Deebster

New account since lemmyrs.org went down, other @Deebsters are available.

  • 56 Posts
  • 978 Comments
Joined 1 year ago
Cake day: October 16th, 2023

  • Deebster to Podman: Podman is so much better than Docker · 1 point · 16 days ago

    autoupdate is something I wouldn’t use

    Yup, I expect lots of people feel like that, maybe most (I’d be interested to see some stats). I value security over availability, but you can choose per-container, of course.

    network

    You can set Internal=true, which I use whenever possible, which means access is only to anything on the same network (for me that’s itself and Caddy) - no outgoing connections at all. Podman uses PASTA by default for rootless.

  • Deebster to Podman: Podman is so much better than Docker · 2 points · edited · 17 days ago

    I use Caddy (with the Cloudflare module to handle the ACME stuff) as just another container. My setup is more classic internet server stuff - it’s a VPS and all the services are internet-facing, so the DNS is via standard DNS records. Every service is on its own subdomain.

    My Caddy config is pretty minimal:

    $ cat caddy/Caddyfile
    {
            # Global configuration
            acme_dns cloudflare myapikey
            email mycloudflareaccount
            debug
            servers {
                    metrics
            }
    }
    
    manga.example.com {
            reverse_proxy kavita:5000
    }
    
    ...more containers
    
    # healthcheck target
    :8080 {
            respond 200
    }
    
    $ cat .config/containers/systemd/caddy.container
    [Unit]
    Description=Caddy reverse proxy
    After=local-fs.target
    
    [Container]
    ContainerName=caddy
    Image=caddycustom
    Network=kavita.network
    ...more networks
    PublishPort=1080:80
    PublishPort=1443:443
    PublishPort=1443:443/udp
    PublishPort=2019:2019
    Volume=${HOME}/caddy/Caddyfile:/etc/caddy/Caddyfile:Z
    Volume=${HOME}/caddy/data:/data:Z
    Volume=${HOME}/caddy/config:/config:Z
    Volume=${HOME}/caddy/httpdocs:/var/www/httpdocs:Z
    HealthCmd=wget -q -t1 --spider --proxy off localhost:8080 || exit 1
    
    [Service]
    Restart=always
    ExecReload=podman exec caddy /usr/bin/caddy reload -c /etc/caddy/Caddyfile
    
    [Install]
    WantedBy=multi-user.target default.target
    

    I have a dedicated podman user (fairly restricted, no sudo, etc) that just hosts podman (i.e. the service containers and Caddy). As it’s all rootless, I use firewalld to make caddy show up on ports <1024: firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080. I prefer the tiny performance hit to mucking around with the privileged ports but for completeness you can do that with sysctl -w net.ipv4.ip_unprivileged_port_start=80.

    I don’t specify subnets at all; I specify podman networks (one per service) and let podman handle the details.


  • I HATE those sites where popups come up when you are halfway reading something.

    Agreed, if I did want to sign up it would be when I’ve finished, not when I’m trying to read your own bloody content. I often sign up using their own domain with something like sales@ or something ruder. Petty, but it’s a small vent, and if one person stops because of it I can die happy.


  • Deebster to Podman: Podman is so much better than Docker · 7 points · edited · 18 days ago

    I love quadlets, here’s an example:

    $ cat .config/containers/systemd/kavita.container
    [Unit]
    Description=Kavita manga server
    After=mnt-files.mount
    
    [Container]
    ContainerName=kavita
    Image=docker.io/jvmilazz0/kavita:latest
    AutoUpdate=registry
    Network=kavita.network
    PublishPort=5000:5000
    Environment=TZ=Etc/UTC
    Volume=/mnt/files/books/comics:/comics:ro
    Volume=/mnt/files/books/gnovels:/gnovels:ro
    Volume=/mnt/files/books/manga:/manga:ro
    Volume=${HOME}/kavita:/kavita/config:Z
    HealthCmd=curl -fsS http://localhost:5000/api/health || exit 1
    
    [Service]
    Restart=always
    
    [Install]
    WantedBy=default.target
    
    $ cat .config/containers/systemd/kavita.network
    [Network]
    NetworkName=kavita
    # library add uses Kavita site (unit files do not allow trailing comments, so the note lives on its own line)
    Options=isolate=true
    

    If you’ve dealt with systemd service files this will look familiar, with the addition of the container section.

    AutoUpdate=registry gives you automatic updates to ‘latest’ (or whatever tag you’ve set) and there are rollbacks too, so you just have to worry about the less-critical bugs in newer versions. Personally, I feel more secure with this setup, as this box is a VPS.

    Network=kavita.network - I put all my containers in different networks (with minimal privs, so many don’t have outgoing internet access), and my reverse proxy is also in all of those networks so it can do its thing.
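An added check, not code from the thread: a POSIX sh audit that reads a directory of quadlet files and reports, per container, whether each joined network is isolated (Internal=true as mentioned in the earlier comment, or the isolate=true option) and whether a HealthCmd is set. The directory layout and the sample quadlets in demo() are constructed for illustration.

```shell
#!/bin/sh
# Audit Podman quadlets: which networks does each container join, are those
# networks isolated from the outside, and does the container have a healthcheck?
set -eu

# First value of KEY in a systemd-style unit file. Trailing comments are not
# stripped because unit files do not support them (the comment becomes part of
# the value), which is exactly what we want to surface.
unit_get() { # file key
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n1
}

# A .network file is isolated if it sets Internal=true or Options=isolate=true.
network_is_isolated() { # network-file
    [ "$(unit_get "$1" Internal)" = "true" ] && return 0
    case "$(unit_get "$1" Options)" in *isolate=true*) return 0 ;; esac
    return 1
}

# One line per container/network pair:
#   <ContainerName> <network file> isolated|OPEN healthcheck|NO-HEALTHCHECK
audit_quadlets() { # quadlet-dir
    dir=$1
    for c in "$dir"/*.container; do
        name=$(unit_get "$c" ContainerName)
        if [ -n "$(unit_get "$c" HealthCmd)" ]; then h=healthcheck; else h=NO-HEALTHCHECK; fi
        for net in $(sed -n 's/^[[:space:]]*Network=//p' "$c"); do
            if [ -f "$dir/$net" ] && network_is_isolated "$dir/$net"; then
                iso=isolated
            else
                iso=OPEN    # no .network file found, or it allows outbound traffic
            fi
            printf '%s %s %s %s\n' "$name" "$net" "$iso" "$h"
        done
    done
}

# Constructed sample: an isolated kavita network, an open web network, a kavita
# container with a healthcheck, and a caddy container joining both networks.
demo() {
    d=$(mktemp -d)
    printf '[Network]\nNetworkName=kavita\nInternal=true\n' > "$d/kavita.network"
    printf '[Network]\nNetworkName=web\n' > "$d/web.network"
    printf '[Container]\nContainerName=kavita\nNetwork=kavita.network\nHealthCmd=curl -fsS http://localhost:5000/api/health || exit 1\n' > "$d/kavita.container"
    printf '[Container]\nContainerName=caddy\nNetwork=kavita.network\nNetwork=web.network\n' > "$d/caddy.container"
    audit_quadlets "$d"
    rm -rf "$d"
}
```

Point it at ~/.config/containers/systemd to audit a real rootless setup; any line ending in OPEN is a container that can reach the internet through that network.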