What is this?

A proof-of-concept for running a reverse proxy (in this case, HAProxy) in a rootful Podman container, using systemd units generated via Podman.

The HAProxy image used is this one.

Requirements

• Podman
• Just
• A containers user with enough subuids and subgids for UserNS=auto (see the beginning of man podman-run)

TODO

• Ports 80 and 443 (maybe via socket activation?)
• Run HAProxy as user in container
• Auth
• TLS

Notes

• All networks that are supposed to be isolated from each other need to have Option=isolate=true
• All services may still access each other via the reverse proxy, just like outside services can

Adding a new service requires the following steps:

1. Create the new network unit, pod unit, and required containers
2. Add the reverse proxy pod to the new network (by changing the config and restarting it, or by connecting it manually via podman network connect) so it can access the new service and proxy it
3. Adjust the reverse proxy config (by adding and manually reloading, or just restarting the reverse proxy systemd unit)