broke my bed now it's dead

Setup a service on our internal infrastructure on Alpine Linux

Posted on

Now we have a basic internal infrastructure with:

But everything is on the same machine. While it could be okay, I will host the services I want on other machines.

I will run them on the same Proxmox cluster, but the possibilities are endless (as long you can get WireGuard running).

Get started

Install Alpine. Setup ssh and repositories.


We will set up WireGuard, but not a server, a regular peer that will connect to the WireGuard server.

Create a new peer on the WireGuard server, and get the config file ready.


Install WireGuard:

apk add wireguard-tools

To load the WireGuard module on startup, edit


and simply add


and reboot.


Put the WireGuard config to



Copy the init.d script for WireGuard like we did for the original server.

And ask it to start on boot.

Reboot and make sure everything works, you should see WireGuard logs when the machine is starting.

And the DNS should be working! Try to ping an internal DNS name.

Sometimes the DNS will go back to the system's default (probably your DHCP server's), so force the DNS as seen in the post about CoreDNS.

DNS entry

In the main server, edit CoreDNS to add a new DNS entry for the newly added peer.

Save and restart CoreDNS.


Add the dynamic MOTD if you feel like it. I did.

Reverse proxy

Before installing and starting services, let's add a reverse proxy for security + some sweet TLS certs.

I'll be using caddy. You will need to enable the community repo first.

apk add caddy

Let's get a hello world:

# global
        # step-ca ACME server

docker.philt3r docker.philt3r:80 {
    respond "Hello, world!"

I start the service on ports 80 and 443 to get the initial TLS certificate, I will remove access on port 80 afterward.

Don't start caddy yet.

TLS certificates

On our new server, we need to trust the root ca. Download the root ca, and ask the system to trust it:

apk add ca-certificates ca-certificates-bundle
wget --no-check-certificate -O /usr/local/share/ca-certificates/philt3r.crt

Now we can start caddy and enable it on boot:

rc-service caddy start
rc-update add caddy

You should get a Hello World on port 443. If you do, you can disable access from port 80 in the Caddyfile and restart caddy.

Install the service

Now we can install the service we want to host, start it, and configure caddy to be a reverse proxy for it.

Repeat the process for the other services you want to host.

Protip: serve the services on and use caddy to restrict access only from the WireGuard peers (since there is the DNS restriction).

Sample Caddyfile:

# global
        # step-ca ACME server

docker.philt3r {


Since I'll be using Docker to host most services, I'll install it:

apk add docker docker-compose
rc-update add docker
rc-service docker start

Then spin up your docker containers and route them with caddy.