Back in late November, I wrote a blog article about what the website was currently being hosted on. It was a solution that was fast and easy to install, and even easier to maintain. The software was called Pterodactyl Panel and is actually a panel optimized for hosting game servers and renting them out, with a complete payment system implemented in case you want to make money with it.
It would have stayed like that if it hadn’t been for something that conflicted with the architecture: I couldn’t install Nginx Proxy Manager because the panel was already bound to ports 80 and 443, and I couldn’t find a way to change that without a lot of effort.
One of my friends said that it was time to switch to a real, production-like architecture: installing Podman and Portainer (although my friend isn’t a big fan of Portainer—he prefers to have everything in the console).
Resetting the server
For Pterodactyl, I had set up my server with Ubuntu, an OS I wasn’t that familiar with. I mainly use Arch (btw). Pterodactyl wasn’t available for Arch, so I had to switch to Ubuntu. Podman and Portainer, however, were available for Arch Linux, so of course I set up Arch with them.
Portainer and Podman were trivial to install, and they also have very good step-by-step instruction pages. I was quite new to a system like this. Of course, I had used Docker before, and according to my friend, Podman was quite similar. But soon, we encountered the first challenge.
nftables
As a firewall, I chose nftables. It’s apparently a very good and lightweight firewall that is also performant on smaller systems.
The only problem: I had never done a deep dive into it. That became an issue because without proper port forwarding, the server was basically invisible.
No ports were open except SSH, and luckily I had configured it so only I could access SSH.
I tried adding a rule to enable ports 80 and 443 in the forwarding chain, but it still didn’t work.
It was late at night, and I was tired, so I went to bed. The next day, my friend asked one of his friends to take a look, since he was quite proficient with nftables and Podman.
It took a while until we found the problem. The rules themselves were correct; the order was wrong. nftables processes the rules in a chain from top to bottom, and the first matching rule that ends in a verdict such as accept or reject is the one that is applied; any later matching rules in that chain are ignored. This resulted in a rejecting rule being applied before the accepting rule. After about an hour, that small issue was identified and fixed.
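The ordering mistake described above can be checked for mechanically. The following is an added example, not the ruleset or tooling from this setup: it scans text in the format printed by `nft list ruleset` and reports rules that sit behind a catch-all verdict. The sample ruleset is constructed, and it assumes the rejecting rule had no match expression in front of it.

```python
import re

# Constructed sample in the format printed by `nft list ruleset`; not the
# author's real ruleset, which the post does not show.
SAMPLE_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        reject with icmpx admin-prohibited
        tcp dport { 80, 443 } accept
    }
}
"""

CHAIN_START = re.compile(r"^\s*chain\s+(\S+)\s*\{\s*$")
# A rule that starts with its verdict has no match expression in front of it,
# so it applies to every packet that reaches it.
CATCH_ALL = re.compile(r"^(accept|drop|reject)\b")


def find_shadowed_rules(ruleset):
    """Return (chain, blocking_rule, unreachable_rule) for rules after a catch-all."""
    findings = []
    chain = blocker = None
    for raw in ruleset.splitlines():
        line = raw.strip()
        start = CHAIN_START.match(raw)
        if start:
            chain, blocker = start.group(1), None   # new chain, nothing blocks yet
        elif line == "}":
            chain = blocker = None                  # end of a chain or of the table
        elif chain and line and not line.startswith("type "):
            if blocker:
                findings.append((chain, blocker, line))
            elif CATCH_ALL.match(line):
                blocker = line
    return findings


if __name__ == "__main__":
    for chain, blocker, rule in find_shadowed_rules(SAMPLE_RULESET):
        print(f"chain {chain}: '{rule}' is never evaluated, '{blocker}' comes first")
```

Rejecting rules that carry their own match expression can shadow later rules too; this check only covers the unconditional case.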
Something else still didn’t work: communication between containers.
This was easily solved by creating a network, which I creatively named ProxyNet, and putting all deployed containers into it.
After that, they could reach each other much more easily.
Nginx Proxy Manager
Following advice from one of my friends, I hid some of the administration panels so that I could only access them via SSH port forwarding. This maps a port on the VServer's localhost to a port on the localhost of my working device over an SSH connection, which only I can access thanks to my PGP keys.
I still created some proxy hosts for those management panels in NPM, so if I open them again, they are easy for me to access.
What I also learned is that Podman provides its own DNS service. Instead of using the local IP of each container, which I also learned is not static, I could simply link, for example, https://thisisraphael.at to http://website:3000. Yes, my website is also containerized, and I’ll probably write a project article about that, since I implemented my own CI/CD pipeline for it.
It paid off
At first, I was skeptical about whether it would really pay off. I knew Pterodactyl as an easy way to manage several services on a server, and I was familiar with it because I had once been part of a project that used that panel.
But as soon as I switched to Portainer, I knew it was the right decision. I no longer had to create special Docker images for Pterodactyl (called Pterodactyl Eggs); I could simply use standard Docker images. Essentially, almost every service can be containerized. I was no longer limited to a small selection. I could now use all of them.
Portainer itself is also easy to use. Of course, it has more buttons, fields, and features, but when you actually need them, they’re easy enough to find.
I’d recommend Portainer to everyone who prefers GUIs to pure console workflows (sorry, unknown-tech). It doesn’t only work with Podman: you can also manage Kubernetes and Docker, and even mix them across several servers.
Overall, I’m very happy with how everything turned out. I’m still getting used to running a more “real” system, but I’m slowly figuring everything out. With that said, I wish everyone a good start to 2026. Stay healthy, stay curious, and happy coding.