Getting a second drive just for Windows I think is a good approach. If you were to do so, it’s important that you remove all other drives while installing Windows, otherwise the Windows installer will put its boot files into whatever existing EFI partition it finds.
Then using something like https://github.com/Raphire/Win11Debloat you should be good to go with a relatively clean setup.
To have a local account, I use Rufus to set up the USB installer in a way that it automatically creates the local account, and it can also disable the Secure Boot and TPM requirements from the installer if you want. Though I think Rufus is a Windows-only program. I know there’s the “OOBE” approach for the local account, but I haven’t done that before. That could be an option too.
Not really through Caddy, but for my setup I have it so the SSH port for Forgejo is only accessible through Tailscale. So for pushing/pulling I updated my SSH config file to something like:
    Host git.mysite.com
        HostName tailscaleMachineName
        User git
        Port 1234
Then doing git pull [email protected]:user/project.git works just fine as long as I am connected to Tailscale.
Otherwise you could open the port for Forgejo’s SSH so that you can access it without any VPN.