Nexterm - Open Source, Self Hosted Server Management Made Simple!

Here is a consolidated, clear Markdown summary with key points and takeaways from the transcript.

NextTerm and Related Remote Access Setup — Key Points and Takeaways

1) NextTerm Overview

• NextTerm is a browser-based remote access tool supporting SSH, RDP, and VNC in one interface.
• Likely built on Apache Guacamole infrastructure; leverages modern web UI and multi-protocol access.
• Tech stack: Node.js 18, Yarn, Docker (Docker is optional for deployment).

2) What NextTerm Offers

• Unified web UI for multiple remote protocols (SSH, RDP, VNC).
• Clean UI with drag-and-drop organization and profiles for credentials.
• Create/manage multiple connections from one dashboard; organize into folders.
• Right-click actions on connections: connect, SFTP, run scripts, edit/duplicate/delete, add tags.
• Run remote commands (e.g., sudo apt update/upgrade) directly from the browser.
• Good initial documentation on GitHub; active community support.

3) Security Considerations (Guidance)

• Security depends on how NextTerm is exposed:
  • Directly exposing to IP may be less secure.
  • Use a reverse proxy and domain-based URL for controlled exposure and encryption.
  • Implement strong authentication, access controls, and network protections as part of deployment.

4) Pros and Cons

• Pros:
  • Easy setup and browser-based multi-protocol access.
  • Single pane for SSH/RDP/VNC with good organization features.
  • Modern UI; useful for remote work or managing many servers.
• Cons/Considerations:
  • Security posture hinges on deployment choices (reverse proxy, auth, TLS, etc.).
  • Some users reported earlier bugs; current state appears more mature with ongoing improvements.

5) Practical Takeaways and Next Steps

• If you manage multiple servers and need browser-based access across SSH, RDP, and VNC, NextTerm is worth evaluating.
• Plan production deployment with security in mind (reverse proxy, domain, proper auth).
• Explore GitHub/docs to tailor profiles, identities, and network settings to your environment.

6) Quick Action Checklist (Condensed)

• Set up a reverse proxy + tunnel (via VPS) to avoid exposing your home IP.
• In NextTerm, configure external identity providers (OpenID Connect) and enable 2FA.
• Use a domain name for web access; configure correct redirect URIs for the IdP.
• Connect repositories/snippets sources if you work with reusable scripts or commands.
• Enable monitoring (e.g., status checks every 30s) and configure per-server monitoring.
• Configure backups (frequency and retention).
• Review and adjust UI preferences (themes, font size, accessibility) as needed.
• Implement and test the security surface: reverse proxy, TLS, access controls.
• Try AI features with caution (validate outputs before applying changes).

---

Additional Context from the Demos

Demo Highlights (UI and Workflow)

• In-browser RDP and VNC connections; tabbed sessions; easy to switch between sessions.
• Full-screen capable; auto-scaling for different screen sizes.
• Terminal sessions in browser; sudo/updates executable via web interface.
• Multi-tab session stability can have occasional disconnects; ongoing refinements.

Fresh Ubuntu 24.04 Server Setup (Walkthrough)

• Install a basic server and essential tools: nano, git, wget, curl, openssh-server.
• Create a non-root user (e.g., Brian) and grant sudo and docker groups as appropriate.
• SSH into the remote environment; ensure each container/system has its own SSH access as needed.

Docker and NextTerm Deployment (Key Commands)

• Docker install: one-liner (example shown: curl https.docker.com | sh)
• Create a non-root user and grant privileges:
  • adduser Brian
  • sudo usermod -aG sudo Brian
  • sudo usermod -aG docker Brian
• SSH login: ssh Brian@your-server-ip
• Project directory setup:
  • mkdir -p docker/nextterm
  • cd docker/nextterm
• Docker Compose setup (compose.yaml):
  • Prefer bridge networking; avoid unnecessary host networking unless required.
  • Expose host ports (e.g., 8080, 8082) for the NextTerm UI.
  • Map volumes with relative paths (e.g., ./nextterm/app-data) for persistence.
  • Generate a 64-character

---

More information

NextTerm is a web-based remote access and server management platform that supports:

• SSH
• Telnet
• RDP
• VNC
• File management
• Monitoring
• Snippets
• Audit logs
• Identity provider integration (OIDC)
• Optional AI assistant

It is built on:

• Node.js 18
• Docker
• Likely built on top of Apache Guacamole

It provides multi-user, multi-organization support with centralized browser-based remote access.

