ndriscoll 5 days ago

Right, the services should allow federation, but that doesn't mean you need to federate with the entire world. You and your friend should be able to just click "invite" in your "My Home" app to get a link to text to each other like `myhome://invite?domain=<random>.services.frienddomain.com` (or a QR code flow). Under that TLD you have well-known subdomains and TXT records for e.g. WireGuard config, OAuth server location, etc. When you open the link in your "My Home" app, it adds the WireGuard peer and starts trying to perform OAuth client autoregistration and federate any services you run. When your friend clicks your link, it'll set up the other half of those connections. Once you've both clicked, things start talking to each other. This all stays invisible to the normal Internet for anyone that doesn't know the root domain to search for records under.

This could all run on one of those $130 N150 mini PCs that uses like 8W and could run 24/7. It's a lot of integration work, but there's no reason why it couldn't be a fairly off-the-shelf product.

You could also explore other service discovery patterns since buying a domain name is a pain. Like have the URL provide the initial WireGuard config (including outside IP) and DNS search domain, and then the servers on each end can query (private) DNS on the other end via the tunnel for services.
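
Added example, not part of the comment above and not code from any real "My Home" product: a sketch of the checks a receiving app could run on such an invite link and on the peer record it discovers before adding a WireGuard peer automatically. The `_wireguard`/`_oauth` labels, the `k=v;k=v` TXT layout, its field names and the sample values are assumptions made for illustration.

```python
import base64, ipaddress, re
from urllib.parse import urlsplit, parse_qs

# Hypothetical labels: the comment names no concrete subdomains or TXT layout.
WELL_KNOWN = {"wireguard": "_wireguard", "oauth": "_oauth"}
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def parse_invite(url):
    """Return the root domain from a myhome:// invite link, or raise ValueError."""
    u = urlsplit(url)
    if u.scheme != "myhome" or u.netloc != "invite" or u.path not in ("", "/"):
        raise ValueError("not a myhome invite link")
    values = parse_qs(u.query, strict_parsing=True).get("domain", [])
    if len(values) != 1:
        raise ValueError("exactly one domain parameter expected")
    domain = values[0].lower().rstrip(".")
    labels = domain.split(".")
    if len(domain) > 253 or len(labels) < 2 or not all(LABEL.fullmatch(l) for l in labels):
        raise ValueError("invalid domain")
    if labels[-1].isdigit():
        raise ValueError("IP literals are not accepted")
    return domain

def discovery_names(domain):
    """Record names to query under the invited domain."""
    return {svc: f"{label}.{domain}" for svc, label in WELL_KNOWN.items()}

def parse_peer_txt(txt):
    """Validate a 'k=v;k=v' TXT payload before it becomes a WireGuard peer."""
    try:
        f = dict(kv.split("=", 1) for kv in txt.split(";"))
        key, allowed, endpoint = f["pubkey"], f["allowed"], f["endpoint"]
    except KeyError as exc:
        raise ValueError(f"missing field {exc}") from None
    if len(base64.b64decode(key, validate=True)) != 32:
        raise ValueError("WireGuard public keys are 32 bytes")
    net = ipaddress.IPv4Network(allowed)  # IPv4 only, to keep the example short
    # A peer the link added automatically must not be able to claim broad routes.
    if not net.is_private or net.prefixlen < 24:
        raise ValueError("refusing broad or public AllowedIPs")
    host, _, port = endpoint.rpartition(":")
    if not host or not 0 < int(port) < 65536:
        raise ValueError("bad endpoint")
    return {"PublicKey": key, "AllowedIPs": str(net), "Endpoint": f"{host}:{int(port)}"}

# Constructed sample input, not taken from the thread.
SAMPLE_KEY = base64.b64encode(bytes(range(32))).decode()
SAMPLE_TXT = f"pubkey={SAMPLE_KEY};allowed=10.77.0.2/32;endpoint=203.0.113.7:51820"
```

The AllowedIPs check matters most here: a record fetched from a domain someone texted you is untrusted input, and accepting a range such as `0.0.0.0/0` would route all traffic to the new peer.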

drew_lytle 4 days ago

Sounds complicated, but cool! Thanks for your comment!