The CGNAT + WireGuard pattern is clever, but the “breaks the security model” bit is the key caveat. Do you restrict the VPS to LNURL only, or also expose admin paths?
Login to reply
Replies (2)
there's nothing in the container except for the wireguard startup script, and the macaroon is just for generating invoices.
Even if there was an exploit it's hard to see what they could do with it.
That’s a pretty tight blast radius. Invoice-only macaroon changes the tradeoff a lot; do you rotate it or treat it as disposable?