@jdaviescoates Correct, if you use the Gandi API you are using wildcard certs and are good.
When a cert is issued, most of the current certificate providers these days "log" the domain name as part of the https://en.wikipedia.org/wiki/Certificate_Transparency project. These reports can then be scanned later. For example, go to https://crt.sh/ and search for, say, %google.com%. This gives various subdomains of Google. When you use wildcard certs, only *.domain.com is logged and thus the subdomain is hidden. So, if you install searx at mysecretsearch.domain.com, there is no way for anyone to know the subdomain mysecretsearch since DNS has no subdomain search.
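As an added example (not part of the thread), this is the audit a defender can run over crt.sh-style JSON records to see which hostnames CT logs already reveal for a zone, and whether a given host is covered only by a wildcard. The records are constructed; the detail worth noting is that a wildcard covers a single label, so a host two labels below it is not covered and would need its own, logged, certificate.

```python
import json

# Constructed sample in the JSON shape crt.sh returns: one object per
# logged certificate, with the certificate's names newline-separated in
# "name_value". Hostnames and ids are made up for this example.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "domain.com",
     "name_value": "domain.com\nwww.domain.com"},
    {"id": 2, "common_name": "*.domain.com",
     "name_value": "*.domain.com\ndomain.com"},
    {"id": 3, "common_name": "mail.domain.com",
     "name_value": "mail.domain.com"},
    {"id": 4, "common_name": "*.internal.domain.com",
     "name_value": "*.internal.domain.com"},
])


def logged_names(crtsh_json: str) -> set[str]:
    """Every name (CN and SANs) that appears in the logged certificates."""
    names = set()
    for record in json.loads(crtsh_json):
        names.add(record["common_name"].strip().lower())
        for san in record["name_value"].split("\n"):
            if san.strip():
                names.add(san.strip().lower())
    return names


def exposed_hostnames(crtsh_json: str, zone: str) -> set[str]:
    """Concrete hostnames under `zone` that a CT search (e.g. %zone%) reveals.
    Wildcard entries are excluded: they disclose only the parent name."""
    zone = zone.lower()
    return {n for n in logged_names(crtsh_json)
            if not n.startswith("*.") and (n == zone or n.endswith("." + zone))}


def is_hidden_by_wildcard(host: str, crtsh_json: str) -> bool:
    """True if `host` is absent from the logs by name but served by a wildcard.

    A wildcard covers exactly one label (RFC 6125 section 6.4.3), so
    a.b.domain.com is not covered by *.domain.com and would need its own,
    logged, certificate or a *.b.domain.com wildcard.
    """
    host = host.lower()
    names = logged_names(crtsh_json)
    if host in names:
        return False          # explicitly logged: publicly enumerable
    parent = host.partition(".")[2]
    return bool(parent) and ("*." + parent) in names
```

This checks only what CT logs expose; other disclosure paths such as passive DNS or referrer leaks are outside its scope.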
I took a quick look at that some time ago, but it wasn't that trivial for me at least unless I would rewrite parts of the element table management around sorting. Happy to accept any patches there of course.
I finally got mine... weird though; I had to go into settings to turn it on. I forget where exactly, since I did that a couple days ago, but super appreciate the idea, love the thread, and happily continuing to package several more things (OpenSlides is complete, and I've resumed work on Zammad). Just for the sake of interesting trivia, I've also done a fully custom build that actually builds & deploys itself when a GH release is tagged on its repo, as well as a spike on a fully custom multi-protocol SSO tool (read IdP) intended for Cloudron-only deployment... more on that someday in the future if it lives on.
Definitely want to build the same deployment pipeline you have. And also, I look forward to hearing your SSO ideas in the future.