Best measures to take to secure NextCloud when forwarding 80/443

you are lucky, we just created a 101: reverse proxy post explaining basic concepts of a reverse proxy

your config.php settings look almost good for a reverse proxy

usually this is not required…

trusted_domains should contain your public domain xyz.duckdns.org

nextcloud/all-in-one/blob/main/reverse-proxy.md - AiO is a specific installation method and the doc you used likely doesn’t fit your bare-metal installation.

you cannot have valid public certificates issued to ${internal host} or ${ip address}… you need to configure your reverse proxy to serve xyz.duckdns.org (and issue TLS certificates for this domain).
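
As an added example, not part of the original post: a small Python audit of the reverse-proxy-related `config.php` keys for a server published as xyz.duckdns.org. It goes beyond the post's `trusted_domains` point by also checking `trusted_proxies` and the optional `overwritehost`/`overwriteprotocol` keys; the sample values and the proxy address 192.168.1.10 are assumptions.

```python
import ipaddress

# Constructed sample mirroring config.php keys. All values are assumptions
# except xyz.duckdns.org, the placeholder public domain used in the post.
SAMPLE_CONFIG = {
    "trusted_domains": ["192.168.1.50", "nextcloud"],
    "trusted_proxies": ["10.0.0.0/24"],
    "overwritehost": "192.168.1.50",
    "overwriteprotocol": "http",
}


def proxy_is_trusted(proxy_ip, trusted_proxies):
    """True if proxy_ip matches an entry (single address or CIDR range)."""
    addr = ipaddress.ip_address(proxy_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in trusted_proxies)


def audit(config, public_domain, proxy_ip):
    """Return findings for a Nextcloud server behind a TLS-terminating proxy."""
    findings = []
    public = public_domain.lower()
    domains = [d.lower() for d in config.get("trusted_domains", [])]
    if public not in domains:
        findings.append(f"trusted_domains is missing {public}")
    # A certificate issued for the public domain matches that name only, so
    # other entries (IPs, internal host names) cannot be served with it.
    for d in domains:
        if d != public:
            findings.append(f"{d} is not covered by the certificate for {public}")
    # Without this, Nextcloud sees every request as coming from the proxy
    # itself, so brute-force throttling acts on the proxy, not the client.
    if not proxy_is_trusted(proxy_ip, config.get("trusted_proxies", [])):
        findings.append(f"trusted_proxies does not include {proxy_ip}")
    # The overwrite* keys are optional, but if set they must describe the
    # public URL, otherwise generated links point at the internal address.
    host = config.get("overwritehost")
    if host and host.lower() != public:
        findings.append(f"overwritehost is {host}, expected {public}")
    proto = config.get("overwriteprotocol")
    if proto and proto != "https":
        findings.append(f"overwriteprotocol is {proto}, expected https")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG, "xyz.duckdns.org", "192.168.1.10"):
        print("FINDING:", line)
```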