Yes, I do have DDNS set up with my own domain, but a static IP is more convenient for me since I travel for work (and may not have the latest IP after maintenance).
I'll try to look at the auto update script, but it may be too complicated for me because I'm a noob when it comes to these kinds of things, and I probably don't have the time for it since I'm moving house (first one of my own, so there's lots to do).
The thing with a static IP is there are loads of bots, scanners, sniffers and scrapers snooping around your network (when you're hosting stuff on different ports etc...) every day; you can see it just by looking through your traffic logs. Even if you have a firewall, there's always a dilemma about what you want to block and what you don't want to or cannot block, and these pesky bots keep coming back under different user agents, and even if you manage to block 90% of them (which is doable), there are still some persistent ones that are unidentifiable (hard to come up with specific rules to block, since it will block other legitimate users too), and you can't possibly block all datacenter ASNs as it would require resources to look up every time a visit hits. While most are harmless, do you want complete strangers to loiter around outside your house every day?
So what I've done is to totally block off all traffic (result = 403) that is coming in via direct IP and only allow the Cloudflare header (your use case should be secure tunneling) to pass through, then I leave it to CF to filter/firewall. Yes, I know you have a domain and everyone should respect that and come through that domain, but heck, bots don't respect that (read my first sentence above) and they come direct through your IP address. My use case is a server hosted in a datacenter, but for your homelab/NAS scenario, you are the only one accessing?... so it should be easier to implement.
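The rule described in the post above, sketched as an added example that is not the poster's own configuration: a request gets a 403 unless it names the site by hostname, arrives from an edge address range, and carries the `CF-Connecting-IP` header. The function names, the hostname `nas.example.com` and the address ranges (documentation space standing in for the provider's published list) are assumptions made for this example.

```python
import ipaddress

# Constructed placeholder ranges (documentation address space).
# A real deployment would load the edge provider's published IP list instead.
TRUSTED_EDGE_RANGES = [ipaddress.ip_network(n)
                       for n in ("198.51.100.0/24", "2001:db8::/32")]
ALLOWED_HOSTS = {"nas.example.com"}  # hypothetical site name


def host_name(host_header):
    """Return the host part of a Host header, without port or IPv6 brackets."""
    host = (host_header or "").strip().lower()
    if host.startswith("["):             # e.g. [2001:db8::1]:443
        return host[1:].split("]", 1)[0]
    if host.count(":") == 1:             # name:port or 1.2.3.4:port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def decide(peer_ip, headers):
    """Return (status, reason); 403 unless the request came through the edge."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    host = host_name(hdrs.get("host"))
    if not host or is_ip_literal(host):
        return 403, "direct-ip"          # visitor addressed the bare IP
    if host not in ALLOWED_HOSTS:
        return 403, "unknown-host"
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_EDGE_RANGES):
        # The header is client-supplied, so the TCP peer must be an edge node.
        return 403, "not-from-edge"
    client = hdrs.get("cf-connecting-ip", "")
    if not is_ip_literal(client):
        return 403, "missing-edge-header"
    return 200, client                   # real visitor IP as reported by the edge
```

Checking the connecting peer against the edge ranges matters because any client can send a `CF-Connecting-IP` header itself; the header is only meaningful when the connection really comes from the edge.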