Interesting. I've done a lot of manual work to set up a whole nginx layer to properly route stuff through one domain to various self-hosted services, with way too many hard lessons when I started this journey (from trying to do manual setup without docker, to moving onto repeatable setups via docker, etc.).
The setup appears very simple in Caddy - amazingly simple, honestly. I'm going to give it a good try.
Cloudflare explicitly supports customers placing insecure HTTP-only sites behind Cloudflare HTTPS.
It's one of the more controversial parts of the business; it makes the fact that the traffic is unencrypted on public networks invisible to the end user.
Of course, on the other hand, I know that relying on Cloudflare certs is basically inviting a MITM attack.