🔐 Harden the host
Terrarium secures the VPS itself first, with SSH hardening and safer defaults, so your management surface is not a raw fresh-server free-for-all.
Give each workload its own hardened LXC container, keep it private by default behind NAT, manage it from built-in web UIs, publish only what you mean, and rewind mistakes in small ZFS-backed steps. Lock anything behind single sign-on and user management.

Why people use it
Terrarium is for people who want to give agents and development tools room to operate without turning the whole host into a shared blast radius. Each workload gets a real container. The host stays hardened. Recovery gets a built-in time machine.
What changes
The most important part is not flashy, but it changes how comfortable the whole system feels.
Containers are not exposed directly to the internet. They sit behind LXD's private bridge and NAT, which means:
0.0.0.0 inside the container is still not automatically public
That is why Terrarium works so well for non-experts. You can run a lot inside a container without accidentally publishing all of it.
Management without memorizing everything
Terrarium is friendly to terminal users, but it is also practical for people who do not want to manage a whole host from raw commands alone.
If you want the visual tour, start with Management GUIs.
What Terrarium installs