Simon-RedditAccount@alien.top 2 points 11 months ago

> Can't you just install this type of app to your phone or pc?

For one instance of app, it's possible to install it onto a single machine.

Things get tricky when you want to access the data from multiple devices. Even trickier, when several people want to access it. After a certain point, it's easier to have a "cloud" solution. And since "cloud" is just somebody else's computer, why not make this a computer YOU own?

Simon-RedditAccount@alien.top 1 points 11 months ago

Lack of time or interest (or both) in: managing local DNS, using .home.arpa and running own CA.

It's tricky (especially running your own CA in a proper way), and not everyone wants to do it. Also, running it in a proper way requires knowledge, and some people don't have it...

Actually, distribution of your root CA certificate is not that difficult.

NOTE: this addresses strictly OP's question about LAN-only access. External access or varying devices used to access is a completely different story.

Simon-RedditAccount@alien.top 1 points 11 months ago

> Do you monitor network traffic?

Generally, no. But I seriously restrict container networking, most of my containers are unable to reach internet, unless absolutely necessary. Also, my firewall is not super-restrictive, but it is different from defaults :)

Sometimes I do some monitoring though.

Simon-RedditAccount@alien.top 1 points 1 year ago

Yes, there are risks:

  • First, updates can break things. Already explained here.
  • Second, exposing Docker socket to Watchtower means you have to trust it ultimately. Any vulnerability in WT can lead to whole system compromise.

Personally, I use DIUN. It just sends me notifications about available updates. I update things manually later. My system is pretty well isolated from outside world, so no need to hurry.
On a VPS, I would prefer a different approach though.

Simon-RedditAccount@alien.top 2 points 1 year ago

  • good-looking domains instead of IPs
  • tons of subdomains instead of ports
  • universally recognized TLS certs via Let's Encrypt. DNS challenges are the way to go - you don't even have to expose your HTTP server
  • dynamic DNS, again available via API
  • inbox@yourdomain.com (better not to self-host, but to use an email provider)

Simon-RedditAccount@alien.top 1 points 1 year ago

Consider adding a couple of screenshots or even a small sped-up GIF to the GitHub, right at the top. Also, GDrive video is loading extremely slowly, better host it on YouTube/Vimeo.

Congrats!

Simon-RedditAccount@alien.top 1 points 1 year ago

Knowledgebase + OIDplus + scripts/configs in git repo.

I chose local instance of Wordpress for my knowledgebase a decade ago. Today I'd probably use Bookstack.

Simon-RedditAccount@alien.top 1 points 1 year ago

Not exactly a NUC - a fanless MSI Cubi N with Celeron N4000.

Bare metal Ubuntu Server running nginx + docker-compose for everything else.

Simon-RedditAccount@alien.top 2 points 1 year ago

Everything in my LAN is TLS-protected. Primarily because of convenience (no 'unsafe' warnings), unification (all I do everywhere is TLS). Also for learning purposes (I like challenges). Security is in last place here (but is still important to me).

Probably your main threat is not people, but malware. Especially since they are not tech-savvy. Remember how $35M of crypto assets were recently stolen: in the beginning it was a LastPass engineer who did not update his Plex instance.

Simon-RedditAccount@alien.top 1 points 1 year ago

Probably not your case, but that's what I use for my homelab:

  • OIDplus for keeping OIDs, IPs, .home.arpa subdomains etc
  • local-only Wordpress as a knowledgebase. Today I'd probably choose Bookstack, but it did not exist 11 years ago...

Simon-RedditAccount@alien.top 1 points 1 year ago

A DMZ is always recommended in such cases.

> Should I create a sub network and get a raspberry pi to host these apps?

Yes, it's always better. However, Pi may be overpriced now. Take a look at NUC-sized miniPCs, for roughly the same price you'll get much more computing power.

Simon-RedditAccount@alien.top 1 points 1 year ago

Well, I'm running my own CA/PKI just for the sake of it. Still very useful and more private and convenient for my homelab+.

As for apps themselves, some of them are really useful to me:

  • bookmarks (own software)
  • Samba/WebDAV
  • knowledgebase (WordPress)
  • IoT stuff (own software)

The others are useful, but I still haven't unleashed their true potential:

  • NextCloud+Collabora
  • (photos solution, deciding on it now)
  • Gitea

The third group helps me to run my homelab:

  • OIDplus
  • speedtest
  • monitoring
  • NTP
  • sandboxes/playgrounds
  • (internal mail server, still choosing)

Tried these, but decided not to use, at least for now:

  • PiHole (using uBlock/MikroTik DNS+firewall for now)
  • Grist