but quantum stuff can tunnel through the cheese, despite its inability to be penetrated
I do as you, and run my own services for everything I use frequently except for email. keeping it all behind a vpn prevents unwanted access. I pay for protonmail but operate my own mail server for internal use. I have machinery to download messages from protonmail upon receipt and make them available to me, and to send through protonmail. so I'm doing both and using protonmail as the interface with outside servers.
picking a different port that isn't also used by another common service will eliminate most of the botscans you'll see otherwise.
... do you have a reason to belive your ISP cares if you run wireguard?
... in case you don't know: if it's for resources on a private home network, you can easily add the CA cert (i.e. the public key associated with the private key used to sign your certs) to your devices so that it's no longer unknown and the warnings disappear. I know this doesn't answer your question, but it's what I'd do instead of using letsencrypt for private services.
federation happens over the clearnet, so the only place tor gets used is your connection to the instance.
With syncthing, you can share securely your pictures (etc.) folder on your phone with your computer, and cut cloud storage out of the picture entirely.
clearly the author of this tweet has never been camping in the summer. you don't die just because you're outside with no AC. if that were true none of this ever would've gotten built because AC is a relatively recent invention. the Southeast certainly was hot and humid before climate change; and yes now it's getting worse, but this take is pretty sensational.
syncthing works on every device and substitutes for cloud storage services. pictures taken with a phone end up quickly in the shared folder on my desktop. etc.
can't say I've ever done this. better to figure out why it's broken and fix it so that the next time I encounter that kinda problem, I can fix it quickly.
ultimately, you will need some kind of access to something with at least one port open, if you intend to host services on the clearnet. you could use tor if onion services will work for you. if you have ssh access somewhere with a port open (or a friendly sysadmin), you could tunnel to there and redirect incoming connections back through the tunnel. same thing with a VPN, if the sysadmin is really friendly.