I think you're misunderstanding the objective. I don't want most of my services (e.g., personal finance, photos, Plex, etc.) to terminate at a public IP; that's the whole point of the private network in the first place. So for those explicitly private services, we now need DNS and TLS, and in the latter case ideally something like LetsEncrypt so you don't have to manually rotate your certs (but the normal verification methods don't work because your service isn't accessible to LE in the first place--maybe you can run some bastion/proxy?).