by vladvasiliu 1508 days ago
Fair point.

It's true that in my case, one of the first things I did was set up DNS. My lab also has a public domain name that I manage through Cloudflare, which also gives me easy SSL [0] for my services.

---

[0] "easy" as in I don't have to have an open port for Let's Encrypt. And I'm also uncomfortable with giving full DNS access to every service, because I haven't yet found a registrar with sane access control for zone management.

2 comments

I've never tried this before, but take a look at https://www.eff.org/deeplinks/2018/02/technical-deep-dive-se..., specifically the CNAME and ACME-DNS methods.
I was familiar with the CNAME workaround, but it's not practical, since I'd have to manage X different zones, one for each redirection. I thought about abusing DuckDNS or something similar for this, but I figured it wouldn't be fair, so I never did.

At one point I set up an internal Smallstep CA [0], which kinda worked but was pretty fragile, so I abandoned it.

I didn't know about ACME-DNS. It looks interesting, but for the time being tunneling everything through Cloudflared works well enough for my needs.

[0] https://smallstep.com/

So what I did was put acme-dns on a publicly accessible server I have, and use DNS zone delegation to that, as, like you, my provider basically gives you an all-or-nothing API key as far as DNS access goes.
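As an added illustration of the CNAME-plus-delegation setup discussed in this thread (not code from any commenter or from the acme-dns project), the following constructed simulation shows why the ACME client then only needs write access to the delegated subzone. The zone names, the NS target and the CNAME label are assumptions for the example.

```python
# Added example, not code from the thread. Simulates how a DNS-01 lookup for
# _acme-challenge.<host> reaches a delegated acme-dns zone, so the ACME client
# only ever needs write access to that subzone. All zone data is constructed.

MAIN_ZONE = "example.com."          # assumed: managed at the registrar, never written by ACME
ACME_ZONE = "acme.example.com."     # assumed: delegated by NS to a self-hosted acme-dns

# Constructed zone data: {(owner, rtype): [values]}
ZONES = {
    MAIN_ZONE: {
        (ACME_ZONE, "NS"): ["ns.acme-dns.example.net."],              # delegation (assumed name)
        ("_acme-challenge.host.example.com.", "CNAME"): ["d420c923.acme.example.com."],
    },
    ACME_ZONE: {},   # acme-dns writes TXT records here only
}

def zone_for(name: str) -> str:
    """Longest-suffix match: which zone is authoritative for this owner name."""
    return max((z for z in ZONES if name == z or name.endswith("." + z)), key=len)

def publish_challenge(name: str, token: str) -> str:
    """Place the DNS-01 TXT record. Follows the CNAME first, then writes into
    the zone that owns the final target. Returns the zone actually written."""
    target = name
    cname = ZONES[zone_for(target)].get((target, "CNAME"))
    if cname:
        target = cname[0]
    zone = zone_for(target)
    if zone == MAIN_ZONE:
        # Least privilege: the client holds no credentials for the main zone.
        raise PermissionError(f"refusing to write {target} into the registrar-managed zone")
    ZONES[zone].setdefault((target, "TXT"), []).append(token)
    return zone

def resolve_txt(name: str, hops: int = 0) -> list[str]:
    """Resolver view: follow up to 8 CNAMEs, then return the TXT values found."""
    if hops > 8:
        raise RuntimeError("CNAME chain too long")
    recs = ZONES[zone_for(name)]
    cname = recs.get((name, "CNAME"))
    if cname:
        return resolve_txt(cname[0], hops + 1)
    return recs.get((name, "TXT"), [])

if __name__ == "__main__":
    written = publish_challenge("_acme-challenge.host.example.com.", "constructed-token-1")
    print(written, resolve_txt("_acme-challenge.host.example.com."))
```

A host without the CNAME would force a write into the main zone, which the example refuses; that is the case the all-or-nothing API key would otherwise expose.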