I don’t know of any guides targeted at this use case.
My solution relies on whitelisting pubkeys at the relay, so only allowed users can read/write. AFAIK most OSS relays support this to some extent. Then it’s just a matter of running the relay somewhere accessible, whether it be a VPS provider in the cloud or something self-hosted like Umbrel.
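An added example, not part of the post above and not any relay's own code: a sketch of how a pubkey allow-list gates both writes and reads, assuming the relay speaks Nostr (NIP-01 messages, NIP-42 AUTH). The names `ALLOWED`, `Session` and `handle` are hypothetical, the keys are constructed, and Schnorr signature checks on events and AUTH are assumed to have been done by the relay before this policy runs.

```python
import hashlib
import json

# Constructed allow-list of 32-byte hex pubkeys (placeholders, not real keys).
ALLOWED = {"a" * 64, "b" * 64}

def event_id(ev):
    """NIP-01 event id: sha256 over the canonical JSON serialization."""
    payload = [0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]]
    raw = json.dumps(payload, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()

class Session:
    """Per-connection state. authed_pubkey is set only after the relay has
    verified a NIP-42 AUTH event for this connection (assumed, not shown)."""
    def __init__(self):
        self.authed_pubkey = None

def handle(session, msg, allowed=ALLOWED):
    """Apply the allow-list to one client message and return the relay reply."""
    if msg[0] == "EVENT":
        ev = msg[1]
        # Writes carry their own identity, but only if the id binds the fields.
        if event_id(ev) != ev.get("id"):
            return ["OK", ev.get("id", ""), False, "invalid: bad event id"]
        if ev["pubkey"] not in allowed:
            return ["OK", ev["id"], False, "restricted: pubkey not on allow-list"]
        return ["OK", ev["id"], True, ""]
    if msg[0] == "REQ":
        sub_id = msg[1]
        # A REQ carries no pubkey, so reads can only be gated per connection.
        if session.authed_pubkey is None:
            return ["CLOSED", sub_id, "auth-required: authenticate to read"]
        if session.authed_pubkey not in allowed:
            return ["CLOSED", sub_id, "restricted: pubkey not on allow-list"]
        return ["EOSE", sub_id]  # stored events would be sent before EOSE
    return ["NOTICE", "unsupported message"]
```

The read path is the part to verify on a given relay: an allow-list applied only to incoming events restricts who can write but still lets any client read.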