I switched from Docker to Podman, because Podman is more secure (if rootless) but it was just hard to autostart containars. You have to start one by one because they don't have a central service like docker. And watchtower and nextcloud AIO don't work on Podman. So I switched back to docker.
I'm running a Raspberry Pi 4 with 4gb of ram and 32gb of storage:
- pihole
- nginx proxy manager
- vaultwarden
- ntfy server
- mollysocket
- fmd server
- wireguard server
- cloudflare ddns
- my website
- watchtower
All that and load average is 0.05%, ram usage is at 450MB and disk usage at 6.4GB.
Arch Linux with 2 kernels ;)
Then atleast fake it until you make it!
Quit what? Life? I can't, I'm addicted to living :(
Can please someone turns this Linux meme to GNU/Linux meme?
Personaly I would trust Nitrokey, but I don't have to.
No problem ;)
That was really hard to do. I created a note for myself and I will also publish it on my website. You can also decrypt the sd using fido2 hardware key (I have a nitrokey). If you don't need that just skip steps that are for fido2.
The note:
Download the image.
Format SD card to new DOS table:
- Boot: 512M 0c W95 FAT32 (LBA)
- Root: 83 Linux
As root:
xz -d 2023-12-11-raspios-bookworm-arm64-lite.img.xz
losetup -fP 2023-12-11-raspios-bookworm-arm64-lite.img
dd if=/dev/loop0p1 of=/dev/mmcblk0p1 bs=1M
cryptsetup luksFormat --type=luks2 --cipher=xchacha20,aes-adiantum-plain64 /dev/mmcblk0p2
systemd-cryptenroll --fido2-device=auto /dev/mmcblk0p2
cryptsetup open /dev/mmcblk0p2 root
dd if=/dev/loop0p2 of=/dev/mapper/root bs=1M
e2fsck -f /dev/mapper/root
resize2fs -f /dev/mapper/root
mount /dev/mapper/root /mnt
mount /dev/mmcblk0p1 /mnt/boot/firmware
arch-chroot /mnt
In chroot:
apt update && apt full-upgrade -y && apt autoremove -y && apt install cryptsetup-initramfs fido2-tools jq debhelper git vim -y
git clone https://github.com/bertogg/fido2luks && cd fido2luks
fakeroot debian/rules binary && sudo apt install ../fido2luks*.deb
cd .. && rm -rf fido2luks*
Edit /etc/crypttab
:
root /dev/mmcblk0p2 none luks,keyscript=/lib/fido2luks/keyscript.sh
Edit /etc/fstab
:
/dev/mmcblk0p1 /boot/firmware vfat defaults 0 2
/dev/mapper/root / ext4 defaults,noatime 0 1
Change root
to /dev/mapper/root
and add cryptdevice=/dev/mmcblk0p2:root
to /boot/firmware/cmdline.txt
.
PATH="$PATH:/sbin"
update-initramfs -u
Exit chroot and finish!
umount -R /mnt
I'm already building the website ;)
Yes but you have to do that for each service if I understand correctly.