I’ve switched over to using a publicly resolvable domain name, but with a lan prefix (e.g. lan.mystuff.dev) so that I can do DNS challenge Let’s Encrypt certs.
Paired with PowerDNS that acts as an authority for the lan.mystuff.dev domain, I can go to a legit certificate/SSL protected https://sonarr.lan.mystuff.dev URL. If I wanted to, I could add Cloudflare records for the same services exposed through my router (like for vpn.lan.mystuff.dev) so that both internal and external resolution is possible.
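For reference, the TXT records a DNS challenge needs for names under lan.mystuff.dev can be computed as below. This is an added example following RFC 8555 section 8.4 and RFC 7638, not part of the original post; the account key, the tokens and all function names are constructed for illustration.

```python
import base64
import hashlib
import json
from collections import defaultdict

# Constructed sample data: not a real account key or real ACME tokens.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
SAMPLE_TOKENS = {
    "sonarr.lan.mystuff.dev": "constructed-token-aaaa",
    "lan.mystuff.dev": "constructed-token-bbbb",
    "*.lan.mystuff.dev": "constructed-token-cccc",
}
# JWK members that enter the RFC 7638 thumbprint, per key type.
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON of the required members (RFC 7638)."""
    members = {k: jwk[k] for k in THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def challenge_record_name(identifier: str) -> str:
    """Validation name: wildcard label dropped, _acme-challenge prepended."""
    name = identifier.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return "_acme-challenge." + name

def challenge_txt_value(token: str, jwk: dict) -> str:
    """TXT content: digest of the key authorization (RFC 8555, section 8.4)."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())

def txt_records(tokens: dict, jwk: dict) -> dict:
    """Group the TXT values by record name; one name can need several."""
    records = defaultdict(list)
    for identifier, token in tokens.items():
        records[challenge_record_name(identifier)].append(challenge_txt_value(token, jwk))
    return dict(records)

if __name__ == "__main__":
    for name, values in txt_records(SAMPLE_TOKENS, SAMPLE_JWK).items():
        print(name, values)
```

A certificate covering both lan.mystuff.dev and *.lan.mystuff.dev needs two TXT values at the same `_acme-challenge.lan.mystuff.dev` name, and the CA reads them through public DNS, so they have to be served by whichever nameservers the public delegation reaches.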