Fedegenerate

joined 1 year ago
[–] Fedegenerate@lemmynsfw.com 5 points 1 day ago* (last edited 1 day ago) (1 children)

On mobile so you'll have to forgive format jank.

It depends on how each image handles ports. If C1 has the ports set up as 1234:100 and C2 has the ports set up as 1234:500 then:

services:
  gluetun:
    ports:
      - 1234:100 #c1
      - 1235:500 #c2
[...]

will solve the conflict.

Sometimes an image will allow you to edit its internal ports with an environment variable, so

services:
  gluetun:
    ports:
      - 1234:1000 #c1
      - 1235:1234 #c2

  c1:
    environment:
      - UI_PORT=1000
[...]

When both containers use the same second number, C1: 1234:80, C2: 1235:80, and neither's documentation suggests how to change that port, I personally haven't found a way to resolve that conflict.
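The layout the comment describes, written out as a complete compose file. This is an added example, not the commenter's own file: the image names example/app-one and example/app-two, the UI_PORT variable (each image documents its own, if it has one at all) and the VPN provider settings are placeholders. What the comment leaves implicit is shown explicitly here: c1 and c2 run with network_mode: service:gluetun, so they have no network stack of their own and every published port has to live on the gluetun service.

```yaml
# Added example, not the commenter's compose file. Image names, UI_PORT and
# the VPN provider settings are placeholders; check each image's docs.
services:
  gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN            # gluetun needs this to manage the tunnel
    environment:
      # VPN provider settings go here (see gluetun's documentation)
      - TZ=Etc/UTC
    ports:
      # Published on gluetun, because c1 and c2 share its network namespace.
      # host:container -- the container side is whatever the app listens on.
      - "1234:1000"   # c1, after moving its listen port to 1000 below
      - "1235:1234"   # c2, still on its default 1234

  c1:
    image: example/app-one            # placeholder
    network_mode: "service:gluetun"   # share gluetun's network namespace
    environment:
      - UI_PORT=1000                  # hypothetical; moves c1 off 1234
    depends_on:
      - gluetun

  c2:
    image: example/app-two            # placeholder
    network_mode: "service:gluetun"
    depends_on:
      - gluetun
```

Because c1 and c2 have no network of their own, their traffic can only leave through gluetun's tunnel; if gluetun stops, they lose connectivity rather than falling back to the host's connection. The same fact explains the dead end at the end of the comment: inside one shared namespace two processes cannot bind the same port, and the ports: list on gluetun only controls the host side, so when neither image lets you move its listen port there is no mapping that fixes it.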

[–] Fedegenerate@lemmynsfw.com 2 points 4 days ago* (last edited 4 days ago)

A mini pc, a raspberry pi 4, 3*usb HDD (2*8tb mirrored and a 1tb for local back up), some Netgear router, a whole lot of spaghetti.

[–] Fedegenerate@lemmynsfw.com 9 points 6 days ago

That's a shame. TTeck pretty much built my Homelab.

[–] Fedegenerate@lemmynsfw.com 1 points 2 weeks ago

My initial inception of this box was to have it request a static IP so I knew "box.ip". Then tape something like this:

Box.ip Service1:port Service2:port ....

Onto the case. Then in NPM have it proxy requests to "box.ip:8096" to "tailscale.ip:8096". But alas, I couldn't figure it out. I could get 1 service to work but not multiple.

I couldn't ask someone to write the config for me, but if you're certain it's doable then I'll learn to write a config. Thank you for the offer. I'm guessing for each service I tell nginx to "listen" at "port" instead of only listening to ports 80,443 and 81.

mDNS seems like an interesting solution though, I'm going to read about that now actually, thank you for highlighting that solution to me. If I could get that working that would be ideal. I'll have to check if the expected devices are compatible but that would make everyone's life easier if I could just set up a cronjob on startup.

[–] Fedegenerate@lemmynsfw.com 1 points 2 weeks ago

Thank you for the reading material, it'll be tonight's project. I think I'm just going to tell people if they want to join in the family immich/mealie/etc they'll just have to let me into their router. They'll get memorable addresses out of it and adblocking too. I'm pretty sure that setup is comfortably within my skill set. I thought long and hard about opening ports but the security needed is beyond me currently. Downside is cost and I'll be managing a bunch of boxes. But I can add updating them into the monthly maintenance and if/when they come back they can be repurposed into other projects.


I tried /locations but my service would rewrite the URL and break itself. I'd navigate to "box.ip/immich" and immich would change the address to "box.ip/login" and hang.

I'd need to learn how to have npm lock "box.ip/immich" and let immich append "/login". I'll leave my test VM up and just chip away at it. I think I need the "rewrite" flag but I'm getting dangerously close to just learning how to write an nginx config instead of having npm do it for me.

Thanks again for the pointers

[–] Fedegenerate@lemmynsfw.com 1 points 2 weeks ago

Yeah, that's a fair description. I am not comfortable exposing ports currently, I don't think I have the skill to do it securely and my Homelab is definitely not secure enough.

Not to get side tracked, and to highlight the horror, my media library is chmod 777 until I figure permissions across LXCs.

 

For legibility I split the post into: my current setup; the problem I'm trying to solve; the constraints for solving the problem; what I've tried and failed to do; and key questions.

When roasting me in the comments, go nuts, I'm not a complete beginner, but I wouldn't rank myself as an intermediate yet. My lab is almost entirely tteck scripts, and what isn't built by tteck are docker containers. My inexperience informs some of my decisions, for example: I'm using nginxproxymanager because Nginx documentation is beyond me; I couldn't write an nginx.config, and NPM makes reverse proxies accessible to me.

My Current setup

I have a Proxmox based home server running multiple services as LXCs (a servarr, jellyfin, immich, syncthing, paperless, etc.). Locally my fiancée and I connect to our services using pihole-NginxProxyManager (NPM) @ "service.server" and that's good. Remotely we connect to key services over tailscale using tailscale's magic DNS @ "lxcname:port" and that works... fine. We each have a list of "service: address" and it's tolerable. Finally, my parents have a home server, that I manage, it is Debian based with much the same services running all in Docker (I need to move it to Podman, but I got shit to do). We run each others' off-site backup over tailscale-syncthing and that seems good. But, our media and photos are our own ecosystems.

The Problem

I would like to give someone (Bob) a box (a Pi, a minipc, a whatever). The sole function of this box is to act as a gateway for Bob's devices to connect to key LXCs on my tailnet. Thus Bob can enjoy my legally obtained media and back up their photos.

The constraints

These are in order of importance, I would be giving ground from the bottom up. The top two are non-negotiable though.

A VPS has low to zero WAF. Otherwise I would have followed the well trodden ground.

Failsafe. If the box dies Bob can't access jellyfin until I can be arsed to fix it. Otherwise, they experience no other inconvenience.

No requirement to install tailscale on Bob's devices. Some devices aren't compatible with tailscale: Amazon fire stick. A different Bob doesn't want to install a VPN on their phone. Some devices I don't trust to be up to date and secure, I don't want them on my tailnet... I have no idea if the one degree of separation is any more secure, but it gives me the willies.

I'm pretty sure I can solve this using pihole-nginx-tailscale with my skillset. But then I have to get into bob's router, and maybe bob might not like that. If I could just give them a preconfigured box that would be ideal. They would have pretty addresses though.

I don't currently have a domain, I do plan to get one. I just don't currently have one.

My attempts and failures to solve the problem.

I've built a little VM to act as a box (box), it requests a static IP. On it I installed Mint (production would probably be DietPi or Debian), Tailscale, Docker (bare metal) and NPM as a container. In NPM I set a proxy host 192.168.box.IP to forward to 100.jellyfin.tailscale.IP:8096. I tested it by going to box.IP and jellyfin works. Next up Jellyseerr... I can't make another proxy host with the same domain name for obvious reasons.

I tried "box.IP:8096" as a domain name and NPM rejected it. I tried "box.IP/jellyfin" and NPM rejected that too (I'll try Locations in a bit). I tried both "service.box.IP" and "box.IP.service" and I'd obviously need to set up DNS for that. Look, I'm an idiot, I make no apologies. I know I can solve it by getting into their router, setting Pihole as their DNS, and going that route.

Next I tried Locations. The required hostname and port I set up as jellyfin.lxc.tailnet.IP:8096 and I set /jellyseerr to go to jellyseerr.lxc.tailnet.IP and immich set up the same way. Then I tested the services. Jellyfin works. Jellyseerr connects then immediately rewrites the URL from "box.IP/jellyseerr" to "box.IP/login" and then hangs. Immich does much the same thing. In desperation I asked chatGPT... the less said about that the better. Just know I've been at this a while.

Here's where I'm at: I have two Google terms left to learn about in an attempt to solve this. The first is "IP tables" the second is "tailscale subnet routers" and I have effort left to learn about one of them.

During this process I learned I could solve this problem thusly: give Bob a box. On this box is a number of virtual machines (VMs). Each VM is dedicated to a single service, and what the fuck is that for a solution?! It would satisfy all of my constraints though, it's just ugly.

Key questions

Is my problem solvable by just giving someone a Pi with the setup pre-installed? If not I'll go the pihole-npm-tailnet route and be happy. Bob'll connect to "service.box" and it'll proxy to "service.lxc.tailnet.IP".

Assuming I can give them a box. Is nginx the way forward? Should I be learning /Locations configs to stop jellyseerr's rewrite request, forcing it to go to "box.IP/jellyseerr/login"? Or, is there some other Google term I should be learning about?

Assuming I can give them a box, and nginx alone is not useful to me. Is it subnet routers I should be learning about? They seem like a promising solution, but I'll need to learn how the addressing works... Or how any of it works... IP tables seem like another solution on the face of it. But with both I don't know where to send Bob without doing local DNS/CNAME shenanigans.

Finally assuming I'm completely in the weeds and hopelessly lost... What is it I should be learning about? A VPS I guess... There's a reason everyone is going that route. Documentation on this "box" concept isn't readily findable for a reason I imagine.

[–] Fedegenerate@lemmynsfw.com 2 points 3 weeks ago (1 children)

Oh, routing, I remember watching an "off site back up" video where they set up IP tables, or IP forwarding, or some such, so when their parents tried to access jellyfin locally it was routed over tailscale. Maybe I'm misremembering though, I'm not confident enough to start thinking about it seriously, so I logged it as "that's possible" and moved on.

That way I just have to keep one instance of jellyfin/immich/etc up to date. It's all a bit beyond my ken currently but it's the way I'm trying to head. At least until I learn a better way.

Ideally, I give someone a pi all set up. They plug it in go to service.domain.xyz and it routes to me. Or even IP:Port would be fine, I'll write them down and stick it to their fridge.

My parents and I run each others' off-site back up (tailscale-syncthing), but their photo and media services are independent from mine. I just back up their important data, and they return the favour, but we can't access or share anything.

Guides like yours are great for showing what's possible. I often find myself not knowing what I don't know so don't really know where to start learning what I need to learn.

[–] Fedegenerate@lemmynsfw.com 3 points 3 weeks ago (3 children)

What a write up, thank you for documenting this.

I understand a lot of people in this hobby do it professionally too, so a lot is assumed to be common knowledge us outsiders just don't have.

While my system of using tailscale's magic dns to use lxc:port works fine for my fiancée and I, expanding this to a family-wide system would prove challenging.

So this guide is the next step. I could send my fiancée to <home.domain.xyz> and it'll take her to homarr, or <jellyseerr.domain.xyz>

The ultimate dream would be to give family members a pi zero and a <home.domain.xyz> and then run a family jellyfin/immich.

[–] Fedegenerate@lemmynsfw.com 3 points 2 months ago (1 children)

I remember Watchtower helpfully stopping Pihole before pulling the new image when I only had the one instance running... All while I was out at work with the fiancée on her day off. So many teaching moments in so little time.

[–] Fedegenerate@lemmynsfw.com 1 points 2 months ago

Posts on public forums get replies from the public.

[–] Fedegenerate@lemmynsfw.com 1 points 3 months ago (1 children)

A good general suggestion. The WAF I follow are 'reasonable' expense, reasonable form factor, and a physical investment. I floated the idea of a VPS and that's when I learned of the third criterion. It is what it is.

I just started on this 8tb HDD so it isn't very full right now, I could raise the ratio limits. But, I worry about filling the HDD and part of me worries about 100s of torrents on an n100 doing other things. So I'm keeping the habit from my pi4+1TB days of deleting media behind us and keeping the torrent count low.

I justify it as self managing though: popular Isos are on then off my hard drive fairly quickly, but the ones that need me will sit and wait until they hit the ratio of 3 however long that is. I would like to do "3 + (get that last seeder to 100%)" but I don't know how/if it's possible to automate through prowlarr.

[–] Fedegenerate@lemmynsfw.com 1 points 3 months ago* (last edited 3 months ago) (9 children)

I should probably keep sharing Linux Isos longer than I do, but data hoarding has a low WAF. Instead I have prowlarr set the ratio to 3 (one for me, one for a leecher, and one to add to the pool) to keep the data churning.

 

I set up an *arr stack and made it work, and now I'm trying to make it safe - the objectively correct order.

I installed uncomplicated firewall on the system to pretend to protect myself, and opened ports as and when I needed them.

So I'm in mind to fix my firewall rules and my question is this: given there's a more sensible ufw rule set, what is it? I have looked online and couldn't find any answers. Either "limit 8080", "limit 9696", "limit ..." etc. or "open". Or "allow 192.168.0.0/16", would I have to allow my docker's subnet as well?

To head off any "why didn't you ?" it's because I'm dumb. Cheers in advance.
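One point worth knowing before choosing between those ufw rule sets: a port published with `ports:` in compose (or `-p` on the command line) is reached through the iptables rules Docker itself installs in the nat table and the FORWARD chain, which ufw's INPUT rules never see. So "allow 192.168.0.0/16" in ufw does not by itself gate a published port, and the Docker bridge subnet does not need to be allowed for LAN clients to reach it. The host-side address in the mapping is what narrows who can connect. The added compose fragment below, which is not the poster's stack, shows the weak mapping beside the narrowed one; the image name example/arr-app and the LAN address 192.168.1.50 are placeholders.

```yaml
# Added example, not the poster's own compose file. The image name and the
# LAN address 192.168.1.50 are placeholders for your service and host.
services:
  arr-app:
    image: example/arr-app            # placeholder
    ports:
      # Weak form: binds 0.0.0.0:8080 on the host. Docker's own iptables
      # rules forward this traffic before ufw's INPUT chain is consulted,
      # so a "ufw deny 8080" rule would not stop it.
      # - "8080:8080"

      # Narrowed form: the same service, published only on the host's LAN
      # address, so it is unreachable from any other interface regardless
      # of the ufw rule set.
      - "192.168.1.50:8080:8080"

      # For a service that only a reverse proxy on this host should reach,
      # publish it on loopback instead:
      # - "127.0.0.1:8080:8080"
```

For filtering finer than the bind address (for example, allowing one LAN range and nothing else to a published port), Docker evaluates the DOCKER-USER iptables chain before its own forwarding rules, so rules placed there do apply to published ports; ufw's per-port allow and limit rules remain the right tool for services running directly on the host.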
