$ cat .config/containers/systemd/kavita.network
[Network]NetworkName=kavita
Options=isolate=true# library add uses Kavita site
If you’ve dealt with systemd service files this will look familiar, with the addition of the container section.
AutoUpdate=registry gives you automatic updates to ‘latest’ (or whatever tag you’ve set) and there’s rollbacks too, so you just have to worry about the less-critical bugs in newer versions. Personally, I feel more secure with this setup, as this box is a VPS.
Network=kavita.network - I put all my containers in different networks (with minimal privs, so many don’t have outgoing internet access), and my reverse proxy is also in all of those networks so it can do its thing.
Any chance you could go into more depth on your reverse proxy config? By the sounds of it you’re doing exactly what I would like to do with my services. Which reverse proxy are you using? What does your config look like? I’ve been trying to get both nginx and caddy working in the last 2 weeks and I’m REALLY struggling to get subnets working. My ideal setup would be using Tailscale and being able to follow the scheme service.Device.tailXXXX.ts.net. I’m struggling to find the reverse proxy config and DNS entries on my local network to get that working. I’ve seen comments saying people have done this, but none of them have shared their configs.
I use Caddy (with the Cloudflare module to handle the ACME stuff) as just another container. My setup is more classic internet server stuff - it’s a VPS and all the services are internet-facing, so the DNS is via standard DNS records. Every service is on its own subdomain.
I have a dedicated podman user (fairly restricted, no sudo, etc) that just hosts podman (i.e. the service containers and Caddy). As it’s all rootless, I use firewalld to make caddy show up on ports <1024: firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080. I prefer the tiny performance hit to mucking around with the privileged ports but for completeness you can do that with sysctl -w net.ipv4.ip_unprivileged_port_start=80.
I don’t specify subnets at all; I specify podman networks (one per service) and let podman handle the details.
I’m considering just doing a full refactor and start from fresh containers and configs. My current setup is running on a very jank Garuda install that has been my test bench/living room PC for a while. I’m looking to put the poor thing out of its misery and let it retire to just video streaming and some light gaming from the couch.
I love quadlets, here’s an example:
$ cat .config/containers/systemd/kavita.container [Unit] Description=Kavita manga server After=mnt-files.mount [Container] ContainerName=kavita Image=docker.io/jvmilazz0/kavita:latest AutoUpdate=registry Network=kavita.network PublishPort=5000:5000 Environment=TZ=Etc/UTC Volume=/mnt/files/books/comics:/comics:ro Volume=/mnt/files/books/gnovels:/gnovels:ro Volume=/mnt/files/books/manga:/manga:ro Volume=${HOME}/kavita:/kavita/config:Z HealthCmd=curl -fsS http://localhost:5000/api/health || exit 1 [Service] Restart=always [Install] WantedBy=default.target$ cat .config/containers/systemd/kavita.network [Network] NetworkName=kavita Options=isolate=true # library add uses Kavita siteIf you’ve dealt with systemd service files this will look familiar, with the addition of the container section.
AutoUpdate=registrygives you automatic updates to ‘latest’ (or whatever tag you’ve set) and there’s rollbacks too, so you just have to worry about the less-critical bugs in newer versions. Personally, I feel more secure with this setup, as this box is a VPS.Network=kavita.network- I put all my containers in different networks (with minimal privs, so many don’t have outgoing internet access), and my reverse proxy is also in all of those networks so it can do its thing.Any chance you could go into more depth on your reverse proxy config? By the sounds of it you’re doing exactly what I would like to do with my services. Which reverse proxy are you using? What does your config look like? I’ve been trying to get both nginx and caddy working in the last 2 weeks and I’m REALLY struggling to get subnets working. My ideal setup would be using Tailscale and being able to follow the scheme
service.Device.tailXXXX.ts.net. I’m struggling to find the reverse proxy config and DNS entries on my local network to get that working. I’ve seen comments saying people have done this, but none of them have shared their configs.I use Caddy (with the Cloudflare module to handle the ACME stuff) as just another container. My setup is more classic internet server stuff - it’s a VPS and all the services are internet-facing, so the DNS is via standard DNS records. Every service is on its own subdomain.
My Caddy config is pretty minimal:
$ cat caddy/Caddyfile { # Global configuration acme_dns cloudflare myapikey email mycloudflareaccount debug servers { metrics } } manga.example.com { reverse_proxy kavita:5000 } ...more containers # healthcheck target :8080 { respond 200 }$ cat .config/containers/systemd/caddy.container [Unit] Description=Caddy reverse proxy After=local-fs.target [Container] ContainerName=caddy Image=caddycustom Network=kavita.network ...more networks PublishPort=1080:80 PublishPort=1443:443 PublishPort=1443:443/udp PublishPort=2019:2019 Volume=${HOME}/caddy/Caddyfile:/etc/caddy/Caddyfile:Z Volume=${HOME}/caddy/data:/data:Z Volume=${HOME}/caddy/config:/config:Z Volume=${HOME}/caddy/httpdocs:/var/www/httpdocs:Z HealthCmd=wget -q -t1 --spider --proxy off localhost:8080 || exit 1 [Service] Restart=always ExecReload=podman exec caddy /usr/bin/caddy reload -c /etc/caddy/Caddyfile [Install] WantedBy=multi-user.target default.targetI have a dedicated podman user (fairly restricted, no sudo, etc) that just hosts podman (i.e. the service containers and Caddy). As it’s all rootless, I use firewalld to make caddy show up on ports <1024:
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080. I prefer the tiny performance hit to mucking around with the privileged ports but for completeness you can do that withsysctl -w net.ipv4.ip_unprivileged_port_start=80.I don’t specify subnets at all; I specify podman networks (one per service) and let podman handle the details.
Thanks so much! I’m only just about to make the switch to Podman, sounds like it’s going to make life a good bit simpler.
My pleasure! Answering your question is a good motivation to actually document my setup.
Also, if you’re moving configs over, you might find podlet useful.
I’m considering just doing a full refactor and start from fresh containers and configs. My current setup is running on a very jank Garuda install that has been my test bench/living room PC for a while. I’m looking to put the poor thing out of its misery and let it retire to just video streaming and some light gaming from the couch.