Yes, you'll want to use two separate repos if you do it this way - the mirror will stay signed by the GPG keys of the distribution, while your repo with custom packages will be signed by a GPG key you generate (and your nodes will need to trust).
An alternative to mirroring is apt-cacher-ng
- it's configured as an apt proxy on your nodes, and will handle all package requests. On the first request for a given package, it will download a package from the upstream internet repo; on subsequent requests, it will serve that package from cache. So you get the bandwidth savings of a local mirror without having to keep a copy of the entire repo (80% if which you'll never use).
For your internal repo of custom packages, use reprepro
- it'll handle all the file structure and signing, you'll just need to deal with setting up the GPG key and feeding it .deb files.
For package conflicts, the client systems will determine which to use - generally, this is done by comparing the version string on the two different packages, but can also be affected by pinning.