

I use glance.
Yes, all users that have containers running that should keep running need lingering.
The services do not restart themselves. I have a cron job that executes podman start --all
at reboot for my “podman user”.
I’m running podman and podman-compose with no problem. And I’m happy. At first I was confused by the uid and gid mapping the containers have, but you’ll get used to it.
These are some notes I took, please don’t take all of it for the right choice.
https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md
To use the fuse-overlay driver, the storage must be configured:
.config/containers/storage.conf
[storage]
driver = "overlay"
runroot = "/run/user/1000"
graphroot = "/home/<user>/.local/share/containers/storage"
[storage.options]
mount_program = "/usr/bin/fuse-overlayfs"
https://github.com/containers/podman/issues/12001
https://unix.stackexchange.com/questions/462845/how-to-apply-lingering-immedeately#462867
sudo loginctl enable-linger <user>
You need a wildcard cert for your subdomain:
*.legal.example.com
Then point that record to 127.0.0.0. This will not resolve for anyone. But you’ll have an internal DNS entry (using pihole/adguard/unbound) that redirects to your reverse proxy.
You could also point to your reverse proxy internal address instead of 127.0.0.0.
This video could help you: https://www.youtube.com/watch?v=qlcVx-k-02E
Sorry, I have no idea how traefik works, but I’ve seen that this new video is out. It might help you.
Yes… That is also my understanding.
I do. If you run caddy with network_mode: host
or better with network_mode: "slirp4netns:port_handler=slirp4netns"
it should work.
Also adding:
cap_add:
  - net_admin
  - net_raw
Podman + Caddy does it for me.
You need to adjust the “minimum” port a user can bind. Podman tells you how to do it (or a quick google search).
I played with this problem too. In my case I wanted a zigbee usb to be passed through. I’m not sure if this procedure works with gpu though…
This was also needed to make it work: https://www.zigbee2mqtt.io/guide/installation/20_zigbee2mqtt-fails-to-start.html#method-1-give-your-user-permissions-on-every-reboot
devices:
  # Make sure this matches your adapter location
  - "/dev/ttyUSB.zigbee-usb:/dev/ttyACM0:rwm"
Also I passed my gpu to immich. But not 100% sure it is working. I’ve added my user to the render group and passed the gpu like the usb zigbee stick:
devices:
  - "/dev/dri:/dev/dri:rwm" # If using Intel QuickSync
The immich image main user is root, if I remember correctly, and all permissions that my podman user 1000 has are granted to the root user inside the container (at least this is how I understand it…)
For testing I used this: https://www.zigbee2mqtt.io/guide/installation/20_zigbee2mqtt-fails-to-start.html#verify-that-the-user-you-run-zigbee2mqtt-as-has-write-access-to-the-port It should be working with gpu too.
I can test stuff later on my server, if you need more help!
Hope this all makes sense 😅 please correct me if anything is wrong!
I’m sorry to hear that. But the dev points that out very clearly in the docs etc.
From what we self hosters are used to, this does not happen often, but it can.
Hope you can recover!
Immich is very cool. Be careful to read every release note and do not auto update. There can be breaking changes! In total I’m happy with immich!
I understand this, but that way you always read the update notes and you control what version you install. This can be a good practice.
That stuff breaks is not so nice, though.
First, I think you can close that port. You don’t need incoming traffic on that port.
I myself use Vaultwarden. But looking at the documentation, you need to configure the environment correctly.
Very nice write up. Thank you for sharing. One thing I’d like to add.
I’ve personally moved away from nginx proxy manager, because I read an article that it has some vulnerabilities that don’t get fixed in time. Also there are a ton of issues open on GitHub. So I moved to caddy, which also is super easy to set up.
I use tandoor, try it. I like it very much.
Audiobookshelf is quite nice too. The ebook reader isn’t quite there yet, but it develops very fast. There are also apps for Android and iOS.
I’ve got myself a second router and created a second wifi and lan with it. All my smart home devices are in there and also the tv.
I’ve just posted a little example. I’d recommend doing it this way. No more thinking about what port is already exposed etc.
Caddy would have the bridge proxy network and the port 443 exposed.
version: "3.7"
networks:
  proxy-network:
    external: true
    # needs to be created manually before running (docker network create proxy-network)
services:
  caddy:
    image: caddy
    container_name: caddy
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./data:/data
      - ./config:/config
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
    networks:
      - proxy-network
Other services:
version: "3.7"
networks:
  proxy-network:
    external: true
services:
  app:
    image: app
    container_name: app
    restart: unless-stopped
    volumes:
      - ./app-data:/data
    networks:
      - proxy-network
Caddy can now talk to the app with the app’s container_name.
Caddyfile:
homepage.domain.de {
    reverse_proxy app:80
}
So the reverse proxy network is an extra network only for containers that need to be exposed.
How are you trying to run podman?
If you just want a similar setup as with docker I’ll recommend this:
https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md
Lingering (running services without login / after logout)
https://github.com/containers/podman/issues/12001
https://unix.stackexchange.com/questions/462845/how-to-apply-lingering-immedeately#462867
sudo loginctl enable-linger <user>
https://github.com/containers/podman/blob/main/vendor/github.com/containers/storage/storage.conf
Check out the storage.conf to use the fuse-overlay driver.
I like podman-compose and I have a startup script that restarts all my containers at reboot, as my user.
Also use the full link to your images, like docker.io/image or wherever you get your images from.
have fun :)
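As an added example (not from any of the comments above), here is a small preflight script for the rootless podman setup described in the two podman comments: it checks lingering, whether the user may bind ports 80/443, whether storage.conf points at an executable mount_program such as fuse-overlayfs, and whether the user is in the groups needed for device passthrough. It assumes a systemd host with loginctl and sysctl, and takes the podman user name as its first argument.

```shell
# Added example, not from the comments above: a preflight check for the
# rootless podman setup they describe (lingering, fuse-overlayfs in
# storage.conf, binding 80/443 unprivileged, device group access).
# Assumes a systemd host with loginctl and sysctl; the user name is $1.

# 0 when an unprivileged process may bind PORT ($1), given START ($2), the
# value of the sysctl net.ipv4.ip_unprivileged_port_start (default 1024).
port_allowed() {
  [ "$1" -ge "$2" ]
}

# 0 when the output of "loginctl show-user USER -p Linger" is Linger=yes.
linger_enabled_from() {
  [ "$1" = "Linger=yes" ]
}

# Prints the mount_program path set in a storage.conf, or nothing.
conf_mount_program() {
  sed -n 's/^[[:space:]]*mount_program[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

check_user() {
  user=$1
  home=$(getent passwd "$user" | cut -d: -f6)
  if linger_enabled_from "$(loginctl show-user "$user" -p Linger 2>/dev/null)"; then
    echo "ok   lingering enabled for $user"
  else
    echo "FAIL containers stop at logout; run: sudo loginctl enable-linger $user"
  fi
  start=$(sysctl -n net.ipv4.ip_unprivileged_port_start 2>/dev/null || echo 1024)
  for p in 80 443; do
    port_allowed "$p" "$start" && echo "ok   port $p bindable by $user" \
      || echo "FAIL port $p is below ip_unprivileged_port_start=$start"
  done
  conf="$home/.config/containers/storage.conf"
  prog=$(conf_mount_program "$conf" 2>/dev/null || true)
  if [ -n "$prog" ] && [ -x "$prog" ]; then
    echo "ok   storage.conf uses $prog"
  else
    echo "WARN no executable mount_program in $conf (fuse-overlayfs not set up)"
  fi
  # /dev/dri or a USB serial adapter can only be passed through when the
  # rootless user is in the device's owning group (render, dialout).
  for g in render dialout; do
    id -nG "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$g" \
      && echo "ok   $user is in group $g" || echo "WARN $user is not in group $g"
  done
}

if [ -n "${1:-}" ]; then check_user "$1"; fi
```

Run it as sh preflight.sh <user> before enabling the containers; every FAIL line names the fix mentioned in the comments (enable-linger, the unprivileged port sysctl, storage.conf, group membership).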