I’m not familiar enough with cloudflare proxy stuff. I just have my DNS pointed at my router external IP (and luckily my ISP doesn’t reset my IP ever.) It sounds like CF has designed this intentionally as a profit center. Sorry couldn’t be more help

This isn’t a cloudflare limitation. It’s a TLS limitation. It was a conscious decision not to support multi-level wildcards. You won’t find a service that supports it. Most people get around this by just not using TLS certs like this. You can encode your multi-level name spacing in 1 level So instead of something like svc1.svcgroup.dev.domain.org You can do it like svcgroup-svc1.dev.domain.org

Never heard of a tool to get around this TLS limitation. There are tools that manage lots of certs (cert-manager in k8s comes to mind). If you had a more concrete example it might help people to suggest solutions.

The only Radxa I’d bother with is the Rock 5 and for the price, I’d probably just go with rpi5 (unless you like to tinker… a lot). That’s coming from someone that owns 3 Rock5’s. The new Orion board looks interesting, but if it’s like any other Radxa products it’ll be 2+ years before it gets decent software support.

There’s a fine line between “auto-updates are bad” and “welp, the horribly outdated and security hole riddled CI tool or CMS is how they got in”. I tend to lean toward using something like renovate to queue up the updates and then approve them all at once. I’ve been seriously considering building out a staging and prod env for my homelab. I’m just not sure how to test stuff in staging to the point that I’d feel comfortable auto promoting to prod.