this post was submitted on 10 Jul 2023
32 points (97.1% liked)

Selfhosted

40219 readers
1305 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I want to allow certain trusted users the ability to take down my lemmy instance or reboot it or x, y, z actions in case things go wrong or there is a security incident.

Ideally I would want to have some sort of admin interface that's secure and tested and allow these users to have some sort of login and from there have the ability to execute certain actions that could correspond to a "break glass in case of emergency" scenario.

I've been pointed at https://www.portainer.io/ but they seem to have a steep price for the limited use-case that I would be giving it.

I know about some admin interfaces like webmin, but I don't know which one allow you to create very restricted users or just give users the ability to execute some limited pre-defined commands.

Thank you <3

you are viewing a single comment's thread
view the rest of the comments
[–] marsara9@lemmy.world 1 points 1 year ago (2 children)

Slightly off topic, but are there not security concerns about opening up a portainer instance to the internet? I run portainer for all of my intranet hosted containers but I have reservations about running either the agent or portainer itself on something external to my lan. It seems like an easy attack vector but maybe I'm just overly worried?

[–] Voroxpete@sh.itjust.works 2 points 1 year ago (1 children)

Probably better to provide access to Portainer via a VPN if that's the route they want to go (Tailscale would be perfect for this scenario).

[–] marsara9@lemmy.world 1 points 1 year ago

Ya, I've got a few public services out there and I would love for a better way to manage them. But the fewer ports I open the better. I think there's also portainer edge agent that's more secure for prod environments, but I've yet to look into it much.

I have reservations about running either the agent or portainer itself on something external to my lan.

I don't feel like it's safe enough personally either, so I just have portainer edge-agent nodes connected to the primary on my intranet through through vpn tunnels. I really, really would prefer not to ever open ports on my local firewall, but being able to monitor and control remote docker hosts is also pretty convenient, so my solution has been decent for me.