Simon-RedditAccount

joined 2 years ago

As for your question itself - you probably want a reverse proxy. Almost any web server can act as a reverse proxy; nevertheless Caddy, Traefik and nginx do it better than others.

Caddy is extremely user-friendly. Take a look.

omv.home.arpa {
  reverse_proxy 10.0.0.2
}
proxmox.home.arpa {
  reverse_proxy 10.0.0.3
}
serviio.home.arpa {
  reverse_proxy 10.0.0.4:23423
}
portainer.home.arpa {
  reverse_proxy 10.0.0.4:9000
}

All DNS "A" records for your domains should point to the IP of the machine where your Caddy is.
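For reference, an added example of how the same four sites look once certificates come from a homelab CA rather than a public ACME CA, and with the Caddy-to-Proxmox hop itself encrypted and verified. This is not the commenter's configuration: the certificate and key paths, the CA file name, and Proxmox listening on 10.0.0.3:8006 with a certificate issued by that same CA are assumptions.

```caddyfile
# Added example, not the config from the comment above. Assumed: server
# certificates and keys under /etc/caddy/certs issued by the homelab CA,
# the CA root in /etc/caddy/certs/homelab-ca.crt, and Proxmox's web UI
# on 10.0.0.3:8006 presenting a certificate from that CA.

omv.home.arpa {
	# Manually loaded certificate: Caddy skips ACME for this site, which
	# would fail anyway for a .home.arpa name.
	tls /etc/caddy/certs/omv.home.arpa.crt /etc/caddy/certs/omv.home.arpa.key
	# Default upstream scheme is http, so TLS terminates at Caddy and this
	# hop to the backend travels in plaintext on the LAN.
	reverse_proxy 10.0.0.2
}

proxmox.home.arpa {
	tls /etc/caddy/certs/proxmox.home.arpa.crt /etc/caddy/certs/proxmox.home.arpa.key
	# Proxmox serves HTTPS itself; proxy to it over TLS and verify its
	# certificate against the homelab CA instead of disabling verification.
	reverse_proxy https://10.0.0.3:8006 {
		transport http {
			tls
			tls_trusted_ca_certs /etc/caddy/certs/homelab-ca.crt
			tls_server_name proxmox.home.arpa
		}
	}
}

serviio.home.arpa {
	tls /etc/caddy/certs/serviio.home.arpa.crt /etc/caddy/certs/serviio.home.arpa.key
	reverse_proxy 10.0.0.4:23423
}

portainer.home.arpa {
	tls /etc/caddy/certs/portainer.home.arpa.crt /etc/caddy/certs/portainer.home.arpa.key
	reverse_proxy 10.0.0.4:9000
}
```

Without your own CA, the global `local_certs` option makes Caddy issue certificates from its built-in internal CA instead; that root then has to be trusted on every client that talks to these names. Backends that Caddy reaches over plain `http` still get encrypted traffic from clients to Caddy, but the LAN segment between Caddy and the backend is not covered.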

I personally use nginx.

Not exactly a NUC - a fanless MSI Cubi N with Celeron N4000.

Bare metal Ubuntu Server running nginx + docker-compose for everything else.

I asked EODdoUbleU on the parent comment here, but could you please reply to that question as well?

Planning to use Yubikey for one of my subCAs. Do you know a good writeup on OpenSSL+Yubikeys?

Also, which Yubikey slot do you use for storing the cert/pkey?

Finally! A ~~worth opponent~~ fellow who also cares about having proper OIDs and AIA :)

Everything in my LAN is TLS-protected. Primarily because of convenience (no 'unsafe' warnings) and unification (all I do everywhere is TLS). Also for learning purposes (I like challenges). Security comes last here (but is still important to me).

Probably your main threat is not people, but malware. Especially since they are not tech-savvy. Remember how $35M of crypto assets were recently stolen: in the beginning it was a LastPass engineer who did not update his Plex instance.

Probably not your case, but that's what I use for my homelab:

  • OIDplus for keeping OIDs, IPs, .home.arpa subdomains etc.
  • local-only WordPress as a knowledgebase. Today I'd probably choose Bookstack, but it did not exist 11 years ago...
[–] Simon-RedditAccount@alien.top 1 points 2 years ago (3 children)

A DMZ is always recommended in such cases.

> Should I create a sub network and get a raspberry pi to host these apps?

Yes, it's always better. However, Pi may be overpriced now. Take a look at NUC-sized miniPCs, for roughly the same price you'll get much more computing power.

Well, I'm running my own CA/PKI just for the sake of it. Still very useful and more private and convenient for my homelab+.

As for apps themselves, some of them are really useful to me:

  • bookmarks (own software)
  • Samba/WebDAV
  • knowledgebase (WordPress)
  • IoT stuff (own software)

The others are useful, but I still haven't unleashed their true potential:

  • NextCloud+Collabora
  • (photos solution, deciding on it now)
  • Gitea

The third group helps me to run my homelab:

  • OIDplus
  • speedtest
  • monitoring
  • NTP
  • sandboxes/playgrounds
  • (internal mail server, still choosing)

Tried these, but decided not to use them, at least for now:

  • PiHole (using uBlock/MikroTik DNS+firewall for now)
  • Grist