I have a coworker that likes to pick fun at my usage of CLI tools. He said it’s confusing “why would I use a terminal when the GUI was made after?”. They vehemently hate anytime they have to work with CLI.

I watched them use an FTP program to download and change one value in a .conf file. Like they downloaded the file, opened it in notepad++, changed one thing, saved it, reuploaded / overretten the original. I tried to show them how to just use nano and got told their way was “better since you could ensure the file was replaced”. Its okay, I’ve secretly caught them using it a couple times lol

The rules still apply to the host, just not inside the container. Docker is just ignoring the rules. If you block all ports but then have port 81 open like you do in that section of docker compose, you would think that UFW would block docker but thats not the case. Going to http://yourip:81/ will show then NPM gui, even if you specifically use ufw to block 81. If you only expose port 80 and 443, you should be fine. Your NPM container would have to be compromised then they would have to break out of the container.

Also I think your issue is with your DNS. You should have an A record for the IP pointing to example.com and then a CNAME record pointing to sub.example.com

Docker completely ignores UFW rules. If you check your ip tables you’ll see docker rules are put in before UFW. For the 504 though, it sounds like traffic is not getting to NPM. Have you routed ports 80 and 443 to the docker container?

I use headscale on a VPS as an ingress point into my network and I love it. On top of headscale, I use two instances of traefik to make my network. I have one instance of traefik running on the vps which runs a couple of services that I want running 24/7(headscale-ui is nice). It pulls a subdomain certificate for TLS. So any services under say *.vps.example.com get routed to the VPS.

Then I have a wildcard TCP rule pointing the rest of the network traffic to my home server through headscale. My home server is running another instance of traefik where all my services are running. This pulls another wildcard cert for the rest of the *.example.com subdomains.

Cool thing about this setup is I can now have my DNS server rewrite *.example.com to my servers LAN IP. Now when my device is home, it works even when WAN is out. But when I’m out and about, it hits the public DNS and goes through my VPS. With traefik I can write a not !ClientIP rule and essentially block the VPS. Now I can host a service at home but also block it from being accessed from the public. But if I need access to the LAN remotely, I can just use a tailsacale client and get into headscale and see everything.

Its an odd network, but it’s super flexible and works very well for my use case. If you have any questions I’d love to help you set something like this up :D

The over lap of docker containers needs to happen from inside the perspective of the container. If you send Radarr to pull a movie from bittorrent, they both need to “be in the same spot”. If bittorrent thinks it’s saving a movie to /data/torrent then Radarr also needs to see the movie at /data/torrent.

That’s why so many guides use the /data/ label scheme. Its just easy to use and implement. Side note, for hard links to work, all the folders need to be on the same drive. Can’t hard link between different drives.

Ah sorry to hear that. Did you find something better that works for you? I’m open to suggestions :D

I followed along the nixos wiki for kubernetes and creating the “master” kublet is super easy when you set easyCerts = true. Problem is, it spits out files to /var/lib/kubernetes/secrets/ that is owned by root. Specifically, the cluster-admin.pem file. If I want to push commands to the cluster using kubectl I have to elevate to a root shell. I could just chmod or chown the file but that seems like a security risk.

Now I’m not familiar with k8s at all. This is my first go through, so I could be doing something wrong or missing a step. I saw something about the role based security but I haven’t jumped down that rabbit hole yet. Any tips for running kubectl without root?

I’m working on my first kubernetes cluster. I’m trying to set the systems up with NixOS. I can get a kublet and a control plane running. But I’m getting permission errors when trying to use kubectl rootless on the system running the control plane. I think I figured out which file i need to change, now I just want to record that change in my configuration.nix.

Well yeah let’s elaborate on that. Merriam-Webster defines elitism as

1. Leadership or ruled by an elite
2. The selectivity of the elite
3. Consciousness of being or belonging to an elite.

That comment was suggesting open source tools while you’re posting in an open source social media platform in a community that is geared towards open source software. Please explain how that comment fits the definition above. It’s not elitist to assume that you’ve heard of git if you’re posting here. Someone suggesting something to you is not elitist just because it doesn’t work for you.

I don’t think I’m better than you because I know git or nix, but I do know that in the right circumstances, knowing how to use git or nix is a very valuable tool. I would love to help you solve your problems with these tools if given the opportunity. When a member of the community finds a tool they love, they just want to help others and suggest what worked for them. You really think that’s elitist attitude?

You talked about linux devs not embracing change and then promptly shit on NixOS for not understanding it lol

That’s actually a couple versions behind. I’ve got an XCover 6 Pro for work and I absolutely love it. The notification light and customizable buttons are my favorite.

I’m going to suggest something a bit more out there. You can setup this whole thing with NixOS. I have a bunch of docker containers that run as a systemd service, declared with Nix and personally, I like it very much. It’s also got everything else you want but the atomic upgrades are top tier in NixOS.

For example if you want NoIP and Cockpit just add this bit to your configuration.nix

    environment.SystemPackages =[
        pkgs.noip
        pkgs.cockpit
    ];

Adding something like docker or podman is just as easy with a one line like

    virtualisation.docker.enable = true;

There is always a bit of a learning curve when doing anything with Nix but I find the buy in to be worth it. Here’s a blog post about converting docker compose files over to the Nix format. This really isnt necessary as you could just make the systemd service run a oneshot against a docker compose file but this blog has a lot of nice examples.

https://mrupnikm.github.io/en/posts/nix-docker-containers/

If you have any questions please let me know :D

Ohhh come on now, you’ve got too see the irony here. Don’t you get tired of repeatedly adding that license? No, of course not. You just like the attention, it’s okay lol I won’t tell anyone your secret ;)