Self-host your own ACME server. Then you can use certbot pointed there.

These instructions are old so not sure if newer/better ways, https://blog.sean-wright.com/self-host-acme-server/

Sounds like bridge mode is needed for the vm’s network interface in virt.

I would say proxmox ve is easier to start with.

The container method used should be whatever you are more familiar with or prefer. They both have their own quirks, pros, & cons.

SELinux - If you don’t want to deal with SELinux then set it to permissive mode. If you want to keep in enforcing mode you need to create the appropriate policies, https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/configuring-selinux-for-applications-and-services-with-non-standard-configurations_using-selinux

Firewall - If you don’t want it’s protection then look up instructions to stop & disable it on your distro.

Port forwarding - From linux container side you either need to specify host networking or the ports you want to allow through, there is no avoiding that if it needs to be network accessible. If you want it internet accessible then you need to setup port forwarding on your router.

Have you looked into something like yunohost? It may be the kind of thing you’re looking for.

If your router lets you try adding a static route for the tailscale IP/subnet to the laptop with IP forwarding enabled.

This project, https://neko.m1k1o.net/#/getting-started/examples , looks like a good base to try running regular GUI apps via docker & web.

edit: and here’s the git with Dockerfiles, https://github.com/m1k1o/neko-apps

They changed quite a few things between DSM 6 & 7 and unfortunately one of them broke easy use of those USB sticks. I didn’t want to mess with the internal config of the Synology NAS too much so used the VM approach with the HA image and mapped the USB stick to it.