𝕽𝖚𝖆𝖎𝖉𝖍𝖗𝖎𝖌𝖍

How long did you give it? It indexes the library. I had to rebuild my library once, and while I don’t have a huge collection - mainly just rips of my DVD collection, about 450 films, and it takes over an hour to index everything. Until it’s done, not everything shows up.

I have a spelling checker enabled for most non-compiled files. Sometimes it really annoying, but sometimes it catches stuff like this, so I leave it on.

Is your server a dedicated server, or a VPS? Because if it’s a VPS, you’re probably already running in a VM.

Adding a VM might provide more security, especially if you aren’t an expert in LXC security configuration. It will add overhead. Running Docker inside Docker provides nothing but more overhead and unnecessary complexity to your setup.

Also, because it isn’t clear to me from your post: LXC and Docker are two ways of doing the same thing, using the same Kernel capabilities. Docker was, in fact, written in top of LXC. The only real difference is the container format. Saying “running Docker on LXC” is like saying “running Docker on Docker,” or “running Docker on Podman,” or “running LXC on Docker”. All you’re doing is nesting container implementations. As opposed to VMs, which do not just use Linux namespace capabilities, and which emulate an entirely different computer.

LXC, Podman, and Docker use the underlying OS kernel and resources. VMs create new, virtual hardware (necessarily sharing the same hardware architecture, but nothing else from the host) and run their own kernels.

Saying “Docker VM” is therefore confusing. Containers - LXC, Podman, or Docker - don’t create VMs. They partition and segregate off resources from the host, but they do not provide a virtual machine. You can not run OpenBSD in a Docker container on Linux; you can run OpenBSD in a VM on Linux.

I mean, the basic config file for Caddy is 1 line, and gives you Let’s Encrypt by default. The entire config file for a reverse proxy can be as few as 3 lines:

my.servername.net {
   reverse_proxy 127.0.0.1:1234
}

It’s a single executable, and a single 3-line file. Caddy is an incredible piece of software.

Nope! No security concerns!

But, seriously, if one machine in the Wireguard network is compromised, attacks can be launched on any other machine in that Wireguard subnet. At that point, whether you’re running Wireguard or not is irrelevant.

For your specific setup, the weak point is the VPS. Everything is good, but if someone successfully beaks into an account on your VPS with access to the Wireguard device (and almost nobody goes through the effort of constraining network devices by account, and of course there’s always root) they can launch attacks on any machine in the WG subnet.

It’s a little better if you’re running containers and they’re secure, but even then there are security considerations with containers. Still, that’s about the best you’re going to get: anything listening to any external internet port is running in a container with no resource runtime, and those ideally each only have limited access to the ports in the WG subnet that they need. Eg, something like:

In your diagram, your VPS is just a gateway. If the only way to log into the VPS is over WG; and if the reverse proxy is running in a locked-down container; then this is about a secure as you can make it and still allow public access.

Or: if the only way your VPS is at all accessible is over WG – all clients have to be connected to it via VPN – then it’s reasonably secure as long as no client is compromised. Then your remote devices become the weak points.

Nyes?

GL-iNet devices run DD-WRT, with an added (probably not open source) web interface. However, if you ssh into any of their routers, it’s BusyBox and DD-WRT. And if you click go into the admin web page and click System->Advanced you end up with a link that takes you to luci, the raw DD-WRT web UI for the device. The company’s UI is just a simpler, more pretty UI on top of DD-WRT.