The primary problem it solves:

Secure, centralized, browser-based remote access and management for Linux and Windows systems without relying solely on SSH.

---

Detailed Step-by-Step Breakdown

1️⃣ Prerequisites

Server Environment Used in Transcript

• Ubuntu 24.04 Server
• Fresh minimal install
• Root login initially
• Docker deployment

Required Tools Installed

apt update && apt upgrade -y
apt install nano git wget curl openssh-server -y

These tools are required for:

• Editing files (nano)
• Git operations (git)
• Downloading files (wget, curl)
• Remote access (openssh-server)

---

2️⃣ Install Docker (Community Edition)

curl https://get.docker.com | sh

This installs:

• Docker CE
• Docker Compose plugin

⚠️ By default, Docker will run as root.

---

3️⃣ Create Non-Root User (Recommended)

adduser brian

Add to required groups:

For Ubuntu/Debian:

usermod -aG sudo brian
usermod -aG docker brian

For RedHat/Fedora/CentOS:

usermod -aG wheel brian
usermod -aG docker brian

Logout and SSH back in as the new user:

ssh [email protected]

---

4️⃣ Create Docker Directory Structure

mkdir -p docker/nextterm
cd docker/nextterm

---

5️⃣ Create Docker Compose File

nano compose.yaml

Use Bridge Network Configuration (Recommended)

Paste base configuration from official documentation and modify as follows:

🔧 Required Modifications

1. Add YAML Header

---
services:

2. Generate 64-character hex encryption key

⚠️ Important: openssl rand -hex 64 gives 128 characters Correct command:

openssl rand -hex 32

Insert into:

environment:
  NEXTTERM_ENCRYPTION_KEY: "your_64_char_hex_here"

3. Change Port Mapping (Optional)

Default:

- "6989:6989"

Modified example:

- "8082:6989"

Left side = host port Right side = container port (DO NOT CHANGE)

4. Restart Policy

Change from:

restart: always

To:

restart: unless-stopped

5. Volume Mapping (Recommended Adjustment)

Change:

- nextterm_data:/app/data

To:

- ./nextterm:/app/data

This keeps data local to the project directory.

Remove unnecessary volume declarations if present.

---

6️⃣ Pull Docker Image

docker compose pull

Wait for all layers to show:

Pull complete

---

7️⃣ Start NextTerm

docker compose up -d && docker compose logs -f

• -d = detached mode
• logs -f = follow startup logs

If no errors appear → installation successful.

Exit logs:

CTRL + C

---

8️⃣ Access Web Interface

Navigate to:

http://<SERVER_IP>:8082

Example:

http://192.168.50.106:8082

You should see Registration Screen.

Create admin user.

---

Post-Install Configuration

---

Adding Connections

Right-click → New

Connection Types:

• SSH
• Telnet
• RDP
• VNC

SSH Configuration Example

• Name: 6bay NAS
• IP: 192.168.50.1
• Port: 22
• Enable monitoring (optional)
• Configure terminal compatibility
• Add credentials or SSH key identity

---

Identity Providers (OIDC)

Supports:

• Authentik
• Keycloak
• Any OpenID Connect provider

Configuration requires:

• Provider URL
• Client ID
• Client Secret
• Redirect URI
• OpenID scopes

Recommendation:

Disable built-in auth after validating external IdP.

---

Monitoring

If enabled per server:

Shows:

• CPU usage
• Memory usage
• Process count
• Load average
• Network interfaces
• Uptime
• Charts & graphs

Monitoring interval configurable (default: 30 seconds).

