Niceee, that is really easy Thanks!

What’s the recipe?

Like 150 micrograms lol

I think it’s cool that I can take that config and drop it into kubernetes and it usually just works. I don’t have a cluster anymore, but if I decide to use one in the future, the overhead will be negligible

Sure thing, I’ll edit this reply when I get back to my computer. Just note that I also have a tailscale and nginx container in the pod which are not necessary.

You’ll see my nginx config which reverse proxies to the port the service is running on. On public servers I have another nginx running with SSL that proxies to the port I map the pod’s port 80 to.

I usually run my pods as an unpriviledged user with loginctl enable-linger which starts the enabled systemctl --user services on boot.

All that being said I haven’t publically exposed linkwarden yet, mainly because it’s the second most resource intensive service I run and I have all my public stuff on a shitty vps.

Edit: My opsec is so bad hahaha

Edit2: I just realized the caps I gave were to the tailscale container, not the linkwarden container. Linkwarden can run with no caps :)

I added the tailscale stuff back

files:

linkwarden-pod.kube:

[Install]
WantedBy=default.target

[Kube]
# Point to the yaml in the same directory
Yaml=linkwarden-pod.yml
PublishPort=127.0.0.1:7777:80
AutoUpdate=registry

[Service]
Restart=always

linkwarden-pod.yml:

---
apiVersion: v1
kind: Pod
metadata:
  name: linkwarden
spec:
  containers:
    - name: ts-linkwarden
      image: docker.io/tailscale/tailscale:latest
      env:
        - name: TS_HOSTNAME
          value: "link"
        - name: TS_STATE_DIR
          value: /var/lib/tailscale
        - name: TS_AUTHKEY
          valueFrom:
            secretKeyRef:
              name: ts-auth-kube
              key: ts-auth
      volumeMounts:
        - name: linkwarden-ts-storage
          mountPath: /var/lib/tailscale
      securityContext:
        capabilities:
          add:
            - NET_ADMIN
            - SYS_MODULE

    - name: linkwarden
      image: ghcr.io/linkwarden/linkwarden:latest
      env:
        - name: INSTANCE_NAME
          value: link.mydomain.com
        - name: AUTH_URL
          value: http://linkwarden:3000/api/v1/auth
        - name: NEXTAUTH_SECRET
          value: LOL_I_JUST_PUBLISHED_THIS_I_CHANGED_IT
        - name: DATABASE_URL
          value: postgresql://postgres:password@linkwarden-postgres:5432/postgres
        - name: NEXT_PUBLIC_DISABLE_REGISTRATION
          value: "true"

    - name: linkwarden-nginx
      image: docker.io/library/nginx:alpine
      volumeMounts:
        - name: linkwarden-nginx-conf
          subPath: nginx.conf
          mountPath: /etc/nginx/nginx.conf
          readOnly: true

    - name: linkwarden-postgres
      image: docker.io/library/postgres:latest
      env:
        - name: POSTGRES_PASSWORD
          value: "password"
      volumeMounts:
        - name: linkwarden-postgres-db
          mountPath: /var/lib/postgresql/data

  volumes:
    - name: linkwarden-nginx-conf
      configMap:
        name: linkwarden-nginx-conf
        items:
          - key: nginx.conf
            path: nginx.conf
    - name: linkwarden-postgres-db
      persistentVolumeClaim:
        claimName: linkwarden-postgres-db-claim
    - name: linkwarden-ts-storage
      persistentVolumeClaim:
        claimName: linkwarden-ts-pv-claim

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: linkwarden-nginx-conf
data:
  nginx.conf: |
    #user  nobody;
    worker_processes  1;
     #pid        logs/nginx.pid;


    events {
        worker_connections  1024;
    }


    http {
        include       mime.types;
        default_type  application/octet-stream;


        sendfile        on;

        #keepalive_timeout  0;
        keepalive_timeout  65;

        gzip  off;

        # set_real_ip_from cw.55.55.1;
        real_ip_header X-Forwarded-For;
        real_ip_recursive on;

        server {
            listen       80;
            server_name  _;

            location / {
                    proxy_pass http://localhost:3000/;

                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header X-Forwarded-Port $server_port;
                    proxy_set_header X-Forwarded-Scheme $scheme;
                    proxy_set_header X-Forwarded-Proto  $scheme;
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header Accept-Encoding "";
                    proxy_set_header Host $host;
            }
        }
    }

I also have a little helper script you might like

copy.sh:

#!/bin/bash

SYSTEMD_DIRECTORY="${HOME}/.config/containers/systemd"
POD_NAME="linkwarden-pod"

mkdir -p "$SYSTEMD_DIRECTORY"
cp "${POD_NAME}".{kube,yml} "${SYSTEMD_DIRECTORY}"/

systemctl --user daemon-reload

So I have mine running in a podman quadlet. It runs as root in the container but it is unpriviledged. Mine has NET_ADMIN and SYS_MODULE but I honestly can’t remember why… SYS_ADMIN seems extreme though

Edit: I’m dumb, and the linkwarden container has no capabilities set. I set them for the tailscale container which definitely needs it.

A little but there is also systemd integration with podman.

However for that I usually set up a lingering user with limited permissions. For some cases you need rootful though.

That’s really interesting. What about 0.0.0.0? Does it resolve to localhost or the “public” ip?

I would have whipped the Scopuli.

I use privatebin. Has some good features but I dont think it has login

You can set up multiple remotes for a repo and push to a local git server and github at the same time

Try running docker logs for the tailscale container to see if it gives any more info

Have you tried taking the metwork config out of the compose file and just letting podman handle it?

Just to offer the other perspective. I started with podman years ago. I knew very little about containers and I would say it made the learbing curve a lot steeper. Most guides and README’s use docker and when things didnt work I had to figure out if it was networking, selinux, rootless, not having the docker daemon, etc… without understanding fully what those things were because I didn’t know docker. But when I started running stuff on kubernetes, it was really easy. Pods in podman are isomorphic to kubernetes pods. I think the pain was worth it, but it was definitely not easy at the time. Documentation, guides, and networking have improved since then, so it may not be as big of a deal now

Quadlets with podman have completely replaced compose files for me. I use the kuberentes configs. Then I run a tailscale container in the pod and BAM, all of my computers can access that service without have to expose any ports.

Then I have an ansible playbook to log in to the host and start a detached tmux session so my user systemd services keep running. Its all rootless, and just so dang easy.