bjornsno

joined 1 year ago
[–] bjornsno@lemm.ee 9 points 1 week ago (1 children)

Synology supports docker containers. Just run jellyfin.

[–] bjornsno@lemm.ee 14 points 2 months ago (4 children)

Have you tried kitty? It's seriously nice if you can live with the occasional "oh no I sshed to a server that doesn't have the correct terminfo files and now none of the normal terminal navigation features work"

[–] bjornsno@lemm.ee 4 points 2 months ago

This doesn't really install it, though, you can't update or permanently edit and config, set up users, or anything like that. I would guess OP wants something more like booting the ISO in a VM, allocating a thumb drive to that VM, and then installing a full system to it with a boot loader.

[–] bjornsno@lemm.ee 7 points 3 months ago

This is slightly off topic but adding lanes does not alleviate traffic in the long term at all. The effect diminishes quickly and vanishes after just five years.

[–] bjornsno@lemm.ee 47 points 4 months ago (14 children)

Come on, this one is funny but why pretend it was ever made by a right wing person in earnest? Everything about it screams classic mocking meme.

[–] bjornsno@lemm.ee 1 points 4 months ago (1 children)

Again The issue on the repo. The developers recommend just using the app feature of the browsers to get similar functionality without the security concerns.

[–] bjornsno@lemm.ee 1 points 4 months ago

I honestly just did it to try to get cleaner logs having the container only be responsible for the proxying.

[–] bjornsno@lemm.ee 1 points 4 months ago (3 children)

If you look at the repo, the very first line in the readme links to an issue that briefly explains why you should care.

Unmaintained software comes in two categories:

  1. The software is done. It does exactly what it was meant to do and it was written in a language and in such a way as to be pretty future proof. Examples are some basic code libraries or command line utilities.
  2. The software had to be updated all the time to keep up with changing environments and security problems, so the dev got sick of it and dropped it. Or a better solution came along so the developer felt free to finally drop the burden.

Nativefier falls in the second category and the second clause. Don't use it.

[–] bjornsno@lemm.ee 1 points 4 months ago

I'll try that, but since I haven't been able to find any related issues I'm pretty sure it's a configuration error on my part. Hehe the regretfully long post. Next step will probably be to open an issue on authentik's GitHub but since I think it's a pebkac I would prefer not to waste their time.

 

Hello self hosters! I am hoping some of you wizards can help me troubleshoot my setup with authentik and traefik.

First about my setup. I have a synology nas that is running a docker compose stack. Synology is notoriously bad at keeping their docker version fresh, but hopefully that isn't relevant to this issue. I'm running traefik for reverse proxy, and authentik for auth. In authentik land I've split the outpost work into its own container, named authentikproxy. Any request to a service with the authentik-basic@file or authentik@file middleware labels applied should be routed through the authentikproxy service for auth. If it detects that one isn't authed, it will in turn send you to the authentik frontend for SSO.

The issue is that authentik randomly stops working for random routes, or randomly fails to start working for random routes. Every time this happens I need to restart my authentikproxy and traefik containers over and over until it randomly decides to work for all my routes. When this happens I am just sent straight to the app unauthenticated. I'll have to either input http basic credentials or use the app's login page, whichever it has. I have found nothing in the logs after months of this going on, neither authentik nor traefik seem to be aware that anything is amiss.

I suspect the issue is to do with the docker networks but that's honestly just a hunch.

My docker-compose file is hundreds of lines long, so I've stripped environment and volume info while preserving traefik labels to try to keep the info more or less concise. It is certainly still too much info but I did not want to accidentally delete something crucial. Here follows my setup.

