I have a single Podman stack & Podman network - ingress via Caddy with crowdsec that forwards stuff to the various things I’ve got going. All self-contained in the Podman network.

I want to put Caddy in a VM to establish a “DMZ” (separate kernel) as I’ve seen recommended for directly internet-facing infrastructure. But to do that, I’ll break my single Podman network across two “servers”.
Because it is across two “servers”, I need to publish the ports for the services on the non-VM server so that the VM can address them externally - which allows the services to talk to the internet (even if they don’t need it) and allows the services to talk to each other on published ports (before I could have separate networks for each service, so BookOrbit can’t talk to Jellyfin for instance).

How can I have the Caddy in the VM that deals with the WWW forward things to the server running everything but retain that closed Podman network topology?

And ancillary Q, what other things should be in that “DMZ” VM? Auth ODIC? Headscale? Just Caddy?
Edit: Caddy forwards everything to the Auth OIDC which forwards it along if the connection attempt is logged in. Will be adding mTLS to bypass that check eventually. That’s why I’m thinking Auth ODIC should be in the “DMZ” VM too.

And lastly, Podman networking works just like Docker networking, so any topology is transferable if you’ve solved this in Docker!

WRT = with respect to

  • Noggog@programming.dev
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    16 hours ago

    I use pangolin as the front, which checks in with Authentik as the SSO before it lets anyone through to the actual apps. Pangolin itself acts a bit like my reverse proxy so my caddy takes a back seat and isnt used for too much. Pangolin comes with crowdsec as well.

    • glizzyguzzler@piefed.blahaj.zoneOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      13 hours ago

      Pangolin has a lot more going on than I expected, I thought it was just a mesh system. That might be a one-stop shop, thanks for sharing!!