Here’s my basic setup. I have a container that I call dl1. This has qbitorrent, sabnzbd, and a VPN client. This container only accepts connections from my local subnet or connections from the VPN interface. Everything else, *arrs, etc are separate containers that communicate with the dl1 container. Total seperarion and totally secure. I administer everything from tailscale if I’m not on the local net