Sorry to chime in on an old, dead/dying thread. Reddit has really gone down the tubes, this community seems to be thriving and people still discuss a wide array of (on topic) technicals, from hardware to software to theory and beyond. My point being, please forgive me as I get accustomed to these wonderful new surroundings.
I have a few NGINX instances running, but I really should invest the time to stand up a proper reverse proxy. My network management server runs its own little reverse proxy within the Docker stack that it got deployed with, plus I have an actual NGINX Debian VM running my web server (went Apache2 > NGINX somewhat recently) as well as a third instance running in the cloud for my UniFi Controller. Ultimately I believe I will turn the pure Debian web server into a dual role, also assuming reverse proxy duties. Any security related issues with having these on the same virtual machine? NGINX has been super simple to stand up, but a lot of moving pieces trying to get all my internal services working properly with their own security certificates. Not sure how much effort is reasonable for my little “lab” environments.
Talk to me a little more about your Pi-hole setup. I’m also running Pi-hole, Unbound + Wireguard on both my DNS servers (for redundancy, one VM + one RPi - only one survives in the event of a power outage). My router captures and invisible redirects (over 5335) any queries on the network from devices with hard-coded DNS settings, but I’m only utilizing DNSSEC (not DoH or DoT, let alone both) on Unbound, which reaches out to TLD via root.hints
It’s not perfect, but disabling Pi-hole’s DNSSEC has sped things up significantly. I’m happy to trade off the slower uncached queries for nearly instant (<1ms) response times on any cached hits, although I only run about ~half as many domains in my blocklists.
I understand (and agree with most all) the incredibly relevant points you made, especially regarding CF (or any other major technology gatekeeper), but I suspect they (as an organization) are MUCH more robust and capable of fending off a variety of attacks (especially DDoS) than your average user running NGINX in shared compute backed up by 40Gbps pipe, or whatever most VPS commonly offer.
Only semi-related example; I don’t love that Google’s browser dominates the landscape, but I’m not going to gimp my day to day experience running inferior software. Thank the maker projects such as Brave & Vivaldi exist. Edge Chromium is fantastic for the normies, but we demand more. FF is barely competitive these days, capturing what, 6% of the market? That being said, FF Focus goes on every mobile device I use…
but even Richard doesn’t go FULL Stallman all the time. I guess I’m trying to say it’s a fine line between being “too” principled and having a usable workspace at your fingertips, ready to roll or react with a literal press of a button.
Hope it’s alright that I took some liberties rambling, got a bit off topic, but you did say the original issue was now resolved. Now I know who to pester when the time comes to work out syntax errors in my future NGINX block(s). 
Stay safe, sir. Thanks for the detailed response above. So much to learn.
