DNS challenge with a reverse proxy is the answer. I’ve been doing this for a while now and it works great. Most other answers here are workarounds or not very robust.
This is the way: https://youtu.be/liV3c9m_OX8
I do this with Authentik for SSO.
I have local-only things like Vaultwarden and external things like Seafile.
Yes.
Vaultwarden.local.example.com
And
Jellyfin.example.com
This is the best and most robust way to do this