If you use a Let’s encrypt certificate for your public domain, then you can save yourself from adding the custom CA to the containers. So you’ll only have to setup your internal revers proxy.
Even easier, if you can allow containers (seafile and seadoc) from your internal network to access thenselved through the external proxy, then you just do that. i.e. internal network container → seafile.mysite.keenetic.link → external proxy → internal network container
Although I find value in having the containers unable to access the internet and be accessible only through the reverse proxy.