I must admit that my evil self impatiently waits for a crowdstrike-like event, but with a kernel-level anti-cheat instead. On the more serious side, it baffles me how much the vast majority of people don’t care about privacy or security problematics. They literally don’t give a f**k.

HAproxy is good at what it does but it’s only good at proxying and simple rules.

It’s possible to write very complex rules/ACLs with HAproxy… stick-tables, ACLs with regexes on whatever HTTP header, source or destination ACLs, map files, geoblocking, lua scripting, load-balancing from round-robin to host header load balancing, dynamic backend servers provisionning through DNS… Not that you can’t do it with Nginx (it started as a reverse-proxy before becoming a jack of all trades), nor that nginx isn’t a great tool (it is!), but HAProxy can do very complex things too. It also follows the good ol’ UNIX philosophy of “one program to do one thing and do it well” and thus doesn’t try to be a webserver, hence why you need a webserver behind it to serve anything from static files to PHP/Python/whatever.

You’re welcome! scratch and distroless are indeed basically the same thing, scratch being the ‘official’ docker minimal image while distroless is from google - as I’m more a Kubernetes user (at home and at work) than a Docker user, I tend to think about distroless first :) - my apologies if my comment was a bit confusing on this matter.

By the way, have fun experimenting with docker (or podman), it’s interesting, widely used both in selfhosting and professional environments, and it’s a great learning experience - and a good way to pass time during these long winter evenings :)

A bit late but you might want to have a look at docker multi-stage build documentation which does exactly what you did (start from a base image then copying stuff from it to your own image), something like that:

FROM someimage:sometag AS build
[do stuff]
FROM minimalimage:someothertag
COPY --from=build /some/file /some/other/file
[and so on]
USER somebody
CMD ["/path/somecommand"]

Which will simplify building new images against newer “build” image newer tags easier.

btw, you were quite creative on this one! You also might want to have a look at the distroless image, the goal being to only have the bare minimum to run your application in the image: your executable and its runtime dependencies.

good old x201 here (i5-720m iirc), 8GB ram, sata ssd. Debian stable. No DE, just stumpWM. Not watching 4k youtube videos but runs fairly well for a 13 years old machine.