I use socket activation instead of running reverse proxy with `CAP_NET_BIND`. Caddy supports socket binding, and can handle SSL certs. I now just log-in every week or so and run `journalctl --user -f --since "2025-11-09" --grep "error"` to check for anything going on.