IDtheTarget

Vaultwarden is fantastic; I've been using it for a couple of years. Just a simple docker pull, and you're up and running. It runs very happily on a Raspberry Pi; it's really lightweight.
You can either use a real domain or issue your own self-signed certificates for an internal IP address or something like a .internal domain. I went the self-signed route, but only because I already have some internal services for which I've provisioned certificates; Caddy/Cloudflare is going to be better, and ultimately, I'd like to migrate all of my internal stuff to that approach to avoid the hassle of deploying certificates onto all of my and my wife's devices. Either way, I'd strongly suggest using a VPN and not exposing anything publicly, just to reduce attack surface.
The Bitwarden app is great, and it handles both TOTP and passkeys seamlessly. They did a major rewrite of the apps about a year ago, and there were teething pains, but it's all in the past now. If you're seeing a bunch of 1-star reviews, it was probably from the Dark Times while they were working out the kinks.
Yes, BW stores the TOTP and passkeys as part of the same record as the username/password by default, but you could make separate entries (although I'm not sure why you'd want to). I'm pretty sure all password managers behave that way.