use of .local is because it would break mDNS. So you can set a custom TLD, but it doesn't matter because this is actually the correct context for .local to be used, and changing the TLD will actually break things for a lot of clients.
10.50.50.0 is not a valid IP address in most configurations. Have you tried 10.50.50.1?
Docker containers are more like LXCs—in fact, early versions of Docker used LXC under the hood, but the project diverged over time and support for LXC was eventually dropped as they switched to their own container runtime.
If you're already using Wireguard, it's super easy to add a VPS to your Wireguard network and route all traffic through it. Then you can port forward pretty easily using some iptables rules from the VPS public IP to an IP on the Wireguard network.
That said, doing it that way will involve routing all of your traffic through the VPS, which means you'll need a good low latency connection to your VPS. (You can set up split tunneling, but it's a bit of a hassle to do that and port forwarding.) An alternative would be to set up a reverse proxy on the VPS, and reverse proxy your VPN IP.
Any non-proxiable services probably shouldn't be exposed directly to the internet anyway, and you can simply expose them via VPN.
As long as you have access to a a command line, you can install it manually. It's worth noting though that I did a cursory internet search, and it seems like the developers are strongly against installing AGH on IPFire directly—plus it would take some hackiness to even get it installed on IPFire directly. That said, IPFire supports VMs, so you could run AGH in a VM on IPFire.
AGH can also be installed alongside OPNsense or pfSense as well, either by installing manually or in the case of OPNsense there's a plugin in the community repo
What is TrueNAS adding to this arrangement? Generally when people run two different servers at home, they keep the VM drives on the hypervisor and just use the NAS for storing bigger things like media files. Hosting VM drives over iSCSI works in an enterprise environment, but if you can't guarantee uptime for your storage solution then all you're doing is adding failure modes.
It seems to me that your best bet is to go down to one server, which means cutting out either TrueNAS or Proxmox. Both can handle both storage (ZFS included!) and VMs, so ultimately it's a matter of which you like better.
Alternatively, if you're hosting other stuff on your NAS, you could consider keeping both servers but just getting a few SSDs to stick in your Proxmox mini PC to serve VMs. That may or may not be viable for your situation, but it's worth considering.
Nah that ExpressVPN article is about regular port forwarding, not through the VPN. If you use that type of port forwarding you'll be leaking your IP.
Unlike Tor, which is built around accessing the clearnet anonymously, I2P is primarily designed around keeping traffic in the darknet. When you join I2P, you route traffic for other nodes but only within the I2P network, it will never leave through your clearnet address.
The equivalent of Tor's exit nodes are called "outproxies", but they aren't often used, there aren't very many of them, and you have to specifically set them up manually as it isn't the default behavior like it is for Tor.