The Two-Plane Architecture

One box, one reverse proxy, zero public inbound ports: a private mesh for everything else.

The two-plane architecture splits traffic by who is on the other end.

A public ingress plane carries the world to your apps. The visitor's browser reaches the Cloudflare edge (DNS, TLS, WAF, CDN, DDoS protection, and optionally Access). From the edge there is one path per hostname to the box: either a Cloudflare tunnel that dials outbound from the box, or a published port 443 presenting a Cloudflare origin certificate. Both paths land on a single Traefik reverse proxy, the only process that binds 80 and 443. Traefik routes by host and path over a private Docker network to the app containers, which it reaches by Docker service name rather than localhost.

A separate private admin plane carries the operator to everything else over a Tailscale mesh VPN: SSH, dashboards, metrics, databases, secrets stores, and internal tools.

The two planes join only at one deliberate meet point, where at most one service at a time is exposed, and only through an IP allowlist, never by accident.
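The layout above, written out as a Compose file. This is an added example, not configuration from the original page or from any of the projects it names. It assumes Traefik v3 label names, that Tailscale runs on the host and its address is supplied as `${TAILSCALE_IP}`, that the Cloudflare tunnel token is supplied as `${CLOUDFLARE_TUNNEL_TOKEN}`, and that `app.example.com`, `grafana.example.com`, the app image and the allowlisted `203.0.113.10/32` are placeholders; loading the Cloudflare origin certificate through Traefik's file provider is left out.

```yaml
# Added example (not from the original page). Placeholders: hostnames, app image,
# ${TAILSCALE_IP}, ${CLOUDFLARE_TUNNEL_TOKEN}, and the allowlist source range.
networks:
  edge:    # ingress plane: Traefik <-> app containers; apps publish no ports
  admin:   # admin plane: internal tools reached only over Tailscale

services:
  # Outbound-dialing path: cloudflared opens the tunnel from inside the box,
  # so this path needs no inbound port at all. Its ingress rule (configured in
  # Cloudflare) points at http://traefik:80 by service name.
  cloudflared:
    image: cloudflare/cloudflared:latest
    command: tunnel run
    environment:
      TUNNEL_TOKEN: ${CLOUDFLARE_TUNNEL_TOKEN}   # placeholder
    networks: [edge]
    restart: unless-stopped

  # The single reverse proxy: the only service that binds 80 and 443.
  traefik:
    image: traefik:v3.0
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false   # nothing is routed unless it opts in
      - --providers.docker.network=edge
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.tsadmin.address=:8080          # admin-plane entrypoint
      - --api.dashboard=true
    ports:
      - "80:80"                        # published-443 path; drop both if only the tunnel is used
      - "443:443"
      - "${TAILSCALE_IP}:8080:8080"    # dashboard reachable only on the Tailscale address
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./certs:/certs:ro              # Cloudflare origin cert for the published-443 path (file provider not shown)
    networks: [edge, admin]
    labels:
      - traefik.enable=true
      - traefik.http.routers.dashboard.rule=Host(`traefik.admin.internal`)   # placeholder
      - traefik.http.routers.dashboard.entrypoints=tsadmin
      - traefik.http.routers.dashboard.service=api@internal

  # An application: no "ports:" key, so only Traefik reaches it, by the name "app".
  app:
    image: ghcr.io/example/app:latest   # placeholder
    networks: [edge, admin]             # admin so it can reach postgres by name
    labels:
      - traefik.enable=true
      - traefik.http.routers.app.rule=Host(`app.example.com`)
      - traefik.http.routers.app.entrypoints=websecure
      - traefik.http.routers.app.tls=true
      - traefik.http.services.app.loadbalancer.server.port=8080

  # Admin plane only: never published, never labelled for Traefik.
  postgres:
    image: postgres:16
    networks: [admin]
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/pg_password   # placeholder secret path

  # The meet point: the one admin-plane service deliberately placed on the
  # public plane, gated by an IP allowlist. Removing the labels closes it.
  grafana:
    image: grafana/grafana:latest
    networks: [edge, admin]
    ports:
      - "${TAILSCALE_IP}:3000:3000"    # normal operator path, Tailscale only
    labels:
      - traefik.enable=true
      - traefik.http.routers.grafana.rule=Host(`grafana.example.com`)
      - traefik.http.routers.grafana.entrypoints=websecure
      - traefik.http.routers.grafana.tls=true
      - traefik.http.routers.grafana.middlewares=meetpoint
      - traefik.http.middlewares.meetpoint.ipallowlist.sourcerange=203.0.113.10/32   # placeholder operator IP
      - traefik.http.services.grafana.loadbalancer.server.port=3000
```

One check worth making before relying on the meet point: with Cloudflare in front, the source address Traefik sees is the Cloudflare edge (published-443 path) or the `cloudflared` container (tunnel path), not the visitor. The allowlist only matches the real client if Traefik is told which upstream addresses to trust for forwarded headers (`--entrypoints.websecure.forwardedheaders.trustedips=...`) and the middleware is given an `ipstrategy.depth` that selects the visitor's entry in `X-Forwarded-For`; otherwise it compares against the wrong address and either blocks everyone or, if the allowlist happens to cover the edge range, admits everyone. Cloudflare Access, the "optional Access" layer in the text, is the alternative that avoids this dependency on source IP entirely. `docker compose ps` afterwards should show only Traefik with `0.0.0.0` bindings, on 80 and 443.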