I use linuxserver.io's nextcloud docker image. While I've seen people struggle to set up Nextcloud properly to the point of just giving up and installing the snap version of it, I can count the number of times I've needed to do manual interventions for nextcloud with LSIO's nextcloud image. It works like a charm.
Same. I've written many custom bash scripts with it and just about the only thing I know about bash is that it starts with a #!/bin/sh line at the top.
It's also very good at explaining things, even though you have to prod it many times to give it direction; otherwise it can get lost in its own cloud.
Sure.
So local traffic is how devices in one network communicate. E.g. say you have two computers in your home network; as long as they are joined to your Wi-Fi they can "talk" to each other without any intermediary between them.
Since VPN clients take over your device network, they also set up special rules to bypass your local network so that your device can continue to talk to other devices in your home network.
Tailscale doesn't set up these rules and instead expects you to install Tailscale on the other devices to continue this inter-connectivity. Could be a malevolent move so that they can jack up the number of installs, but I think it's totally dumb.
Split tunneling is a way to tell the VPN client to bypass an app so that the app does not use the VPN network and uses your local network instead.
Tailscale doesn't respect local traffic and they have refused to add split tunneling on their Android VPN client. For these simple reasons, I would never take this product seriously.
Depends on your security priorities and if you trust the software you plan on using. Securing software/docker containers can be as deep a rabbit hole as you're willing to go.
I don't check it all the time like a maniac, but I have a Glances docker running on my main server.
Installing fail2ban and not configuring it is as good as not installing the program in the first place.
Include unattended-upgrades with configuration for security updates. This is essential to any actively accessible server.
Some good advice here. I would say avoid using network_mode: host unless you really have to. And make use of the no-new-privs feature. This is easy to do and IMO the bare minimum for preventing rogue actions from containers.
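An added Compose example (not from this thread or any commenter) showing the two settings the comment above mentions: a service on host networking beside the same service on an isolated bridge network with no-new-privileges set. The image name, network name and port are placeholders; the cap_drop and read_only lines go a step beyond the comment's "bare minimum" and can be dropped if an image needs them.

```yaml
services:
  # Weak: host networking removes Docker's network namespace, so the container
  # sees every host interface and can bind any host port directly.
  app-weak:
    image: example/app:latest        # placeholder image
    network_mode: host

  # Hardened: user-defined bridge network, only the needed port published,
  # and no-new-privileges so setuid/setcap binaries inside the container
  # cannot gain privileges the process did not start with.
  app-hardened:
    image: example/app:latest        # placeholder image
    networks:
      - appnet                       # placeholder network name
    ports:
      - "127.0.0.1:8080:8080"        # loopback only; put a reverse proxy in front
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL                          # extra hardening beyond the comment's minimum
    read_only: true                  # extra hardening; add tmpfs below if the app writes to /tmp
    tmpfs:
      - /tmp

networks:
  appnet:
```

After `docker compose up -d`, `docker inspect --format '{{.HostConfig.SecurityOpt}}' <container>` should print `[no-new-privileges:true]` for the hardened service, and `docker inspect --format '{{.HostConfig.NetworkMode}}'` should not print `host`.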
This is a skill issue. Shut down everything you don't consider a necessity. Problem solved.