They work great for stateless services that you don't modify for your use case. I've had a wireguard server and client container, both based on linuxserver/wireguard, in a fairly weird setup within Nomad, running in production for over a year with no issues.
The trick was to isolate the weirdness in the wgconf files, the permissions of the containers, and their shared netns (a nomad group, in this case, with its netns configs tweaked by a startup script). The Dockerfile is simply FROM linuxserver/wireguard:latest.
(It's wrapped in a Dockerfile so its rebuilds are limited to when we rebuild our images (every commit), but AFAIU the linuxservers setup, it can also pull in wireguard updates at runtime.)
The trick was to isolate the weirdness in the wgconf files, the permissions of the containers, and their shared netns (a nomad group, in this case, with its netns configs tweaked by a startup script). The Dockerfile is simply FROM linuxserver/wireguard:latest.
(It's wrapped in a Dockerfile so its rebuilds are limited to when we rebuild our images (every commit), but AFAIU the linuxservers setup, it can also pull in wireguard updates at runtime.)