The amount of VLANs here are , imo, a bit of an overkill

OK. Would you mind telling me what you'd do differently? And why?

1. Do not host an email server. There will be plenty of people here that will list the multiple reasons but chief among them is that it will be extremely easy to get your IP on a bad reputation list.

I know that's the conventional wisdom. I also know there are plenty of people out there who are doing it successfully and have been for years. I plan to use an SMTP relay so I don't have to worry about my IP being on a bad rep list.

2. If you are a novice as you state then the recommendation would be to not expose any services to the internet. If you need to make your NextCloud or any other app accessible to others than a remote access VPN would be best. If you dont want to do that then look at CloudFlare tunneling but i honestly just wouldnt do it if you are not prepared in all the things that could go wrong.

I'm already using CF tunneling. I plan to be prepared for worst case scenarios with a very good backup plan/system. If everything crashes and burns, OK. Great learning opportunity.

If you are going down this rabbit hole of simulating an enterprise then look also into setting up a remote logging server (Graylog), perhaps a SIEM (Wazuh) which i would highly recommend considering you are exposing web servers to the world.

Yep. Planning to use both of those. Maybe Zabbix and Suricata, too. All stuff I want to learn.

And start small. Too many things can go wrong with all these

Learning is one thing. Overwhelming is another

1. Do not host an email server. There will be plenty of people here that will list the multiple reasons but chief among them is that it will be extremely easy to get your IP on a bad reputation list. Honestly, dont do it.
2. If you are a novice as you state then the recommendation would be to not expose any services to the internet. If you need to make your NextCloud or any other app accessible to others than a remote access VPN would be best. If you dont want to do that then look at CloudFlare tunneling but i honestly just wouldnt do it if you are not prepared in all the things that could go wrong.

If you are going down this rabbit hole of simulating an enterprise then look also into setting up a remote logging server (Graylog), perhaps a SIEM (Wazuh) which i would highly recommend considering you are exposing web servers to the world.

The biggest advice i would give is this. If you could avoid exposing anything to the internet then do that.

Also, its your home. Give yourself/24s for your VLANs. I tried to be clever like you and give reasonable sizes to my DMZ. I gave a /29, After a few weeks i realized i had a lot of virtual machines that i have spun up and i had to go around re-iping everything.