---

Snippets

Supports repository integration:

• GitHub
• GitLab
• Self-hosted Git

Use for reusable scripts and commands.

---

File Manager

Available per SSH session.

---

Audit Logs

Tracks:

• User actions
• Session events
• Changes

Filterable by action.

---

AI Assistant (Optional)

• Disabled by default
• Can generate commands
• ~50% reliability (verify output)

---

RDP & VNC Support

RDP Demonstrated

• Browser-based RDP session
• Full-screen support
• Auto scaling
• Responsive performance
• Tabbed interface (better than Apache Guacamole layout)

Possible limitation:

• Session drop during OS updates (RDP service restart)

---

Security Recommendations

❗ Do NOT expose directly via open port forwarding.

Recommended:

• Reverse proxy
• Encrypted tunnel
• VPS-based tunnel system
• Zero open home firewall ports

Possible stack:

• VPS
• Reverse proxy
• Tunnel client on internal machine

---

Key Technical Details

---

Core Stack

• Node.js 18
• Docker CE
• Docker Compose
• Likely built on Apache Guacamole
• Supports bridge or host networking

---

Encryption Key

• Must be exactly 64 hex characters

• Generated via:

  openssl rand -hex 32
  

---

Default Container Port

6989

Host port customizable.

---

Platform Support

Desktop:

• AppImage
• DEB
• RPM
• Windows (.exe / .msi)
• macOS (x64 + ARM)
• Android
• iOS (IPA – not App Store)

---

Pro Tips

---

✔ Use unless-stopped restart policy

Prevents unwanted auto-restart during maintenance.

---

✔ Use local volume mapping (./nextterm)

Keeps all data self-contained for backup.

---

✔ Enable Backups

Set:

• Frequency (e.g., hourly)
• Retention count

---

✔ Enable Monitoring per Host

It must be enabled:

• Globally
• Per server

---

✔ Configure OIDC Early

Use:

• Authentik
• Keycloak

Then disable local authentication.

---

✔ Organize with Folders

Supports drag-and-drop structure.

---

✔ Use Jump Hosts

Supports SSH jump configuration.

---

✔ Save SSH Identities

Prevents credential re-entry.

---

Potential Limitations / Warnings

---

⚠️ RDP Session Interruptions

System updates can kill RDP sessions.

---

⚠️ Right-Click to Add Server Not Obvious

No visible “Add Server” button.

---

⚠️ Monitoring Card Size Not Adjustable

UI customization limited.

---

⚠️ Encryption Key Length Confusion

openssl rand -hex 64 ≠ 64 characters Use -hex 32.

---

⚠️ Do Not Expose Directly to Internet

Use reverse proxy + tunnel.

---

Recommended Follow-Up Resources

• NextTerm GitHub repository
• Docker documentation
• OpenSSL documentation
• OpenID Connect documentation
• Authentik documentation
• Keycloak documentation
• Apache Guacamole documentation

---

Overall Technical Assessment

NextTerm is:

✔ Lightweight ✔ Docker-native ✔ Multi-protocol ✔ Multi-user ✔ Monitoring-capable ✔ Identity-provider compatible ✔ Suitable for homelab and small production use

It is approaching production readiness but still may have minor session stability quirks.

---

Here are 5 excellent books available on Amazon that will help you level up the skills most relevant to tasks like secure server infrastructure, Docker & Kubernetes deployment, networking, and security — all of which directly support what you’re doing with NextTerm, containerization, and secure remote access:

1. The Ultimate Docker Container Book A highly-rated, practical guide covering Docker essentials — building, testing, shipping, and running containers. It’s great for sysadmins and DevOps practitioners who want real-world Docker skills in production.

2. Kubernetes in Action One of the most well-regarded Kubernetes books around. It teaches Kubernetes fundamentals, cluster setup, deployment patterns, scaling, and best practices — ideal once you’re ready to orchestrate containers beyond basic Docker.

3. Kubernetes and Docker - An Enterprise Guide A practical, enterprise-focused guide to containerization that introduces Docker and Kubernetes from the ground up and helps you integrate these technologies in real environments — a great bridge between beginner and advanced workflows.

