Think of this like any specialty skill. It’s hard the first time but will quickly become second nature. But first you have some homework…

If you have a way to section off your network and understand how to expose service’s to the web you are off to a great start from the networking side.

For the ssl cert. As others have mentioned it’s time to go read up on how DNS works. You don’t need to go super technical (yet, if ever) - but getting you head around DNS delegation and registers will answer all the questions you have here. The super TLDR is you “buy” a domain and tell your register where they can tell others to find the records for that domain. Once you can prove you own the domain you can get certs. There are a bunch of options going this path, I’m most familiar with the enterprise grade choices (aka super expensive) so am not the best to recommend something for someone starting out.

Now for VMs. I’m sorry to say it’s homework time. You have three primary choices: everything in a full VM, everything in containers or a mix. If your interested in having a GUI (learn the cli when your comfortable) then I’m going to recommend you look at two different technologies: proxmox (it’s overkill but might be what you want) or virt-manager.

I was curious what distro you folks might recommend for this purpose.

This is a bit like going to an automotive forum and asking “what’s the best car to buy”. You’re going to get a lot of “I’m running <blank>” and people telling you their preferences, which is NOT the answer to your question. The answer to your question is that literally any of them would be fine for your purposes. If you’re happy with Bazzite then stick with Bazzite. There’s no reason to switch.

If I have to manage it entirely by command line, it will take 10 times longer for me to do anything I want to do, and I’d really prefer a GUI.

Then use a GUI. The extra memory used is trivial and your system will be way over-powered for a reverse proxy to a home network anyway. In Linux land there’s really no such thing as a “server distro” and a “desktop distro” for the most part. I use Ubuntu, Debian and Fedora as servers. They can all have desktops on them too.

You may find, however, that as you manage more than one system it becomes tiresome/tedious to have to use RDP for remote administration and may start learning the CLI over time. Especially since it’s often a lot easier to give somebody a list of commands to run on a forum than to say “open your network manager, which is different on Gnome from KDE, click the button that says…”.

I need something that can sit there without updating until I tell it to

Are you going to update frequently? You want to be sure you’re keeping security patches up-to-date. Auto-patching can be very good unless you have the discipline to keep up with it.

I need a domain for that, and a lot of tutorials just skip on past this step in the domain configuration screens where you “enter your DNS servers” as though I know why I’d need other DNS servers,

You’ve got a bit of reading on how DNS works. But basically there are “root DNS servers” that everybody knows by IP address that then know about other DNS servers by IP and forward traffic to them to resolve names. When you register a domain you are asking one of those DNS providers to resolve your hostname to your IP address. You can see this a bit by running dig +trace some.host.name and it will show the requests made. Your DNS servers would be the ones where you register your domain.

BUT your IP address may change. So you generally need a way to update it if it does. There are providers like dyndns.org and others (search for dynamic domain service or something) that will give you a sub-domain for free/cheap and tools to auto-update it. Something like “mysite.dyndns.org”.

I find that Debian is the go to for a stable OS. There are others for self hosting like casaos or Talos but I am a vanilla Debian man myself.

Portainer or Podman can be used to manage containers with a GUI compared to the cli.

As for proxies I use Traefik as a reverse proxy for all my Docker containers. It integrates with CertBot so it auto renews Let’s Encrypt certs.

You don’t need to buy a domain, you can use a self signed cert and install that cert onto your machine to not get cert warnings.

@ampersandrew stock Debian and apache for the win

I’m not sure what order to do those steps in: DNS servers, buying a domain, getting certs, configuring reverse proxy.

You have a lot of avenues and approaches available to you. Caddy has been a mainstay for some users. Setting up Caddy with letsencrypt is fairly straight forward. Traefik, Pangolin, Nginx, HAproxy are good candidates. Pangolin being a self-hosted tunneled reverse proxy. You could also go with the Cloudflare Tunnel/Zero Trust route. You will have to have a domain name that you can change the nameservers on to the ones Cloudflare assigns you. Most people get a cheapo domain name from NameServers or Pork Bun. From there, you install Cloudflare Tunnel/Zero Trust on your server, and connect to your Cloudflare account. The beauty of Cloudflare Tunnel/Zero Trust is that you don’t have to fiddle with opening ports and such, other than port 22 to admin the server. Cloudflare takes care of all of that.

I’m not sure what OS to put on it.

I run Ubuntu Jammy server, but there are other options. Is it imperative you have a GUI? I realize that the CLI can be daunting, but it is quite effective. I guess you could have a desktop OS to serve up services tho I’ve never done that. I’ve always just used the minimal server install of Ubuntu, then add whatever I needed later. As far as an OS recommendation, I’m a fan of Ubuntu. Mainly because that’s what I started with so I know how to drive that bus fairly well.