and here I thought it was because I’ve blocked close to 300 users.


I2P is a secure network protocol. to your ISP it’s just an encrypted stream.
it can work across any network connection. Bluetooth, LoRa, ARRL, etc.
the way I interpreted your comment presented the possibility that the ISP would cut services based on the content being hosted, not as a wide area communications disruption.


your shit's gay and you sound retarded
you’re that guy. congrats!
makes sense but wasn’t that already fixed with Docker’s rootless patches?
question, why would you leave docker for podman?


PostgreSQL
fuckin gross!


OP ignore anyone saying wireguard is better than openvpn, it’s not. they are two solutions used to solve for multiple problems.
openvpn is highly configurable and is more widely supported across almost all platforms but the learning curve is medium to difficult.
wireguard is easier to setup for first timers and has stronger encryption but lacks multiplatform support and has a shorter track record ensuring security and viability.
some say wireguard is “faster”, but I haven’t seen any real world instances of this being true unless you get close to the theoretical full saturation of a 1g interface. unless you’re dealing with HA or high throughput apps in a commercial setting I doubt you will run into that issue.
personally I prefer openvpn because I use it across multiple platforms and have peace of mind knowing it’s a tried and tested solution with decades of public and private support.


I mount them directly from the NAS inside docker volumes.
if there are any configuration/local data files that need to be persistent, those are usually kept in ~/project/{container}. the compose file is kept at the root project directory.
home user is a daemon user created specifically for running docker containers that does not have root privileges.


pihole has got the best UX for DNS management hands down. it’s easy, not overly complicated, and perfect for entry-level selfhosting.
the fact that it actively blocks ads is a bonus.


I do not recommend using a seven-year-old as a server for the following reasons.
overall, not worth it mate. good luck though!


this is what I’m talking about when it comes to the selfhosted communities.
if you don’t know how to properly segment and vlan your network, you have no business exposing your shit to the internet.
I wouldn’t go onto a teen community and spout off how to make explosives even though they’re relatively safe to a trained individual.
same reason behind not allowing a hobbyist and amateur community to think that iptables and firewalld are the best/only solution.
it’s dangerous and someone will get hurt eventually.
this is selfhosted. a community that’s predominantly amateur or hobbyist.
it’s far easier, and safer to have all your network config done in the network. from system migrations to securing/hardening. it’s far more efficient and effective to have a single source of truth that manages network routing and firewall rules. hell, you can even have a redundant or load balanced firewall configuration if you’re afraid of a single point of failure.
point is, firewalld and iptables are for amateur hour and hobbyists.
if you want to complain that “docker doesn’t respect system firewalls” then at least have the chutzpah enough to do it the right way from the beginning.
> What if you rent a bare metal server in a data center?
any msp will work with your security requirements for a cost. if you can’t afford it, then you shouldn’t be using a msp.
> Or rent a VPS from a basic provider that expects you to do your own firewalling?
find a better msp. if a vendor you’re paying tells you to fuck off with your requirements for a secure system, they are telling you that you don’t matter to them and their only goal is to take your money.
> Or run your home lab docker host on the same vlan as other less trusted hosts?
don’t? IDK what to tell you if you understand what a vlan is and still refuse to set one up properly to segment your network securely.
> It would be nice if there was a reliable way to run a firewall on the same host that’s running docker.
don’t confuse reliable with convenient. iptables and firewalld are not reliable, but they are certainly convenient.
> You may say these are obscure use cases and that they are Wrong and Bad. Maybe you’re right, but personally I think it’s an unfortunate gap in expected functionality, if for no other reason than defense-in-depth.
poor network architecture is no excuse. do it the proper way or you’re going to get your shit exposed one day.
this is the second time I’ve seen a post like this.
docker has always been like this. if it’s news to you then you must be new to docker.
if you’re using the built-in firewall to secure your system on your wan, you’re doing it wrong. get a physical firewall. if you’re doing it to secure your lan then you just need to put in some proper routes and let your hardware firewall sort it out with some vlans.
don’t rely on firewalld or iptables for anything.
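Added example, not part of the original thread: a small Python audit of Docker Compose short-syntax port mappings that flags anything published on all interfaces, which is the exposure the two comments above are about, since Docker inserts its own iptables rules for published ports ahead of host INPUT rules. The sample services and mappings are constructed, not taken from any real compose file.

```python
"""Flag compose port mappings that publish a service on every host interface.

Docker manages its own iptables chains for published ports, so firewalld or
hand-written INPUT rules do not gate them. A mapping without an explicit host
IP binds to 0.0.0.0; a bare container port still publishes on an ephemeral
host port, also on 0.0.0.0.
"""
import re
from dataclasses import dataclass

# Compose short syntax: [HOST_IP:][HOST_PORT[-HOST_PORT]:]CONTAINER_PORT[-CONTAINER_PORT][/PROTO]
_PORT_RE = re.compile(
    r"^(?:(?P<ip>\[[^\]]+\]|\d{1,3}(?:\.\d{1,3}){3}):)?"
    r"(?:(?P<host>\d+(?:-\d+)?):)?"
    r"(?P<container>\d+(?:-\d+)?)"
    r"(?:/(?P<proto>tcp|udp|sctp))?$"
)
LOOPBACK = {"127.0.0.1", "[::1]"}

@dataclass
class Finding:
    service: str
    mapping: str
    host_ip: str
    exposed: bool

def parse_mapping(mapping: str):
    """Return (host_ip, host_port or None for ephemeral, container_port, proto)."""
    m = _PORT_RE.match(mapping.strip())
    if not m:
        raise ValueError(f"unrecognised port mapping: {mapping!r}")
    host_ip = m.group("ip") or "0.0.0.0"  # no IP given: Docker binds all interfaces
    return host_ip, m.group("host"), m.group("container"), m.group("proto") or "tcp"

def audit(services):
    """services: {name: [port mapping strings]} -> list of Findings."""
    findings = []
    for name, ports in services.items():
        for p in ports:
            host_ip, _, _, _ = parse_mapping(str(p))
            # Only a loopback bind keeps the port off the LAN/WAN interfaces.
            findings.append(Finding(name, str(p), host_ip, host_ip not in LOOPBACK))
    return findings

# Constructed sample services (hypothetical, not a real deployment).
SAMPLE = {
    "pihole": ["53:53/tcp", "53:53/udp", "127.0.0.1:8080:80"],
    "db": ["5432"],                 # ephemeral host port, still 0.0.0.0
    "app": ["0.0.0.0:3000:3000"],
}

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(("EXPOSED " if f.exposed else "ok      ") + f"{f.service}: {f.mapping} (host ip {f.host_ip})")
```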