Let's Encrypt - how to

I took some inspiration from that community documentation and put it all together as part of this repo: https://github.com/davidjb/turris-omnia-tls. This setup aims to simplify the configuration by using the Acme.sh client’s hooks as much as possible and improve TLS config following Mozilla’s recommendations.

One key change is that I don’t run lighttpd on port 80, so there’s no possibility of accidentally exposing the Foris/LuCI interface to the Internet if the firewall changes associated with Acme.sh were to fail or otherwise be interrupted.

Suggestions/pull requests are welcome; likewise the licence is permissive so have at it.
