https://np.reddit.com/r/selfhosted/comments/nr8n19/where_to_start/h0gf2uy/

This page summarizes the projects mentioned and recommended in the original post on /r/backtickbot

  • docker-pi-hole

    Pi-hole in a docker container

  • Setting the address pool was needed to use Unbound (goes great with Pihole), but isn't necessary. Instead of this base, you can use any subnet defined [here](https://www.arin.net/reference/research/statistics/address_filters/) and it will work with Unbound. The storage driver was already like that. The data-root is self-explanatory.

    More details

    - Install https://github.com/azlux/log2ram to lower SD card usage.
    - `sudo apt install -y ufw`. UFW is an awesome yet simple firewall. Look into it.
    - I personally email myself at every SSH login and shell use. Look into setting up exim4, then add `echo "message" | mail -s 'subject' [email protected]` at the end of `~/.bashrc` and `/etc/ssh/sshrc` (create this one if it doesn't exist). I also added SMS notifications; your phone provider likely has a system set up that you can trigger too. Check "your_provider sms api" to see how to do this.
    - Look into setting up unattended-upgrades; you will likely have to `sudo nano /etc/apt/apt.conf.d/50unattended-upgrades` to change default settings. Add packages by checking `sudo apt-cache policy`.
    - Look into setting up a backup system, it is very important. I like Duplicati because it's easy; find something for you.
    - Rootless Docker doesn't update automatically for now; remember once in a while to upgrade it manually.
    - Look into setting up logrotate whenever you install a new package and it has logs in a file in /var/log. The default settings are in /etc/logrotate.d, it's not complicated. I do it for all my public Internet-facing containers in order to avoid growing 10GB log files and wondering why my system is bugging.
    - Set up fail2ban in a container for all your public Internet-facing services (I avoid this for SSH; if Docker bugs then you can't ban IPs for SSH). crazymax/fail2ban is great.
    - containrrr/watchtower:arm64v8-latest is nice to auto-update containers.
    - pihole/pihole + klutchell/unbound is great for recursive DNS + filter queries.
    - SECURITY: set up a network every time you need 2 containers to talk. I currently have around 40, and that caused some network collisions with default settings (Docker gave the same address to 2 networks), so I set up every network manually (just copy-pasting).

  • log2ram

    ramlog like for systemd (Put log into a ram folder)

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.
