I basically just avoid exposing ports from containers unless I really do want them exposed on the host?
Most services go through my reverse proxy, traefik.
Things like databases don't publish ports on the host because they're only accessed internally, using their container name.
Yeah I've been using wireguard for a long time myself personally, and more recently for a small team to access an intranet.
I'm a big fan. After a half hour or so trying to understand configs it's pretty manageable.
I've been trying to get zulip working.
Sounds like it addresses your requirements.
Seems to be a real bitch to self host - I've been doing this a while but the compose yaml is pretty arcane with hundreds of environment variables.
I didn't "give up" exactly but it's been on the back burner for a month or so now.
I'm honestly kinda surprised that Google is apparently not in fact doing this already and (according to the comments here) continues to not do so.
I've had a Synology NAS for 15 years or so, and I think it's ideal for this kind of use-case.
It has a point and click configuration UI that you access from a web browser.
There's a reasonably large ecosystem of packages you can install.
I'd have a super-serious talk with them about backing up their stuff.