All the times I just put docker-compose.yml to one user (my user) directory and call it a day.
But what about a service with multiple admins or with more horizontally split up load?
It’s better to manage your infrastructure with Ansible.
I’ve been slowly moving all my containers from compose to pure Ansible instead. Makes it easier to also manage creating config files, setting permissions, cycling containers after updating files etc.
I still have a few things in compose though and I use Ansible to copy updates to the target server. Secrets are encrypted with Ansible vault.
Well I’m also not entirely sure what you’re looking for. But here’s my guess 😅
None of this stuff should run under the account of a human user. Without docker/compose, I would suggest that you create one account for each service, deploy them to different directories with different permissions. With docker compose, just deploy them all together and run it all under a single service account. Probably name it “docker”. When an admin needs to access, you sudo su - docker and then do stuff.
Multiple admins should be able to manage podman just fine.
I host forgejo internally and use that to sync changes. .env and data directories are in .gitignore (they get backed up via a separate process)
All the files are part of my docker group so anyone in it can read everything. Restarting services is handled by systemd unit files (so sudo systemctl stop/start/restart) any user that needs to manipulate containers would have the appropriate sudo access.
It’s only me they does all this though, I set it up this way for funsies.
