Cloudflare Tunnel

This Ghost site is running on my local NAS, using an ISP that implements Carrier-grade NAT (CG-NAT).

So the technically inclined might wonder: how is it possible to expose a host to the internet while the host is hidden behind multiple layers of NAT? The solution turns out to be really simple.

Cloudflare has several 'zero trust' solutions, and one of them is called Cloudflare Tunnel. This tool is really nice, as it allows hosts to be reachable via DNS from the internet through a tunnel in full control of the user. The tunnel is opened outbound from the host to Cloudflare, so no inbound port has to be reachable through the NAT.
Way more information can be found on their information page.

My implementation

So, with the above information shared, how did I implement this?

On my nas, I am running docker & docker-compose, which meant that I could get away with setting up a simple docker container that provides the endpoint on the blog side.

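version: "3.8"
services:
  cloudflared:
    image: cloudflare/cloudflared
    container_name: cloudflare-tunnel
    restart: unless-stopped
    # Run the tunnel identified by TUNNEL_TOKEN; hostnames are mapped in the Cloudflare dashboard
    command: tunnel run
    environment:
      # Tunnel token copied from the Cloudflare dashboard
      - TUNNEL_TOKEN=<REPLACE ME WITH THE TOKEN FROM CLOUDFLARE>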

Then on the Cloudflare dashboard, I configured which LAN-local name should map to which internet DNS name. And that was basically it.
For completeness, I changed the URL of the blog to match, which may or may not be needed for an individual use case.
I assume that Cloudflare would have enough functionality to do rewrites and such, but I don't want to spend too much time reading their extensive documentation and just want to get things working.
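
The tunnel token in the compose file above is a credential: whoever holds it can run the tunnel. The script below is an added example, not part of my original setup, that keeps the token in an owner-only .env file, has the compose file reference it, and checks a compose file for a pasted-in token. The function names, the temporary directory and the placeholder token are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): keep the tunnel token out of
# docker-compose.yml. Function names and sample values are assumptions.

# Store the token in <dir>/.env, readable and writable by the owner only.
write_tunnel_env() {
    dir=$1 token=$2
    ( umask 077 && printf 'TUNNEL_TOKEN=%s\n' "$token" > "$dir/.env" )
    chmod 600 "$dir/.env"   # also covers a pre-existing, looser .env
}

# Write a compose file that only references the variable. Compose reads .env
# from the project directory; ${VAR:?msg} aborts startup if it is unset.
write_compose() {
    cat > "$1/docker-compose.yml" <<'EOF'
version: "3.8"
services:
  cloudflared:
    image: cloudflare/cloudflared
    container_name: cloudflare-tunnel
    restart: unless-stopped
    command: tunnel run
    environment:
      - TUNNEL_TOKEN=${TUNNEL_TOKEN:?set TUNNEL_TOKEN in .env}
EOF
}

# Return 0 (true) if a compose file carries a literal token, i.e. a
# TUNNEL_TOKEN assignment whose value is not a ${...} reference.
has_inline_token() {
    grep -Eq '^[[:space:]]*(-[[:space:]]*)?"?TUNNEL_TOKEN[=:][[:space:]]*"?[^$"[:space:]]' "$1"
}

# Demo with a constructed placeholder token (not a real credential).
demo() {
    dir=$(mktemp -d)
    write_tunnel_env "$dir" "CONSTRUCTED-PLACEHOLDER-TOKEN"
    write_compose "$dir"
    if has_inline_token "$dir/docker-compose.yml"; then
        echo "inline token found"
    else
        echo "compose file is token-free"
    fi
    rm -rf "$dir"
}

demo
```

With this layout the compose file can go into version control or a backup, while .env stays out of both.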