If what you need to accomplish can be achieved via shell commands, it would be hard to beat OliveTin for this use case.
this post was submitted on 10 Jul 2023
32 points (97.1% liked)
Selfhosted
39962 readers
463 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 1 year ago
MODERATORS
Thank you! I'll look into it!
Edit: actually that sound exactly like what I had in mind!!
I'd go the SSH + sudo way.
Sudo can be quite finely tuned to only allow specific commands. If you want to lock the SSH session further, look into rbash.
Thank you! I'll have a look!
This was my first thought.
I do this for a living and it’s literally built into Linux.
Set their permissions carefully, ensure that the permission set does what you want (and not a bunch of stuff you don’t want), and keep on keeping on.
I was like, “Portainer costs money? When did that happen. I thought it was open source.” Granted it has been awhile since I used it.
You want to check out the Community Edition. Here’s their Github.
Cockpit is quite mature and sponsored by Red Hat. Your users can log in with their normal account on the system which you can lockdown however you want.
Thank you! I'll look into it!
I’ve been pointed at https://www.portainer.io/ but they seem to have a steep price for the limited use-case that I would be giving it.
Portainer is totally Free, also, you can get a free Business Edition licence for 3 nodes https://www.portainer.io/take-3
Slightly off topic, but are there not security concerns about opening up a portainer instance to the internet? I run portainer for all of my intranet hosted containers but I have reservations about running either the agent or portainer itself on something external to my lan. It seems like an easy attack vector but maybe I'm just overly worried?
Probably better to provide access to Portainer via a VPN if that's the route they want to go (Tailscale would be perfect for this scenario).
Ya, I've got a few public services out there and I would love for a better way to manage them. But the fewer ports I open the better. I think there's also portainer edge agent that's more secure for prod environments, but I've yet to look into it much.
I have reservations about running either the agent or portainer itself on something external to my lan.
I don't feel like it's safe enough personally either, so I just have portainer edge-agent nodes connected to the primary on my intranet through through vpn tunnels. I really, really would prefer not to ever open ports on my local firewall, but being able to monitor and control remote docker hosts is also pretty convenient, so my solution has been decent for me.
Can you use SSH?
Possibly, but it would have to be so severely locked down that it makes more sense to have a web interface with a few buttons that do some very basic actions, including making my phone ring or stuff like that.
That seems almost exactly what the sudoers file is meant for.
If several actions have to happen at once (call the phone first), or need parameters, or need a kill switch, that is what a script with the SETUID bit does.
I mean.. don't you just make them a user and just give them 777 permissions to the directories you'd allow?
view more: next ›