Found this article on LET but it's from 2016 and commenters did not have a high opinion of author's skill.

So just want to check what if that's still roughly state-of-the-art?

Not looking to defend against sophisticated attackers (RAM dump etc) and I'm fine with OS partition being unencrypted. Database / docker / home should be though.

A solution compatible with ansible deployment would be a bonus since that's the next thing I'm tackling.