@neil this is a good approach. In this case, these PCs will be used in a youth center, so access to them is managed by a remote FreeBSD server (connected via VPN) that handles logins, access time, and so on. The server sends commands (via SSH) to a MikroTik router/firewall/access point to open or close NAT rules, firewall rules, and similar as needed.

Users log in and, after authentication, an X session (with the MATE desktop) is launched via Docker, which they can use freely for the assigned time. At the end of the session, the container is destroyed and recreated.

This setup was originally based on virtual machines, but since 2019 it has been managed this way. I am now working on a new setup based on FreeBSD, using jails instead of containers. It works quite well, I just need to fine-tune a few things, but given the urgency here, I used the already prepared and well-tested setup on Debian 13.

I am preparing 8 PCs, and I have around a hundred deployed overall. From time to time I update the “desktop” Docker container and, via a private registry, the machines download the updated image on the next boot, making it available to users.

It has proven to be very reliable, requiring very little intervention over the years, aside from occasional hardware failures.