piggybacking on this, due to the ease of getting a cert for a subdomain, basically one cert per app ... just have one cert per "compose stack"
and it's perfectly acceptable to run them with rootless docker-in-docker or on separate VMs to get security. the one true sacred nginx in front of everything is nice, but also has access to everything.
of course, the lack of public IPv4 addresses in many homelab/selfhosted/hobbyist situations is the true forcing factor. (and getting a wildcard cert is very easy with certbot nowadays, so I understand the lure.)
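The blast-radius point in the comment above (one wildcard key on a central proxy can stand in for every service, while a per-stack cert only covers its own stack), worked through as an added example that is not part of the original comment. The hostnames, stack names and certificate scopes are constructed; the wildcard rule follows the usual single-label matching that browsers apply.

```python
"""Where a TLS private key lives decides what its compromise can impersonate.

Added example (not from the original comment). Models the two layouts the
comment contrasts: one wildcard certificate held by the front nginx versus
one certificate per compose stack. All names below are constructed.
"""


def name_matches(pattern: str, hostname: str) -> bool:
    """Certificate-name match: a wildcard stands in for exactly one leftmost label.

    '*.example.home' covers 'git.example.home' but neither 'example.home'
    nor 'a.b.example.home', which is how browsers treat wildcard SANs.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".example.home"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def impersonatable(cert_names, hostnames):
    """Hostnames a key for a cert with these SANs could present as."""
    return sorted(h for h in hostnames if any(name_matches(p, h) for p in cert_names))


def blast_radius(layout, hostnames):
    """layout maps each host that holds a private key to that cert's names.

    Returns, per key-holding host, every service hostname an attacker who
    obtains that key could impersonate.
    """
    return {host: impersonatable(names, hostnames) for host, names in layout.items()}


# Constructed services behind the lab, one per compose stack.
SERVICES = ["git.example.home", "photos.example.home", "vault.example.home"]

# Layout 1: the "one true nginx" holds a single wildcard key.
WILDCARD_PROXY = {"nginx-front": ["*.example.home"]}

# Layout 2: each stack terminates TLS with its own subdomain cert.
PER_STACK = {
    "git-stack": ["git.example.home"],
    "photos-stack": ["photos.example.home"],
    "vault-stack": ["vault.example.home"],
}


def widest_exposure(layout, hostnames):
    """Largest number of services a single key compromise reaches."""
    return max(len(v) for v in blast_radius(layout, hostnames).values())


if __name__ == "__main__":
    for label, layout in (("wildcard on proxy", WILDCARD_PROXY), ("per stack", PER_STACK)):
        print(label)
        for host, hit in blast_radius(layout, SERVICES).items():
            print(f"  key on {host:<13} -> {hit}")
        print(f"  worst single-key exposure: {widest_exposure(layout, SERVICES)} service(s)")
```

The point the numbers make: with the wildcard layout one stolen key covers all three services, while in the per-stack layout any single key covers one. The trade-off is operational, not cryptographic; the comment's rootless docker-in-docker or separate-VM suggestion is what keeps those per-stack keys from sharing a fate anyway.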