Oh, I didn’t realize this was for plain containers, sorry.
For that I use Ansible to deploy the containers on my server. The secrets are stored encrypted on my local machine with passwordstore and I use the passwordstore lookup plugin to load them in the playbooks/templates.
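As an added illustration of the setup described in that reply (example playbook written for this page, not the poster's own files): the `community.general.passwordstore` lookup decrypts the pass entry on the control node, so the playbook can template the value onto the host without ever committing plaintext. The pass entry path `containers/myapp/db_password`, the host group, the image name and the choice of the Docker container module are assumptions made for the example.

```yaml
# Added example (not from the original post): deploy a container whose secrets
# come from a local pass (passwordstore) store via the passwordstore lookup.
# The pass path, host group, image name and module choice are constructed here.
- name: Deploy myapp container with secrets from pass
  hosts: container_hosts
  become: true
  vars:
    # Lookups run on the control node: the entry is decrypted locally (gpg-agent
    # prompts once) and only the resulting value is sent to the target over SSH.
    db_password: "{{ lookup('community.general.passwordstore', 'containers/myapp/db_password') }}"
    # A multi-line pass entry can hold extra "key: value" lines; subkey= selects
    # one of those instead of the first line (the password itself).
    db_user: "{{ lookup('community.general.passwordstore', 'containers/myapp/db_password subkey=username') }}"
  tasks:
    - name: Render the environment file from a template
      ansible.builtin.template:
        src: myapp.env.j2      # e.g. DB_USER={{ db_user }} / DB_PASSWORD={{ db_password }}
        dest: /etc/myapp/myapp.env
        owner: root
        group: root
        mode: "0600"           # secret on disk readable by root only
      no_log: true             # keep the rendered content out of playbook output

    - name: Start the container
      community.docker.docker_container:
        name: myapp
        image: registry.example.invalid/myapp:1.0   # placeholder image
        state: started
        restart_policy: unless-stopped
        env_file: /etc/myapp/myapp.env
```

Two points worth checking in your own playbooks: `no_log: true` on any task that handles the looked-up value, otherwise `-v` runs and the template diff will print the secret, and a restrictive `mode` on the rendered file, since the container runtime reads it but nothing else on the host needs to.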
Incorrect. Not run as root, but launched by root in a system service (runs as the pipewire user).