I run freeipa internally, which handles all internal https certs (as well as nice things like handling non sudo auth so I can just ssh to machines from an already authed machine without a PW prompt, and doing ldaps for internal things that support it)

For external web, I have a single box running nginx as a reverse proxy thats web exposed. That nginx box has letsencrypt certs for the public web stuff. The nginx rp has the internal CA on it and will validate the internal https certs (no mullet SSL here!)

I also do different domains for internal vs external, but thats not a requirement for a setup like this

Rhasspy. Idk if rhasspy3 is out fully, but I would wait for that and then set it up. (I have began to see the home assistant side being released - its supposed to tie in a lot better than rhasspy2, and even brought the dev on to the HA project)

Highly recommend a soda stream, or soda stream alternative. My go to is 4 or 5 drops of lime juice in a glass, then the carbonated water. Tastes identical to the canned stuff, but way cheaper (and maybe less preservatives? Idk if the canned water has anything besides fruit juice and water)

I also occasionally like root beer if I’m eating something junky like a pizza slice or burger. I bought a bag in a box of syrup from the small root beer brand I enjoy, and can make my own for a few cents instead of a few bucks per bottle. Plus, I can control the concentration depending on how sweet my sweet tooth is feeling that day