I got super lucky, someone created a restart policy for Podman just a week ago. It works without changing anything to my docker-compose.yml files, as long as the file states restart: always. Following Alpine’s Wiki to install and setup Podman followed by the instructions on this Github Repository and everything works quite well on Alpine Linux.

I’ll have to play around with Podman some more and give it time to see how it holds up, but so far it seems promising.

I’ve spent a few hours with Podman and I was able to get my reverse proxy and a couple smaller services running which is quite nice. I’m using Alpine Linux so there were some extra steps I had to follow but their wiki handles that pretty good. The only issue I need to figure out is how to auto start my services on a system restart since Podman seems to focus on Systemd development. This seems like a good start but I think I need to figure out how pods and containers work in Podman first.

I’ve only started learning this stuff not too long ago but I’m surprised how relaxed Docker is with port management. I was under the impression that docker is more secure because it’s containerized. Even more surprising was how little documentation there is for how to secure Docker ports.

A couple weeks ago I stumbled on to the fact that Docker pretty much ignores your firewall and manipulates iptables in the background. The way it sets itself up means the firewall has no idea the changes are made and won’t show up when you look at all the firewall policies. You can check iptables itself to see what docker is doing but iptables isn’t easy or simple to work with.

I noticed your list included firewalld but I have some concerns about that. The first is that the firewall backend has changed from iptables to nftables as the default. That means the guide you linked is missing a step to change backends. Also, when changing back ends by editing /etc/firewalld/firewalld.conf there will be a message saying iptables is deprecated and will be removed in the future:

# FirewallBackend
# Selects the firewall backend implementation.
# Choices are:
#	- nftables (default)
#	- iptables (iptables, ip6tables, ebtables and ipset)
# Note: The iptables backend is deprecated. It will be removed in a future
# release.
FirewallBackend=nftables

If following that guide works for other people, it may be okay for now. Although I think finding alternative firewalls for the future may be a thing to strongly consider.

I did stumble across some ways to help deal with opened docker ports. I currently have 3 docker services that all sit behind a docker reverse proxy. In this case I’m using Caddy as a reverse proxy. First thing to do is create a docker network, for example I created one called “reverse_proxy” with the command:

docker network create reverse_proxy

After that I add the following lines to each docker-compose.yml file for all three services plus Caddy.

services:
    networks:
      - reverse_proxy

networks:
  reverse_proxy:
    external: true

This will allow the three services plus Caddy to communicate together. Running the following command brings up all your currently running. The Name of the container will be used in the Caddyfile to set up the reverse proxy.

docker container ls --format "table {{.ID}}\t{{.Names}}\t{{.Ports}}" -a

Then you can add the following to the Caddyfile. Replace any capitalized parts with your own domain name and docker container name. Change #### to the Internal port number for your docker container. If your ports in your docker-compose.yml look like “5000:8000” 5000: is the external port, :8000 is the internal port.

SUBDOMAIN.DOMAINNAME.COM:80 {
        reverse_proxy DOCKER_CONTAINER_NAME:####
}

After starting the Caddy docker container, things should be working as normal, however the three services behind the reverse proxy are still accessible outside the reverse proxy by accessing their ports directly, for example Subdomain.domainname.com:5000 in your browser.

You can add 127.0.0.1: to the service’s external port in docker-compose.yml to force those service containers ports to only be accessible through the localhost machine.

Before:

    ports:
      - 5000:8000

After:

    ports:
      - 127.0.0.1:5000:8000

After restarting the service, the only port that should be accessible from all your services should only be Caddy’s port. You can check what ports are open with the command

netstat -tunpl

Below I’ll leave a working example for Caddy and Kiwix (offline wikipedia)

Caddy: docker-compose.yml

services:
  caddy:
    container_name: caddy
    image: caddy:latest
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    networks:
      - reverse_proxy
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config

volumes:
  caddy_data:
  caddy_config:

networks:
  reverse_proxy:
    external: true

Caddy: Caddyfile

wiki.Domainname.com:80 {
        reverse_proxy kiwix:8080
}

Kiwix: docker-compose.yml (if you plan to use this setup, you MUST download a .zim file and place it in the /data/ folder. In this case /srv/kiwix/data) Kiwix Library .zim Files

services:
  kiwix:
    image: ghcr.io/kiwix/kiwix-serve
    container_name: kiwix
    ports:
      - 127.0.0.1:8080:8080
    volumes:
      - /srv/kiwix/data:/data
    command: "*.zim"
    restart: unless-stopped
    networks:
      - reverse_proxy

networks:
  reverse_proxy:
    external: true

What I’m interested in from a firewall is something that offers some sort of rate limiting feature. I would like to set it up as a simple last line of defense against DDOS situations. Even with my current setup with Docker and Caddy, I still have no control over the Caddy exposed port so anything done by the firewall will still be completely ignored still.

I may try out podman and see if I can get UFW or Awall to work as I would like it to. Hopefully that’s not to deep or a rabbit hole.

When it finally came to the firewall, after realizing I was working with docker containers and my brain said “no more rabbit holes, friend.” Thanks for the information.

