I had a problem similar to this and did not like the containers being binded to gluetun (problematic on docker daemon restarts, gluetun container being recreated, etc)

My solution was changing the gateway of each container to be routed through the tun. So first by having them both on the same internal network, then changing the entrypoint of the container I want tunneled to include the gateway change.

For example my entrypoint would be:

… && route del default && route add default gateway $GATEWAY_IP eth0

The container may be missing packages related to route so it may be necessary to modify the Dockerfile to install extra packages.

The reason the gateway must be set at the entrypoint is because docker overrides the gateway to correspond with the networking defined during container creation. And the entrypoint is the last thing executed before the container starts for realsies.

However gluetun also needs to work as a gateway which is done by modifying it’s iptables post-up rules file (at /iptables/post-rules.txt). I appended at the beginning of the file the following rules:

iptables -A FORWARD -i eth0 -o tun0 -s 172.84.0.0/24 -d 0.0.0.0/0 -j ACCEPT iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

What this does is accept any traffic from the net I have my gluetun and other container in, then forwards outgoing traffic to eth0 from tun0, and vice versa for incoming.

Sorry for wall of text this is not very straight forward :(

Librewolf (privacy focused firefox fork) syncing the user folders with Syncthing maybe?

Oof was looking to start selfhosting this but it has no client Linux support and has a subscription 😬😬

Made me learn about Archiveteam, thanks :D

Just installed arch with chroot on my old rooted phone a week ago.

Seeing this is great because it means there’s no need for complicated workarounds or even root access! Plus the distro runs natively and not with difficulties like with chroot :D

Not any in particular but mTLS is essentially just a reverse proxy (like nginx) asking a client for a certificate to be able to access the service behind it.

There are quite a few guides out there, so choose one for your reverse proxy of choice!

Tailscale is simpler but when you’re accessing from devices behind VPNs like I do mTLS is a lifesaver.

I use DAVx⁵ for caldav (supports mTLS)

I find mTLS cool too :P

In terms of being a pain it’s not that bad with nginx in my opinion. I can just build my own certificate for each service I expose or you use a common one, giving read only access to the key for my nginx containers and in two lines in the .conf it’s sorted.

mTLS with a reverse proxy!

I have a project on Forgejo and I’ve needed to set up a runner for compilation but I’ve been very confused so far on how everything works.

All I’ve been able to do is make a runner and connect it to my Forgejo instance, but I didn’t really know what to do from there.