Best practice for structuring a hassio setup

Hey there,

I've been using Home Assistant for more than 2 years now in a virtual env on my little i5 server with a lot of other services. I played around a lot with a lot of tools and devices… Now I'd like to restructure and build it up from the ground with the things I find useful for my needs.

The question is, what is the best practice to set this up? I currently have my setup ported to hassio with the supervisor as docker with a lot of addons. I like the simplicity and the fact that I don't have to maintain every single part of it.

But I'm struggling with the structural side of things. All my services and addons are currently set up without SSL since I manage my connections with an overlaying nginx installation on the same host. I have only port 443 forwarded and I like to keep it this way.
But all the addons rely on proper encryption if I'd like to use them in the ingress/iframe side of hassio reachable from the web.

Would it be feasible to use the Nginx Proxy Manager, not as an addon but as an overlaying service like my nginx configuration, and use all the addons with subdomains? But what do I do with the addon configuration? As far as I understand, they need the encryption inside the addon configuration with the proper certs.

I can’t wrap my brain around that setup… any input would be appreciated.

tl;dr how to set up hassio with all the addon features on a shared host as securely as possible with only port 443 open to the web.