Thanks for sharing this with the community @leerob. A couple of issues I wanted to point out:
Certbot renewal
It appears that your nginx/certbot setup is not able to handle automated renewals. I didn't look too carefully but it might be that you need to manually set up an acme-challenge block in the nginx config.
Exposed ports
Another issue I noticed is that your setup is exposing the app and db to the world. Usually you'd want to only expose TCP 80 and 443, and UDP 443 (for http/3).
Here are some ways to improve this:
Configure a firewall at the provider level (Digital Ocean has a free firewall service you can apply to droplets). To further protect the droplet, you can also configure the firewall to only open port 22 for known IPs.
Properly Dockerize nginx + certbot and only expose the nginx service. Remove all other port bindings in the docker-compose configuration or bind them to localhost/127.0.0.1 so they are not accessible to the outside world directly.
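As an added illustration of both points in the comment above (not code from the issue or from the repository it discusses), here is a docker-compose layout in which only nginx publishes host ports, the app and database stay on the compose-internal network, and certbot renews through a webroot that nginx serves. Service names, images, ports, volume names and the database credentials are assumptions made up for the example.

```yaml
# Added example, not the original repo's docker-compose file.
# Only the nginx service publishes ports on the host; everything else is
# reachable solely over the compose network.
services:
  nginx:
    image: nginx:1.25-alpine
    ports:
      - "80:80"        # HTTP: needed for the ACME http-01 challenge and redirects
      - "443:443"      # HTTPS
      - "443:443/udp"  # HTTP/3 (QUIC), only if the nginx build supports it
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - certbot-webroot:/var/www/certbot:ro  # nginx serves /.well-known/acme-challenge/ from here
      - letsencrypt:/etc/letsencrypt:ro      # certificates written by certbot
    depends_on:
      - app

  certbot:
    image: certbot/certbot
    volumes:
      - certbot-webroot:/var/www/certbot
      - letsencrypt:/etc/letsencrypt
    # Loop that attempts renewal every 12 hours; `certbot renew` only touches
    # certificates that are close to expiry. Assumes nginx reloads on its own
    # schedule (for example a periodic `nginx -s reload` in the nginx container).
    entrypoint: >
      /bin/sh -c 'trap exit TERM; while :; do
        certbot renew --webroot -w /var/www/certbot;
        sleep 12h & wait $${!}; done'

  app:
    build: .
    # Weak:     ports: ["3000:3000"]   publishes the app on every host interface.
    # Hardened: no `ports:` at all; nginx proxies to http://app:3000 internally.
    # If host access is needed for debugging, bind to loopback only:
    # ports:
    #   - "127.0.0.1:3000:3000"
    expose:
      - "3000"
    environment:
      # constructed credentials for the example only
      DATABASE_URL: postgres://app:example@db:5432/app
    depends_on:
      - db

  db:
    image: postgres:16-alpine
    # Weak:     ports: ["5432:5432"]   exposes Postgres to the internet.
    # Hardened: no host port binding; only services on this network can connect.
    environment:
      POSTGRES_USER: app
      POSTGRES_PASSWORD: example   # constructed; use a secret in practice
      POSTGRES_DB: app
    volumes:
      - pgdata:/var/lib/postgresql/data

volumes:
  certbot-webroot:
  letsencrypt:
  pgdata:
```

For the renewal side to work, the port-80 `server` block in `nginx.conf` needs a `location /.well-known/acme-challenge/ { root /var/www/certbot; }` entry that is served before any redirect to HTTPS, otherwise the http-01 challenge never reaches certbot's webroot. A quick check after `docker compose up -d` is `ss -tlnp` (or `docker compose ps`) on the host: only 80 and 443 should be listening on a non-loopback address; if 3000 or 5432 show up on `0.0.0.0` or `[::]`, a port binding is still leaking.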