Then you add authentik which does SSO for many app like nextcloud, immich, linkwarden etc. For apps that don't integrate, you can still use his with reverse proxy authentication (sonarr).
Naturally this is more complex to setup but nothing beats the versatility.
I can choose extra protection for things like vaultwarden (need to connect via wiregaurd). Make things external for other users to access easily (immich, jellyfin, etc). Everything is based on users that are made in authenticatik and they all have the same password with single sign on.
You would approach this is pieces. get the domain and reverse proxy working first. Then authentik. this is only realistic with docker compose.
authentik is an identity server. theres a couple free ones available, this one just worked for me. it provides oauth and ldap fallback for the jellyfin server. along with login for most of the other servers i host like nextcloud/calibre-web/lychee etc. it has a nice easy log in process along with a 'homepage' kinda thing for everything my users can access with their account. makes it easier to support the non technical friends and family.