4. Securing Docker: The Attack and Defense Way Security-focused containerization guide that covers common threats to Docker ecosystems and how to mitigate them — perfect for understanding how to harden containers themselves and the hosts they run on.

5. Networking and Kubernetes A focused look at Kubernetes networking — extremely helpful if you want to go deeper into container networking, service meshes, or secure connectivity across clusters and services.

---

Next Steps:

Below is a production-hardened, reproducible deployment path for NextTerm that covers:

• Hardened single-host Docker deployment (good baseline)
• Secure remote access via VPS + WireGuard tunnel + reverse proxy (TLS) (no home port-forwarding)
• OIDC SSO (e.g., Authentik / Keycloak) and local auth shutdown
• Multi-tenant / multi-org patterns
• Docker Swarm and Kubernetes deployment templates
• A security audit checklist you can run through each time

Assumption: Standard/Typical Setup (not specified in transcript)

• You control a Linux server where NextTerm runs (Ubuntu 24.04).
• You own a domain (e.g., nextterm.example.com).
• You can rent a small VPS (1 vCPU / 1GB RAM is fine).
• You want no inbound ports opened on your home network.

---

Detailed Step-by-Step Breakdown

1) Hardened single-host Docker deployment (baseline)

1.1 OS + user + firewall basics

sudo apt update && sudo apt upgrade -y
sudo apt install -y ufw fail2ban jq curl ca-certificates gnupg
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp   # SSH to server (lock to your IP if possible)
sudo ufw enable

(Optional but recommended) Restrict SSH:

• Disable password auth, use keys:

  • /etc/ssh/sshd_config:

    • PasswordAuthentication no
    • PermitRootLogin no

  • sudo systemctl restart ssh

1.2 Docker install (CE)

curl -fsSL https://get.docker.com | sudo sh
sudo usermod -aG docker "$USER"
newgrp docker

1.3 Create NextTerm compose with hardened defaults

mkdir -p ~/docker/nextterm
cd ~/docker/nextterm

Generate encryption key (64 hex chars):

openssl rand -hex 32

Create compose.yaml:

---
services:
  nextterm:
    image: ghcr.io/nextterm/nextterm:latest
    container_name: nextterm
    restart: unless-stopped

    # Bind only to localhost if you put a reverse proxy on the same box.
    # If reverse proxy is on another box, bind to the LAN IP instead.
    ports:
      - "127.0.0.1:8082:6989"

    environment:
      # Must be 64 hex characters
      NEXTTERM_ENCRYPTION_KEY: "REPLACE_WITH_64_HEX"

      # Optional: set app base URL if supported by your version (check docs)
      # NEXTTERM_BASE_URL: "https://nextterm.example.com"

    volumes:
      - ./nextterm:/app/data

    # Minimal hardening (verify compatibility with your NextTerm image)
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL

Bring up:

docker compose pull
docker compose up -d
docker compose logs -f

At this point NextTerm is reachable only locally at:

• http://127.0.0.1:8082

You’ll expose it safely via reverse proxy + TLS (below).

---

2) Secure remote access with VPS + WireGuard tunnel + TLS reverse proxy

Goal: No port forwarding at home. Only your VPS is public.

Topology

• Home/LAN: NextTerm server runs privately.
• VPS: Public IP terminates TLS and forwards to NextTerm over WireGuard.

2.1 WireGuard on VPS (public)

sudo apt update && sudo apt install -y wireguard
umask 077
wg genkey | tee ~/wg-server.key | wg pubkey > ~/wg-server.pub

Create /etc/wireguard/wg0.conf on VPS:

[Interface]
Address = 10.50.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>

# Enable forwarding
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Peer: Home NextTerm server
[Peer]
PublicKey = <HOME_PUBLIC_KEY>
AllowedIPs = 10.50.0.2/32

Start:

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
sudo wg show

Open UDP 51820 on VPS firewall/security group.

