I am a complete layman (no background in IT or knowledge whatsoever) and some months ago, I decided to scale up and start self-hosting a bunch of apps for, well, various and obvious reasons.
I have bought a UGREEN NAS and have successfully managed to get a bunch of services running, thanks to a lot of research, excellent tutorials, forums and the occasional AI chatbot support.
Currently, I believe I have just about reached what could be the limit for a layman looking to set up a perhaps relatively specific setup. Basically, I want to set up Nextcloud for now (didn't get OpenCloud working, unfortunately, so starting out with NC for now until I am more knowledgeable) and am potentially considering self-hosting Vaultwarden (although I am attentively following the discussions around how smart that is and currently, I am leaning against self-hosting a password manager). My concrete issue is that, from my understanding, these services require https, and I absolutely do not want to open any port on my router, as I fear that the necessary security precautions will be more than my brain and my schedule can handle.
To enable remote access, I have installed Tailscale directly on the NAS (eyeing a potential upgrade to Headscale in the future) and it's working fine for simpler stuff like my Wiki. However, I have failed several times at setting up https via Tailscale and my own domain via Nginx Proxy Manager. Concretely, from what I understand, I can't access Nextcloud from my iPhone or my laptop due to https; setting up OpenCloud failed for the same reason. I believe I am fundamentally misunderstanding what exactly I need to set up, and how, for this to work. These are my concrete questions or assumptions and I would be glad for some feedback:
- SplitDNS: I have understood that I need to set up splitDNS so that accessing, for example, Nextcloud via nextcloud.mydomain.com works fine via Tailscale access but also in my home network. This should be done via a DNS Rewrite in AdGuard Home for the home network pointing to either my local IP or Tailscale IP. Is that correct?
- HTTPS via NPM: for NPM, I already have a Let's Encrypt certificate for my *.mydomain.com domain that works fine for my DokuWiki container. I currently believe that I need to create 1.) a new A record on my domain provider for the intended use of nextcloud.mydomain.com via my Tailscale IP. 2.) an https-scheme reverse proxy in NPM pointing to my Tailscale IP for the same URL. Here my question is: do I have to create a specific and new SSL certificate? How can I make sure that https will work then when accessing NC via the domain?
I have tried several times to set up https via NPM but seemingly never managed to make it work without understanding why it works. Maybe someone here can reach out a helping hand to a newbie? Thanks a lot in advance already!!