Also gufw is just a simple graphical user window that that’s built on top of ufw. I was using VNC when I began learning all this and planned on using gfuw. By the time I finished the guide, I had become comfortable handling everything from the terminal alone. It’s was just kinda there in the guide at that point.

That’s good to know about docker. I ran into issues modifying docker-compose.yml files while a container was up so I just made it a habit to shut containers down before making changes. I can see using pull while a container is up being more important for places concerned about unnecessary downtime though.

I’ll be using whitelists to manage federation in order to keep things small. Also I am only interested in allowing people in my local community to join since that’s the goal I am working towards.

I am also interested in seeing how it does hold up in the future but it’s not a permanent solution. It’s why I went through the process of learning RSync so I can hopefully have a simpler data migration process and setup whenever that time comes.

I wanted to share the process for everyone since a lot of what’s in the guide could be useful for anyone with more appropriate server solutions, especially regarding Cloudflare’s services.

The Pi itself was convenient for learning since wiping everything to start over is simple and quick.

I haven’t had a chance to really test how Lemmy and PieFed work long term on the Pi 5 yet. So far it’s been quick and responsive and I’m still using wifi instead of a direct ethernet connection to the main modem. Ethernet is for the future. I still have more work to finish on the Pi 5.

The Pi 5 is also running Kiwix, Dufs for file sharing and a static page. All run through their own docker containers. With only me using it, everything seems to run just quite smoothly.

My goals with the Pi 5 aren’t long term. I’m using it more as a working example until I can get better equipment for hosting but that involves other plans for a local project I want to put my energy into now.

You’ll definitely want to use a reliable type of USB media storage with good read and write speeds. An SD card won’t do well considering these webapps are database heavy and will be constantly writing stuff.

Lemmy easy deploy seems interesting, if you can get caddy in that script to handle TLS encryption certificates, It should do nicely. I struggled with Let’s Encrypt and went a different route for now.

I had a nice weekend which was needed. Met up with a friend to go to a techno party. One guy who came and danced with us for a while called us cute. I’m guessing he saw us having a good time enjoying the music and talking to people and it seemed like he enjoyed our vibes. It was a super nice compliment for both of us though.

After the party my friend and I went back to her friend’s apartment to chill until the morning when I could catch a train back home. We talked and shared music while she sketched away. It was so chill and a nice way to unwind.

When she dropped me off at the station, she gave me a hug that felt a little extra, like there was a little appreciation behind it. I think she was happy to have someone who was able talk and laugh about some small mistakes which she was able to learn from throughout the night.

I treat her like a person just as I would with anyone else. It makes me feel good to have that affect on people. It also makes me a little sad that this type of treatment towards other people seems to be rare… It really takes far less energy to be accepting than it does to wake up angry and bitter at innocent people.

Other than that, I’m really growing tired and frustrated with technology dependence we are being cornered into using. Technology is a constant source of frustration and yet it feels like the majority have normalized the use of technology and headaches it comes with. It feels absurd and it’s exhausting.

I’m trying hard to enjoy the moments and people that bring me happiness but there are times where my mind wanders towards the future. It gets so hard to breath in those moments…

When I get the motivation again I will give this a try. A while ago I was wondering if a tool like this existed so it’s nice to see it pop up now. Thank you for this.

For verification I used the built in certificate manager in Nginx Proxy Manager. I generate an API key from Cloudflare for a DNS zone:zone:edit key with the domain I am using. Then I chose DNS verification in Proxy Manager and put the API key in the edit box. This has been successful every time.

Do you use Cloudflare Tunnel or are you using Cloudflare as a Dynamic DNS? I’ve had issues with certbot but I think I just wasn’t using it properly, what process did you use for DNS verification?

I’ll give your suggestions a try when I get the motivation to try again. Sort of burnt myself out at the moment and would like to continue with other stuff.

I am actually using the Cloudflare Tunnel with SSL enabled which is how I was able to achieve that in the first place.

For the curious here are the steps I took to get that to work:

This is on a Raspberry Pi 5 (arm64, Raspberry Pi OS/Debian 12)

# Cloudflared -> Install & Create Tunnel & Run Tunnel
                 -> https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel/
                    -> Select option -> Linux
                    -> Step 4: Change -> credentials-file: /root/.cloudflared/<Tunnel-UUID>.json -> credentials-file: /home/USERNAME/.cloudflared/<Tunnel-UUID>.json
              -> Run as a service
                 -> Open new terminal
                 -> sudo cp ~/.cloudflared/config.yml /etc/cloudflared/config.yml
                 -> https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/as-a-service/
              -> Configuration (Optional) -> https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/configuration-file/
                 -> sudo systemctl restart cloudflared
              -> Enable SSL connections on Cloudflare site
                 -> Main Page -> Websites -> DOMAINNAME.COM -> SSL/TLS -> Configure -> Full -> Save
                    -> SSL/TLS -> Edge Certificates -> Always Use HTTPS: On -> Opportunistic Encryption: On -> Automatic HTTPS Rewrites: On -> Universal SSL: Enabled

Cloudflared complains about ~/.cloudflared/config.yml and /etc/cloudflared/config.yml not matching. I just edit ~/.cloudflared/config.yml and run sudo cp ~/.cloudflared/config.yml /etc/cloudflared/config.yml again followed by sudo systemctl restart cloudflared whenever I make any changes.

