Just want to chime in and say I finally have it working. Thank you to everyone who offered tips! I know this is baby steps stuff for a lot of people here, but I’m going to post my solution in case any other noobs like me come across this thread in the future.
Traefik internally for reverse proxy of all resources I want named and given certifications (man, that was a difficult one to get working, maybe go Caddy). Cloudflare DNS-01 challenge to pull Let’s Encrypt certs (which works no matter where your DNS records are pointed, took a while to understand that).
Initially I tried to use Adguard Home for local DNS rewrites but had all kinds of issues that I still can’t explain. I finally gave in and switched to PiHole and now it’s working (possibly due to the way PiHole has options for DNS and CNAME records?).
PiHole doing internal DNS records, and my Unifi gateway set to look at PiHole as primary DNS. The (most frustrating for me) trick was figuring out how to configure PiHole correctly. For local PiHole DNS records, there is only one, traefik.mydomain.com > 192.168.1.X (Traefik address)
The rest of the services are individually set up as CNAME records in PiHole pointed to the Traefik URL, such as: home-assistant.mydomain.com > traefik.mydomain.com. I don’t know how many videos and Google searches it took to make this sink in. I was hoping a wildcard would work here to save a bunch of typing, but no such luck, I have to enter them all individually.
Once that’s working and all resources are available locally, even with the internet down, it’s time to work on external access. Cloudflare wildcard DNS records are pointed to the Pangolin on VPS. Newt sits locally to make the tunnel work. Pangolin is pointing resource URLs to the Traefik URL again (service.mydomain.com > traefik.mydomain.com), with TLS enabled.
Gotchas that cost me a lot of wasted time: browser DNS caching. Use private windows and close them periodically to flush cache. If you’re on Mac and primarily use Safari, but want to test in other browsers, make sure you go into the macOS security settings and allow Firefox/Chrome/etc. to have local access to discover devices. I had no idea this setting would prevent webpages on local servers from loading. I about pulled my hair out. Oh, and probably just go Caddy unless you hate yourself and want to waste days learning how Traefik works for no good reason!
Hope this helps. Also, feel free to chime in if there is a better way to do this stuff.
My next step will be trying to get this all working with Netbird or maybe Headscale, and PocketID or Authentik.
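The layout described in this post (one local A record for the reverse proxy, every service name a CNAME to it) is easy to get subtly wrong, so here is an added example, not the poster's own files or any Pi-hole/dnsmasq code, that parses records in the two text formats Pi-hole uses for custom entries ("ip hostname" lines for A records and dnsmasq-style "cname=alias,target" lines for CNAMEs), follows each CNAME chain the way a resolver would, and reports aliases that do not land on the proxy address. It goes a little beyond the post by also catching the two failure modes that silently break local resolution: a dangling CNAME whose target has no record, and a CNAME loop. All sample records are constructed, and 192.168.1.50 stands in for the poster's 192.168.1.X.

```python
"""Audit a Pi-hole style local-DNS layout where every service name is a
CNAME to a single A record for the reverse proxy. Added example; the
record text below is constructed, not taken from a real Pi-hole install."""
from __future__ import annotations

# Constructed sample in Pi-hole's custom A-record format: "<ip> <hostname>".
CUSTOM_LIST = """\
# local A records
192.168.1.50 traefik.mydomain.com
"""

# Constructed sample in dnsmasq's custom CNAME format: "cname=<alias>,<target>".
CUSTOM_CNAMES = """\
cname=home-assistant.mydomain.com,traefik.mydomain.com
cname=grafana.mydomain.com,traefik.mydomain.com
cname=loop-a.mydomain.com,loop-b.mydomain.com
cname=loop-b.mydomain.com,loop-a.mydomain.com
cname=orphan.mydomain.com,nowhere.mydomain.com
"""


def _clean(raw: str) -> str:
    """Strip '#' comments, surrounding whitespace, and normalise case."""
    return raw.split("#", 1)[0].strip().lower()


def parse_custom_list(text: str) -> dict[str, str]:
    """Map hostname -> IPv4 from 'ip hostname' lines; blanks/comments ignored."""
    records: dict[str, str] = {}
    for raw in text.splitlines():
        line = _clean(raw)
        if not line:
            continue
        ip, name = line.split(None, 1)
        records[name.rstrip(".")] = ip
    return records


def parse_cnames(text: str) -> dict[str, str]:
    """Map alias -> target from 'cname=alias,target' lines."""
    aliases: dict[str, str] = {}
    for raw in text.splitlines():
        line = _clean(raw)
        if not line.startswith("cname="):
            continue
        alias, target = line[len("cname="):].split(",", 1)
        aliases[alias.strip().rstrip(".")] = target.strip().rstrip(".")
    return aliases


def resolve(name: str, a_records: dict[str, str], cnames: dict[str, str],
            max_hops: int = 8) -> tuple[str, list[str]]:
    """Follow CNAMEs until an A record is reached.

    Returns (ip, chain). Raises LookupError on a dangling target (no A or
    CNAME record), on a CNAME loop, or when the chain exceeds max_hops.
    """
    chain = [name.lower().rstrip(".")]
    seen = set(chain)
    while chain[-1] not in a_records:
        nxt = cnames.get(chain[-1])
        if nxt is None:
            raise LookupError(f"dangling chain {chain}: {chain[-1]} has no record")
        if nxt in seen or len(chain) >= max_hops:
            raise LookupError(f"CNAME loop or chain too long: {chain + [nxt]}")
        seen.add(nxt)
        chain.append(nxt)
    return a_records[chain[-1]], chain


def audit(a_records: dict[str, str], cnames: dict[str, str],
          proxy_name: str) -> dict[str, str]:
    """Per alias: 'ok' if it resolves to the proxy's IP, else why not."""
    proxy_ip = a_records[proxy_name]
    report: dict[str, str] = {}
    for alias in cnames:
        try:
            ip, _chain = resolve(alias, a_records, cnames)
            report[alias] = "ok" if ip == proxy_ip else f"resolves to {ip}, not the proxy"
        except LookupError as exc:
            report[alias] = f"broken: {exc}"
    return report


def audit_sample() -> dict[str, str]:
    """Run the audit over the constructed sample records above."""
    return audit(parse_custom_list(CUSTOM_LIST), parse_cnames(CUSTOM_CNAMES),
                 "traefik.mydomain.com")


if __name__ == "__main__":
    for alias, status in audit_sample().items():
        print(f"{alias:32} {status}")
```

Running it prints "ok" for the two service aliases and a "broken" line for the loop pair and the orphan, which is exactly the kind of entry that makes one service fail while its neighbours keep working. Pointing the parsers at the real files on a Pi-hole host is left to the reader, since their locations vary by Pi-hole version.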