Security: servers and databases in home LAN

0

As someone with rather limited knowledge about network security, I would like to know: Is it «safe» to run (1) a MySQL server, (2) some docker containers with arbitrary services and (3) an apache or nginx as reverse DNS, in a standard home LAN, and expose them to the internet? My network setup is quite simple: one router, connects to the internet, all devices in the house directly connect to that router. I can use port forwarding and DDNS to let any device in the LAN become a server. There is currently no DMZ configured and I’m not using a physical firewall.

Is it safe to forward ports like 80 to devices in such a LAN, or should I even refrain from registering the router’s public IP at a DDNS? In other words: Can the described setup (1) make the devices vulnerable, to which ports are forwarded (malware injection, data theft, …) or even (2) make other devices on the LAN vulnerable, that don’t have anything to do with the servers?

Of course, this is not a production environment. I just often work on multiple projects at once, which I want to reach from outside my house, and I don’t want to pay large amounts of money for AWS, GCP, etc. So, I wanted to have servers for MySQL, Mongo, Neo4J, etc. always up and running, and also deploy some of my web apps for personal demo and testing purposes.

Macklin

Posted 2017-09-24T09:52:21.600

Reputation: 1

Answers

0

[...]Can the described setup (1) make the devices vulnerable, to which ports are forwarded (malware injection, data theft, …) or even (2) make other devices on the LAN vulnerable, that don’t have anything to do with the servers?

Yes and Yes.

Is it safe[?]

This is probably a personal opinion depending on what you call "safe". In practical terms, however, there are probably two things to consider:

  • Modern servers are constantly under a barrage of automated exploit scripts (which is usually how most attackers target victims).

  • Most of these threats can be mitigated with regular software updates, a minimal amount of precaution and some proper security settings (which you can reasonably research).

Bottom line, if you do go this route, you will be playing amateur sysadmin for your network (likely reading logs, checking for software updates, etc). If you don't mind taking on this role, you can be relatively safe with a home setup. Otherwise, traditional 3rd-party services might be more your speed.

My network setup is quite simple: one router, connects to the internet, all devices in the house directly connect to that router.

This can be relatively safe with the correct firewall settings in place. That said, you might want to dedicate a cheap PC (an old one or maybe even a Raspberry Pi) to doing firewall duty with something like pfsense.

Is it safe to forward ports like 80 to devices in such a LAN, or should I even refrain from registering the router’s public IP at a DDNS?

This is admittedly anecdotal but having had an extremely similar setup for years for testing and personal use, I have never had an issue with security.

Regarding Apache/Nginx and MySQL specifically, just as some small tidbits:

  • Make sure Apache/Nginx isn't acting as an open proxy (which is ripe for abuse and makes your server a target). This danger is generally mitigated with some simple configuration commands (such as those detailed here for Apache).

  • For Apache, I would recommend disabling .htaccess files.

  • For MySQL, one big issue is using browser-based administration tools such as phpMyAdmin. Along with WordPress, when reviewing logs, this is some of the most attacked software I have seen (likely because SQL injection can be potentially so powerful). Any web app that connects to a database should be properly secured but running tools like these is (potentially) asking for trouble.

  • Note that the above goes hand in hand with limiting database server access to only selected local computers and limited database permissions.

  • SQL injection attacks can help be mitigated by Web Application Firewalls (WAF). Third party services such as CloudFlare offer these kinds of services (currently $20/month with other features as well) for a "set and forget" solution. However, it is fairly easy to add this kind of feature yourself via Apache or Nginx with modules such as ModSecurity.

As a last word, the basics for securing your web server and MySQL are well-documented and usually fairly simple to research, e.g. "How do I secure Apache on Linux" or "How do I prevent SQL injection attacks". These both bring up common tips that will prevent most malicious users from messing with your systems.

You can get fancy, of course, and try to add extra security (such as a true DMZ) but this is potentially a lot more work.

Anaksunaman

Posted 2017-09-24T09:52:21.600

Reputation: 9 278
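
An added example, not part of the original answer: a small audit that checks the three settings the answer's bullets point at, namely Apache's `ProxyRequests` (forward proxy), Apache's `AllowOverride` (.htaccess handling) and MySQL's `bind-address` (which interfaces the database listens on). The sample configs are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample configs for illustration (not taken from the post).
APACHE_CONF = """\
ServerName demo.example
ProxyRequests On
<Directory "/var/www/html">
    AllowOverride All
</Directory>
"""
MYSQL_CNF = """\
[mysqld]
# bind-address = 127.0.0.1
bind-address = 0.0.0.0
"""
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def directives(text):
    """Yield (line_no, name, value), skipping comments and section headers."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;<[":
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        value = parts[1].strip() if len(parts) > 1 else ""
        # MySQL accepts '-' and '_' interchangeably in option names.
        yield n, parts[0].lower().replace("_", "-"), value

def audit_apache(text):
    findings = []
    for n, name, value in directives(text):
        if name == "proxyrequests" and value.lower() == "on":
            findings.append((n, "forward proxy enabled; open unless access is restricted"))
        elif name == "allowoverride" and value.lower() != "none":
            findings.append((n, ".htaccess overrides honoured: " + value))
    return findings

def audit_mysql(text):
    findings = []
    for n, name, value in directives(text):
        if name == "bind-address" and value.lower() not in LOOPBACK:
            findings.append((n, "listens beyond loopback: " + value))
    return findings

if __name__ == "__main__":
    for label, result in (("apache", audit_apache(APACHE_CONF)),
                          ("mysql", audit_mysql(MYSQL_CNF))):
        for n, msg in result:
            print(f"{label}:{n}: {msg}")
```

The audit only reads explicit directives in the text it is given; settings pulled in through included files or left at their defaults need a separate check.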