so heres my final caddyfile

{
        # LetsEncrypt account
        email example@email.com
}

# Dashboard
https://dashboard.nm.secret.domain {
        # Apply basic security headers
        header {
                # Enable cross origin access to *.nm.secret.domain
                Access-Control-Allow-Origin *.nm.secret.domain
                # Enable HTTP Strict Transport Security (HSTS)
                Strict-Transport-Security "max-age=31536000;"
                # Enable cross-site filter (XSS) and tell browser to block detected attacks
                X-XSS-Protection "1; mode=block"
                # Disallow the site to be rendered within a frame on a foreign domain (clickjacking protection)
                X-Frame-Options "SAMEORIGIN"
                # Prevent search engines from indexing
                X-Robots-Tag "none"
                # Remove the server name
                -Server
        }

        reverse_proxy http://127.0.0.1:8082
}

# API
https://api.nm.secret.domain {
        reverse_proxy http://{public ip}:8081
}

# gRPC
https://grpc.nm.secret.domain {
        reverse_proxy h2c://{public ip}:50051
}