dgdft
Please tell me more, which firewall would you recommend that plays nice with Docker?
Firewalld
No NAT?
Another user in this thread suggested DMZing, so combine your advice with theirs and boom. It’s not uncommon, and it’s fine if you firewall the box yourself. Most people don’t knowingly choose to use a firewall that they don’t intend to work, like you would.
why would you copy paste a docker compose without reading it?
There’s more than one way to use docker. Spinning up an official mysql image using the official docker run OR docker compose calls suggested by the docs would start up a server wide open to the entire internet if DMZ’d.
Just to throw out an easy option: if the music is well-labeled on Youtube, you can get pretty close to that full suite with just yt-dlp by using --embed-thumbnail as a stand-in for album art, dumping your files with an “Artist - track - album” naming structure using the --output-template flag — then using an awk or python script as a second pass to add the artist/track/album names to each file as tags.
E: and in case it isn’t self-evident, you don’t have to give yt-dlp a URL for each track; it’ll work fine with a playlist URL.
Yt-dlp is the gold standard for that.
https://github.com/yt-dlp/yt-dlp
Tag cleanup and album art are their own beast that you’ll wanna tackle post-download, but beets is another gold standard tool that can help with that layer.
Gnome. The maintainers have a hard-earned rep for contemptuous attitudes towards community and end-user feedback.
You shouldn’t suggest UFW at all then. There are other firewall options that can be used just fine with docker.
It does have real potential to cause issues, e.g. if OP were to put their server in DMZ mode on their router and later copy some docker setup instructions that don’t explicitly bind to localhost.
This is dangerous advice because docker is well-known for undoing UFW’s iptable rules. It’s mitigated by binding to localhost, but still way too easy for people to shoot themselves in the foot by using the two together.
In that case… welcome to the club.
You might get more than you bargained for: Shuttleworth has one helluva grip after all these years.
No need to cargo-cult security practices here, chief. You’re not gonna get pwned by publishing your hardware specs. If you’re planning to build some kinda webapp for yourself, that’s a different story - but you have to fuck up hard to get hacked while hosting raw HTML.
Use an SSH key, disable password auth, make sure you’re firewalled (i.e. test with nmap), and call it a day.
Asserting that the state has no legitimate interest in using limited violence (i.e. tear gas) to execute lawful search and arrest warrants against heavily-armed, recalcitrant pedophiles is truly one of the takes of all time.
The Bundy standoff, the SLA, and the Waco Siege are categorically different from the firebombing of Philly or the Tulsa Massacre to anyone with a brain.
Is there a buried lede here? What’s noteworthy about an RC of a minor version release?
