Lastly although I understand that the best practice is to use a bought domain and tls certs from letsencrypt (or any other public CA), I wanted to be as independent as possible for airproofed / internal environments and I went with a self-signed certificate + injection in netmaker containers solution to achieve this