I recently finished something like this at home, npmplus+pihole. I’ll never do it again, and the moment it breaks I’ll go back to just using Tailscale’s MagicDNS

Pasting a comment I made in another similar thread:

I use a reverse proxy (caddy), and point a domain at my machine.ts-domain.ts.net which hosts caddy

this way I can go to service.my.domain instead of machine:port as long as I’m connected to tailscale. any devices not on my tailscale network just get bounced if they hit the domain

Caddy with DNS provider module: https://caddy.community/t/how-to-use-dns-provider-modules-in-caddy-2/8148

Personal solution:

• Openssl certs (lots of youtube videos on best practice there).
• nginx reverse proxy manager
• adguard home using the dns rewrite pointing to the wildcard domain.

This is enough i find for intranet use. You can get fancy and put it over a wireguard or tailscale network too.

Use a piehole for your DNS and send the endpoints to an NGINX host

1. Point the hostname of your service to the IP of the proxy in the DNS.

2. For the certs you need an internal CA. I use Step CA which has ACME support so the proxy can get certificates easily.

3. Add the root CA certificate to your computer certificate trust store.

4. Profit!!

I have a pretty similar setup currently running but I bought a public domain that I use for my certificates.

I used to have a pi-hole as my DNS server where I entered all subdomains and pointed them at the right address, namely my reverse-proxy.

My reverse-proxy, Nginx Proxy Manager, got the certificates from my domain registrar and forwarded the requests to the correct services based on subdomain.

Imma be the problemXY guy here - ditch the https part. without it, you don’t gotta deal with certs, signing, shit that’s outside your LAN, etc. it’s your LAN, do you really need that level of security? who’s gonna sniff packets and shit on your LAN?

now all you need is pihole where you set up your hostnames (jellyfin.lan, nextcloud.lan, etc.) and nginx proxy that maps e.g. jellyfin.lan to 192.168.0.123:8096. both of them run plenty fine in docker.

I don’t know of an all-in-one-place guide but there’s not a whole lot to it. Just look up how to do each of the parts you mentioned. I’d say that buying a domain and using LetsEncrypt is not really in the self-hosting spirit (i.e. you should run your own DNS and CA) but it’s up to you. Running a serious CA with real security is quite hard, but for your purposes you can just do whatever. There are various programs or scripts for it. I still use CA.pl from the openssl distro, but that’s very old school and people here hate it. Anyway, you will do a little head scratching to get everything working right, but it will be educational, so you’ll get something out of it in its own right.

It’s probably just easier to use public certs with DNS verification than building and distributing your own certs.

I think you could achieve this with largely the same method as typical when using Nginx, Caddy, etc.

The main difference is that where you’d usually use ACME/Let’s Encrypt - you’ll likely need to generate your own certs using a took like mkcert. You’ll need to get the CA cert used to generate the SSL certs and install it on any other systems/browsers that will be accessing the apps over https (mkcert will install them for the system you generate from).

I have a similar setup, with a public domain hosted by cloudflare. Internally, I use caddy with the DNS feature pointing to the cloudflare using their API and letsencrypt certs.

Something like this: https://webenclave.com/2024/11/07/setting-up-a-secure-local-network-with-caddy-cloudflare-dns-and-lets-encrypt/

I can also share more details, maybe my compose files and caddy setup if you need them.