I’ve been researching zero-trust for my homelab recently and I’m considering OpenZiti instead of Cloudflare since I think it can all be self-hosted. The BrowZer from OpenZiti is especially interesting to me. The fact that I’m behind CGNAT is a hurdle though.
https://github.com/rsmsctr/vaultwardenGuide
It doesn’t cover backups though. It uses Caddy instead of NGINX, and it uses DuckDNS to point a subdomain to your private IP address of your Vaultwarden server, so it will only be accessible in your LAN.