Roughly a year later, the Synology is running great, and I haven't done much with the configuration aside from the occasional update. That said, there are a number of specifics I left out of my first post.
VPN Access via K8S and Nebula
I'm still using Nebula vpn. Every once in a while I consider moving to one of the wireguard options, but Nebula seems to be in the sweet spot of simple while having the features I care about. The only part I haven't quite smoothed out yet is dns. Fortunately I have few enough hosts that it hasn't been much of a problem.
I have nginx ingress proxying http and nfs connections to the Synology. With nfs I had to update the permissions to allow connections from nonprivileged high ports. Additionally I have cert-manager configured so I get real tls certificates.
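The non-privileged-port permission mentioned above corresponds, in standard exports(5) syntax, to the `insecure` option, which removes the server's check that NFS requests come from a source port below 1024. The following is an added example, not the author's configuration: a small audit that lists every export entry carrying `insecure` and says whether it is limited to a single client address (such as the proxy) or matches a broader set. The export text, paths and addresses are constructed, and it assumes the NAS's NFS rules are available in exports(5) form.

```python
import ipaddress
import re

# Constructed sample in exports(5) syntax; paths and addresses are made up.
SAMPLE_EXPORTS = """\
# share reached through the ingress proxy
/volume1/media  10.0.0.12(rw,insecure,no_subtree_check)
/volume1/backup 10.0.0.0/24(rw,insecure) 10.0.0.5(rw)
/volume1/public *(ro,insecure)
"""

# One "client(opt,opt,...)" entry; an empty client field means "everyone".
ENTRY = re.compile(r"(?P<client>[^\s()]*)\((?P<opts>[^)]*)\)")


def is_single_host(client):
    """True only when the client field is one IP address, not a network or wildcard."""
    try:
        ipaddress.ip_address(client)
        return True
    except ValueError:
        return False


def audit_exports(text):
    """Return (path, client, scope) for every client entry that sets `insecure`."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        path, rest = parts
        for match in ENTRY.finditer(rest):
            opts = {o.strip() for o in match.group("opts").split(",")}
            if "insecure" not in opts:
                continue  # privileged-port check still enforced for this client
            client = match.group("client") or "*"
            scope = "single host" if is_single_host(client) else "broad client match"
            findings.append((path, client, scope))
    return findings


if __name__ == "__main__":
    for path, client, scope in audit_exports(SAMPLE_EXPORTS):
        print(f"{path}: insecure allowed for {client} ({scope})")
```

Entries reported as "broad client match" are the ones to narrow first, since any process on any matching host can then reach the export from an unprivileged port.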
I don't do much file access so can't really say if going through Nebula/nginx has any impact on performance. At least in my case it hasn't been noticeable.
I put Nebula on my phone as well and set it up to use Synology Photos instead of Google Photos. My usage is pretty basic and it works well for what I need.
The best part of this setup is there's no internet access to the Synology.
Synology Office
I use the web-based Synology Office for a couple spreadsheets. It's not very exciting and I wouldn't really care if it wasn't available.
Synology Drive
I tried using Drive but found it clunky. The linux clients felt poorly maintained and outdated. I also didn't really want/need to sync data across devices. So I stopped using it and stuck with nfs.
Surveillance Station
I tried out Surveillance Station for security cameras, but wasn't terribly impressed with the software and definitely wasn't impressed with the licensing scheme. Instead I eventually went with frigate. I may or may not have written a blog post for it specifically.
LDAP
It's there but I'm not really using it. It's just doing authentication for the shares and a bit of dns for the lab.
Conclusion
I suppose it's kind of ironic that the coolest thing (the nebula vpn) about my NAS setup isn't even part of the NAS. And that also means my original goal of making the NAS boring was successful.