docker-traefik VS tang

https://github.com/htpcBeginner/docker-traefik/blob/master/docker-compose-t2.yml under the Traefik section has it commented out. It's a big file but I just remember it having it. They set the domain names in an .env but you could just type it in.

So I tried running this script as part of a larger plan to re-work all of my containers.

For roughly similar needs, I used the guides at SmartHomeBeginner to help design the foundation. For me, docker is what makes managing everything manageable. I have one 24/7 Linux server running as the docker host (and Traefik, Plex, AdGuard, MongoDB, FileRun, oauth, sycthing, ...) containers doing what I need. If using docker, the host distro barely matters.

Check out this. The author and the discord channel are very active, lots of guides for various scenarios and different apps, plus the github has his compose files and a bunch of other config and examples too. It's how I got started. https://www.smarthomebeginner.com/

I really got started with a docker-compose setup by using smarthomebeginner. The guide I followed is fairly complex; it includes a reverse proxy and setting up ssl certificates using CloudFlare.

# Plus d'informations sur la façon d'utiliser ceci: https://github.com/htpcBeginner/docker-traefik/pull/228

https://github.com/htpcBeginner/docker-traefik/blob/master/docker-compose-t2.yml (always over 50 containers)

Have a look at clevis and tang. These allow you do have one server - which could be your remote you want to pull from - to be source of the LUKS decryption on the system using tang.

I found that running tang[1] at home and needing to decrypt that box (can be a Pi or whatever) requiring a complex passphrase is very sufficient. You can even just unplug it at night if it makes you sleep better.

https://github.com/latchset/tang

There are 3 ways to unlock a volume in a headless environment: - use a keyfile, located on an already available volume - use your device's TPM and utilize systemd-cryptenroll - use Clevis/Tang to unlock volumes remotely

This is why on headless servers you use tang (ideally, multiple tang servers)

Sharing my notes on running a Tang server on OPNSense, in case it is useful for somebody else.

We use clevis against multiple tang servers to provide Network Bound Disk Encryption (NBDE). It's possible to also use TPM2 but it's easier to use multiple tang servers (requiring more than one server to decrypt) in the datacenter.

For automating unlocking of encrypted drives, look into tang . Here is a red hat guide on setting it up. You will want to be running this on another device on your network, i run it on my router with openwrt since its a local device thats on 24/7. Basically it will unlock your disks as long as your server is on your network, so if your machine or drives are stolen or removed from your network they will just be encrypted as usual. Obviously use a strong encryption password.

There are other ways to bind data, e.g. "network binding" with Tang server.

I wonder if https://github.com/latchset/clevis and https://github.com/latchset/tang (complementary projects) will help here.

Yes you can, using either Mandos or Clevis and Tang. https://www.recompile.se/mandos https://github.com/latchset/clevis https://github.com/latchset/tang. Basically on boot the server gets the key from another(s) servers. You could use a hidden raspberry pi for example.