Pi-Hole, Firewall/VPN, NextCloud Server, and Security Tool Test machine AIO?

Hello,
I am looking to utilize NextCloud at home. I have used other cloud services and I think, from the outside, NextCloud seems to be cool. In general, because of my profession (security), I am hesitant about adopting cloud technologies, but their convenience is obvious. At the same time, I wish to combine a number of other features for other reasons and I am wondering if it can be done as an all-in-one.

Questions

  1. If hosting my own NextCloud at home, using 2FA, E2E encryption, encryption at rest, and maybe even a wrapper like BoxCryptor, is it sensible to still have the NextCloud server behind a Linux firewall?
  2. The idea is that I will have a Wi-Fi hub and wired switch also behind my VPN and firewall, so that all devices by default go via a VPN and all meaningful traffic is encrypted. Can NextCloud be set up behind something like this? How does access to the internet work?
  3. Pi-hole (I have never set this up and have a few questions). The Raspberry Pi for the Pi-hole concept is merely a low-cost computing system that can run Linux. So, I suppose any machine running Linux can implement the Pi-hole concept. Is this correct? From a network perspective, should this even be connected to the same physical hardware or could one create a virtual machine to black hole all the traffic?

I plan to buy a restored, formerly very high-end workstation. Years ago, I set up a VMware server for CCIE classes and education with less robust hardware and, from the hardware perspective, I have all the confidence this will work. But it seems the virtual routing can be a bit messy, and hence I am wondering how access and security work with these specific features/tools.