Building block: the proven mf01 pattern
mf01 already publishes *.mf01.makerfloss.eu exactly this way, live since
2026-06-09:
- TLS terminates on the VPS (wildcard cert, Gandi DNS-01).
- Plain HTTP rides the wg1 WireGuard tunnel to an internal reverse proxy.
- The internal proxy routes by Host to the right container.
TaPPaaS = the same shape, with Caddy as the internal proxy instead of an
internal Traefik. Low risk, known gotchas already solved.
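
A sketch of what the internal Caddy side of this shape can look like, added here as an illustration and not taken from the mf01 or TaPPaaS configuration. The tunnel addresses (10.0.0.1 for the VPS, 10.0.0.2 for the internal proxy), the hostnames under tappaas.example and the container upstreams are all placeholders.

```caddyfile
{
	# TLS already terminated on the VPS, so this proxy serves plain HTTP only.
	auto_https off

	servers {
		# Honour X-Forwarded-* only when the request comes from the VPS end
		# of the tunnel (placeholder address).
		trusted_proxies static 10.0.0.1/32
	}
}

# Listen on the wg1 address only, so the cleartext listener is not
# reachable from the LAN or any other interface (placeholder address).
(wg1_only) {
	bind 10.0.0.2
}

# One site block per published name; Caddy selects the block by Host header.
http://app1.tappaas.example {
	import wg1_only
	reverse_proxy app1:8080
}

http://app2.tappaas.example {
	import wg1_only
	reverse_proxy app2:3000
}

# Any Host that is not explicitly published gets refused instead of
# falling through to a container.
:80 {
	import wg1_only
	respond "unknown host" 421
}
```

Because the hop between the VPS and this proxy is plain HTTP, the bind to the tunnel address and the catch-all block are what keep the cleartext listener limited to traffic that arrived through wg1 for a known name.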