NewDataEngineer

joined 1 year ago
[–] NewDataEngineer 1 points 1 year ago

IaC stands for infrastructure as code.

Traefik's dynamic file config just scans a folder for .yaml files. So I just generate a file automatically with the container's network address and copy the file into traefik's folder.

Traefik just looks for the container address in the file (either IP or container name). The files are basically the yaml version of the docker label.
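The approach described in the comment above, sketched as an added example (not the commenter's code or anything from the Traefik project): render one router and one service in Traefik's file-provider YAML layout and move the file into the watched folder atomically, so no docker socket is mounted. The function names, the `websecure` entry point, the plain-HTTP backend and the strict allow-lists for names are assumptions made for illustration.

```python
import ipaddress
import os
import re
import tempfile

# Strict allow-lists: values are interpolated into YAML and a Traefik rule,
# so anything with quotes, backticks, spaces or newlines is rejected.
NAME_RE = re.compile(r"[a-z0-9][a-z0-9-]{0,62}")
HOST_RE = re.compile(r"([a-z0-9-]{1,63}\.)+[a-z]{2,63}")


def render_route(name, hostname, backend, port, entrypoint="websecure"):
    """Return file-provider YAML for one router plus its service."""
    for label, value in (("name", name), ("entrypoint", entrypoint)):
        if not NAME_RE.fullmatch(value):
            raise ValueError(f"invalid {label}: {value!r}")
    if len(hostname) > 253 or not HOST_RE.fullmatch(hostname):
        raise ValueError(f"invalid hostname: {hostname!r}")
    if not NAME_RE.fullmatch(backend):        # container name, else IPv4
        ipaddress.IPv4Address(backend)        # raises ValueError otherwise
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid port: {port!r}")
    return (
        'http:\n'
        '  routers:\n'
        f'    "{name}":\n'
        f'      rule: "Host(`{hostname}`)"\n'
        f'      entryPoints: ["{entrypoint}"]\n'
        f'      service: "{name}"\n'
        '  services:\n'
        f'    "{name}":\n'
        '      loadBalancer:\n'
        '        servers:\n'
        f'          - url: "http://{backend}:{int(port)}"\n'
    )


def write_route(config_dir, name, yaml_text):
    """Write atomically so the watcher never loads a half-written file."""
    if not NAME_RE.fullmatch(name):           # also blocks path traversal
        raise ValueError(f"invalid name: {name!r}")
    fd, tmp = tempfile.mkstemp(dir=config_dir, suffix=".tmp")
    with os.fdopen(fd, "w") as fh:
        fh.write(yaml_text)
    os.chmod(tmp, 0o644)                      # assumption: Traefik runs as another user
    final = os.path.join(config_dir, f"{name}.yaml")
    os.replace(tmp, final)                    # atomic rename on the same filesystem
    return final
```
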

[–] NewDataEngineer 4 points 1 year ago* (last edited 1 year ago) (2 children)

I’d rather not mount the docker sock into my reverse proxy,

You don't have to if you use the dynamic file config. I've mentioned this before and debated to the ends of the earth for even suggesting such a thing. But in all aspects dynamic file configuration is better.

If you use IaC in your setup, it gets even easier because then you can just set up templates that automatically create file configs and add them to your reverse proxy seamlessly.

Right now with one Terraform apply, I create my docker container, traefik config and my homepage service.

[–] NewDataEngineer 5 points 1 year ago

Headscale the self-hosted server is unofficially but decently supported by tailscale the company. They employ the dev and don’t seem to be trying to kill the project or mess with it much.

Probably because they're smart and realise the people who self host probably wouldn't spend money on tailscale, and those who'd buy tailscale subscriptions wouldn't have the time/resources to self host it. Win win.

[–] NewDataEngineer 0 points 1 year ago (1 children)

Yes. I bought a libre pi to use as a backup DNS. Besides the minor tweaks, it's been running perfectly. Also only ~€75 for the libre+case+SD card combo.

[–] NewDataEngineer 1 points 1 year ago

Why don't you just dockerize treeline? It's all python and Java. Looks easy enough.

[–] NewDataEngineer 1 points 1 year ago (1 children)

by redeploying the stack

That's the point. With dynamic files you can add new Middleware or even route already exposed ports all on the fly. You're telling me you can change a docker label and keep your service running with 0 downtime?

If you've figured that out please share a link because my experience has been otherwise.

[–] NewDataEngineer 1 points 1 year ago* (last edited 1 year ago)

What I haven’t figured out yet is whether or not I can give my docker services their own IP on my router for access from another system on a fixed or reserved IP.

You can. You have to set up a macvlan on your network and then assign an IP to your container that sits on your router's subnet.

I can only use traefik with a macvlan because Synology DSM uses ports 80 and 443. I assign traefik its own IP and use pihole's DNS to route wildcard subdomain to it.

I wrote a guide in my Trilium notes. If you're interested I can share.

[–] NewDataEngineer 2 points 1 year ago (3 children)

For those using traefik I would recommend the dynamic file config. You don't have to take down your containers just to change a proxy setting.

[–] NewDataEngineer 0 points 1 year ago

Bitwarden has a CLI that you can script with. Also vaultwarden is the FOSS version.

Just in case you want to try.

[–] NewDataEngineer 2 points 1 year ago

Thanks. I knew about bit/vaultwarden but I just looked and I see that there is a Terraform module and the UI looks good.

Thanks.

[–] NewDataEngineer 1 points 1 year ago (4 children)

I wish there was something between hashicorp vault and keepass. I want a nice simple UI that even my family could use with Terraform integration. Anyone know of such a program?

[–] NewDataEngineer 4 points 1 year ago* (last edited 1 year ago)

I suspect they are both using the same interface wg0. I did a quick Google and it looks like you can do the following in gluetun:

WIREGUARD_INTERFACE=wg1

This is my suspicion as you're using essentially two wireguard instances at the same time.
