The Lemmy instance works fine so far. I had some problems migrating the nginx config file from the Lemmy manual to traefik, but it works with this guide here.
I'm not really forwarding ports; rather, I'm using a more complex setup. I have two devices - my router and an external VPS hosted in a datacenter. These devices are connected via WireGuard. On the VM where all my services are installed, traefik is installed, which is used as a reverse proxy for the services and does TLS. The VPS has HAProxy configured to the internal VM in TCP mode, which makes the services available from outside and is important to get valid Let's Encrypt certificates, as I'm not using DNS verification.
I know it's a bit hard to understand, but it works fine for me and I'm not depending on any third-party providers (other than the hoster of the VPS, which I can easily swap if needed).
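A sketch of the VPS side of the setup described above, as an added example that is not the poster's actual configuration. The tunnel address 10.8.0.2 for the internal VM and all frontend/backend names are assumptions.

```haproxy
# Added example; addresses and names are constructed, not taken from the post.
# 10.8.0.2 = assumed WireGuard address of the internal VM running traefik.
defaults
    mode tcp
    timeout connect 5s
    timeout client  1m
    timeout server  1m

# TLS is not terminated on the VPS: bytes are relayed unchanged through the
# tunnel, so the private keys stay on the VM and traefik answers the
# Let's Encrypt validation itself.
frontend fe_https
    bind :443
    option tcplog
    default_backend be_traefik_https

backend be_traefik_https
    server vm 10.8.0.2:443 check
    # In plain TCP mode traefik sees the VPS tunnel address as the client.
    # To keep real client IPs in logs and rate limits, use instead:
    #   server vm 10.8.0.2:443 check send-proxy-v2
    # and list the VPS tunnel address under the traefik entrypoint's
    # proxyProtocol.trustedIPs, otherwise connections will fail.

# Port 80 is relayed as well so HTTP-01 validation and HTTP-to-HTTPS
# redirects reach traefik.
frontend fe_http
    bind :80
    default_backend be_traefik_http

backend be_traefik_http
    server vm 10.8.0.2:80 check
```

On the VM, restricting ports 80 and 443 to the WireGuard interface keeps the services from being reachable by any path other than the tunnel.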
You can add the device you want to use PiHole with to your WireGuard VPN and set the DNS property for the Interface.
Then you need to add the PiHole machine to the VPN, if it is not already reachable (or you use your existing machine in the internal network with masquerade).