• 0 Posts
  • 2 Comments
Joined 1Y ago
Cake day: Jun 09, 2023


I keep all my services in one docker-compose yml, and run it from a normal user account added to the docker group.

I am really conscious of what I expose to the internet though, since I already almost had a security incident.

I used to run non-standard ssh port to my machine with password authentication enabled.

Turns out I didn’t know the sonarr/radarr containers came with default users, and a bruteforce attack managed to login to one of them (or something like that anyway, it’s been a while). Fortunately they have a default home of /sbin/nologin so crisis averted there, but it definitely was a big lesson for me.

Years later, the current setup is only plex, tautulli, and ombi open to the internet, and to reach everything else I use tailscale. And of course, only key-based authentication.

Oh and for updates, I run apt upgrade once in a while on the box (Ubuntu server 18.04 LTS) and for the containers, I use watchtower.
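The comment above describes the move from a non-standard SSH port with password logins still enabled to key-only authentication. As an added example that is not part of the original post, the following Python audits an `sshd_config` for exactly that exposure: it parses the file the way sshd does (first matching keyword wins, `#` comments ignored) and reports the settings that leave password-based logins brute-forceable. Both config texts are constructed for illustration; the default values are OpenSSH's documented defaults.

```python
"""Audit an sshd_config for password-login exposure (added example).

The parser follows sshd_config's "Keyword value" line format, where sshd
uses the first occurrence of a keyword and ignores later duplicates.
"""

# Constructed: the "before" setup from the comment, a non-standard port
# with password logins still allowed.
WEAK_CONFIG = """\
Port 2222
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PermitRootLogin yes
"""

# Constructed: key-based authentication only, as the comment says is used now.
HARDENED_CONFIG = """\
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
"""

# OpenSSH defaults for the keywords we care about, applied when the file
# does not set them. Note that password logins are ON by default.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}


def parse_sshd_config(text):
    """Return the effective keyword -> value map (keywords lower-cased).

    Comments and blank lines are skipped; the first occurrence of a keyword
    wins, matching sshd's own behaviour.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd accepts both "Keyword value" and "Keyword=value".
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        effective.setdefault(key, value)
    return {**DEFAULTS, **effective}


def audit(text):
    """Return a list of findings describing password-login exposure.

    An empty list means only key-based authentication is reachable.
    """
    cfg = parse_sshd_config(text)
    findings = []
    if cfg["passwordauthentication"] == "yes":
        findings.append(
            "PasswordAuthentication yes: brute-forceable password logins allowed")
    if cfg["challengeresponseauthentication"] == "yes":
        findings.append(
            "ChallengeResponseAuthentication yes: keyboard-interactive "
            "password prompts allowed")
    if cfg["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root may log in with a password")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append(
            "PubkeyAuthentication disabled: key-based login unavailable")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['ok: key-based authentication only']}")
```

Changing `Port` is the one setting both configs share: it reduces log noise from opportunistic scanners but is not an authentication control, which is why the audit only reports the login-method keywords.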


I second Heimdall! Best one I’ve found so far.

What I do is, I have all the public-accessible services listed in the guest account (plex, tautulli, ubooquity, etc.), and the private ones in the admin account (sonarr, radarr, etc.).