I’ll admit I’ve only really been doing all of this fun self-hosting stuff for about 4 years now but I have been learning computer since Apple II. With my local fiber internet I have a static IP address and seem to have no barriers to expose my hosted websites to the internet. I’ve never used cloudfare and can’t imagine why I would need it. Use NGINX reverse proxy manager at both home and work. Some people have to jump through all these hoops and I’m just curious to know what situations necessitate all the extra hassle.
You are self hosting probably open source stuff you found on GitHub. It’s probably not commercial but community based. I support opensource but they don’t have as much resources to make sure the services are fully secure. That’s one thing.
The second thing is you like tinkering but you probably haven’t researched anything about cybersecurity, it’s a full time job.
The only sliver of hope you have when opening a service online is to hide your ip and setup some access rules. You chose to not even do that.
If you hook up cloudflare tunnels, you’ll quickly notice how many bots check your ip/domain, all the freaking time.
I use their WAF rules extensively to limit access to my server to a few IPs for my family and friends.