Based on my setup, I use adguard to DNS rewrite all *.example.com domains to the IP of my Nginx proxy. I have the proxys setup on NPM. On my router I have adguard set as the home network DNS. Cloudflare is used as the external DNS so that the *.example.com domains work outside of my network (and point to thr Nginx server).
My setup is relatively basic, unraid dockers etc.
I also self host Vault Warden. I have my vault automatically exported to Google Drive as an encrypted copy. So worst case I can download from there, and import it to a new password manager or another Bitwarden instance if my server borks.