I’m moving to a new machine soon and want to re-evaluate some security practices while I’m doing it. My current server is debian with all apps containerized in docker with root. I’d like to harden some stuff, especially vaultwarden but I’m concerned about transitioning to podman while using complex docker setups like nextcloud-aio. Do you have experience hardening your containers by switching? Is it worth it? How long is a piece of string?

  • brewery@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    ·
    10 days ago

    Not sure if it makes a difference and not quite your question but I’ve just switched away from nextcloud-aio to just having my own docker compose, so I have better control and know what’s going on more. I always found it funny and when installing on a new VPS decided to try. It was surprisingly straightforward and Ive been able to install everything I need.

    Let me know if my docker compose would help. I still need to add the backup solution but it’s going to be straightforward as well.

    • bigdickdonkey@lemmy.caOP
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      10 days ago

      I would love to see your compose file. I already have to run special steps on my nextcloud-aio to use it with a reverse proxy so I’m interested in moving away from it.

      • brewery@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        9 days ago

        pastebin.com/DiHX2vg2

        Hopefully this works and you can see the compose file. I’ve put a few things in [square brackets] to hide some stuff, probably overly cautiously. I have an external network linked to NPM and in that, I use nextcloud-server for IP address and 80 for the port (it’s the inside container port, not 8080 on the system - that took me a long time to figure out!). Add a .env file with everything referenced in the compose file, then (hopefully!) Away you go

        • bigdickdonkey@lemmy.caOP
          link
          fedilink
          English
          arrow-up
          2
          ·
          9 days ago

          Thanks for sharing this! It also took me a while to understand the difference between the Expose dockerfile command and the --publish cli command