nixfiles/system/machine/RPi5
Emma Thorpe 1cb8371775 feat(rpi5): add Docker host with LAN-restricted network socket
Enable Docker and expose the daemon over TCP 2375 by extending the systemd
docker.socket ListenStream (avoids the daemon.json hosts vs unit -H fd://
conflict). The port is not added to allowedTCPPorts; instead an nftables
rule accepts it only from the trusted LAN subnet. Plain 2375 is
root-equivalent, so the source restriction is the only safeguard -- mTLS on
2376 is the documented upgrade path.
2026-06-16 13:25:31 +01:00