That sounds fine. I would only say don’t use Syncthing to actually make your backups. My preference and recommendation is restic, possibly combined with the helper utility autorestic.

Lidarr isn’t really meant for that so you’re always going to fighting things I unfortunately

NPM likes to eat the let encrypt requests which is what I’m assuming is breaking the cert gen inside the container. I believe you can work around this, but honestly I’d recommend just moving to a more advanced but more flexibile proxy solution.

Personally I recommend Traefik. There isn’t a friendly gui to help you but once you wrap your head around it things just work. It also allows for defining proxy parameters right in your compose file via labels so it takes out the need to log into NPM and manage proxy entries there. Just deploy you’re compose fils and you’re off.

As far as making what you’ve got just work, you can either try to get NPM to stop intercepting the LE cert requests or hack up the signal-tls-relay container and jam the NPM certs into it. I wouldn’t recommend either of these options though. I’ve been in a similar scenario and it’s this among other reasons why I moved off NPM. I started with NPM because I thought it would be simple and easy and it is, right up until you want to do a thing even slightly outside of its fairly limited box.