I know what you mean but using real self-signed certificates (i.e. no CA at all) with modern browsers causes so many issues I find them unusable.

I’ll mention this as no one has yet but you can be your own CA. Tools like mkcert make it easy

https://github.com/FiloSottile/mkcert

This is potentially more hassle (than using public DNS) as you have to get your CA certs onto every device. However it may be suitable depending on the situation.

You can do the same with GitLab as another option, it supports custom domains too.

Home Assistant can do shared lists and (I’ve not used them) but has some recipe add-ons. There are apps for android and iOS. It can also take care of managing the dynamic IP. Then if you want to explore home automation in future you’re ready to go.

In that case I’ll also mention that Powershell has a secure-string that allows you to load secrets from encrypted file/user input. I believe it’s secured by the user’s login/session like secret-tool. They are even remain encrypted in memory so they can’t be snooped on.

Two more options you might consider:

• secret-tool - like a vault that unlocks when a user logs in to their session. This shifts the problem to keeping the user’s login credentials secure but depending on your setup that might be preferable. Just be aware the once unlocked any process could access the vault in theory (I wish they’d add access controls…)
• podman secrets - so you can securely provide secrets to containers. You can set these once securely then nothing except processes in the container can get them.