Why I Shipped It as a Docker Container

In part 1 I wrote about why I built this. In part 2, I wrote about some design decisions. In this part I’ll explain why I wanted Docker as the platform.

Docker Was a Product Decision

Docker isn’t just packaging—it’s User Experience (UX).

The goal was:

“You can deploy this in under a minute.”

With Docker, that becomes:

docker run -p 4278:4278 kmsigma/utm-qrcodes:latest

No SDKs. No installs. No system pollution.

Running as Non‑Root

After reading way too much about it, I decided to take the advice of internet people and decided that root = bad. Following that, some other decisions were made about the container, resulting in a list of requirements:

  • Runs as a dedicated, non‑root user
  • Has a read‑only filesystem
  • Uses tmpfs only where necessary
  • Drops privilege escalation entirely

For something designed with the idea that I don’t like sharing things, these feel like reasonable defaults.
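One way to check those four requirements against a running container is to audit its `docker inspect` output. This is an added example, not code from this project; the two sample containers are constructed, and the field names are the ones `docker inspect` reports.

```python
import json
import sys

# Constructed sample: trimmed `docker inspect` output for two hypothetical containers.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/hardened",
   "Config": {"User": "10001:10001"},
   "HostConfig": {"ReadonlyRootfs": true,
                  "Tmpfs": {"/tmp": "rw,size=16m"},
                  "SecurityOpt": ["no-new-privileges:true"]}},
  {"Name": "/default",
   "Config": {"User": ""},
   "HostConfig": {"ReadonlyRootfs": false, "Tmpfs": null, "SecurityOpt": null}}
]
""")

def is_root(user):
    """Empty User means no USER in the image and no --user at run time: root."""
    return (user or "").split(":")[0] in ("", "0", "root")

def tmpfs_paths(container):
    """Writable in-memory mounts, listed so a reviewer can confirm each is needed."""
    return sorted(((container.get("HostConfig") or {}).get("Tmpfs") or {}).keys())

def audit(container):
    """Return the hardening requirements this container fails (empty list = pass)."""
    cfg = container.get("Config") or {}
    host = container.get("HostConfig") or {}
    findings = []
    if is_root(cfg.get("User")):
        findings.append("runs as root")
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable")
    # Docker accepts the option bare, with ":true", or with "=true".
    opts = [o.replace("=", ":") for o in (host.get("SecurityOpt") or [])]
    if not any(o in ("no-new-privileges", "no-new-privileges:true") for o in opts):
        findings.append("no-new-privileges not set")
    return findings

if __name__ == "__main__":
    # Optional argument: a file holding real `docker inspect <container>` output.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_INSPECT
    for c in data:
        print(c.get("Name"), audit(c) or "OK", "tmpfs:", tmpfs_paths(c))
```

An empty findings list means the container meets the non-root, read-only and no-privilege-escalation requirements; the tmpfs list still needs a human to judge what counts as "necessary".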

Why TLS Isn’t Inside the Container

After working with Docker for a bit, I’ve come down to the same mantra time and time again: TLS belongs at the edge. If it’s at the edge, then I don’t have to worry about the (recognizably small) load of certificate management in the app.

This makes the container:

  • Reverse‑proxy agnostic
  • Easier to update
  • More portable across environments

If you choose to deploy it, you can keep it local or you can put it behind a reverse proxy like Traefik, Caddy, Cloudflare, or whatever. Forcing you into an ecosystem choice here felt “icky.”

Compose‑Friendly by Design

I’ve really started to rely heavily on docker compose – more than I initially thought when I first downloaded Docker Desktop. The compose format isn’t overly difficult to understand and seemed to lend itself to this project. That gives my docker-compose.yml:

  • Sane defaults
  • Forces explicit port remapping
  • Leaves things unimportant to the app outside the app

The way I see it, this means the project has a big win…

The Big Win: Ownership

Unlike most apps out there, this app cannot phone home, doesn’t retain any of your data, and doesn’t require explicit trust in an outside party (normally it would be me). If you run it, you own it, because you are the one hosting it.

I feel like that’s becoming increasingly rare—and makes it increasingly valuable to people who want to maintain some boundaries.
