Of course it is. You get to maintain all the server architecture yourself.
I don't have a need to give people public access, but if I did I would set up Authentik and proxy everything through it and hand out usernames to people I want for the whole thing (or per app). You would open only :443 and not worry about a thing.
As a bonus, use Caddy as forward auth, create a wildcard subdomain (Cloudflare DNS supports it), configure Caddy for wildcard domains for sub-sub domains and DNS cert verification via a Cloudflare token. This way nobody even knows your real domain names. Nothing they can see in DNS or certificate transparency logs. (This is my working theory. I haven't actually researched it too deeply, but I am doing it.) You add a new app/site in Caddy's config and everything else is completely automatic. You can even use dynamic DNS with a client or a script that uses the same Cloudflare token to update your IP.
As I said above, you don't even need to have a public IP on this machine. Better if you don't, in case something like Docker or an AI agent accidentally opens a port. (Your router already protects you, but I am talking about if this was on a cloud host or an ISP that gives you real IPs for each of your machines.)
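A Caddyfile sketch of the setup the comment describes (added example, not the commenter's own config): one wildcard site block whose certificate is obtained through the DNS-01 challenge with the Cloudflare token, per-app host matchers gated by Authentik forward auth, and a catch-all that drops everything else. It assumes a Caddy build that includes the caddy-dns/cloudflare module, an Authentik outpost reachable as authentik-server:9000, and placeholder names (home.example.com, jellyfin, notes-app) that you would replace with your own.

```caddyfile
# Reusable snippet for the Authentik forward-auth check (assumed outpost
# address; the URI and headers follow Authentik's documented Caddy integration).
(authentik) {
    forward_auth authentik-server:9000 {
        uri /outpost.goauthentik.io/auth/caddy
        copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email
        trusted_proxies private_ranges
    }
}

# Wildcard site block: the certificate is issued for *.home.example.com via
# DNS-01, so no per-app hostname is ever published in DNS or in a certificate.
# The same CLOUDFLARE_API_TOKEN can drive a dynamic-DNS update script.
*.home.example.com {
    tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }

    # One matcher + handle pair per app; adding an app is only this much config.
    @media host media.home.example.com
    handle @media {
        import authentik
        reverse_proxy jellyfin:8096
    }

    @notes host notes.home.example.com
    handle @notes {
        import authentik
        reverse_proxy notes-app:3000
    }

    # Any other name under the wildcard gets the connection dropped, so
    # guessing subdomains reveals nothing about which apps exist.
    handle {
        abort
    }
}
```

Certificate transparency still records the wildcard entry itself (*.home.example.com), so the parent name is visible; only the individual app labels stay out of DNS and CT.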