-
Point the hostname of your service to the IP of the proxy in the DNS.
-
For the certs you need an internal CA. I use Step CA which has ACME support so the proxy can get certificates easily.
-
Add the root CA certificate to your computer certificate trust store.
-
Profit!!
- 0 Posts
- 22 Comments
Joined 1 year ago
Cake day: September 18th, 2024
You are not logged in. If you use a Fediverse account that is able to follow users, you can follow this user.
78·1 month agoTry to avoid installing extensions, they have too much privilege in the browser.
1·3 months agoI see, thank you.
I use Bitnami SealedSecrets. Does anyone know if that’s going down the shitter too?
I have had Jellyfin directly open to the Internet with a reverse proxy for years. No problems.
11·5 months agoIncorrect. Not run as root, but launched by root in a system service (runs as the pipewire user).
For my simple use case (storing Velero backups), it works perfectly and with a resource footprint ridiculously low (~ 3 MiB memory when idle). In comparison MinIO used 100 times more memory.
Don’t forget the Silverbullet users.
Oh, I didn’t realize this was for plain containers, sorry.
For that I use Ansible to deploy the containers in my server. The secrets are stored encrypted in my local machine with passwordstore and I use the passwordstore lookup plugin to load them in the playbooks/templates.
The Ansible playbooks I use to deploy it are the documentation.
In my homelab I use Bitnami’s sealed secrets to commit the encrypted secrets to git and deploy with ArgoCD.
Which user do you use to run the podman command? Confirm with
whoamiNote that the sysctl
net.ipv4.ip_unprivileged_port_startcan be used to allow non-root users to bind to ports <1024, this might be configured in MicroOS, I don’t know.
I run some containers based on Fedora, mainly because I know the userspace and I don’t care about the size.
We don’t know how big is the universe beyond the observable universe.
I use fail2ban to ban IPs that fall to login and also IPs that perform common scans in the reverse proxy
On the other hand I value Authelia single configuration file which I can version control in git. Authentik is a click-ops burden.
2·8 months agoI’ve tried the official WireGuard app and WG Tunnel, enabling unrestricted battery use, always on VPN, allowing notifications, etc. But since I upgraded to LineageOS 22.1, the app is always killed overnight.
It kills my VPN app every night.
Can’t wait!