Full disclosure, I'm pretty new to selfhosting myself, and I haven't written a guide like this before, but hopefully this scatterbrained writeup is enough for someone out there lmao

This is just what works for me and how I set it up. Always open to ideas for improvement as well.

I'll preface by saying networking and especially netsec are arguably my weakest areas in all of this.

Been running a home server (technically 2 since my NAS is a separate box) for about 3 months ago with about 40 services running. Works great. It's almost entirely for myself while my wife uses a few things here and there. Remote access has been perfectly fine through Wireguard - I have a chained VPN setup where wg-easy allows LAN access while also tunneling outbound traffic through Proton, mostly because Android devices don't let you use multiple VPNs at a time and I didn't want to keep switching back and forth.

But I realized it'd be nice to have a few services more accessible. Sharing photo albums and jellyfin with family, and my wife wants a music stack and audiobooks for herself - teaching her Wireguard was easy, but it'd be more convenient to just not have to remember to that.

So here's the barrage of questions.

1. Pangolin seems undoubtedly the best way to do this. I plan to set up a VPS running Pangolin and Headscale (I've already done the latter once, got it working perfectly before learning it doesn't really work when running on the same network you want to remotely access, oops)

2. What's the trick for DNS? I do run Pihole + Unbound but I really haven't touched the configuration for the latter much. From what I understand I can "override" my domain in Unbound to point to the local IP? If that's the case, any guidance to the exact configuration/syntax needed would be very helpful.

3. I obviously don't want to expose everything. I assume I can keep running Caddy locally, while only proxying what's necessary on Pangolin's end? I'm currently using a Cloudflare DNS record pointed to my private IP to skirt around certificate bullshit, last time I tried Caddy's internal cert I got an annoying "are you sure??" prompt when trying to access any subdomain, and I'd like to avoid that, so I'm not sure what the Caddy reconfiguration would involve here to prevent that prompt without manually installing the cert on every single device and browser.

4. What would I need to look at for security? I did see Crowdsec is bundled with Pangolin. Is that sufficient? Can I set up geoblocks on the Pangolin end? And regarding docker networks, I assume it would be best practice to keep any exposed services on their own isolated networks? What about ufw, is there any specific approach to setting that up?

5. I mentioned Headscale in passing - I plan to ditch wg-easy and move to a tailscale setup to remotely access any services that I don't expose through Pangolin. Last time I dabbled with it it seems simple enough, and I liked Headplane for a UI. Any gotchas I should worry about? I'd be able to close the Wireguard UDP port I had to forward for wg-easy, right? Could I route Headscale through a gluetun container to achieve a similar chained VPN setup as I have now?

6. Authentication - I have Authelia OIDC configured for every service that supports it, and a forwardAuth in caddy for anything that doesn't. How would this play together with Pangolin, which from what I understand has its own authentication system?

Any advice would be much appreciated. This would be a huge change to the way I'm currently running this thing, but would be a worthwhile upgrade for sure.