since i forgot to answer the identity part, to get single signon for the services, you can use somthing like keycloak, but not all services support oidc signin. if you need freeipa or AD, you can always use a bhyve vm
https://vermaden.wordpress.com/2024/03/10/keycloak-on-freebsd/
i think this might be worth a watch: https://www.youtube.com/watch?v=S3u8OtjfGFE
FreeBSD ships with jails in the base system, those offer a nice way to isolate services. Its also realy easy to create one:
bsdinstall jail <empty folder>
This will guide you through the interactive system install for a jail install. Have a look in jail.conf, and maybe grab a sample config from the handbook. If that is a little involved, you could also install a jailmanager like ipcage or ezjail. (Truenas was a nice webui but wont get updates much longer) Combined with zfs datasets for the different services, you can even get different snapshot and backup options for the different jails and services.
Hope this answers some questions.
I have never had to to do this, but I think the way you would go about this is to pass the card to a linux vm. https://xyinn.org/md/freebsd/wifibox
ghostbsd is based on freebsd as far as i know, so most of it should the same but i habe not used it yet