I have a series of containers that use the host network and share messages over MQTT. Works well. One of them launches other containers when specific trigger phrases are said in specific topics. Another one sends trigger phrases based on a schedule.
It’s easy enough to run Authelia in front of all of your subdomains. Suddenly you’re back to one attack vector.
Sounds like the next step in your journey is combing through this list and seeing what’s out there: https://github.com/awesome-selfhosted/awesome-selfhosted
So much great stuff! But most of it has drawbacks, like missing features or less attractive UI. But it’s free and open source so we love it all the same.
Pi runs Raspbian which is just Debian with customisation applied. So of course it can run elsewhere. You don’t know as much as you think you do perhaps 😉
Fun fact: don’t comment out anything, just find the name of the database service, let’s say it’s db, then run `docker compose up db` to launch it on its own.
There are a couple of things to weigh up: attack surface, and incentive to attack. You’re not high on either scale, so it’s not a high chance of problems.
I host Psono and auth via OIDC provided by Authentik.
I chose Psono because it was the only option that offered OIDC on a free tier. Previously I paid for Passbolt which wasn’t bad, but Psono does the same job for free and is nicer to use.
Why can’t you have your TLS managed at the gateway, then reverse proxy based on subdomain to your various services?
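The setup described in the Authelia comment above and in this one, sketched as an added example (not the commenter’s own config): Caddy terminates TLS once at the gateway, routes each subdomain to its service, and sends every request through Authelia’s forward-auth endpoint first. The hostnames, upstream container names and ports are assumed placeholders; Authelia is assumed to be reachable on its default port 9091.

```caddyfile
# Added example, not from the original thread. Caddy obtains and renews
# certificates for each site block automatically, so TLS lives only here.
# Assumed placeholders: example.com, container names, upstream ports.

# Reusable snippet: ask Authelia whether this request is authenticated and
# authorised before it reaches the backend. Unauthenticated requests are
# redirected to the Authelia portal; approved ones get identity headers.
(authelia_guard) {
    forward_auth authelia:9091 {
        uri /api/authz/forward-auth
        copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
    }
}

# The Authelia portal itself is the only subdomain not behind the guard.
auth.example.com {
    reverse_proxy authelia:9091
}

# Every other service imports the guard, so there is one sign-on point
# and one place to review access policy for all subdomains.
git.example.com {
    import authelia_guard
    reverse_proxy gitea:3000
}

notes.example.com {
    import authelia_guard
    reverse_proxy joplin:22300
}
```

Authelia’s own access_control rules decide which users or groups may reach each domain; the Caddy side only guarantees that no subdomain can be reached without that check running first.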