So Tailscale has this whole series about hosting services on one's Tailnet using Docker. Their approach is to run Tailscale in Docker and have the services' containers share its namespace by setting `network_mode: service:<tailscale_service_name>`. I am trying to understand why this is better than just binding the service's port to the Tailscale IP of the host device, given that option is not even mentioned in any of their blog posts. The only advantage I can think of is that you get to have different Tailscale rules/configurations for different services. In my case, this is not an advantage because I will run Tailscale on the host anyway and I won't have different configurations for each service. Can anyone help me understand? https://tailscale.com/kb/1282/docker

I'm looking into self-hosting a SearXNG instance for my own use. One thing I don't get is how the results are aggregated if I'm using a local instance. Is it just going to all the configured search engines and making requests? If that's the case, what's the benefit of using SearXNG instead of just going to that search engine myself from a privacy perspective?

I am on a shared network. I'd like to self host services and access them from all my devices but I do not want these exposed to other people in my network. I've noticed that I can just change the port mapping in Docker to `<Tailscale IP>:<port>:<port>` from `<port>:<port>` and it just works. Works as in the service is accessible from my Tailnet, inaccessible from the local network or the internet. Is it really this easy or am I missing something? Just sounds too good to be true so I am suspicious it might somehow be insecure.