wg-quick creates a systemd service for each wireguard config you have. So if you set up a tunel called wg0, you should be able to run ‘sudo systemctl enable wg-quick@wg0’ This will make your tunnel connect on every boot. I have the same setup on my proxmox, so i can reach certain services of my homelab proxied through a root server (the other end of the wireguard tunnel)
Decryption is not related to root permission.
If the ENCRYPTED drive is mounted to the container, then the container can decrypt it.
If the DECRYPTED drive is mounted to the container, then the container never knows it was encrypted in the first place.
Second case is easier BTW. Just mount the drive on your host, type in the encryption password and you get a new, unencrypted drive. Specify this new drive in your docker compose/docker file.
Generally, Linux Servers are best administered from a command line. At least in the beginning to set everything up. In turn they are faster on lower hardware as they dont even have a graphical desktop at all so need less resources. You could of course install a windows server OS. They can be fully administered through Remote Desktop and a GUI.
There are multiple projects to make self hosting more accessible (like casaOS). They automate many steps of the setup and then offer you a webUI for further steps. Maybe have a look here https://github.com/awesome-selfhosted/awesome-selfhosted?tab=readme-ov-file#self-hosting-solutions
You most likely pay for a maximum CPU capacity and your Server cant go above that no matter what you run. Your vps provider doesn’t care what that CPU power is used for.
However with limited resources, the tarpit might use up all CPU power and the rest of the webserver will crawl to a halt.