Another option if you need public access without something like tailscale would be to use ddns and a AAAA record. Something like https://github.com/ddclient/ddclient would help do that.
That way if the IP changes, you’d pick up on the change for your vanity url within a few minutes… and can get https certs for that url as well.
Edit: I reread the OP. This doesn’t help if clients need direct ipv4. Sorry about that.
Another option if you need public access without something like tailscale would be to use ddns and a AAAA record. Something like https://github.com/ddclient/ddclient would help do that.
That way if the IP changes, you’d pick up on the change for your vanity url within a few minutes… and can get https certs for that url as well.
Edit: I reread the OP. This doesn’t help if clients need direct ipv4. Sorry about that.