DO NOT call the police. They will confiscate the server as evidence, and lacking any other suspect, you will be their primary lead. Police aren’t about convictions or justice, they want to consider a case solved.

By law, you are not liable. But because of law enforcement incentives, it will absolutely become your problem.

Good move. I have my home network and its home lab the same way I run my work networks and server clusters:

1. Management network over regular copper ethernet. This is what’s routed over VPN for remote access. IPMI also connects here for when something really stupid happens.
2. High speed fiber connecting all the servers. Not routed out - it’s only used for comms between the servers. This serves as a backup in case the management port dies. It has saved me a couple of times: shell in to one of the others the normal way, the from there I can jump into any other server via the fiber connection.