harbormaster VS https-portal

I use an HP ProLiant Microserver with four drives in a ZFS RAIDZ array and an SSD for the OS. For software, I mostly run it in Docker using a very small container orchestration program I wrote:

https://gitlab.com/stavros/harbormaster

I needed something that would restart containers automatically when I pushed to a branch, so I wrote a few lines of code to do it:

https://gitlab.com/stavros/harbormaster

As far as PaaSes go, it's probably the simplest, and works really well.

I was in the same boat as you and built something simple that I really like:

https://gitlab.com/stavros/harbormaster

It'll just pull some repos, make sure the containers are up, and make your configuration simple and discoverable. It really works great at that.

I do this for our services, it works great and we can easily put SSO in front of them with CF Access. I publish a Docker container that you can use as a sidecar for your Compose deployments:

https://gitlab.com/stavros/docker-cloudflared

I use this with Harbormaster (https://gitlab.com/stavros/harbormaster) so I can expose containerized stuff without ever forwarding any ports outside of Docker.

I use Dokku for that (I can share my Bitwarden repo if you want, the entire thing is four lines or something). I also made https://gitlab.com/stavros/harbormaster for things that weren't so "web server -> app -> database" and love it.

I had the same problem and didn't want to manage things by hand, so I wrote Harbormaster:

https://gitlab.com/stavros/harbormaster

It basically pulls Compose apps from the git repositories you specify, builds the containers and makes sure they're running. Pretty simple and works really well for me.

(This post should read "Argo tunnel" instead of just "Argo")

I did the same to enable secure access to services via SSO at work. I used Harbormaster[1] to deploy Compose files, but it's otherwise the same setup.

One of the big advantages this has is that the services can't be accessed any other way (not even from the same host, as they only listen inside the Docker network). That makes it hard to forget some port exposed because you listened to 0.0.0.0 instead of localhost.

Cloudflare access is very easy to set up SSO with, as well. I'd recommend this setup if you need it, though for home usage I usually just set up Caddy as a reverse proxy with basic auth, as I'll be the only person using this and I don't want Cloudflare MITMing my personal stuff.

[1]: https://gitlab.com/stavros/harbormaster

Something like harbormaster? https://gitlab.com/stavros/harbormaster

HTTPS-PORTAL has everything I need.

If you use LetsEncrypt and Docker, I can recommend HTTPS Portal to automatically manage your SSL certs: https://github.com/SteveLTN/https-portal

I use it for my blog and have never had any issues with certs being renewed well in advance of their expiration date.

This looks awesome!

What I couldn't immediately see from skimming the repo is:

How hard would it be to use a docker-based automatic https proxy such as this [1] with all projects?

I've had a handfull of docker-based services running for many years and love the convenience. What I'm doing now is simply wrap the images in a bash script that stops the containers, snapshots the ZFS volume, pulls newer versions and re-launches everything. That's then run via cron once a day. Zero issues across at least five years.

[1] https://github.com/SteveLTN/https-portal

HTTPS-PORTAL [DockerHub, GitHub]

You're welcome! I might sound "advertise-y" here, but perhaps you can look into Nginx Proxy Manager or Https-Portal as well since they do involve Nginx.

For the nginx reverse proxy I use this https proxy. It sits on top of all my containers, enables and renews https automatically with let’s encrypt and has very good defaults.

You can use https://github.com/SteveLTN/https-portal. You’ll be up and running in 5 minutes.