How to implement certificate based access to self hosted services?
  • mTLS over nginx is the simplest way. But be aware that while it works great on desktop browsers, other reduced browsers (incl. mobile) often don't support it.

    2
Podman is awesome—and totally frustrating
  • I switched over my own server last week, using Ansible to generate the systemd files, and it worked great. It's just a dozen containers or so.

    The only problems I had were with container interdependencies (network-mode=container:x). That didn't work so well with systemd, restarting and updating, but when I used a pod instead these problems all went away.

    So I can't say I regret my experience so far. Now I'll be starting to use it at work too, where the user-namespace problem rears its head, but only because we have this very specific, very dumb big LAMP dev container that houses Apache, SQL, Redis, and more under one supervisord. That's why we have more than one user in it and frankly that's our own damn fault! When you make proper containers they shouldn't have more than one user in them, and then userns=keep-id should work just fine.

    So far, I fully recommend podman.

    1