For the NVMe, I got an Icybox NVMe enclosure because the other enclosures were problematic. I was using a "SSK Aluminum M.2 NVME SSD Enclosure Adapter, USB 3.1 Gen 2 (10 Gbps) to NVME PCI-E M-Key Solid State Drive External Enclosure (Fits only NVMe PCIe 2242/2260/2280)" - https://www.amazon.co.uk/gp/product/B07MNFH1PX
I ended up replacing it with a "ICY BOX M.2 NVMe Enclosure for M.2 NVMe PCIe SSD, USB 3.1 (Gen 2, 10 Gpbs), USB-C & USB-A Cable, Aluminum, Black" - https://www.amazon.co.uk/gp/product/B07JJXCSC4
The ICY BOX actually supports booting from it unlike the SSK so I managed to ditch the microSD card too. Here was my enquiry on the forum about it: https://forums.raspberrypi.com/viewtopic.php?t=307291
Once you're set up with Pihole running on it and can SSH into it, installing Navidrome is easy - just follow the installation guide at https://www.navidrome.org/docs/installation/linux/.
For Wireguard installation, I used https://github.com/pivpn/pivpn
I also use a Wireguard UI (which stores its configuration in a different place to the "stock" Wireguard installation in the pivpn above): https://github.com/ngoduykhanh/wireguard-ui
There are some rules to permit incoming traffic on Wireguard in and out:
Post up: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Post down: iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
For DDNS, I just run a cron job that connects to a free plan on https://freedns.afraid.org/. They have a bash script to use - very simple.
I run Wireguard on my phone as an "always on" VPN which connects to the domain registered at the DDNS service, so I know that mydomain will also go home.
To get DNS working over the Wireguard, you may have to change the Pihole settings to "permit all origins" for DNS requests.
For incoming traffic at my home, the router port forwards the appropriate Wireguard port to the Pi (on its static address). The Pi is not set as a DMZ or anything.
Enjoy!
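Added example, not part of the original post: a small check that every iptables rule appended by a PostUp hook in a wg-quick style config has a matching delete in PostDown, so the MASQUERADE rule above does not stay behind once the tunnel is down. The sample config is constructed, and the extra FORWARD rule in it is an assumption used to show a finding; the function names are hypothetical.

```python
import re

# Constructed sample config: the MASQUERADE pair is the one from the post,
# the FORWARD rule is an assumed extra with no matching PostDown.
SAMPLE_CONF = """\
[Interface]
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = iptables -A FORWARD -i %i -j ACCEPT   # constructed, unpaired
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
"""


def hook_commands(conf_text, key):
    """Return the commands of every `key = ...` line, split on ';'."""
    cmds = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        m = re.match(rf"{key}\s*=\s*(.+)", line, re.IGNORECASE)
        if m:
            cmds += [c.strip() for c in m.group(1).split(";") if c.strip()]
    return cmds


def normalise(cmd):
    """Collapse whitespace and replace -A (append) / -D (delete) with one token."""
    return " ".join("<OP>" if t in ("-A", "-D") else t for t in cmd.split())


def unpaired_rules(conf_text):
    """iptables rules appended in PostUp that no PostDown command deletes."""
    removed = {
        normalise(c)
        for c in hook_commands(conf_text, "PostDown")
        if "-D" in c.split()
    }
    return [
        c
        for c in hook_commands(conf_text, "PostUp")
        if c.split()[0] in ("iptables", "ip6tables")
        and "-A" in c.split()
        and normalise(c) not in removed
    ]


if __name__ == "__main__":
    for rule in unpaired_rules(SAMPLE_CONF):
        print("no matching PostDown delete for:", rule)
```

Rules inserted with -I are not compared here; only -A/-D pairs are.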