Podman or rootless docker? - eviltoast

I’m moving to a new machine soon and want to re-evaluate some security practices while I’m doing it. My current server is debian with all apps containerized in docker with root. I’d like to harden some stuff, especially vaultwarden but I’m concerned about transitioning to podman while using complex docker setups like nextcloud-aio. Do you have experience hardening your containers by switching? Is it worth it? How long is a piece of string?

  • bigdickdonkey@lemmy.caOP
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    1
    ·
    1 month ago

    I would love to see your compose file. I already have to run special steps on my nextcloud-aio to use it with a reverse proxy so I’m interested in moving away from it.

    • brewery@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 month ago

      pastebin.com/DiHX2vg2

      Hopefully this works and you can see the compose file. I’ve put a few things in [square brackets] to hide some stuff, probably overly cautiously. I have an external network linked to NPM and in that, I use nextcloud-server for IP address and 80 for the port (it’s the inside container port, not 8080 on the system - that took me a long time to figure out!). Add a .env file with everything referenced in the compose file, then (hopefully!) Away you go

      • bigdickdonkey@lemmy.caOP
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 month ago

        Thanks for sharing this! It also took me a while to understand the difference between the Expose dockerfile command and the --publish cli command