I have a similar setup. I use d.rymcg.tech (a configuration manager for Docker, as well as a collection of open source web services and config templates) and have Traefik (reverse proxy) on a Digital Ocean dropet connected to a VM in my home lab through wireguard. This framework allows me to put authentication and authoriation in front of any apps/services I’m hosting (HTTP basic auth, oauth2, mTLS). This setup allows me to control what is allowed access from outside of my home, without opening any ports.
I should add the d.rymcg.tech includes step-ca if you want to host your own CA server, but I agree with @[email protected] : it’s not necessary for securely hosting services, and ir can be dangerous I’d not done carefully.