Thanks for the detailed response, great to learn from people who know this stuff in such depth.
The private CA option does sound quite appealing. I guess it’s not the biggest data leak for people to know that I use internal services and perhaps some of their names (I would want a wildcard approach I think for convenience so that slightly decreases the problem) but I would of course rather avoid it.
So I guess it comes down to just how difficult/time consuming it is to set up and use compared to the public DNS approach. Can you go into more detail on how this would work and how I can set it up using OPNsense? I currently use Unbound for all my local services as DNS. Are there any other downsides to this approach to be aware of or just straight up preferred for my relatively simple use case?
For the most part I am wanting to access services running on other servers from one central access VM server. So does that mean I only need to setup one certificate and store it in that one trust store potentially? Eg. For accessing the Proxmox web admin GUI running on another server.
Regarding the basic vs forward auth question:
To clarify, I am only wanting to access services from within the same local network from home. No access required from the Internet and so I don’t want to open/forward any ports. My question was more around the need for auth at the Caddy level at all. I had the impression that I could still type the ip and port into my web browser as usual and bypass Caddy’s domain name resolution stuff and hence its basic auth too. But I think you are suggesting that is not the case?
In either case, I do like the idea of an added security layer to stop attackers moving within my network. Most services have their own authentication ( eg. Proxmox admin page) but it could be good to have another layer Eg. With Authelia as you suggest. I would just need to work out if that would complicate future automation attempts. Mostly I imagine I can handle those jobs by communication between servers with ssh though, rather than needing direct service access, so it’s probably all good!
Thanks for your help!