How to deal with certificates?
i would use selfsinged certificates for the containers that MUST have one and then just terminate it at the reverse proxy
2
How would you secure a KVM VPS, with pre-Wireguard Linux kernel and no access to ports 80/443?
you can change what ports Caddy use you might have an issue if you want to get ssl certs with lets encrypt
2
How to prevent rogue docker containers from wreaking havoc?
o use podman and dont run any container as root if it need root i will use a VM
1