

Depends on your threat model, but you’re probably fairly secure from remote unauthorized access right now.
Given that I’m American, I would put the *arr stack behind a dedicated VPN container like gluetun and set Gluetun up using a “no logs” VPN.
For remote access, Tailscale can probably get around that double NAT. If you have it on your devices as well as your server, you won’t necessarily need to expose anything publicly.
If that’s not an option, you could set up an external VPS to run a reverse proxy (Caddy perhaps) and use the Tailscale connection to connect the VPS to your home server. There are fully self hosted ways to do this (Headscale comes to mind), but Tailscale is how I personally would solve this.
There’s a couple of options.
I’ve used Grocy. It’s not intended for that particular use case but it would work. More for Grocery management.
Might want to check out https://awesome-selfhosted.net/