Never had an issue. But I installed them all using my distro package manager, so no hassle with volumes and links.

Useless post. Please delete.

Or add some description.

What do you mean? I have only heard that phrase meaning not in a container or VM. But I am not a native speaker.

Install a reverse proxy like caddy, but on your server bare metal not container.

Also, expose port 443 not 80, and put a SSL certficate.

Can at least ping <my domain> from server and from home?

Check my wiki where I tried to detail all the steps

https://wiki.gardiol.org/doku.php?id=services%3Aimmich

I have a 3,2,1 backup strategy with restic+backrest. One full backup local on an external disk. Second backup in the house on a disk mounted to an OpenWRT router in the garden, third backup remote on my vps. Backup is daily at night.

My external access is via a static public IP on a VPS I rent using a double layer of NGINX reverse proxy. Vps is connected to home via wireguard, so nobody has to complain that they require a wireguard VPN on their phones… WAF is critical here.

A rootless container is good for security.

A lifetime old basic rule is never run anything as root, not even your podman :)

I only ever use rootless podman jn my system and I fond it pretty easy to actually run: zero effort whatsoever.

Why you say it’s complicated?

Yes I always create one unprivileged user (not even in the sudoers or wheel group ofc) for every service I containerize. And create a dedicated network for the service too.

It only takes a few lines in a normal docker compose yaml.

Also I use docker compose on podman, yes docker compose not podman compose.

Edit2: refer to this post of mine on how installed immich on rootless podman https://wiki.gardiol.org/doku.php?id=services%3Aimmich as you can see, the most complex part is… Useradd & mkdir LOL

Edit: also podman play nice with iptables and nft (which should be always preferred nowadays) instead docker can mess your system good, and don’t work with nft tables, unless quirks quirks…