What I’m trying to do:

I’ve recently set up a home media server (Jellyfin, Radarr, Sonarr, etc.) and would like to be able to give external access to the Jellyfin server to a few family members. Additionally, I’d like to establish an internally and externally accessible dashboard (probably using Homepage) that facilitates access to various services (e.g. Sonarr, Radarr, qBittorrent), as well as Frigate’s dashboard, and allows access to a separate Home Assistant box’s dashboard.

Ideal set up:

The dashboard would be accessible through https://dashboard.lemtrees.com/. Individual services would be accessible directly through https://<service>.lemtrees.com/ (e.g. https://sonarr.lemtrees.com/). Access to this dashboard should be safe and secure, and accessible from anywhere (i.e. not just my phone or a pre-approved device) if possible. Access to this dashboard would facilitate access to the Home Assistant box’s HA dashboard.

The external Jellyfin access needs to be rather simple, so ideally I could tell my family members to just install the Jellyfin app and point them to https://jellyfin.lemtrees.com/. It is my understanding that this traffic should not go through Cloudflare in order to not violate their TOS.

Current set up:

  • Domain
    • I have a domain name I wish to use (not actually lemtrees.com) through Namecheap.
  • Internal network config
    • Outside -> Comcast router (in Bridge Mode) -> Google Home wi-fi router
      • Wi-fi devices (e.g. phones)
      • 8-port Netgear switch (Ethernet devices)
        • “Media Server” PC
        • “Home Assistant” Intel NUC PC
        • Personal PC
        • Various device gateways (e.g. Philips Hue, Lutron Caseta)
      • (Note: The Google Home app is used to establish DHCP IP reservations / static IPs)
  • “Home Assistant” Intel NUC PC
    • Home Assistant OS (handles home automation)
    • PiHole (currently used to resolve “mediaserver” as the correct IP address internally)
    • Updates a DuckDNS entry (which isn’t presently used)
    • (Note: Home Assistant dashboard is not presently accessible externally but I would like it to be)
  • “Media Server” PC
    • Runs Debian
    • Hosts media (one SSD for the OS/etc, multiple HDDs for media storage)
    • Runs Jellyfin server
    • Runs the *arrs, like Sonarr and Radarr
    • Runs NordVPN
    • Runs qBittorrent (network access bound to NordVPN)
    • (Note: Presently do NOT have Docker installed but will)
    • Frigate NVR
      • (Note: Not yet installed/configured, will get set up on Docker)
      • Will provide Wyze cam access and recordings
      • Will stream one Wyze cam to Twitch

What am I after?

Please recommend how to get from where I am to my “ideal set up”. I’ve been reading and frankly just feel a bit overwhelmed. Lots of people want to make things complex just for the challenge of setting it up, but I do that kind of thing all day at work, and here I just want the easiest-to-set-up-and-maintain solution available.

Everything I read seems to have some reason why it won’t work, but I may be misunderstanding some of them and especially how they work together. Cosmos Server seems to require that all of my apps be in Docker containers (which isn’t the case), Tailscale seems to require that I set up a VPN for whoever wants to use it (not an option for family or for getting to my dashboard from a work PC), Authentik might work for the dashboard (but not all of the apps support SSO) but not for a Jellyfin server, etc. I’m still wrapping my head around setting up a reverse proxy, a VPN tunnel or Cloudflare or something (or just somehow using my NordVPN connection?), not needing to forward ports, etc.

I would greatly appreciate any assistance in wrapping my head around a straightforward way to get my “ideal set up” working.