Self-host your own ACME server. Then you can use certbot pointed there.
These instructions are old, so I'm not sure if there are newer/better ways: https://blog.sean-wright.com/self-host-acme-server/
The container method used should be whatever you are more familiar with or prefer. They both have their own quirks, pros, & cons.
SELinux - If you don’t want to deal with SELinux then set it to permissive mode. If you want to keep it in enforcing mode, you need to create the appropriate policies: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/configuring-selinux-for-applications-and-services-with-non-standard-configurations_using-selinux
Firewall - If you don’t want its protection then look up instructions to stop & disable it on your distro.
Port forwarding - From the Linux container side you either need to specify host networking or the ports you want to allow through; there is no avoiding that if it needs to be network accessible. If you want it internet accessible then you need to set up port forwarding on your router.
Have you looked into something like yunohost? It may be the kind of thing you’re looking for.
This project, https://neko.m1k1o.net/#/getting-started/examples , looks like a good base to try running regular GUI apps via docker & web.
edit: and here’s the git with Dockerfiles, https://github.com/m1k1o/neko-apps
You can try seeing if you can set the speed/duplex of the NIC/ports manually if auto-detection keeps getting it wrong.
Unifi: I like the APs for mesh & multiple SSID+VLANs, but I keep them on a dedicated VLAN with zero internet access because I don’t trust that I properly followed instructions to disable opted-in analytics/telemetry. The mgmt software is alright but the new UI wastes a lot of space. The PoE switch was alright until it stopped being able to keep a config last year. The USG router I kept less than a year because it was too slow with any useful features enabled. I’ve glanced around at replacement APs here & there but I'm pretty much waiting until I have more Wi-Fi 7 compatible devices, and that’ll be another couple of years.