My solution that took awhile to figure out is fantastic IMO. Docker containers unprivileged, with nobody permissions, with their own IPs on macvlan, with matching vlan and good firewall rules. A docker network proxy container, Traefik, Authelia, CrowdSec, and a CrowdSec Traefik Bouncer containers.