I use the AmpliPi from Micro-Nova for whole-home audio and I love it. It’s local, open source and has a Home Assistant integration.
The main unit has 6 zones, but expansion units can be added. I think it supports up to 4 simultaneous streams. We use 2x AirPlay streams, and a turntable connected via RCA, but many other options are supported. They detail it all on their website and GitHub repo.
This is what I do as well. I have a public DNS record for my internal reverse proxy IP (no need to expose my public IP and associate it with my domain). I let NPM reach out to the DNS provider to complete the verification challenge using an account token; NPM can then get a valid cert from Let’s Encrypt and nothing is exposed. All inbound traffic on 80/443 remains blocked as normal.
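
An added example, not part of the original comment: the setup described above relies on the ACME DNS-01 challenge (RFC 8555), where proof of domain control is a TXT record rather than an inbound HTTP request. The sketch below derives that TXT record and checks that the published A record is an RFC 1918 address; the hostname, challenge token and account key are constructed sample values.

```python
import base64
import hashlib
import ipaddress
import json

# RFC 1918 ranges; an A record inside these is unreachable from the internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """Return (name, value) of the TXT record the CA looks up.

    `token` is the challenge token issued by the CA, not the DNS provider
    API token that the client uses to publish the record.
    """
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    # Wildcard orders are validated at the base name.
    name = "_acme-challenge." + domain.removeprefix("*.").rstrip(".")
    return name, value

def is_internal_only(a_record: str) -> bool:
    """True when the published A record points at an RFC 1918 address."""
    addr = ipaddress.ip_address(a_record)
    return any(addr in net for net in RFC1918)

# Constructed sample values (not real keys, tokens or hosts).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": b64url(bytes(range(32))), "y": b64url(bytes(range(32, 64)))}
SAMPLE_TOKEN = "constructed-challenge-token-0001"

if __name__ == "__main__":
    name, value = dns01_record("media.example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"{name} IN TXT \"{value}\"")
    print("A record internal only:", is_internal_only("192.168.1.20"))
```

The CA only performs outbound DNS lookups for the TXT name, which is why the certificate can be issued while 80/443 stay closed and the A record resolves to a private address.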