I run a reverse proxy that handles the TLS termination for that reason.
Services themselves are constrained to the server, bound to listen on 127.0.0.1 only.
Key is only available to the reverse proxy.