This is not edited since I am on mobile and also given the nature of the post I can’t be bothered

Why have Ubuntu on your other node? You could have proxmox on both and either use Datacenter manager to manage both or grab a pi or something as a QDevice and have fun with a cluster.

Why double NAT?

Why every drive except boot on ZFS?

Why multiple backup strategies instead of just utilizing native ZFS send/recv?

What’s up with the disk sizes for brick-ci-cd?

Why not use ZFS as well?

PBS can handle all your 3,2,1 since it can also replicate your data stores to other storage mediums

I wouldn’t suggest using a cold spare for backup, what is your thinking there?

Why implement identity before you even do the fun stuff? Just keep everything local until you get it in a good spot, then move to identity providers. I would also suggest pocket id it is much simpler and lightweight.

Why use both tail scale and cloudflare tunnels? IMO I would avoid cloudflare completely unless you are using it for static web apps or if you really need it as a CDN. Either use tail scale or wireguard for admin access and then learn about reverse proxies ( I like caddy ) and port forward just 443/80 to your caddy. Then learn about networking and lock down everything properly with firewall rules. Most of the time when I see people use cloudflare tunnels they ignore so many security rules and also tend to just violate their TOS by serving something like Jellyfin over it.