If your running behind OPN/PFsense I’ve found the easiest solution for internal only SSL is to use the router to create the certificate chains. Yes you’ll have to import 1 CA cert on each end user device but only the one then you can crank out internal certs without and https warnings or domain constraints/challenges.

I’ve had relatively good luck with docker in containers but eventually decided to run docker in VMs as I only semi trust most docker apps and like the added security I get from having it in a full VM in full isolation. Some of the workarounds for docker in LXCs are far from security best practices.

Yes, Alpine maintains Nextcloud in their repos. I mount my NFS share to the Proxmox host (you can mount using the gui and set it to any form of storage you want) then bind mount the share folder to the LXC. I moved from docker in a VM to this LXC with no disruption to my data.

Alpine packages services like Gitea and Nextcloud which Debian does not. This makes keeping up to date alot simpler for myself but that’s personal preference.

Quadlet looks very interested, I’m reading the docs now. Thanks

The simplicity of docker with much better security. Honestly the main appeal of having my homelab is to play with technologies and learn new things. The couple times I’ve skimmed the docs for Kubernetes it seemed over complicated for a personal homelab.

This is extremely helpful and gives me all the answers I was looking for. Thank you