What if you need to manage your assistant from another machine? Whatever you do, never change the bind address to 0.0.0.0. That makes the Gateway listen on every network interface, which exposes it to your entire network.
Instead, use one of these two approaches:
1. Tailscale Serve. Creates a private WireGuard mesh between your devices. Run tailscale serve --bg 18789 to expose the Gateway only to your Tailnet.
2. SSH tunnel. Run ssh -L 18789:127.0.0.1:18789 user@your-server from your remote machine. This forwards port 18789 through the encrypted SSH connection. The Gateway still binds to loopback on the server.
Both options keep your Gateway off the public internet. Pick whichever you're more comfortable with.
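To confirm the Gateway really is loopback-only on the server, you can audit the listeners on port 18789. The script below is an added example, not part of the original guide or the Gateway's own tooling; it assumes a Linux host with iproute2's ss, and the function names and sample lines are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit which addresses the
# Gateway port is bound to, using the output of `ss -Htln` (Linux, iproute2).
PORT=18789   # Gateway port used on this page

# Read `ss -Htln` lines on stdin; print every non-loopback local address
# that has a listener on port $1. No output means loopback-only (or no listener).
exposed_listeners() {
    awk -v port="$1" '
    {
        local_addr = $4                            # column 4 = Local Address:Port
        if (!match(local_addr, /:[0-9]+$/)) next
        addr = substr(local_addr, 1, RSTART - 1)   # split at the LAST colon (IPv6-safe)
        if (substr(local_addr, RSTART + 1) != port) next
        sub(/%.*$/, "", addr)                      # drop interface scope, e.g. %lo
        gsub(/^\[|\]$/, "", addr)                  # drop IPv6 brackets
        if (addr ~ /^127\./ || addr == "::1") next
        print addr                                 # 0.0.0.0, *, ::, or a LAN/public IP
    }'
}

# Exit 0 if the port is loopback-only, 1 if any non-loopback listener exists.
check_gateway_bind() {
    exposed=$(exposed_listeners "$PORT")
    if [ -n "$exposed" ]; then
        echo "EXPOSED: port $PORT is listening on: $(printf '%s' "$exposed" | tr '\n' ' ')"
        return 1
    fi
    echo "OK: no non-loopback listener on port $PORT"
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_SAFE='LISTEN 0 511 127.0.0.1:18789 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 [::1]:18789 [::]:*'
SAMPLE_EXPOSED='LISTEN 0 511 0.0.0.0:18789 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

printf '%s\n' "$SAMPLE_SAFE"    | check_gateway_bind || true
printf '%s\n' "$SAMPLE_EXPOSED" | check_gateway_bind || true
# On a real server: ss -Htln | check_gateway_bind
```

The non-zero exit status on an exposed listener makes the check usable from cron or a deployment script.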