The configuration step is just there as reference for myself, it’s not necessary for a simple setup.

The tunnel is nice and convenient. It does the job well. I just have a strong personal preference to not depend on large organizations. I’ve installed Timeshift as a backup management for myself so I can easily revisit this topic later when my brain is ready.

Nginx Proxy Manager has been handling certs for me, I’m not sure how it handles certs since it’s packaged in a docker container. I can only assume it does something similar to Caddy which also automatically handles certificate registration and renewals. So probably certbot.

All I know is that NPM has an option for DNS challenges which is how I got my certs in the first place.

That’s what I thought. NPM is handling the certs just fine.

Could it be that I’m setting up the reverse proxy wrong? Whenever I enable SSL on that reverse proxy, the connection just hangs and drops after a minute. I’m not understanding why it’s doing that.

My ISP blocks incoming data on ports 80 and 443. I also require a Dynanic DNS to handle my changing IP address. The only way I found to obtain a Let’s Encrypt certificate is through a DNS challenge in this situation.

I can definitely run without Cloudflare but I won’t have SSL which will affect federation.

For the moment I’m not saying much specific about it. There’s no real big reason, it’s just sort of how I like to do things. My parents always joked that I’d come back married one day and not even mention it.

I can try to message you when I’m satisfied with the progress of it. Otherwise I’ll be around these posts in the future. After learning this much about networking, I’ll feel pretty relieved. I’ll be ready for the bigger and more important steps that come next.

I’ve been unimpressed with the Christmas holidays since leaving my first job as a grocery store worker as a highschool student. My family has finally stopped buying me presents except for my mom who insists on buying me some sort of useless novelty item that’s functionally impractical. Last year it was a bulky multi-tool pen that was too heavy to write with… Capitalism really sucks the humanity out of everything, especially the holidays.

Not too excited about the family dinner together. My parents and sister will spend the day talking constantly at and over each other while I’ll be mostly mute, answering yes/no questions occasionally. I just don’t have the energy anymore to correct all thier wildly incorrect assumptions and unnecessary views they have about me based on the useless labels they’ve applied to me.

The brain has been highly uncooperative over the past weeks but over the last week I’ve made a lot of progress on a local community project I’m working on. I have most of the groundwork prepared. I’ve also got a good starting point and mostly clear direction for it as well.

I’m in the process of learning how to self host a lemmy instance. I’m hating every moment of it but I’m making progress. It’ll be worth it in the end. After I set up a proper community page I’ll be ready to start promoting the idea locally.

I’m still considering creating a related community on another instance. I’m trying to craft this project in a way that is easily accessible and adaptable to the needs of any local community.

At the speed I’m going, and with all the holidays here, I’m hoping to be ready within the first couple weeks of January.

The modem/router also handles port forwarding which has been pretty common on all the modem/routers I’ve used in the past. Didn’t even register that as a concern haha.

That’s good to know the Pi can handle DynDNS as well. Would be nice to keep all that information contained to one device, simply for my sanity.

I checked the router settings and there seems to be a setting specifically for Dynamic DNS Client. There’s three options included with DynDNS, NoIP and DtDNS. NoIP says it’s free so I will probably use that service.

I’m going to assume having that setting there is a good sign for me and what I want to do. Possibly reduce some potential headaches.

I’ll consider PieFed in the future as well. It does have some features and ideas overall that seem appealing to me. One thing at a time though.

I do intend to buy appropriate storage when the time comes. It’s convenient to backup and restore an sd card image while I figure things out as I’m just starting out.

Would the public IP in this situation just be my home IP address? I’m assuming that the TLD provider would have an account settings page to set the IP reference?

Is there any recommendations for any additional security for a lemmy instance, or is it even necessary for a small scaled, social media site?

The year is 2024, we stuffed a group of people into reservations and federally announced that we don’t need to provide clean drinking water to the people forced into those reservations. You mentioned that yourself.

Just because there’s no bullets flying does not mean these people aren’t suffering. Physically, mentally, it’s pain for them. I stand by my statement.

The yikes should be pointed at those to enable these horrifying actions. The yikes should be pointed at those who refuse to acknowledge these horrifying actions.

Proven? Provide proof.

You seem to know what these people need. What are you willing to do for them? Would you rather fight and die for the Country of Canada or for the people whose land has been stolen?

It sucks being forced to pick a side. I hate it. I don’t want it. I want to live in peace but bad people keep doing bad things. My life is threatened when any other group of people are targeted. Sitting on the sidelines pointing fingers at everyone just lets the bad people gather more strength. A person’s inaction is someone else’s death.

To be transparent on my part, I have not done anything to help beyond learning and listening. I am however working on a project currently that aims to bridge the knowledge gap, even just a little bit.

It’s easy to say things, a lot harder to do them.

If it came down to it, I’d die fighting for indigenous people. Invading forces means nothing. If Russia or China took over Canada, that just means even more genocide so what’s the difference if Canada is already commiting genocide.