• 0 Posts
  • 11 Comments
Joined 1 year ago
cake
Cake day: June 21st, 2023

help-circle







  • what is the bare minimum of security measures you can do?

    I guess just the normal things with p2p stuff: make sure no ports are exposed except for the essentials, update software, use SSL wherever possible.

    When you don’t use VPN, people will see your actual IP adress and will launch the same kind of attacks, they also launch on servers [1] to try to hijack your system and add them to their bot net.

    [1] port scans, login-attemps, applying known exploits. If this doesn’t sound scary, you should try operating a server that is exposed on the internet and then look at the number of login attemps.



  • I recommend to use relevativ paths in the compose files. e.g.

      - '/home/${USER}/server/configs/heimdall:/config'
    

    becomes

      - './configs/heimdall:/config'
    

    you may want to add ":ro" to configs while you are at it.


    also I like to put my service in /srv/ instead of home.


    also I don't see anything about https/ssl. I recommend adding a section for letsencrypt.


    when services rely on each other, it's a good idea to put them into the same compose file. (on 2nd thought: I am not sure if you already do that? To me it is not clear, if you use 1 big compose file for everything or many small ones. I would prefer to have 1 big one)

    you can use "depends_on" to link services together.


    you should be consistent with conventions between configurations. And you should remove config-properties that serve no purpose.:

    • you don't need to specifiy "container_name", when it would be same name as the service
    • PUID=1000 and PGID=1000 shouldn't be needed, I think.
    • sometimes you add explicit ":latest" to the version, and sometimes you don't

    while you are at it, you may want to consider using an .env file where you could move everything that would differ between different deployment. e.g.

    • PUID
    • TZ
    • exposed ports, maybe

    consider using podman instead of docker. The configuration is pretty much identical to docker-syntax. The main difference is, that it doesn't require a deamon with root privileges.


    you may want to consider to pin version for the containers.

    pro version pinning:

    • no unexpected changes, when you restart the container (e.g. because you accidentally pulled)

    con version pinning:

    • when you DO want to make an update, you have to spent 2 minutes to go to docker hub to find out which version you want.