Love Keycloak. What I would do differently though is run it on a host (or in a k8s pod) & have it serving via http to localhost, then use cloudflared to tunnel & present it as https. Saves messing around with certificates etc, it's all automatic.
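The layout that comment describes, as an added Docker Compose example that is not the commenter's own setup: Keycloak speaks plain HTTP only on a private Compose network, cloudflared is the sole client and presents it as HTTPS. The hostname, image tags, admin credentials and tunnel token are placeholders.

```yaml
# Added example (not from the thread): Keycloak over HTTP behind a Cloudflare
# Tunnel. Placeholders: auth.example.com, the admin password, the tunnel token.
services:
  keycloak:
    image: quay.io/keycloak/keycloak:26.0
    command: start
    environment:
      # Plain HTTP is acceptable only because port 8080 is never published to
      # the host: the only client is cloudflared on this Compose network.
      KC_HTTP_ENABLED: "true"
      # Public URL users see; Keycloak uses it for redirects and the issuer.
      KC_HOSTNAME: https://auth.example.com
      # Trust X-Forwarded-* from the tunnel so Keycloak treats requests as
      # HTTPS. Anything that can reach 8080 could forge these headers, which
      # is why the port stays unpublished.
      KC_PROXY_HEADERS: xforwarded
      KC_HEALTH_ENABLED: "true"
      # Placeholders: use a secret store in practice, and a real database
      # (KC_DB / KC_DB_URL) instead of the default dev-file store.
      KC_BOOTSTRAP_ADMIN_USERNAME: admin
      KC_BOOTSTRAP_ADMIN_PASSWORD: change-me
    networks: [internal]
    # Deliberately no "ports:" entry.

  cloudflared:
    image: cloudflare/cloudflared:latest
    command: tunnel --no-autoupdate run
    environment:
      # Token of a remotely managed tunnel whose public hostname
      # auth.example.com routes to http://keycloak:8080 (configured in the
      # Cloudflare dashboard). Placeholder value.
      TUNNEL_TOKEN: "<tunnel-token>"
    depends_on: [keycloak]
    networks: [internal]

networks:
  internal:
    # Only Keycloak and cloudflared join this network; cloudflared still has
    # outbound access to reach Cloudflare's edge.
    driver: bridge
```

Because the tunnel exposes every Keycloak path, put a Cloudflare Access policy in front of the admin console rather than relying on the hostname alone.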
I had this discussion before and thought long about using Caddy, but then decided on nginx, directly on the host, basically following this reasoning [1].
My main motivation is that there is just more information available for nginx due to its wider use. And when you need to customize Caddy due to different requirements by services, you end up with the same or worse complexity compared to an nginx .conf. Nginx is just very robust and the configuration is not so hard to get used to.
My go-to for anything more complicated is definitely NGINX, but for ease of use in very straightforward Docker containers running HTTP services, it’s hard to beat the ease of use of the modified version of Caddy I linked