2 Posts
26 Comments
Cake day: Jun 10, 2023

I honestly just did it to try to get cleaner logs having the container only be responsible for the proxying.


I’ll try that, but since I haven’t been able to find any related issues I’m pretty sure it’s a configuration error on my part. Hehe, the regretfully long post. Next step will probably be to open an issue on authentik’s GitHub, but since I think it’s a PEBKAC I would prefer not to waste their time.


Help with authentik and traefik random drops
Hello self-hosters! I am hoping some of you wizards can help me troubleshoot my setup with authentik and traefik.

First about my setup. I have a Synology NAS that is running a docker compose stack. Synology is notoriously bad at keeping their docker version fresh, but hopefully that isn't relevant to this issue. I'm running traefik for reverse proxy, and authentik for auth. In authentik land I've split the outpost work into its own container, named authentikproxy. Any request to a service with the `authentik-basic@file` or `authentik@file` middleware labels applied should be routed through the authentikproxy service for auth. If it detects that one isn't authed, it will in turn send you to the authentik frontend for SSO.

The issue is that authentik randomly stops working for random routes, or randomly fails to start working for random routes. Every time this happens I need to restart my authentikproxy and traefik containers over and over until it randomly decides to work for all my routes. When this happens I am just sent straight to the app unauthenticated. I'll have to either input HTTP basic credentials or use the app's login page, whichever it has. I have found nothing in the logs after months of this going on; neither authentik nor traefik seems to be aware that anything is amiss. I suspect the issue is to do with the docker networks, but that's honestly just a hunch.

My docker-compose file is hundreds of lines long, so I've stripped environment and volume info while preserving traefik labels to try to keep the info more or less concise. It is certainly still too much info, but I did not want to accidentally delete something crucial. Here follows my setup.
docker-compose.yml
```yml
# Note: the postgresql, redis and immich-database services referenced in
# depends_on below were stripped from the post along with env/volume info.
services:
  traefik:
    profiles:
      - prod
    container_name: traefik
    image: traefik:v2.11
    command:
      - "--entrypoints.websecure.http.tls.domains[0].main=${BASE_DOMAIN}"
      - "--entrypoints.websecure.http.tls.domains[0].sans=*.${BASE_DOMAIN}"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/middlewares.yml:/app/myconf/middlewares.yml
      - ./traefik/traefik.yml:/traefik.yml
    restart: unless-stopped
    networks:
      default:
        aliases:
          # Allow xcontainernet services to resolve authentik
          - "authentik.${BASE_DOMAIN-home}"
    ports:
      - 80:80
      - 443:443
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.redirectssl.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.rule=Host(`traefik.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.traefik.middlewares=redirectssl@docker"
      - "traefik.http.routers.traefiksecure.rule=Host(`traefik.${BASE_DOMAIN-home}`)"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"

  transmission:
    image: lscr.io/linuxserver/transmission
    container_name: transmission
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.torrents.rule=Host(`torrents.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.torrents.middlewares=redirectssl@docker"
      - "traefik.http.routers.torrentssecure.rule=Host(`torrents.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.torrentssecure.entrypoints=websecure"
      - "traefik.http.routers.torrentssecure.middlewares=authentik@file"

  sabnzbd:
    image: lscr.io/linuxserver/sabnzbd
    container_name: sabnzbd
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nzb.rule=Host(`nzb.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.nzb.middlewares=redirectssl@docker"
      - "traefik.http.routers.nzbsecure.rule=Host(`nzb.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.nzbsecure.entrypoints=websecure"
      - "traefik.http.routers.nzbsecure.middlewares=authentik@file"
      - "traefik.http.services.nzb.loadbalancer.server.port=8080"

  sonarr:
    image: ghcr.io/linuxserver/sonarr:latest
    container_name: sonarr
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.sonarr.rule=Host(`sonarr.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.sonarr.middlewares=redirectssl@docker"
      - "traefik.http.routers.sonarrsecure.rule=Host(`sonarr.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.sonarrsecure.entrypoints=websecure"
      - "traefik.http.routers.sonarrsecure.middlewares=authentik-basic@file"
      - "traefik.http.services.sonarr.loadbalancer.server.port=8989"

  radarr:
    image: ghcr.io/linuxserver/radarr:latest
    container_name: radarr
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.radarr.rule=Host(`radarr.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.radarr.middlewares=redirectssl@docker"
      - "traefik.http.routers.radarrsecure.rule=Host(`radarr.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.radarrsecure.entrypoints=websecure"
      - "traefik.http.routers.radarrsecure.middlewares=authentik-basic@file"
      - "traefik.http.services.radarr.loadbalancer.server.port=7878"

  readarr:
    image: lscr.io/linuxserver/readarr:nightly
    container_name: readarr
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.readarr.rule=Host(`readarr.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.readarr.middlewares=redirectssl@docker"
      - "traefik.http.routers.readarrsecure.rule=Host(`readarr.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.readarrsecure.entrypoints=websecure"
      - "traefik.http.routers.readarrsecure.middlewares=authentik-basic@file"
      - "traefik.http.services.readarr.loadbalancer.server.port=8787"

  bazarr:
    image: ghcr.io/linuxserver/bazarr:latest
    container_name: bazarr
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.bazarr.rule=Host(`bazarr.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.bazarr.middlewares=redirectssl@docker"
      - "traefik.http.routers.bazarrsecure.rule=Host(`bazarr.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.bazarrsecure.entrypoints=websecure"
      - "traefik.http.routers.bazarrsecure.middlewares=authentik-basic@file"
      - "traefik.http.services.bazarr.loadbalancer.server.port=6767"

  prowlarr:
    image: lscr.io/linuxserver/prowlarr:latest
    container_name: prowlarr
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.prowlarr.rule=Host(`prowlarr.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.prowlarr.middlewares=redirectssl@docker"
      - "traefik.http.routers.prowlarrsecure.rule=Host(`prowlarr.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.prowlarrsecure.entrypoints=websecure"
      - "traefik.http.routers.prowlarrsecure.middlewares=authentik-basic@file"
      - "traefik.http.services.prowlarr.loadbalancer.server.port=9696"

  jellyfin:
    image: linuxserver/jellyfin:latest
    container_name: jellyfin
    networks:
      default:
      xcontainernet:
        ipv4_address: 192.168.0.201
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.jellyfin.rule=Host(`tv.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.jellyfin.middlewares=redirectssl@docker"
      - "traefik.http.routers.jellyfinsecure.rule=Host(`tv.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.jellyfinsecure.entrypoints=websecure"
      - "traefik.http.services.jellyfin.loadbalancer.server.port=8096"

  authentikserver:
    image: ghcr.io/goauthentik/server:2024.2.2
    command: server
    depends_on:
      - postgresql
      - redis
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.authentik.rule=Host(`authentik.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.authentik.entrypoints=web"
      - "traefik.http.routers.authentik.middlewares=redirectssl@docker"
      - "traefik.http.routers.authentiksecure.rule=Host(`authentik.${BASE_DOMAIN:-home}`)"
      - "traefik.http.routers.authentiksecure.entrypoints=websecure"
      ## HTTP Services
      - "traefik.http.routers.authentiksecure.service=authentik-svc"
      - "traefik.http.services.authentik-svc.loadbalancer.server.port=9000"

  authentikproxy:
    image: ghcr.io/goauthentik/proxy:2024.2.2
    labels:
      - "traefik.http.routers.authentik-proxy-outpost.rule=HostRegexp(`{subdomain:[a-z0-9-]+}.${BASE_DOMAIN:-home}`) && PathPrefix(`/outpost.goauthentik.io/`)"
      - "traefik.http.routers.authentik-proxy-outpost.entrypoints=websecure"
      - "traefik.http.services.authentik-proxy-outpost.loadbalancer.server.port=9000"

  immich-server:
    container_name: immich_server
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    depends_on:
      - redis
      - immich-database
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.immich.rule=Host(`photos.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.immich.middlewares=redirectssl@docker"
      - "traefik.http.routers.immichsecure.rule=Host(`photos.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.immichsecure.entrypoints=websecure"
      - "traefik.http.services.immich.loadbalancer.server.port=3001"

networks:
  default:
    ipam:
      config:
        - subnet: 172.22.0.0/24
  xcontainernet:
    name: xcontainernet
    driver: macvlan
    driver_opts:
      parent: eth0
    ipam:
      config:
        - subnet: "192.168.0.0/24"
          ip_range: "192.168.0.200/29"
          gateway: "192.168.0.1"
```

traefik/traefik.yml
```yml
providers:
  docker:
    exposedByDefault: false
    network: homeservices_default
  file:
    directory: /app/myconf
    watch: true

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: dnsresolver
```

traefik/middlewares.yml
```yml
http:
  middlewares:
    https-redirect:
      redirectScheme:
        scheme: https
        permanent: true

    authentik-basic:
      forwardAuth:
        address: "http://authentikproxy:9000/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
          - Authorization

    authentik:
      forwardAuth:
        address: "http://authentikproxy:9000/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-email
          - X-authentik-groups
          - X-authentik-jwt
          - X-authentik-meta-app
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-version
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-username
```
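The failure mode in the post (a protected route suddenly answering as if no forwardAuth middleware ran) is exactly the kind of thing that leaves no trace in the proxy's own logs, so it is worth probing from the outside. The script below is an added example, not code from the post or from the authentik or traefik projects. It sends an unauthenticated GET to every hostname that carries `authentik@file` or `authentik-basic@file` in the compose file above and classifies the answer. Assumptions, none of them from the post: `BASE_DOMAIN` is `home`; the outpost answers an unauthenticated request with a redirect either into `/outpost.goauthentik.io/` on the app's own host (which is why the `HostRegexp` router for that path exists) or to the authentik host; anything else, including a 200 from the app or the app's own 401 Basic challenge, is counted as a bypass.

```python
"""Probe every authentik-protected route and flag ones that let an
unauthenticated request through.  Added example; not the poster's code."""
import ssl
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Assumptions: BASE_DOMAIN from the compose file and the routers that
# carry an authentik middleware label there.
BASE_DOMAIN = "home"
AUTHENTIK_HOST = f"authentik.{BASE_DOMAIN}"
PROTECTED = ["torrents", "nzb", "sonarr", "radarr", "readarr", "bazarr", "prowlarr"]
REDIRECT_CODES = {301, 302, 303, 307, 308}


def classify(status, headers, authentik_host=AUTHENTIK_HOST):
    """Return "protected" if the response looks like the outpost handled
    the request, "bypassed" otherwise.

    Assumption: with no session the outpost redirects, either to
    /outpost.goauthentik.io/... on the app's own host or straight to the
    authentik host.  A 200 from the app, or the app's own 401 Basic
    challenge, means traefik sent the request upstream unchecked."""
    location = next((v for k, v in headers.items() if k.lower() == "location"), "")
    if status in REDIRECT_CODES:
        parsed = urlparse(location)
        if (parsed.hostname or "") == authentik_host:
            return "protected"
        if parsed.path.startswith("/outpost.goauthentik.io/"):
            return "protected"
    return "bypassed"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes 3xx surface as HTTPError so we can read
    # Location ourselves instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, insecure=False, timeout=5):
    """One unauthenticated GET; returns (status, headers) without following redirects."""
    ctx = ssl.create_default_context()
    if insecure:  # opt-in only: home-lab CAs are often not in the trust store
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    req = urllib.request.Request(url, headers={"User-Agent": "auth-probe"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers)


def check_routes(names=PROTECTED, base_domain=BASE_DOMAIN, insecure=False):
    """Map each host to "protected", "bypassed" or "error: ...". """
    results = {}
    for name in names:
        host = f"{name}.{base_domain}"
        try:
            status, headers = probe(f"https://{host}/", insecure=insecure)
            results[host] = classify(status, headers, f"authentik.{base_domain}")
        except (urllib.error.URLError, OSError) as e:
            results[host] = f"error: {e}"
    return results


if __name__ == "__main__":
    res = check_routes(insecure="--insecure" in sys.argv)
    for host, verdict in res.items():
        print(f"{verdict:>10}  {host}")
    # Non-zero exit so a cron job or loop can alert on the first bypass.
    sys.exit(1 if any(v != "protected" for v in res.values()) else 0)
```

Running this from a cron entry (or a `while sleep 60` loop) gives a timestamped record of exactly when a route flips to "bypassed", which can then be lined up against container restarts and docker network events even though neither authentik nor traefik logs anything at that moment. The probe deliberately sends no cookies and no `Authorization` header, so a "protected" verdict means the middleware fired for an anonymous client, which is the property that matters.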

If you want to do this, what you probably want is to pump your logs into a log drain, something like Betterstack is good. They then allow you to set up discrepancy thresholds and can send you emails when something seems to be out of the ordinary. There’s probably a self-hosted thing that works the same way but I’ve never found a simple setup. You can do the whole Prometheus, InfluxDB, Grafana setup but imo it’s too much work, and then you still have to set up email SMTP separate from that.


Came to write basically this. I would try caddy but my compose file is 600 lines long now and half of that is traefik labels, I can’t be arsed with the migration.


I do have nightly off-site backups, that’s true. Still, having the git repo be on the same machine doesn’t seem right to me.


That would fill the same role as watchtower I guess? I’ve previously tried to have a look at having portainer manage the docker compose stack that it’s running inside but at least back then it seemed to be a dead end and not really what portainer is meant to do. I’m not interested in moving away from docker compose at this time.


I’d be a bit concerned with having the git repo also be hosted on the machine itself. If the drives break it’s all gone. I could of course have two remotes but then pushing changes still becomes a multi step procedure.


Help with deployment
Hello nerds! I'm hosting a lot of things on my home lab using docker compose. I have a private repo in GitHub for the config files. This is working fine for me, but every time I want to make a change I have to push the changes, then ssh to the lab, pull the changes, and run `docker compose up`. This is of course working fine, but I want to automate it. Does anyone have a similar setup and know of a good tool? I know I could use watchtower to update existing images, but this is more for if I change a setting or add a new service.

I've considered roughly four approaches.

1. A new container that mounts the whole running directory and the docker socket. It will register a webhook in GitHub to receive notifications when I push to the repo, run git pull and docker up. My worries here are the usual dind gotchas.
2. Same as 1, but don't mount anything, instead ssh from container to host and run the steps there. This solves any dind issues, but I don't love giving the container an ssh key to the host.
3. Have a service running on the host outside of docker. This is probably the correct approach, but very annoying since my host is a Synology NAS and it doesn't have systemd or anything like that afaik.
4. Have a GitHub action ssh to the machine and do the steps. Honestly the easiest way, but I would prefer to not open ssh to the internet.

Any feedback or tips are much appreciated. I don't feel like any of my options are very good and I feel like I am probably missing something obvious.
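Whatever variant of option 1 or 2 is chosen, the receiver ends up holding either the docker socket or an SSH key to the host, both of which are root-equivalent, so the part that matters is what it refuses to act on. The following is an added example of the minimum gate for option 1, not the poster's code and not something the post links to: verify the HMAC that GitHub puts in `X-Hub-Signature-256` over the raw body with a constant-time compare, and only then deploy, and only for a `push` event to the expected branch of the expected repository. The secret, repository name, branch, checkout path and listening port are all assumptions supplied through environment variables; `git pull --ff-only` and `docker compose up -d --remove-orphans` are the two steps from the post.

```python
"""Minimal GitHub push-webhook receiver that redeploys a compose stack.
Added example for option 1 in the post; not the poster's code."""
import hashlib
import hmac
import json
import os
import subprocess
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumptions (not from the post): the secret configured on the GitHub
# webhook, the repo/branch allowed to trigger a deploy, and the checkout
# path bind-mounted into this container next to the docker socket.
WEBHOOK_SECRET = os.environ.get("WEBHOOK_SECRET", "change-me").encode()
ALLOWED_REPO = os.environ.get("ALLOWED_REPO", "example/homelab")
ALLOWED_REF = os.environ.get("ALLOWED_REF", "refs/heads/main")
REPO_DIR = os.environ.get("REPO_DIR", "/srv/homelab")
LISTEN_PORT = int(os.environ.get("LISTEN_PORT", "9000"))


def sign(secret, body):
    """Value GitHub sends in X-Hub-Signature-256 for this secret and body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret, body, header):
    """Constant-time check of the signature header over the raw body.
    Anything unsigned or mis-signed must never reach the deploy step: this
    process holds the docker socket, which is root on the host."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body), header)


def should_deploy(event, payload):
    """Only a push to the allowed branch of the allowed repo redeploys.
    A push to a feature branch, a fork, or a branch deletion is ignored."""
    repo = payload.get("repository", {}).get("full_name")
    return (
        event == "push"
        and repo == ALLOWED_REPO
        and payload.get("ref") == ALLOWED_REF
        and not payload.get("deleted", False)
    )


def deploy(repo_dir=REPO_DIR):
    """git pull then compose up.  --ff-only refuses anything that is not a
    clean fast-forward, so a diverged checkout stops the deploy instead of
    silently merging."""
    steps = [
        ["git", "-C", repo_dir, "pull", "--ff-only"],
        ["docker", "compose", "--project-directory", repo_dir,
         "up", "-d", "--remove-orphans"],
    ]
    for cmd in steps:
        rc = subprocess.run(cmd).returncode
        if rc != 0:
            return rc
    return 0


class Hook(BaseHTTPRequestHandler):
    def _reply(self, code):
        self.send_response(code)
        self.end_headers()

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        # Signature is checked before the body is parsed or trusted at all.
        if not verify_signature(WEBHOOK_SECRET, body, self.headers.get("X-Hub-Signature-256")):
            return self._reply(401)
        try:
            payload = json.loads(body)
        except ValueError:
            return self._reply(400)
        if not should_deploy(self.headers.get("X-GitHub-Event", ""), payload):
            return self._reply(204)
        self._reply(200 if deploy() == 0 else 500)


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", LISTEN_PORT), Hook).serve_forever()
```

The socket mount is not docker-in-docker; the container talks to the host daemon, so the usual dind problems do not apply, but the receiver is now as sensitive as the daemon itself. It should sit behind the reverse proxy on a single hostname, the GitHub webhook should be the only thing that knows the secret, and the checkout it pulls should be the same directory compose is run from so that what GitHub holds and what is running never diverge.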

Oh for sure for sure. I just know that a lot of people use their homelab to learn skills that they can put on their resume when looking for a job. It’s totally fair to over engineer your self hosting setup if that’s your goal.


You should definitely figure out some infra as code system now while it’s manageable. Normally I’d recommend docker-compose as it’s very easy to learn and has a huge ecosystem, but since you’re using proxmox you might need to look at ansible like the other commenter said. Having IaC with git makes it so much easier to test new stuff, roll changes back, and all that good stuff, in addition to solving your original problem of forgetting what is running where.

Just find the simplest IaC solution possible. Unless you are gunning for a job in infrastructure you don’t need to go into kubernetes or terraform or anything like that, you just need something reproducible that you can easily understand and modify.


I’ve accidentally opened enormous single line json files more than once. Could be lsp config or treesitter or any number of things but trying to do any operations after opening such a file is not a good time.


Respectfully, no. Rust is great for some things and Python is great for other things. Switching to rust is not a solution to missing exception linting in another language.


That’s way harder to ask for. A docstring solution is fine so long as the linters know to pick it up.


Well at least PHP has it, which is a JITed scripting language just like Python. Although saying PHP has it is wrong, it’s just a special doc tag that the linters pick up. Which is exactly what I want for Python. The only other scripting language I’m very comfortable with is TypeScript, which can also support @throws via JSDoc and ESLint.

So to answer your question, I don’t know if it’s common, but from my minimal sample pool it’s at least not unheard of.

You may not know this (just guessing because you commented on the nature of scripting/interpreted languages) but static analysis of dynamic languages has come really far and is an indispensable part of any reasonably sized project written in them these days. That’s another reason why I’m so surprised and frustrated by the lack of this in Python.


Except if it’s a single line file, only god can help you then. (Or running prettier -w on it before opening it or whatever.)


I believe raises is the de facto Python version of throws, but no tools seem to exist to actually handle it.


Day 598 of asking for a way to tell which functions throw exceptions in Python so I can know when to wrap in try/catch. Seems to me that every other language has this, but when I’ve asked for at least a linter that can tell me I’m calling a function that throws, the general answer has been “why would you want that?”

How am I supposed to ask for forgiveness if it’s impossible to know that I’m doing something risky in the first place?


I leave the country for six goddamn months and they pull this shit while I’m away???



Quick feedback: your css transitions are way too long, opening the hamburger menu should not make me feel like I’m waiting for it to open.

Also you’ve gone for the card layout on the app list, however cards create the expectation that they are actionable yet clicking them does nothing. At least make the app names clickable.


I started seeing this too. Interestingly pulling individual images works, it only does this when trying to pull all the images.


Don’t you dare come for my Pause key! That’s the one I’ve remapped to launch the screen lock!


Thanks, I love oddly comforting techno theology


I’m using brave mixed with a network wide ad blocker, so while it’s nice that Firefox has UBO I’m fine without. Firefox has been presenting these issues every time I’ve tried switching, so for about a year now, so no not a recent issue.


This is great but I literally can’t use the base app on my S20. Like clicking on Google search hits causes the app to freeze. Trying to scroll up on a page triggers a reload 30% of the time. I want to use Firefox but it’s nowhere near good enough, and adding extensions on top of that state is not going to help.


Not judging you for your reasons, but you don’t speak for everyone so calm down with the “we” pronoun.


TTL on all content scales extremely poorly. You touch on this but I don’t think you appreciate just how big of a `SELECT * WHERE TTL ...` this would be in just a few months/years. As an alternative, every instance sync should come with a list of newly deleted users. Retrying would not need to be reimplemented. If a user who wishes to be forgotten has had their home instance go dark, there will need to be a way for them to prove ownership over the original account (signup confirmation email perhaps) so a delete can be started from a foreign instance.