I did the same as the OP except I use Amperfy on iOS and Tempo on Android. Navidrome is super simple to setup and finds new music immediately. Never breaks. It's not exposed to the Internet directly but via a Cloudflare tunnel (like the OP) and an obscure url that I'm the only one to use.
I also wrote a little Python script to transform Spotify playlists into Youtube lists of urls. Shazam can add songs to a Spotify playlist so it's a way to discover new music.
The obscure URL kind of doesn't matter if you are on an ipv4 address. There's only so many of those around. People skip scanning by url and go straight to iterating through ips.
I hate to be that guy. Obscurity is not security.
There's technically no distinction between a random url, and a random prime that is part of a keypair. There's a difference of "degree" of randomness, but not of approach.
In both cases you get owned if somebody guesses your random bytestring.
You're right, but I'm not really after "security". It's not like I'm hosting state secrets.
I may move to tailscale though, which would be the same thing without exposing anything publicly. Besides I already use tailscale for other things.
Don't worry, we hate you being that guy too ;)
Obscurity sometimes gets you enough, if only just cleaner log files. Something something threat model.
I know. I know it's way easier. And i know everybody hates that guy :)