Thanks to both of you, my same thoughts, but I also wanted to hear an outside perspective as I am not so well versed in IPv6. But it sounds reassuring. Shall I also consider exposing some HTTP/S services for media over IPv6 is also relatively safe, as long as I have MFA etc?
- 7 Posts
- 111 Comments
Joined 2 years ago
Cake day: July 2nd, 2023
You are not logged in. If you use a Fediverse account that is able to follow users, you can follow this user.
1·2 months agoThe problem is that I have a couple of services listening on different ports and I want to use the reverse proxy to listen to incoming requests and route the traffic to the corresponding ports. I also want to issue SSL certificates and serve the traffic over TCP port 443.
Yes, I know that, but I just don’t want to remember the port numbers or create some bookmarks.
I think I can create a CNAME record for *.media to point to the Tailscale address of the reverse proxy and then use the reverse proxy with Cloudflare API key to serve SSL certificates from my domain.
I am currently struggling a bit with the setup though.
I have a registered domain name already, but I am behind CGNAT and I don’t really have a public IP.
I want to allow access to my services remotely only through Tailscale.
I will definitely do that, I just want to finish the whole setup.
I am playing around with Podman Quadlet and that’s one hell of a rabbit hole. I have everything up and running, and now I need to configure the containers, and probably will deal with other pain points, etc.
The good thing is that I have documented the whole process so it is reproducible but it took me quite some time to figure out everything.
Because it is beginner friendly and it has a lifetime license I guess and it is not yet enshittified.
Nice, thanks for sharing. How did you solve the file permission issue?
Also I see you put all your services as a single pod quadlet what I am trying to achieve is to have every service as a separate systemd unit file, that I can control separately. In this case you also have a complication with the network setup.
You can actually set your user to linger with
sudo loginctl enable-linger $USERI will test your setup and report back if it works.
By the way what was the reason to switch back to Docker Compose?
There are no logs in journalctl, just when I check the status of the systemd services I see that the container service has crashed and after 5-6 restarts it gave up.
I was thinking of installing the latest podman 5.7.0 and try with it, as there are quite a few updates between that one and 5.4.2 that comes as standard on Rocky.
I can try to upload my container services and network tomorrow and share the link here.
Absolutely plus I love the idea of having them as separate services. I just don’t know how to configure them apparently.
Did you create a separate systemd network for your Quadlets or are you using a bridge or host network?
I don’t know, I tried even with uptime-kuma and Homepage but as soon as I start the service it kills it after 6 unsuccessful restarts. Maybe I will spin up a completely new VM tomorrow and start from scratch.
I think the problem might be with the data directory permissions, even though I have added the subuid and the subgid to my user and enabled the lingering on the user.
But I did so many things so there is a chance it is already quite messed up.
Obsidian with Syncthing running on both your Android and your server for syncing your notes.
I have a lifetime Plex pass, but recently I switched to Jellyfin because I got sick and tired of Plex’ shenanigans.
Here you need to decide if you want to run Plex/Jellyfin on the same server or not. And how important power consumption is for you.
You should also consider if you are planning to run only the NAS or some other VMs/containers on that machine. In that case you might consider 32 Gb of RAM to be more future proof.
The problem with unRAID is that you don’t really know when their product will be enshittificated. A very fresh example is Plex which was great for years and now is a bloated utter mess. They have changed their licensing policy and made the product legitimately worse for the end customers. And don’t want to be cynical but the chances are that unRAID will go that way too sooner or later.
Elasticsearch should work too
Do you have a GitHub repo? As I am building my system like this and was thinking of exactly using Podman and quadlets.
True, maybe the best way then is to expose them only within your Wireguard network.