Elvith Ma'for

You state that you did use the install script, but also that you want to run it with docker. Did you follow the instructions in their docker repository? It’s quite easy to get it running - they included a complete docker-compose, a Caddyfile and all you need.

https://github.com/searxng/searxng-docker

Edit, I’m dumb, I misread.

Came to suggest this. I ran into the same problem when I tried to host Jellyfin at home. Also I was fed up with all those certificate warnings, depending on which device I used. Since I was already using pihole in my home network, I just went and looked at all the DNS plugins for certbot to learn which provider allows for easy DNS challenges. Then I researched a bit and stumbled upon a provider that was running a sale - so I got a domain for less than 5 bucks/year.

I set the public A record to 127.0.0.1 and configured certbot to use their API. This domain is now used internally in my network exclusively and I just added some DNS entries for several subdomains in pihole, so that it works for every device at home (e.g. jellyfin.example.com / dockerhost.example.com / proxmox.example.com / …).

When I’m away, I shouldn’t be able to resolve the domain, and even if DNS were hijacked, the TLS certificate will protect me from connecting to $randomServices. Also my router is less restricted, which means that I can just use it’s VPN server to connect directly to my home network, if I need to access my server or need to troubleshoot things when away.

I’m currently experimenting if I can convert my stack to rootless podman.

I found in my notes, that

A user-mode networking tool for unprivileged network namespaces must be installed on the machine in order for Podman to run in a rootless environment.

Podman supports two rootless networking tools: pasta (provided by passt) and slirp4netns.

Could this be your problem?

Taken from https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md

If done correctly, those may only be open from the internet, but not from the local network. While SSH may only be available from your local network - or maybe only by the fixed IP of your PC. Other services may only be reachable, when coming from the correct VLAN (assuming you did segment your home network). Maybe your server can only access the internet, but not to the home network, so that an attacker has a harder time spreading into your home network (note: that’s only really meaningful, if it’s not a software firewall on that same server…)

Instead of thinking with layers, you should use think of Swiss cheese. Each slice of cheese has some holes - think of weaknesses in the defense (or intentional holes as you need a way to connect to the target legitimately). Putting several slices back to back (in random order and orientation) means that the way to penetrate all layers is not a simple straight way, but that you need to work around each layer.

…But will it run DOOM?

I really like them but they do have two downsides for “more advanced” users (or at least for me) - it is a home device as after all.

1. No support for VLAN or VLAN tagging - you can set up you WiFi and a guest WiFi. You can also map the guest network to an Ethernet port. But that’s about it.
2. There is no way to change the DNS suffix (*. fritz.box) to another value - I do own a domain that I use for the local services on my home server, etc. which then allows for Let’s Encrypt certificates, but I cannot use it “out of the box”.

If you’re an advanced user, there’s plenty of ways around that, though. I just wished that these two thing were to exist in the firmware to have less work with my home infrastructure.