2.2 WireGuard on Home NextTerm server (client)

sudo apt update && sudo apt install -y wireguard
umask 077
wg genkey | tee ~/wg-client.key | wg pubkey > ~/wg-client.pub

Create /etc/wireguard/wg0.conf on home server:

[Interface]
Address = 10.50.0.2/24
PrivateKey = <HOME_PRIVATE_KEY>

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = <VPS_PUBLIC_IP>:51820
AllowedIPs = 10.50.0.1/32
PersistentKeepalive = 25

Start:

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
ping -c 3 10.50.0.1

Now VPS can reach home server on 10.50.0.2.

2.3 Reverse proxy on VPS with TLS (Caddy recommended)

Install Caddy on VPS:

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update && sudo apt install -y caddy

Caddyfile /etc/caddy/Caddyfile:

nextterm.example.com {
  encode zstd gzip
  reverse_proxy 10.50.0.2:8082

  # Security headers
  header {
    Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "DENY"
    Referrer-Policy "no-referrer"
    Permissions-Policy "geolocation=(), microphone=(), camera=()"
  }
}

Reload:

sudo caddy reload --config /etc/caddy/Caddyfile

DNS:

• Point nextterm.example.com → VPS public IP.

Now NextTerm is reachable securely at:

• https://nextterm.example.com

No home ports opened. Only the VPS has 80/443 + 51820/udp.

---

3) SSO via OIDC (Authentik/Keycloak) + disable local auth

Pattern

• Put NextTerm behind OIDC SSO
• Optionally restrict NextTerm itself to OIDC-only users

Steps (generic OIDC):

1. In Authentik/Keycloak, create OIDC client:

   • Redirect URI: https://nextterm.example.com/* (exact path depends on NextTerm’s requirement)

2. Copy values:

   • Issuer URL
   • Client ID
   • Client Secret

3. In NextTerm:

   • Settings → Identity Providers → Add Identity Provider

   • Fill:

     • URL / Issuer
     • Client ID
     • Client Secret
     • Redirect URI
     • Scopes (typical): openid profile email

Hardening:

• After verifying SSO works:

  • Disable/lock down built-in auth if NextTerm supports it
  • Enforce 2FA at the IdP (recommended)

---

4) Multi-tenant / multi-organization patterns

You have two common models:

Model A: One NextTerm instance, multiple orgs (simplest)

• Use NextTerm’s Organizations feature
• Use IdP groups/claims to map users to roles/orgs
• Pros: single deployment, single update path
• Cons: shared blast radius if misconfigured RBAC

Model B: One instance per tenant (strong isolation)

• Run separate stacks:

  • nextterm-clientA.example.com
  • nextterm-clientB.example.com

• Separate encryption keys and data volumes

• Pros: tenant isolation, easier compliance

• Cons: more ops overhead

Recommended for clients: Model B unless you deeply trust RBAC boundaries.

---

5) Backups and disaster recovery

Because you mapped:

• ./nextterm:/app/data

Back up that directory.

Simple daily backup (home server)

Create /usr/local/bin/backup-nextterm.sh:

#!/usr/bin/env bash
set -euo pipefail
SRC="/home/$USER/docker/nextterm/nextterm"
DST="/home/$USER/backups/nextterm"
mkdir -p "$DST"
tar -czf "$DST/nextterm_$(date +%F).tar.gz" -C "$SRC" .
find "$DST" -type f -name "nextterm_*.tar.gz" -mtime +14 -delete

Make executable:

chmod +x /usr/local/bin/backup-nextterm.sh

Cron (daily at 03:15):

(crontab -l 2>/dev/null; echo "15 3 * * * /usr/local/bin/backup-nextterm.sh") | crontab -

Offsite:

• rsync backups to VPS storage or object storage.

---

Key Technical Details

• NextTerm service port inside container: 6989

• Host port: choose (example: 8082) but keep container port as 6989

• Encryption key requirement: 64 hex chars

  • Use openssl rand -hex 32

• Recommended port bind:

  • 127.0.0.1:8082:6989 (only local) + reverse proxy in front

• Recommended access:

  • VPS reverse proxy + WireGuard tunnel

---

Pro Tips

• Bind NextTerm only to localhost and always put it behind TLS.

