I used a bridge interface and assigned a static IP via my router/DHCP server.
This seemed the simplest to me and the most like running a separate vm.
It means that host networking in Docker will behave as it should.
As it turns out, MAC addresses in systemd-nspawn are hashed from the jail name, so they are stable.
stux, I notice you run your networking as such.
Atm I have mine as bridged as well.
But I set in the TrueNAS admin UI settings to use 192.168.0.210 for a static IP.
Then for the Docker jail created by jailmaker, this is also set to a static IP (you have to modify a file within the jailmaker location; refer to jailmaker advanced networking).
This way I can get Nginx Proxy Manager to work without fighting with TrueNAS for ports 80 and 443.
But you said you set your static IPs via router DHCP.
Then how about containers, can they be set with their own static IP? How do you do that?
Before, I would use Portainer to set up a macvlan to set up a static IP via the Portainer UI.
The other method is adding the networking via Docker Compose (this I had trouble with, so I didn’t resort to this method though I’m aware of it). But when switching over to Dockge, they do have a basic networking setting, but overall they seem to want you to put the networking stuff within Docker Compose if you want that (something I didn’t have to do in Portainer).
So this part I am still figuring out.
But for now I am getting by with the defaults, everything just works with just
networks: {}
Maybe it’s not an ideal/hardened setting, but it just works for a LAN-only homelab Docker setup.
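
The compose-file route mentioned above, sketched as an added example that is not from either poster: a macvlan network declared in the compose file so one container gets its own fixed LAN address. The parent interface name, subnet mask, gateway, reserved range and the container address are assumptions to adapt.

```yaml
# Added example, not from the thread: per-container static IP via macvlan,
# declared entirely in the compose file (works the same in Dockge or Portainer).
# Assumed values: parent interface, /24 mask, gateway, ip_range, container IP.
services:
  npm:
    image: jc21/nginx-proxy-manager:latest
    restart: unless-stopped
    networks:
      lan:
        # Constructed address; keep it outside the router's DHCP pool and
        # away from 192.168.0.210, which the thread assigns to TrueNAS.
        ipv4_address: 192.168.0.225
    # No "ports:" section: on macvlan the container answers on its own IP,
    # so ports 80 and 443 never compete with listeners on the host.

networks:
  lan:
    driver: macvlan
    driver_opts:
      # Assumption: name of the jail's bridged interface; confirm with `ip link`.
      parent: host0
    ipam:
      config:
        - subnet: 192.168.0.0/24        # LAN of the thread's 192.168.0.210 (mask assumed)
          gateway: 192.168.0.1          # assumption
          ip_range: 192.168.0.224/28    # assumption: block reserved for containers
```

On a macvlan network every port the container listens on is reachable from the whole LAN, because Docker's published-port mapping is not involved, so restrict access at the router or firewall if a service has an admin port. By default the jail itself cannot reach the container on that address through the parent interface.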