What isn't covered

While this guide is complete and we have a working, auto deployed website, there are a few things that can be done that are outside the scope of this guide.

• Running docker as non-root.
• Using docker secrets to store the sensitive env variables.
• Setting up proper docker networks, we currently just have a single one that everything is on.
• Setting up the private registry behind Tailscale - Can use a wild card SSL cert for a domain, then have the registry sub domain point to your Tailscale IP address, and still get SSL but only available on Tailscale.
• Delving deeper in to iptables - its complicated, theres probably so much more you can do.
• Using SSH certificate and passcode instead of user and password to connect to the server in general and via the GitHub Action.
• Backing up Portainer.
• PostgreSQL backups or even read replicas.
• Redis cache handling for allowing multiple replicas of the website container being launched.
• Multiple nodes and constraining containers to particular nodes and load balancing with high availability.