• Use OIDC SSO with enforced MFA at the IdP.

• Put the reverse proxy on the VPS, not at home, and keep home inbound closed.

• Keep a separate NextTerm instance per client if you do client work.

• Keep your compose.yaml pinned to a known good tag instead of :latest once stable:

  • ghcr.io/nextterm/nextterm:<version>

• Add log rotation if logs are chatty:

  • Use Docker logging options (max-size, max-file) if needed.

---

Potential Limitations/Warnings

• Some container hardening flags (cap_drop: ALL, read_only: true) might break features if NextTerm needs to write outside /app/data or requires certain capabilities. Apply incrementally and verify.

• OIDC redirect URI formats vary by app/version. If login loops, correct the redirect URI/scopes first.

• If you proxy across WireGuard, ensure MTU issues don’t break websocket/streaming:

  • If you see flaky sessions, consider setting WireGuard MTU (e.g., 1420) on wg0.

---

Recommended Follow-Up Resources

• NextTerm GitHub / docs (for exact env vars, OIDC redirect format, and image tags)
• WireGuard documentation for site-to-site patterns
• Caddy reverse proxy + TLS docs
• Authentik or Keycloak OIDC client configuration docs
• Docker hardening guides (no-new-privileges, capabilities, read-only FS)

---

Extra: Docker Swarm and Kubernetes templates (ready to adapt)

Docker Swarm (stack file)

nextterm-stack.yml:

version: "3.8"
services:
  nextterm:
    image: ghcr.io/nextterm/nextterm:latest
    ports:
      - target: 6989
        published: 8082
        protocol: tcp
        mode: host
    environment:
      NEXTTERM_ENCRYPTION_KEY: "REPLACE_WITH_64_HEX"
    volumes:
      - nextterm_data:/app/data
    deploy:
      replicas: 1
      restart_policy:
        condition: any

volumes:
  nextterm_data:

Deploy:

docker stack deploy -c nextterm-stack.yml nextterm

Kubernetes (basic deployment + PVC)

nextterm.yaml:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nextterm-pvc
spec:
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 5Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nextterm
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nextterm
  template:
    metadata:
      labels:
        app: nextterm
    spec:
      containers:
        - name: nextterm
          image: ghcr.io/nextterm/nextterm:latest
          ports:
            - containerPort: 6989
          env:
            - name: NEXTTERM_ENCRYPTION_KEY
              value: "REPLACE_WITH_64_HEX"
          volumeMounts:
            - name: data
              mountPath: /app/data
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: nextterm-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: nextterm-svc
spec:
  selector:
    app: nextterm
  ports:
    - name: http
      port: 80
      targetPort: 6989
  type: ClusterIP

Then put an Ingress (nginx/traefik) in front with TLS and OIDC (via oauth2-proxy or IdP integration), or keep the VPS tunnel pattern.

Apply:

kubectl apply -f nextterm.yaml

---

Security Audit Checklist (practical)

Network

• NextTerm not exposed directly (no raw port-forward)
• HTTPS enforced at reverse proxy
• WireGuard keys protected, keepalive set, AllowedIPs minimal
• VPS firewall only allows 80/443 and 51820/udp, SSH restricted

Auth

• OIDC enabled
• MFA enforced in IdP
• Local/built-in auth disabled or admin-only (if supported)
• Admin accounts minimal and monitored

Host

• SSH keys only, root login disabled
• UFW/iptables active
• fail2ban enabled (SSH + optionally reverse proxy logs)

Container

• Data persisted under ./nextterm or PVC
• Restart policy unless-stopped
• no-new-privileges:true
• Capabilities dropped if compatible
• Image pinned to version tag once stable

Backups

• Daily backups of /app/data volume
• Offsite copy exists
• Restore tested (spin up a new VM and restore volume)

Monitoring

• Audit log reviewed periodically
• VPS + home server logs retained/rotated
• Alerts for WireGuard down / reverse proxy errors

---