I had a double NAT setup like that. Run a firewall like OPNSense as a Proxmox VM, and give it a WAN interface on the ISP router’s IP range; then run everything else on a different subnet, using OPNSense as the gateway. On the ISP router, put OPNSense’s WAN IP in the DMZ. Then, do all your hardening using OPNSense’s firewall rules. Bonus points for setting up a VLAN on a physical switch to isolate the connection.

The ISP router will send everything to OPNSense’s WAN IP, and it will basically bypass the whole double NAT situation.

The orange menace apparently just defunded it so we’ll see

Does Caddy use certbot to do the renewal? A long time ago DNS was a pain but now it seems like a lot of providers are supported.

Rosanne Barr? The one who did the crotch-grabbing Star Spangled Banner in the early 90s and got fucking shredded by the rednecks and conservative Christians? How the fuck did she end up being a pied piper to their crazy?

If you are really looking for hassle-free this is it. LetsEncrypt root certificates are already trusted by most devices so when your friends come over and wanna control the media library or whatever you don’t need to install your locally hosted CA’s self-signed certificates on their phone.

Also certbot and a cron or systemd timer is all you need; people have rolled all these fancy solutions but I say keep it simple.

There are very few Americans who aren’t confused and outraged at this administration’s treatment of Canada

It’s like the orange asshole though the snark in the South Park movie was serious