Securely accessing self-hosted apps locally, while online or offline, and remotely using the same hostname URLs

[Enixile]

My spouse and I would like to be able to securely access our self-hosted apps such as Home Assistant and Jellyfin locally, while online or offline, and remotely using the same hostnames URLs (without specifying IPs or ports). Also, I'm interested in SSO and ad-blocking. Could someone please help me understand the best option(s) to achieve this? I've been reading about and experimenting with various technologies such as Wireguard, Tailscale, SWAG, Authelia, Cloudflare, and NextDNS, but I haven't been able to figure out the right combination and want to avoid spending too much time or money on something that won't ultimately work. For example, it seems that Tailscale could support most of these requirements, but it won't work offline. Would Wireguard + SWAG + Authelia + NextDNS work, or am I missing another gap? I haven't purchased my domain yet, and I see that Cloudflare has features such as tunnels that may be another option, but I'm not sure how everything else fits in, and it seems that using streaming apps such as Jellyfin violate their TOS. I would appreciate any guidance. Thanks!