• 11 Posts
  • 1.83K Comments
Joined 1 year ago
cake
Cake day: July 7th, 2023

help-circle








  • Wireguard is a VPN, so that’s not going to help you much here unless you’re forwarding all your traffic through a remote server, in which case anyone gets in there will still be able to get your local machines. It’s another hop in the chain, but that’s about it.

    If you want to be more on guard about reacting to attacks, or just bad traffic, you probably want something like Crowdsec. You’ll at least be able to detect and ban IPs probing your services. If that’s too much work, leverage OoenWRT reporting and some scripting to ban bad actors that probe your firewall and open ports. That’s a good first step.

    If you’re concerned about the containers, consider using something more secure than dockerd. Podman rootless with a dedicated service user is a good start. Then maybe look at something more complex: Kata, gvisor, lxc…etc. The goal being sandboxing the containers more to prevent jailbreaks.



  • This is the correct answer, but you need a few things to clarify:

    1. The issue isn’t the Docker system service. Don’t make that depend on Tailscale
    2. Add a healthcheck and restart policy to the container to make it fail when conditions aren’t met, and restart until they are successful
    3. Build in some time tolerance at the service level inside the container to prevent it from flailing if your Tailscale healthchecks don’t pass after they initially start. Don’t rely solely on container health checks to ensure it works properly as that might not always be possible.