Grafana, fronting information from Prometheus, Loki and Telegraf/influxdb since I’m used to that from work and has been a bit more set and forget compared to node_exporter. Easier to add in plugins as well instead of a new container/service to scrape.
I have rokus and use a pihole plus NAT routing rules to force them to not use hard coded DNS so they can’t reach their APIs and most ad domains and while not perfect I don’t see many ads. Maybe the odd poster scrolling around to get to Plex or Netflix
I think the simplest setup is keeping all the apps and services on the local network and doing something like this guide so they are always behind a VPN. Then setup another VPN on unraid or another device to access from outside the local network. There are plenty of other guides for unraid and Plex and the arr stack out there, unraid is just what I use but can use whatever OS you would prefer.
https://unraid-guides.com/2021/05/19/how-to-route-any-docker-container-on-unraid-through-a-vpn/
I use Kavita and KavitaEmail to organize and have a frontend for my books, and the latter to email them to my kindle if it’s not on there yet. My kavita container is stopped most of the time because I already know what I’m going to read next and just need it up to sync or send new books.
Used to just have my library I exported from Amazon and ebooks com on a single folder on my NAS, kavita helped clean it up a bit.
I also tried audiobookshelf but mostly for audiobooks and podcasts and didnt quite fit my workflow I already had and liked using kavita and Antennapod.
Fair, I was more thinking from the server side not the client side where cloudflare certs are the ones seen first.
I have a cloudflare tunnel setup for 1 service in my homelab and have it connecting to my reverse proxy so the data between cloudflare and my backend is encrypted separately. I get no malformed requests and no issues from cloudflare, even remote public IP data in the headers.
Everyone mentions this as an issue, and I am sure doing the default of pointing cloudflared at a http local service but it’s not the ONLY option.
Also posted it because unraid is not moving solely to annual subscriptions as your title and others have indicated. Previous pro and other fully included lifetime subs are just increasing in price and a lower tier is coming in to place.