mfers raised the yearly price from 80 USD to 100 this year, and then they sent me an email that next year it’ll be 120! a 50% increase in two years, insane.
Mainly here to keep up with the news on Linux.
I use Photoprism, mainly because it seems stable so far, and it’s good enough for my needs
I can speak at least for rootless podman, I spent some hours on it and different ways I tried all ended in permission issues.
I gave up on trying to do it properly and just set the permissions of the /dev/dri device to 666, so that my podman container can use the gpu for transcoding.
Part of the issue with the container images that I tried is that they create a new user with whatever uid:gid I pass to the container, and so even if my nonroot user is part of the render group, the new user inside the container is not and so it can’t write to the /dev/dri/renderD128 (gpu), and so transcode wouldn’t work.
That’s where I left the troubleshooting at cause it was being a headache
Thanks for the resources, I’ll check them out later today!
Yeah I’m fairly certain it’s a permission issue. Having the gpu with permissions 666 makes it work inside the containers.
The thing is also that these container images (plex and jellyfin) create a separate user inside, instead of using the root user, and this new user (“abc” for lsio images) doesn’t get added to the same groups as the root user.
Also the render group that gets passed to the container appears as “nogroup”, so I thought of adding user abc to “nogroup” but still didn’t seem to work.
Thanks! I’ll take a look there
Yes I did the Systemd integration at the user level too and I quite like it
I managed this by using tailscale, with a kind of weird setup I think, but it just works.
I have tailscale on the VPS and my local server, let’s say its tailscale name is potatoserver
Then with Caddy on the VPS I have something like:
mywebsite.com {
    reverse_proxy potatoserver:port
}
And so mywebsite.com is accessible on the clearnet through the VPS
Though given you’re getting rid of cloudflare tunnels I don’t know if you’d want to get into Tailscale. There’s Headscale too but I haven’t worked with it so I can’t comment
I found out about njal.la about 2 weeks ago, they give you one ipv4 and one ipv6 for €5 monthly, with all ports open.
No GUI though, they provide OpenVPN and Wireguard configs, which work fine for my server.
I think they only have their servers in Sweden IIRC, but at least in my experience the speeds with the Wireguard config have been great.
So far I don’t have any complaints about them. Having all ports open makes setting it up on the torrent client really easy.
Hey there, thanks for the tips. It seems I can’t get the wireguard container working without the NET_ADMIN CAP. I looked at the gluetun image and it has it too. Is it possible to run a docker wireguard client without that CAP?
I recently went through setting this up. I can give you a base compose.yaml based on the one I have
For the wireguard config, you would throw your .conf file to /path/to/wireguard/config, like so: /path/to/wireguard/config/wg0.conf
This setup assumes you have ipv6 working and enabled. The wg0.conf would also have the VPN’s ipv6 address. I use Mullvad too btw.
You can access Qbittorrent’s web UI through http://localhost:8090.
I’d like to note that the image I use for Qbittorrent has support built in for VPN, but with the setup I have I basically have the wireguard container with its network, and multiple containers on that same network. In theory it should work with other bittorrent clients.
And the docker images for reference:
version: '3.7'
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE #optional
    networks:
      - wireguard_network
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
    volumes:
      - /path/to/wireguard/config:/config
      - /lib/modules:/lib/modules #optional
    ports:
      - 51820:51820/udp # Wireguard
      - 8090:8090 # QBittorrent
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
    restart: unless-stopped
  qbittorrentvpn:
    privileged: true
    container_name: qbtwg
    network_mode: service:wireguard
    depends_on:
      - wireguard
    volumes:
      - '/path/to/qbtconfig/:/config'
      - '/path/to/downloads/:/downloads'
    environment:
      - VPN_ENABLED=no
      - VPN_TYPE=wireguard
      - PUID=1000
      - PGID=1000
      - LAN_NETWORK=192.168.1.0/24
      - 'NAME_SERVERS=1.1.1.1,1.0.0.1'
    restart: unless-stopped
    image: dyonr/qbittorrentvpn
networks:
  wireguard_network:
    driver: bridge
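An added example, not part of the original comment: a small audit that lists which services in a compose file like the one above request elevated privileges (privileged mode, added capabilities) or join another service's network namespace, so each grant can be reviewed. The function name `audit_compose` and the trimmed sample file are constructed for illustration, and the scan assumes 2-space indentation rather than parsing YAML in general.

```python
# Constructed sample, trimmed from the compose file in the comment above.
SAMPLE_COMPOSE = """\
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    cap_add:
      - NET_ADMIN
      - SYS_MODULE #optional
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
  qbittorrentvpn:
    privileged: true
    network_mode: service:wireguard
    image: dyonr/qbittorrentvpn
networks:
  wireguard_network:
    driver: bridge
"""


def audit_compose(text):
    """Return {service: [findings]} for privilege-related settings.

    Hypothetical helper: an indentation-based scan (2-space indent assumed),
    not a general YAML parser.
    """
    findings, section, service, key = {}, None, None, None
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()        # drop trailing comments
        body = line.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                            # top-level key
            section, service = body.rstrip(":"), None
        elif section == "services" and indent == 2:
            service, key = body.rstrip(":"), None  # new service block
            findings[service] = []
        elif service and indent == 4:              # key inside a service
            key, _, value = body.partition(":")
            value = value.strip()
            if key == "privileged" and value.lower() == "true":
                findings[service].append("privileged")
            elif key == "network_mode" and value.startswith("service:"):
                findings[service].append("shares-netns:" + value.split(":", 1)[1])
        elif service and indent >= 6 and key == "cap_add" and body.startswith("- "):
            findings[service].append("cap:" + body[2:].strip())
    return findings
```
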
The other day I learned about endlessh. I set that up, switched my actual sshd to listen on a different port, and the ssh login attempts from randoms essentially went down to 0. Pretty neat.
Not really through Caddy but for my setup I have it so the ssh port for Forgejo is only accessible through tailscale. So for pushing/pulling I updated my ssh config file to something like:
Host git.mysite.com
    HostName tailscaleMachineName
    User git
    Port 1234
Then doing git pull git@git.mysite.com:user/project.git works just fine as long as I am connected to tailscale
Otherwise you could open the port for Forgejo’s ssh so that you can access it without any vpn