this post was submitted on 27 Jun 2024
21 points (95.7% liked)

Selfhosted

39964 readers
413 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hi! I'm starting out with self-hosting. I was setting up Grafana for system monitoring of my mini-PC. However, I ran into issue of keeping credentials secure in my Docker Compose file. I ended up using Docker Swarm since it was the path of least resistance. I've managed to set up Grafana/Prometheus/Node stack and it's working well.

However, before continuing with Docker Swarm, I want to check if this is a good idea or will I potentially dig myself into a corner? Some of the options I've found while searching:

  • Continue with Docker Swarm and look into automation of stack/swarm in future

    • Ansible playbook has plugins for Docker Swarm.
  • Self-hosted vault: I want to avoid hosting my own secret/password manager at the moment.

  • Kubernetes (k8s / k3s) - I don't wanna 😭

    • More seriously, I'm actually learning this for work but don't see the point of implementing it at home. The extra overhead doesn't seem worth it for a single node cluster.
  • ~~Live dangerously - Store crdentials in plaintext. Also use admin as password for everything~~

Edit: Most of the services I'm planning on hosting will likely be a single replica service.

you are viewing a single comment's thread
view the rest of the comments
[–] i_am_not_a_robot@discuss.tchncs.de 12 points 4 months ago

Docker Swarm encryption doesn't work for your use case. The documentation says that the secret is stored encrypted but can be decrypted by the swarm manager nodes and nodes running services that use the service, which both apply to your single node. If you're not having to unlock Docker Compose on startup, that means that the encrypted value and the decryption key live next to each other on the same computer and anyone who has access to the encrypted secrets can also decrypt them.