I use Caddy (with the Cloudflare module to handle the ACME stuff) as just another container. My setup is more classic internet server stuff - it’s a VPS and all the services are internet-facing, so the DNS is via standard DNS records. Every service is on its own subdomain.
My Caddy config is pretty minimal:
```
$ cat caddy/Caddyfile
{
    # Global configuration
    acme_dns cloudflare myapikey
    email mycloudflareaccount
    debug
    servers {
        metrics
    }
}

manga.example.com {
    reverse_proxy kavita:5000
}

...more containers

# healthcheck target
:8080 {
    respond 200
}
```

```
$ cat .config/containers/systemd/caddy.container
[Unit]
Description=Caddy reverse proxy
After=local-fs.target

[Container]
ContainerName=caddy
Image=caddycustom
Network=kavita.network
...more networks
PublishPort=1080:80
PublishPort=1443:443
PublishPort=1443:443/udp
PublishPort=2019:2019
Volume=${HOME}/caddy/Caddyfile:/etc/caddy/Caddyfile:Z
Volume=${HOME}/caddy/data:/data:Z
Volume=${HOME}/caddy/config:/config:Z
Volume=${HOME}/caddy/httpdocs:/var/www/httpdocs:Z
HealthCmd=wget -q -t1 --spider --proxy off localhost:8080 || exit 1

[Service]
Restart=always
ExecReload=podman exec caddy /usr/bin/caddy reload -c /etc/caddy/Caddyfile

[Install]
WantedBy=multi-user.target default.target
```
I have a dedicated podman user (fairly restricted, no sudo, etc.) that just hosts podman (i.e. the service containers and Caddy). As it’s all rootless, I use firewalld to make caddy show up on ports <1024:

```
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080
```

I prefer the tiny performance hit to mucking around with the privileged ports, but for completeness you can do that with `sysctl -w net.ipv4.ip_unprivileged_port_start=80`.

I don’t specify subnets at all; I specify podman networks (one per service) and let podman handle the details.
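A pre-deploy sanity check for this kind of rootless quadlet, added here as an example and not code from the post above or from the podman/Caddy projects: it parses a constructed `caddy.container` modelled on the one in the post, confirms that every published host port is at or above the unprivileged floor (so the dedicated podman user can bind it without sysctl changes), that bind mounts carry an SELinux `:Z`/`:z` relabel option, and that the host port a firewalld forward rule targets is one the container actually publishes. The file contents, paths and port numbers in the sample are constructed; the awk parsing only covers the `PublishPort=[ip:]host:container[/proto]` and `Volume=src:dst[:opts]` forms, and bracketed IPv6 bind addresses are not handled.

```shell
#!/bin/sh
# Added example: lint a podman quadlet for a rootless reverse proxy before deploying it.
# Constructed sample, modelled on the post's caddy.container (hypothetical paths/ports).
# One volume deliberately lacks the :Z relabel so the check has something to report.
SAMPLE_QUADLET='[Container]
ContainerName=caddy
Image=caddycustom
PublishPort=1080:80
PublishPort=1443:443
PublishPort=1443:443/udp
PublishPort=2019:2019
Volume=/home/podman/caddy/Caddyfile:/etc/caddy/Caddyfile:Z
Volume=/home/podman/caddy/data:/data
HealthCmd=wget -q -t1 --spider --proxy off localhost:8080 || exit 1
'

# Print the distinct host ports the quadlet publishes, one per line.
# PublishPort=[ip:]host:container[/proto]; a bare container port gets a random host port and is skipped.
published_host_ports() {
    printf '%s\n' "$1" | awk '
        /^PublishPort=/ {
            v = $0; sub(/^[^=]*=/, "", v)
            n = split(v, p, ":")
            if (n < 2) next
            print p[n-1]
        }' | sort -u
}

# Exit 0 if no published host port is below the floor (default 1024, the kernel default
# for net.ipv4.ip_unprivileged_port_start), else print the offenders and exit 1.
check_unprivileged_ports() {
    floor=${2:-1024}
    printf '%s\n' "$1" | awk -v floor="$floor" '
        /^PublishPort=/ {
            v = $0; sub(/^[^=]*=/, "", v)
            n = split(v, p, ":")
            if (n < 2) next
            host = p[n-1]
            if (host + 0 < floor) { print "host port below unprivileged floor (" floor "): " host; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# Exit 0 if every bind-mount Volume carries a Z or z option, else list the ones missing it and exit 1.
# Named volumes (no leading /, $, ~ or .) are left alone.
check_volume_labels() {
    printf '%s\n' "$1" | awk '
        /^Volume=/ {
            v = $0; sub(/^[^=]*=/, "", v)
            n = split(v, p, ":")
            c = substr(p[1], 1, 1)
            if (index("/$~.", c) == 0) next
            if (n < 3 || p[n] !~ /(^|,)[Zz](,|$)/) { print "bind mount without :Z/:z relabel: " p[1]; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# Exit 0 if the given firewalld forward target (toport=...) is a host port the quadlet publishes.
check_forward_target() {
    published_host_ports "$1" | grep -qx "$2"
}

# Run every check; extra arguments are the toport values of the firewalld forward rules.
run_all_checks() {
    quadlet=$1; shift
    status=0
    check_unprivileged_ports "$quadlet" || status=1
    check_volume_labels "$quadlet" || status=1
    for target in "$@"; do
        check_forward_target "$quadlet" "$target" \
            || { echo "firewalld forward target $target is not a published host port"; status=1; }
    done
    return $status
}

# Usage on the constructed sample with forward rules 80->1080 and 443->1443.
run_all_checks "$SAMPLE_QUADLET" 1080 1443 || echo "quadlet needs attention before deploying"
```

On a real host, feed the function the quadlet you actually ship (`run_all_checks "$(cat ~/.config/containers/systemd/caddy.container)" 1080 1443`) and the `toport` values from `firewall-cmd --list-forward-ports`; a forward rule whose target port nothing publishes silently blackholes traffic, and a bind mount without a relabel option is the usual cause of a container that starts but cannot read its config under SELinux.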
Thanks so much! I’m only just about to make the switch to Podman, sounds like it’s going to make life a good bit simpler.
My pleasure! Answering your question is a good motivation to actually document my setup.
Also, if you’re moving configs over, you might find podlet useful.