watchdog_timer

I could be mistaken, but I believe Cloudflare doesn't allow second-level subdomains on their free plan

Yes, there are many different ways you can accomplish this.

I would be more interested in an smtp relay service like ghettosmtp which could tunnel through CGNAT.

I don't think so. (I've asked about this on Cloudflare's forum in the past.) You can host a mail server at home, but not through a Cloudflare tunnel. A domain's MX record for its mail server must point to an A or AAAA record, but a Cloudflare tunnel can only be specified using a CNAME record.

I haven't tried it, but there's a Nextcloud app called Skyprint

Has anyone tried Sentora or CloudPanel?

Are you connecting to NPM over a Cloudflare tunnel, or is Cloudflare only handling your DNS?

What error messages are you getting in your tunnel's error logs? You can view the live logs by going to Zero Trust -> Access -> Tunnels on your Cloudflare dashboard. Click on your tunnel's name, then the connector ID, then "begin log stream".

Or, from the command line, you can add the flag --logging DEBUG to your cloudflared application at start.

After enabling logging using either of these methods, try to load your site in your browser and see what error you're getting.

Are you wanting to enable this setting in NPM so https addresses will work on your local network? I ask because the tunnel already encrypts the traffic outside your network. Changing your tunnel's forwarding address from http://nginx:80 to https:nginx:443 only encrypts the traffic between the cloudflared and NPM daemons running on your computer. It really isn't necessary since it's internal to your server.

If that's the reason why, did you install a certificate in NPM that's specific for your domain?

i haven't used prosody, but it appears you can create your own client certificate using Cloudflare then manually install it in prosody

I self-host incoming mail and send outgoing mail using Mailjet's free plan to ensure deliverability. I've used them for several years and found them very reliable. Occasionally our outgoing mail is routed to spam despite having our DKIM and SPF records set per Mailjet's instructions. I'm not sure anyone else would be consistently better based on emailtooltester.com's annual deliverability reports. Their maximum attachment size is 15 MB, but they don't recommend anything over 5 MB, as some providers block anything larger than that (which I've found to be true).

How is their system currently set up? Do they print to a network printer? What outputs the PCL file, and what happens to it?

linuxserver.io has a reverse proxy container called SWAG that integrates fail2ban with an Nginx reverse proxy. You could set that container up as a proxy to your other containers, then point your Cloudflare tunnel to the reverse proxy. I'm in the middle of setting this up on my own homelab, so feel free to reach out if you have any questions.