I ran a podman quadlet setup as a test some time ago. My setup was a little like this:

• Create a pod if the app uses multiple containers
• Create a seperate network for each app (an app is either a single container or multiple containers grouped in a pod)
• Add the reverse proxy container to all networks
• I don’t expose any ports to the host unless necessary

If you create a new network in podman you can access other containers and pods in the same network with their name like so container_name:port or pod_name:port. This functionality is disabled in the default network by default. This works at least in the newer versions last I tried, so I have no idea about older podman versions.

For auto-updates just add this in your .container file under [Container] section:

[Container]
AutoUpdate=registry

Now there’s two main ways you can choose to update:

1. Enable podman-auto-update.timer to enable periodic updates similar to watchtower
2. Run podman auto-update manually

# Check for updates
podman auto-update --dry-run

# Update containers
podman auto-update

If you run adguard home it’s pretty easy. Just add a DNS rewrite to your local IP.

How are you running nginx and immich exactly? With containers or on the host?

I don’t know nixos that much but that looks like nixos configuration to me, so it’s running on the host I assume?

Some feeds I follow

• Adventures in Linux and KDE: https://pointieststick.com/feed/
• F-Droid: https://f-droid.org/feed.xml
• GamingOnLinux: https://www.gamingonlinux.com/article_rss.php
• Project Zomboid: https://projectzomboid.com/blog/feed/
• This Week in KDE Apps https://blogs.kde.org/categories/this-week-in-kde-apps/index.xml
• This Week in Plasma: https://blogs.kde.org/categories/this-week-in-plasma/index.xml