I have an Ubuntu VM (created on 12.0 which I still use now on 24.10.2.2) to host NGINX and Prosody. The other day I decided to try WireGuard and installed my first app “wg-easy” to familiarize myself with it before attempting to install it on the VM. But because of the easy install, volumes, and low RAM usage, I’m contemplating migrating my whole VM to docker instead.
This seemed impossible at first but after some thought I think all I need to do is copy /etc/letsencrypt/ from the VM to a dataset, use the official certbot image and bind mount this directory to its container and also NGINX and Prosody. As for NGINX I’m guessing I also need to replace localhost with a docker internal IP, e.g. proxy_pass localhost:5280 to 172.16.1.2:5280.
Is that a reasonable procedure? I don’t know the best practices when it comes to containers, I’m using a VM because it’s the “easy way”. But now I realize that I should not treat my VM as a pet (configuring users, SSH, rsync, updates etc.), with docker I simply SSH into Truenas. However… my biggest concern is security/isolation. The VM has a separate IP (192.168.1.3) and from the router I port forward 80,443,5222,3478 to it; whereas with docker I instead specify the IP of my NAS (192.168.1.2). So if a vulnerability were to be found, (AFAIK) an attacker will have root access to my NAS instead of user access on my VM. I also read that neither Truenas nor containers have a firewall. The VM has policy DROP along with some simple rules to allow only minimum IN/OUT packets (e.g. iptables -A OUTPUT -p tcp -m multiport --sports 80,443,5222,3478 -j ACCEPT). Docker documentation states to use iptables -I DOCKER-USER, but I’d rather not mess with the CLI and stick to what’s supported.
How should I properly approach this? Any help/advice is appreciated!
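The layout sketched in the question (one shared /etc/letsencrypt bind-mounted into certbot, NGINX and Prosody, with NGINX proxying to Prosody over the internal network) as a Compose stack; this is an added example, not code from the original post. The dataset path /mnt/tank/apps is a placeholder, and the image names are assumed to be the Docker Hub images of each project.

```yaml
# Added example (not from the original post). /mnt/tank/apps is a placeholder
# dataset path; replace it with the real one.
services:
  certbot:
    image: certbot/certbot
    volumes:
      - /mnt/tank/apps/letsencrypt:/etc/letsencrypt
      - /mnt/tank/apps/webroot:/var/www/certbot
    # Renew twice a day using the webroot served by the nginx service below.
    entrypoint: >
      /bin/sh -c 'trap exit TERM;
      while :; do certbot renew --webroot -w /var/www/certbot;
      sleep 12h & wait $${!}; done'

  nginx:
    image: nginx:stable
    ports:                      # only these reach the NAS address
      - "80:80"
      - "443:443"
    volumes:
      - /mnt/tank/apps/letsencrypt:/etc/letsencrypt:ro
      - /mnt/tank/apps/webroot:/var/www/certbot:ro
      - /mnt/tank/apps/nginx/conf.d:/etc/nginx/conf.d:ro
    depends_on:
      - prosody

  prosody:
    image: prosody/prosody
    ports:
      - "5222:5222"             # client XMPP, published
    # 5280 (BOSH/WebSocket) is deliberately NOT published: nginx reaches it
    # over the default Compose network, so it is never bound on the NAS IP.
    volumes:
      - /mnt/tank/apps/letsencrypt:/etc/letsencrypt:ro
      - /mnt/tank/apps/prosody:/etc/prosody
```

Inside the NGINX config, `proxy_pass http://prosody:5280;` replaces `localhost:5280`, because Compose resolves service names by DNS on the shared network, so no fixed container IP has to be hard-coded.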