Traefik with Socket Activation via Podman Quadlets

Submitted ⁨⁨4⁩ ⁨days⁩ ago⁩ by ⁨starkzarn@infosec.pub⁩ to ⁨selfhosted@lemmy.world⁩

https://roguesecurity.dev/blog/headscale-quadlet

Shameless self-plug here. I wrote a blog post to document my methodology after having some issues with publicly available examples of using Podman and traefik in a best-practices config. Hopefully this finds the one other person that was in my shoes and helps them out. Super happy for feedback if others care to share.

source

Comments

Sort:hotnew top

starkzarn@infosec.pub ⁨3⁩ ⁨days⁩ ago
For anyone who reads this post and sees the mention of headscale – that was the overarching goal here but the blog post started getting long so I decided to chunk it up. As soon as I polish up the headscale writeup I’ve got drafted and get that posted, I’ll drop a link here just in case anyone is interested.

source
- cheeseburger@lemmy.ca ⁨3⁩ ⁨days⁩ ago
  Thanks, I’d be interested in your Headscale write up!
  
  source
  - starkzarn@infosec.pub ⁨3⁩ ⁨days⁩ ago
    Part 2: roguesecurity.dev/blog/headscale-quadlet-part2
    
    source
fishynoob@infosec.pub ⁨3⁩ ⁨days⁩ ago
Your blog is awesome. I have always wanted someone to break down RF homelabbing for me and I think as your blog progresses I will find such content.

I’m also looking for blogs/material on OS hardening (Linux/*nix), do you plan to write on that (and any recommendations)?

source
- starkzarn@infosec.pub ⁨3⁩ ⁨days⁩ ago
  What nice feedback to read. I think you and I are aligned in what this will hopefully become. I really just wanted to start publicly sharing my hobby notes instead of holing them up in a local Joplin file or something, so that’s what I’m going to do. We may have similar hobbies though, which sounds like it’ll benefit you. Haha.
  
  source
  - fishynoob@infosec.pub ⁨3⁩ ⁨days⁩ ago
    You got an RSS feed for me?
    
    source
    -> View More Comments
- starkzarn@infosec.pub ⁨3⁩ ⁨days⁩ ago
  Realized I didn’t answer the last question here on hardening. The answer is sure! I don’t have much planned for the blog, as I was just thinking I’d take “public notes” for my tinkerings as they came. I’ve done linux administration for a long time though so I’d be happy to put together a post on baselines and hardening
  
  source
  - fishynoob@infosec.pub ⁨3⁩ ⁨days⁩ ago
    Thanks man, that would be much appreciated
    
    source
Lem453@lemmy.ca ⁨3⁩ ⁨days⁩ ago
What’s the advantage of socket activation? Is it more secure than exposing a docker port?

source
- starkzarn@infosec.pub ⁨3⁩ ⁨days⁩ ago
  Great question. I tried to very briefly touch on it in the post. The bottom line is that its benefits are there mostly for rootless podman, which I’ve chosen not to implement here (yet). You can also configure it so that the socket is always active and that will then trigger the service associated with it, so that you save on resources when the service isn’t needed. However, I didn’t want to do that as it would likely increase page load time for readers.
  
  source
shadowtofu@discuss.tchncs.de ⁨3⁩ ⁨days⁩ ago
Very helpful. I was just looking at this the other day.

source
- starkzarn@infosec.pub ⁨3⁩ ⁨days⁩ ago
  Ah yes, those examples were helpful and definitely helped inspire this. Glad you found some value in the ramblings. Post 2 will be up soon.
  
  source
deadcatbounce@reddthat.com ⁨3⁩ ⁨days⁩ ago
Excuse the ignorance, what am I actually reading about here?

I read the first few paragraphs and an out of my league.

What are ‘we’ trying to achieve?

source
- starkzarn@infosec.pub ⁨3⁩ ⁨days⁩ ago
  The other poster here is correct, this is just an account of my journey through self hosting traefik, and ultimately headscale, without the hurdles along the way. I tried to include a few links to unclear terms along the way in the narrative, maybe those would help you figure things out. Unfortunately I can’t write for an audience of everyone, but hopefully you can still gain some value or learn some new things! Thank you for the feedback.
  
  source
  - deadcatbounce@reddthat.com ⁨2⁩ ⁨days⁩ ago
    Wasn’t being critical at all. Not expecting you to write for anyone.
    
    I wondered what this actually provides. If you were explaining to someone with a good knowledge of the world, not grandma!!
    
    source
    -> View More Comments
- mitram2@lemm.ee ⁨3⁩ ⁨days⁩ ago
  Just a guide on how OP selfhosts headscale using postman with a few nice features enabled
  
  source
  - deadcatbounce@reddthat.com ⁨2⁩ ⁨days⁩ ago
    Thanks fella. What do they actually do? Elevator pitch stylie!
    
    source
starkzarn@infosec.pub ⁨3⁩ ⁨days⁩ ago
Part 2 is live! roguesecurity.dev/blog/headscale-quadlet-part2

source