I've figured it out, so this is my 2 cents to this great project.

So, we've just installed self-hosted standalone ztnet at debian 12, according to official documentation: https://ztnet.network/installation/linux

Our LAN ip is 192.168.0.10, our local domain name is ztnet.mydomain.lan, our ztnet web ui is at http://192.168.0.10:3000

We need to make web ui listen only on 127.0.0.1:3000, for this we edit /opt/ztnet/server.js and change line const hostname = process.env.HOSTNAME || '0.0.0.0' to const hostname = process.env.HOSTNAME || '127.0.0.1'

Next, we need to edit /opt/ztnet/.env to reflect our changes, according to environment variables in documentation about NEXTAUTH Configuration: https://ztnet.network/installation/options#nextauth-configuration:
NEXTAUTH_URL should be https://ztnet.mydomain.lan and we add NEXTAUTH_URL_INTERNAL=http://127.0.0.1:3000 line.

At third step we install caddy according to its official documentation: https://caddyserver.com/docs/install#debian-ubuntu-raspbian.
Then we need to edit our caddy configuration file (/etc/caddy/Caddyfile) to use self-signed certificate, it should look like this:
ztnet.mydomain.lan {
tls internal
reverse_proxy 127.0.0.1:3000
}
and make some magic to allow caddy to add self-signed certs to local root CA with this command: sudo HOME=~caddy caddy trust following this comment: https://github.com/caddyserver/caddy/issues/4248#issuecomment-882895673
The last is to restart needed services or reboot our server.
And that's it! If ztnet.mydomain.lan is resolving to 192.168.0.10 (our ztnet web ui) we can access it at https://ztnet.mydomain.lan adding exception for our self-signed cert in browser.

Hope this guide will be helpful for others and not consist of rude mistakes.

If you won't add A record for ztnet.mydomain.lan in dns, you could change NEXTAUTH_URL to https://192.168.0.10 and do the same in Caddyfile - it would work too.

Thx for the write-up and applogize for not chiming in earlier, been super busy.

We need to make web ui listen only on 127.0.0.1:3000, for this we edit /opt/ztnet/server.js and change line const hostname = process.env.HOSTNAME || '0.0.0.0' to const hostname = process.env.HOSTNAME || '127.0.0.1'

Just a tip.
You can set HOSTNAME and PORT directly in .env file

Thanks again for that great software! Using .env file is more convenient, agreed, I don't guess it earlier.