Just cause you’ve never seen them doesn’t make it not true.
Try using quadlet and a .container file on current Debian stable. It doesn’t work. Architecture changed, quadlet is now recommended.
Try setting device permissions in the container after updating to Debian testing. Also doesn’t work the same way. Architecture changed.
Redhat hasn’t ruined it yet, but Ansible should provide a pretty good idea of the potential trajectory.
You don’t. That’s not what caddy is. Use a bastion for ssh.
Edit: link https://www.redhat.com/sysadmin/ssh-proxy-bastion-proxyjump