I’m looking to set up a bunch of services on a VPS, my own cloud infrastructure if you will. I will be running two VPSs: one for my work (Nextcloud and an extremely plain static website only) and a personal one (Nextcloud, Vaultwarden, Piwigo, website, blog, anything else I might fancy, etc.).
I’ll be using Fedora or CentOS Stream 9 for the base system. Services will run in a bunch of pods and containers.
I’ll be using Podman, preferably all of them rootless. Kubernetes is not an option at the moment (I want to get the hang of things with Podman first before diving into learning Kubernetes).
I want to create a separate user for each app I want to run and use rootless containers in that user’s space.
I’m planning on using Traefik to route requests and handle SSL certificates.
My questions:
- My biggest problem: I want to run Traefik in rootless Podman but I never managed to get it working.
- Should I just run Podman in a privileged container and be done with it (with the rest in rootless containers)? While this seems like the easiest choice, this is also a learning process for me, so I’d prefer to try it in rootless Podman if possible.
- Most services I want to run require access to privileged ports (below 1024), but rootless Podman doesn’t allow that. One option is to enable the use of privileged ports, as I saw suggested somewhere. I’m not sure of the implications of that; is this a wise move? Another option is to use firewall rules to route ports 80, 443, etc. to whatever unprivileged port the Traefik pod is running on. If I did that, what would happen to the domain/subdomain info? I.e. bitwarden.example.com should go to one pod, www.example.com to another and www.example.com/nextcloud to another. Will firewalld seamlessly pass the entire request to Traefik?
- Normally most containers are designed to be run in rootful Docker and use a socket. Traefik relies on this to autodetect containers. I have no problem forgoing this feature and using manual config files. However, I’ve seen examples for Podman that enable the socket. I just can’t get my head around whether this kind of invalidates using rootless containers in the first place. Does it?
- I can’t get Traefik to work and, worse, I can’t even find out why it’s not working. I don’t even know where to look. I’ve never used Traefik before. Any pointers on where/how to start troubleshooting would be most welcome.
Last question: Fedora or CentOS Stream 9?
Fedora seems to be moving too fast to consider as a base system for running things like Bitwarden/Nextcloud on. However, in the time I’ve tinkered with Fedora I’ve found it to be extremely stable.
I tried my hand at CentOS Stream 9 and I like the idea that it’s more stable. But there was a Linux vulnerability (last month, I think?) and RHEL got patched, Fedora got patched, but CentOS Stream 9 took its sweet time about it. That looks like a major turn-off. Also, they removed google-authenticator from the EPEL packages and oathtools is a total pain to set up. So all in all Fedora looks like the winner, but are there any gotchas I need to be aware of?
PS: Normally I’d solve all these by banging my head at the problem till things worked but I’m starting to run out of time so any help as detailed as possible would be most welcome.
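Added example (mine, not from the original post and not code from the Traefik or Podman projects): a POSIX shell script that generates a Traefik v2 configuration using the file provider, so no Podman socket is mounted into the Traefik container, and that keeps Traefik itself on unprivileged ports. Assumptions, all mine: Traefik runs rootless in its own user and listens on 8080/8443; the host forwards 80 and 443 to those ports with firewalld (`firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toport=8080`, the same for 443 to 8443, then `firewall-cmd --reload`); each app is published on a host port by its own user's rootless pod; Traefik reaches those ports through the host, here via the `host.containers.internal` name that recent Podman adds to the container's hosts file (substitute the host IP if yours does not resolve it); hostnames, ports and the ACME address are placeholders. The port forward rewrites packets at the TCP/IP layer, so the HTTP Host header and the TLS SNI reach Traefik unchanged and the Host/PathPrefix rules below still pick the right backend.

```shell
#!/bin/sh
# gen-traefik.sh: build a Traefik v2 file-provider config for rootless Podman backends.
# Added example; not from the original post. Assumed layout (see the lead-in):
#   Traefik listens on 8080/8443 in its own rootless user; firewalld forwards
#   80->8080 and 443->8443; each app publishes a host port from its own user's pod;
#   BACKEND_HOST is how Traefik's container reaches the host (assumed name).
set -eu

BACKEND_HOST="${BACKEND_HOST:-host.containers.internal}"

# router_rule HOST[/PATH] -> Traefik rule string.
# A host plus a path prefix gives a longer rule, and Traefik's default router
# priority is the rule length, so www.example.com/nextcloud beats the bare
# www.example.com router without an explicit priority.
router_rule() {
  local spec host path
  spec=$1
  host=${spec%%/*}
  path=${spec#"$host"}
  if [ -n "$path" ]; then
    printf 'Host(`%s`) && PathPrefix(`%s`)' "$host" "$path"
  else
    printf 'Host(`%s`)' "$host"
  fi
}

# service_url PORT -> URL Traefik proxies to (plain HTTP on the host side;
# TLS terminates at Traefik).
service_url() {
  printf 'http://%s:%s' "$BACKEND_HOST" "$1"
}

# dynamic_config NAME=HOST[/PATH]=PORT ... -> dynamic.yml for the file provider.
# Every router is TLS-only on websecure; web only carries the ACME challenge
# and the redirect, so nothing is ever served in clear text.
dynamic_config() {
  local entry name rest spec port
  printf 'http:\n  routers:\n'
  for entry in "$@"; do
    name=${entry%%=*}; rest=${entry#*=}; spec=${rest%%=*}
    printf '    %s:\n      rule: "%s"\n      entryPoints: [websecure]\n      tls:\n        certResolver: le\n      service: %s\n' \
      "$name" "$(router_rule "$spec")" "$name"
  done
  printf '  services:\n'
  for entry in "$@"; do
    name=${entry%%=*}; rest=${entry#*=}; port=${rest#*=}
    printf '    %s:\n      loadBalancer:\n        servers:\n          - url: "%s"\n' \
      "$name" "$(service_url "$port")"
  done
}

# static_config -> traefik.yml. No docker provider, so no socket is needed;
# the file provider alone serves the hand-written routes. DEBUG logging is
# the first thing to look at when a route does not work.
static_config() {
  cat <<'EOF'
entryPoints:
  web:
    address: ":8080"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":8443"
providers:
  file:
    filename: /etc/traefik/dynamic.yml
    watch: true
certificatesResolvers:
  le:
    acme:
      email: admin@example.com
      storage: /etc/traefik/acme.json
      httpChallenge:
        entryPoint: web
log:
  level: DEBUG
EOF
}

# Usage: ./gen-traefik.sh vault=bitwarden.example.com=8081 cloud=www.example.com/nextcloud=8082
# prints dynamic.yml; run static_config for traefik.yml. With no arguments it only defines functions.
[ "$#" -eq 0 ] || dynamic_config "$@"
```

Two caveats worth knowing before blaming Traefik: firewalld's forward-port applies to packets arriving from outside the host, so a `curl` against port 80 from the VPS itself will not hit the forward; test from another machine, or against 8080 directly. The other route, lowering `net.ipv4.ip_unprivileged_port_start` to 80, lets every unprivileged user on the box bind 80 and 443, which is a wider grant than forwarding two ports to one user's pod. When a route fails, `podman logs` on the Traefik container with the DEBUG level above shows whether the router was even loaded, and `podman port` confirms the 8080/8443 publication before the firewall is touched.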