

I found the guide/examples on their website a bit irritating at first (that’s on me) but it works well once understood and configured.
Yes. 127.0.0.0 is the localhost. This is the IP the container is listening on. Even if there was no firewall it wouldn’t allow any connection except from the host. If it’s set to 0.0.0.0 it means it’ll allow connections from any IP (which might not be an issue depending on your setup).
The reverse proxy runs on localhost anyway, so any other IPs have no reason to ever have access.
It’s mostly to allow the reverse proxy on localhost to connect to the container/service, while blocking all other hosts/IPs.
This is especially important when using docker as it messes with iptables and can circumvent firewalls like e.g. ufw.
You’re right that it doesn’t increase security in case of a compromised container. It’s just about outside connections.
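The difference between the two bind forms described above, as an added example that is not part of the original comments: a Python check that reads compose-style short-syntax port entries and lists those bound to anything other than loopback. The sample entries are constructed, and it assumes the Docker daemon's default of publishing on all interfaces when an entry gives no IP.

```python
import ipaddress

# Constructed sample of compose short-syntax "ports:" entries. Only the first
# form (127.0.0.1:8080:8080) appears in the thread; the rest are illustrative.
SAMPLE_PORTS = [
    "127.0.0.1:8080:8080",
    "8080:8080",
    "0.0.0.0:443:8443",
    "[::1]:9000:9000",
    "53:53/udp",
    "192.168.1.10:8096:8096",
]

def host_bind_address(port_spec):
    """Return the host IP that a [IP:][HOST_PORT:]CONTAINER_PORT[/PROTO] entry binds."""
    spec = port_spec.strip().split("/", 1)[0]   # drop a trailing /tcp or /udp
    if spec.startswith("["):                    # bracketed IPv6 host address
        return spec[1:].partition("]")[0]
    parts = spec.split(":")
    if len(parts) == 3:                         # IP:HOST_PORT:CONTAINER_PORT
        return parts[0]
    # Assumption: default daemon settings, where an entry without an IP
    # is published on all interfaces.
    return "0.0.0.0"

def reachable_beyond_localhost(port_spec):
    """True when the published port is bound to anything other than loopback."""
    return not ipaddress.ip_address(host_bind_address(port_spec)).is_loopback

def audit(port_specs):
    """Return the entries that are not restricted to the Docker host itself."""
    return [p for p in port_specs if reachable_beyond_localhost(p)]

if __name__ == "__main__":
    for entry in SAMPLE_PORTS:
        verdict = "non-loopback" if reachable_beyond_localhost(entry) else "loopback only"
        print(f"{entry:28} binds {host_bind_address(entry):14} {verdict}")
```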
Some I haven’t yet found in this thread:
127.0.0.1:8080:8080
I do the same, but with Wireguard instead of OpenVPN. The performance is much better in my experience and it sucks less battery life.
Trying to actually restore is the best way to ensure the backup works. But it’s annoying so I never do it.
I usually trust restic to do its job. Validating that files are there and are readable can be done with restic mount, and you’ve mentioned restic check.
The best way to ensure your data is safe is to do a second backup with another tool. And keep your keys safe and accessible. A remote backup has no use if the keys burned down.
It’s great to see another open source OIDC provider (with more features). I’ve set up Pocket ID which is awesome because of its simplicity and it’s great.