I had to restore my homelab and took the opportunity to move from docker to rootless podman quadlets. Well, almost fully rootless: I kept pi-hole and caddy at the root level because I did not want to deal with sysctl.
I have everything running but for now I have to disable my firewall. With docker I was using this script: https://github.com/chaifeng/ufw-docker But I’m having a hard time finding an alternative for podman.
Do you know of any scripts that would magically fix podman and ufw? Would it be a better solution for me to manage iptables manually?
My needs are pretty simple as I do not really care if the ports are visible on my private network, I just want to allow specific IPs on port 80 and 443.
Edit: the issue I’m facing is that I’m allowing some specific IPs to access my network, but when I enable ufw the traffic is blocked. I had the same rules using docker and everything was working fine. I can notice that sometimes the traffic goes through and other times it is blocked. Much like with docker when you don’t use the script and the traffic will be blocked or not depending on what wrote the iptables rules last.
I wanted to do something similar. But I grouped some containers using pods and it seems it broke the networking.
Eventually I kept the pods, and exposed everything to the host where caddy can meet the services there. Not the cleanest way, especially as my firewall is turned off.
Ah, you may need to make sure the pods are added to the network. I specified the network in the .pod quadlet.
I’m kinda digging the podman network setup as I don’t have to map a bunch of port 80s to ports on the host and keep track of them. I can just tell the proxy whatever service is running on http://{container_name}:80. That is, after I found out I needed to make a new podman network because the default “podman” network doesn’t do DNS lol.
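As an added illustration (not posted by anyone in this thread), here is the quadlet layout the reply above describes: a dedicated .network (user-defined networks get container-name DNS, unlike the default “podman” network), a .pod that joins it, a service container inside the pod, and a proxy container on the same network. File names, network name, subnet and images are assumptions.

```ini
# ~/.config/containers/systemd/homelab.network  (assumed path/name)
# Quadlet would otherwise name this network "systemd-homelab";
# NetworkName= pins the name other units and DNS lookups rely on.
[Network]
NetworkName=homelab
Subnet=10.89.10.0/24
Gateway=10.89.10.1

# ~/.config/containers/systemd/web.pod  (assumed)
# The network is attached on the pod, not on its member containers.
[Pod]
PodName=web
Network=homelab.network

# ~/.config/containers/systemd/app.container  (assumed)
# Joins the pod; no PublishPort= needed, the proxy reaches it over the network.
[Container]
ContainerName=app
Image=docker.io/library/nginx:stable
Pod=web.pod

[Install]
WantedBy=default.target

# ~/.config/containers/systemd/caddy.container  (assumed)
# Only the proxy publishes host ports; it talks to the pod by name,
# e.g. reverse_proxy http://web:80 in the Caddyfile.
[Container]
ContainerName=caddy
Image=docker.io/library/caddy:latest
Network=homelab.network
PublishPort=80:80
PublishPort=443:443

[Install]
WantedBy=default.target
```

After `systemctl --user daemon-reload`, `podman network inspect homelab` should show `dns_enabled: true`; if it does not, the containers are on a network without DNS and name lookups will fail as described above.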
Ah I think you may have solved part of the problem. I tried to use a network and have container name resolution but it failed. That’s why I went with pods and publish ports directly to the host.
I will try to use a dedicated network with DNS on, thanks!