It’s generally fine to open it up, if your somewhat know what you’re doing. I wouldn’t do it without some protection measures like fail2ban and making sure HA is always up to date.

Nabu Casa, the manufacturer of HA, has a paid option where they take care of publicly accessing your local HA instance. I think that’s a good solution as well. It includes backups on their servers.

A good, simple solution is Cloudflare.

Why? Because you can lock it down to specific people, for example only to those who have these 4 email addresses.

They need to enter the code received via email ever month or so. Everyone else, no code no access.

I use nginx proxy manager and then a cloudflare to protect my actual IP

I’ll add pangolin to the list of things to think about trying. It was relatively easy to set up and it can run locally or on a vps. If it’s on a vps you dont need a constant IP or ddns because your hone server will connect to pangolin on the vps and the vps will serve the apps. youll point the dns records to your vps.

It’s what i use for my extended family to reach my immich instance. No complaints yet whatsoever. It’s traefik+crowdsec+wireguard under the hood but all abstracted into a maintained, easy to use GUI. Youll have granular control over which users can use which services/subdomains and geoblocking etc is effortless.

I put a centralised authentication layer (pocket id) on top of it for easier enrollment across various apps im running but for homeassistant only the built in 2FA should be enough.

I have it available via a reverse proxy with vouch proxy enabled for 2FA.