Alright, let me tell you how this is now actually a good thing:

I had a spare unused TLD lying around (don’t ask) and just switched OPNsense to announce it as the new local domain.

Now that I have a proper separation of outer and inner zones, I can start issuing proper TLS certificates for internal services. 💖