How do people automate this kind of thing, like rolling out a specific image via CI?
Generating the systemd files, copying via scp and systemd reload via scripted ssh?
For my home servers which just run personal things (like a kanban board as a todo list) I just use watchtower[0]. This requires mounting the docker socket into this container, which is not ideal.
In a production environment, I'd expect pinning of the docker sha and setting docker tags as immutable. Some software projects exist to scan for updates and draft PRs automatically for changes (I can't remember the name of the software but it begins with R).
I use it for my home server and I love it because it takes care of Dockerfiles too and version changes are saved in git, which means that a rollback is just a matter of switching back to a previous commit and rebuilding your containers (in addition to restoring a backup of your Docker volumes).
I guess in "Make it as simple as possible, but not simpler", scp is too simple for you? But you also mentioned five different beasts to master, so I'm not so sure ;)
If all you need is to update some files, with minimal error handling, scp is fine! (Well, rsync is probably a better option now, but scp would still work.)
As you get progressively bigger, you can consider other options.
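On the digest pinning mentioned earlier in the thread, this is an added example and not code from any poster: a check a CI job could run to flag image references in Dockerfiles and compose files that are not pinned by `sha256` digest. The function names, the sample image names and the digest value are constructed for illustration.

```python
import re

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# Dockerfile "FROM [--flag] <ref> [AS <stage>]" and compose "image: <ref>" lines.
FROM_RE = re.compile(r"^FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.I)
IMAGE_RE = re.compile(r"^(?:-\s*)?image:\s*['\"]?([^'\"\s#]+)")

def classify(ref):
    """Return 'digest', 'tag' or 'implicit-latest' for an image reference."""
    if DIGEST_RE.search(ref):
        return "digest"
    # Only a ':' in the last path component is a tag separator; in
    # 'registry.example:5000/app' the colon introduces a registry port.
    last = ref.rsplit("/", 1)[-1]
    return "tag" if ":" in last else "implicit-latest"

def unpinned(text):
    """Return [(line_no, ref, kind)] for references not pinned by digest."""
    stages, findings = set(), []
    for no, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line.strip())
        if m:
            ref, alias = m.group(1), m.group(2)
            # 'scratch' and earlier build stages are not registry pulls.
            skip = ref.lower() == "scratch" or ref.lower() in stages
            if alias:
                stages.add(alias.lower())
            if skip:
                continue
        else:
            m = IMAGE_RE.match(line.strip())
            if not m:
                continue
            ref = m.group(1)
        kind = classify(ref)
        if kind != "digest":
            findings.append((no, ref, kind))
    return findings

# Constructed sample: Dockerfile lines followed by compose lines.
FAKE_DIGEST = "sha256:" + "ab" * 32  # placeholder, not a real image digest
SAMPLE = f"""FROM registry.example:5000/base/python AS build
FROM build AS test
FROM alpine:3.20@{FAKE_DIGEST}
  image: "example/kanban:latest"
  image: ghcr.io/example/board@{FAKE_DIGEST}
"""
if __name__ == "__main__":
    print(*unpinned(SAMPLE), sep="\n")
```

A tag alongside a digest (`alpine:3.20@sha256:...`) counts as pinned, because the runtime resolves the digest and the tag is only informational.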