This repository is designed to provide lightweight, secure, and maintainable container-based services using Podman and systemd. The goal is a server environment that requires minimal manual intervention while maintaining high reliability, security, and observability.
- All container images are pinned to specific versions or digests.
- Updates are managed via GitOps tools (Quadit) and Renovate, ensuring reproducible deployments.
- No `latest` tags or uncontrolled image updates.
- Containers are managed as systemd units (Podlets/Quadlets) for automatic start, restart, and failure recovery.
- Healthchecks are defined to allow systemd to detect service health.
- Logging and monitoring are integrated with systemd-journal and Dozzle, providing simple but effective observability.
- Prefer rootless Podman containers.
- Minimize privileges: drop all unnecessary capabilities and run as non-root users when possible.
- Enforce NoNewPrivileges, SELinux/AppArmor, and container-specific security policies.
- Optional: image scanning (e.g., Trivy) in CI to catch vulnerabilities early.
- CPU and memory limits are applied to prevent a single container from monopolizing host resources.
- Network exposure is minimized: only required ports are published, preferably via a reverse proxy.
- Containers are isolated to prevent lateral movement between services.
- All persistent volumes are backed up using restic with remote storage.
- Restore procedures and integrity checks are part of operational routines.
- Avoid overly complex stacks (no ELK unless strictly needed).
- Use minimal tooling that integrates well with systemd and Podman.
- Focus on reproducibility and self-documenting configuration.
- Logs are centralized in systemd-journal, visualized with Dozzle.
- Metrics and status are optionally exposed via lightweight exporters (systemd-exporter, node-exporter, cAdvisor) for monitoring dashboards.
- Cockpit with Podman plugin can be used as a minimal, user-friendly system overview.
- Always define HealthCmd for services exposing endpoints.
- Explicitly set resource limits in `.container` files.
- Use fixed image versions or digests.
- Run containers rootless wherever possible.
- Maintain documentation and restore tests for backups.
- Apply consistent security practices across all containers.
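As an added example (not code from this repository), the checklist above turned into a constructed Quadlet `.container` file and a small shell lint that flags units which deviate from it; `lint_container_unit`, the sample writers and the placeholder digest are assumptions, and the lint uses plain line greps on `[Container]` keys rather than a full unit-file parser.

```shell
# Added example: a hardened Quadlet unit (constructed sample) plus a lint that checks any
# .container file for a pinned image, HealthCmd=, NoNewPrivileges=, DropCapability=all and
# a memory limit. Helper names are hypothetical; checks are simple greps, not a unit parser.

# Writes a constructed, hardened sample unit to $1. The sha256 digest is a placeholder.
write_hardened_unit() {
  cat > "$1" <<'EOF'
[Container]
Image=docker.io/library/nginx@sha256:0000000000000000000000000000000000000000000000000000000000000000
HealthCmd=curl -fsS http://127.0.0.1:8080/
HealthInterval=30s
NoNewPrivileges=true
DropCapability=all
ReadOnly=true
PublishPort=127.0.0.1:8080:8080
PodmanArgs=--memory=256m --cpus=0.5

[Service]
Restart=on-failure
EOF
}

# Constructed counter-example: floating tag, no healthcheck, no hardening, no limits.
write_weak_unit() {
  printf '[Container]\nImage=docker.io/library/nginx:latest\nPublishPort=80:80\n' > "$1"
}

# Returns 0 if the file passes every check, 1 otherwise (prints one line per failure).
lint_container_unit() {
  f="$1"; rc=0
  image=$(sed -n 's/^Image=//p' "$f" | head -n 1)
  [ -n "$image" ] || { echo "$f: no Image= key"; rc=1; }
  case "$image" in
    *@sha256:[0-9a-f]*) ;;                       # digest-pinned: fully reproducible
    *) case "${image##*/}" in                    # inspect only the last path component
         *:latest) echo "$f: Image= uses the latest tag"; rc=1 ;;
         *:*) ;;                                 # explicit version tag: acceptable
         *) echo "$f: Image= has no tag or digest (implicitly latest)"; rc=1 ;;
       esac ;;
  esac
  grep -q '^HealthCmd=' "$f"           || { echo "$f: no HealthCmd="; rc=1; }
  grep -q '^NoNewPrivileges=true' "$f" || { echo "$f: NoNewPrivileges=true missing"; rc=1; }
  grep -q '^DropCapability=all' "$f"   || { echo "$f: DropCapability=all missing"; rc=1; }
  grep -Eq '^PodmanArgs=.*--memory[= ]' "$f" || { echo "$f: no memory limit"; rc=1; }
  return $rc
}
```

Point `lint_container_unit` at the units in `~/.config/containers/systemd/` (rootless) or `/etc/containers/systemd/` to get a non-zero exit code for any file that drifts from these conventions, for example as a pre-commit or CI step alongside Renovate.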
By following these principles, this repository ensures robust, secure, and low-maintenance containerized services, suitable for production use with minimal operational overhead.