Is self hosting it with Forgejo over Tor an idea?
If you don’t want to get a domain name perhaps you can go with Duck DNS then use Caddy for the reverse proxy to your NextCloud instance. Download the DuckDNS plugin for Caddy and set up DNS Challenge to have Caddy fetch a Let’s Encrypt cert for you and update it when needed.
You also have the option to point your DuckDNS domain name to a private IP address on your LAN if you need to.
The only bad part is that you have to type a long URL but you will also get a valid cert with a free domain.
I have the same issue when I’m on PIA VPN. Like you I just use DuckDuckGo.