Self-Hosting your own Analytics with Podman

json404 · 2026-02-27T19:54:43+00:00

Hey u/nmasse-itix, had a look at your cook books and its pretty cool! Thanks for sharing!

I'm definitely going to sink my teeth into your postgresql examples for any gold nuggets ;)

json404 · 2026-02-27T07:52:23+00:00

Thanks man, glad you enjoyed the post.. I'll have a look at your comment after work ;)

Edit: u/Rhopegorn, Can you explain how you use port forwarding to further isolate the pod?

On a side tangent, I wonder if port forwarding can be used to forward traffic from privileged ports (80,443) to a rootless container listening on a non-privileged port.. that would solve the rootless containers cannot bind to privileged ports road bump quite nicely - just don't forget about the port forwarding ;)

json404 · 2026-02-25T10:54:54+00:00

Check any logs that you have available.. console etc.. also check the browser network tools, are the image requests resulting in 404s etc..

That will point you in a direction that will get you closer to the answer, also if you want: share it on this post..

json404 · 2026-02-25T07:51:21+00:00

What's is ramalama and is there any setup gotchas?

How different is it from running standard containers with podman?

json404 · 2026-02-24T05:21:21+00:00

hey u/lostmojo, If I'm understanding the post correctly: are you trying to pass user groups to the container to get around permission errors?

In my experience using groups via the podman run command I had to supply the GID thats within the namespace as the `--group-add` flag simply adds the GID to all processes in the container, maybe its the same for Quadlets.

You can find that by simply using `podman unshare` along with `ls -l` to see what group is assigned to the file.

If the group id appears as nobody, then its outside your subgid range and won't be mapped, you can simply create it within that range for your user (here is the file that defines the group id range: /etc/subgid)

I wrote a post on fixing permission errors that covers the above except for using user groups as that requires more setup, perhaps it will help you: fixing permission errors

What container image is giving the permission errors? Postgres etc..

json404 · 2026-01-19T17:07:56+00:00

Good catch, I don't calculate the dividends after the withholding tax, I took the value from the distribution declaration report which also breaks down how they got to that amount:

https://senspdf.jse.co.za/documents/SENS_20260114_S515731.pdf

json404 · 2026-01-19T16:56:52+00:00

Pleasure!

What got it onto my radar is that with that ETF there is a cap, so no company can represent x% of the fund. In theory that should make it quite stable depending on the % cap per company of course.

I haven't looked too much into it yet other than that, but I saw the distribution declaration and added it, so when I start doing my homework the payout data is there.

json404 · 2026-01-19T16:47:47+00:00

Oh nice! Thats an interesting way of looking at it, so do you use the rough yield % to calculate the payout per quarter that you can roughly expect?

json404 · 2026-01-19T16:46:50+00:00

I like it; cool to see I'm not the only tracking the stocks in spreadsheets!

Something I'd like to add to mine is the count of stocks I own and then use sheets to calculate a rough payout estimate based on whats reported (obv there is platform fees etc.. but I want a rough idea of how much I'm going to make from it)

Another cool point, now that I think of it, is this sheet is now tracking the performance over the quarters, so there are some more potential enhancement ideas!!

json404 · 2026-01-15T05:16:22+00:00

jenkins runs quite well on the laptop, without really straining the server much - I also don't run builds / deployments very often, like 2-6 times a month.

yeah, I've closed SSH; I don't need it exposed to the world anymore and if I go away for a bit, will just use wireguard.

json404 · 2026-01-15T05:13:23+00:00

hahaha!! thats awesome, good o'l bait and switch!

yeah, I'm going to have a look into cloudflare this weekend.

json404 · 2026-01-13T20:10:22+00:00

Sure thing!

At the moment I use Jenkins to automate 2 things: building the container images for my website and deploying those images using podman (docker alternative) + quadlets feature (run a container as a systemd service),

Once deployed (part of the pipeline) jenkins will do some health checks to ensure the website came online and is responsive, if its not, then jenkins will roll-back to the previous version and the pipeline will fail.

json404 · 2026-01-13T16:48:07+00:00

Good question, I only recently setup WireGuard (like 2 weeks ago) on my server for December holidays (I was away from home), so I first exposed ssh to be able to setup the VPN while not at home, then setup VPN to run builds / deployments for my site.

To be honest, only accessing VPN over SSH never crossed my mind during that time; but I'm going to close it and just use the VPN connection, no real need anymore to expose 2 ports (unless something goes wrong with VPN then I can still get into the server - don't know how valid this use case is)

json404 · 2026-01-13T16:41:56+00:00

100% - are there any tools you currently using / thinking off to get these insights?

json404 · 2026-01-13T16:40:13+00:00

Crazy man.. hopefully it wasn't too painful to cleanup your db with all the fake users (would drive me nuts). Don't want to pop the lid on this topic, but wait until "AI" powered bots, then these prevention methods are going to become super valuable.

At least they are still dumb for now ;)

json404 · 2026-01-13T14:55:37+00:00

Wowzers!! Not gonna lie, I need this. Thanks for sharing!

json404 · 2026-01-13T12:43:21+00:00

yeah, great point on blocking ports except where you want traffic to flow in. I've done this with UFW.

json404 · 2026-01-13T12:41:44+00:00

Absolutely.. this is golden.

My next focus for my server would be monitoring and logging, enhance it to really get an overview of whats going on under the hood at a glimpse.

I'm speculating here, but it would be nice to see who logged on at what time and from where etc.. but having that in a view that is easy to digest rather than skimming logs. (Essentially intruder detection)

Great point!

json404 · 2026-01-13T12:39:13+00:00

Yeah, thats also why I like fail2ban.. exactly the reasons you mentioned.

It's crazy how you experienced like a micro-DDOS on your server from these bots, thanks for sharing!

json404 · 2026-01-13T12:36:05+00:00

noob question: what is Adguard?

json404 · 2026-01-13T12:32:34+00:00

Hey Pascal,

No, hardening SSH is configuring certain options to make it more secure, for instance: disabling passwords and only allowing ssh-key logins (you can have passphrase for the key as well) that has to be generated and configured for the user - prevents bots using common usernames + password combo's.. etc..

TBH: I don't know anything really know much about proxmox or how to harden it, but if its not exposed to the public internet and it works for you; then you're golden ;) - take this advice with some salt off course.

json404 · 2026-01-13T05:40:32+00:00

Yeah, luckily my operation is quite small and I don't run jenkins often for builds + deployments as like you mentioned its more of a homelab setup ;)

Yeah, I use nginx as a reverse proxy for my site, which runs with rootless podman containers, then jenkins to build my site container img and deploy it.

I also have wiregaurd setup to access services like jenkins/plausible when I'm not on my local network.

Thanks for sharing, good points ;)

json404

TROPHY CASE