docker-compose.yml

services:
  traefik:
    profiles:
      - prod
    container_name: traefik
    image: traefik:v2.11
    command:
      - "--entrypoints.websecure.http.tls.domains[0].main=${BASE_DOMAIN}"
      - "--entrypoints.websecure.http.tls.domains[0].sans=*.${BASE_DOMAIN}"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/middlewares.yml:/app/myconf/middlewares.yml
      - ./traefik/traefik.yml:/traefik.yml
    restart: unless-stopped
    networks:
      default:
        aliases:
          # Allow xcontainernet services to resolve authentik
          - "authentik.${BASE_DOMAIN-home}"
    ports:
      - 80:80
      - 443:443
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.redirectssl.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.rule=Host(`traefik.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.traefik.middlewares=redirectssl@docker"
      - "traefik.http.routers.traefiksecure.rule=Host(`traefik.${BASE_DOMAIN-home}`)"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"

  transmission:
    image: lscr.io/linuxserver/transmission
    container_name: transmission
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.torrents.rule=Host(`torrents.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.torrents.middlewares=redirectssl@docker"
      - "traefik.http.routers.torrentssecure.rule=Host(`torrents.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.torrentssecure.entrypoints=websecure"
      - "traefik.http.routers.torrentssecure.middlewares=authentik@file"

  sabnzbd:
    image: lscr.io/linuxserver/sabnzbd
    container_name: sabnzbd
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nzb.rule=Host(`nzb.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.nzb.middlewares=redirectssl@docker"
      - "traefik.http.routers.nzbsecure.rule=Host(`nzb.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.nzbsecure.entrypoints=websecure"
      - "traefik.http.routers.nzbsecure.middlewares=authentik@file"
      - "traefik.http.services.nzb.loadbalancer.server.port=8080"

  sonarr:
    image: ghcr.io/linuxserver/sonarr:latest
    container_name: sonarr
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.sonarr.rule=Host(`sonarr.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.sonarr.middlewares=redirectssl@docker"
      - "traefik.http.routers.sonarrsecure.rule=Host(`sonarr.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.sonarrsecure.entrypoints=websecure"
      - "traefik.http.routers.sonarrsecure.middlewares=authentik-basic@file"
      - "traefik.http.services.sonarr.loadbalancer.server.port=8989"

  radarr:
    image: ghcr.io/linuxserver/radarr:latest
    container_name: radarr
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.radarr.rule=Host(`radarr.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.radarr.middlewares=redirectssl@docker"
      - "traefik.http.routers.radarrsecure.rule=Host(`radarr.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.radarrsecure.entrypoints=websecure"
      - "traefik.http.routers.radarrsecure.middlewares=authentik-basic@file"
      - "traefik.http.services.radarr.loadbalancer.server.port=7878"

  readarr:
    image: lscr.io/linuxserver/readarr:nightly
    container_name: readarr
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.readarr.rule=Host(`readarr.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.readarr.middlewares=redirectssl@docker"
      - "traefik.http.routers.readarrsecure.rule=Host(`readarr.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.readarrsecure.entrypoints=websecure"
      - "traefik.http.routers.readarrsecure.middlewares=authentik-basic@file"
      - "traefik.http.services.readarr.loadbalancer.server.port=8787"

  bazarr:
    image: ghcr.io/linuxserver/bazarr:latest
    container_name: bazarr
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.bazarr.rule=Host(`bazarr.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.bazarr.middlewares=redirectssl@docker"
      - "traefik.http.routers.bazarrsecure.rule=Host(`bazarr.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.bazarrsecure.entrypoints=websecure"
      - "traefik.http.routers.bazarrsecure.middlewares=authentik-basic@file"
      - "traefik.http.services.bazarr.loadbalancer.server.port=6767"

  prowlarr:
    image: lscr.io/linuxserver/prowlarr:latest
    container_name: prowlarr
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.prowlarr.rule=Host(`prowlarr.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.prowlarr.middlewares=redirectssl@docker"
      - "traefik.http.routers.prowlarrsecure.rule=Host(`prowlarr.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.prowlarrsecure.entrypoints=websecure"
      - "traefik.http.routers.prowlarrsecure.middlewares=authentik-basic@file"
      - "traefik.http.services.prowlarr.loadbalancer.server.port=9696"

  jellyfin:
    image: linuxserver/jellyfin:latest
    container_name: jellyfin
    networks:
      default:
      xcontainernet:
        ipv4_address: 192.168.0.201
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.jellyfin.rule=Host(`tv.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.jellyfin.middlewares=redirectssl@docker"
      - "traefik.http.routers.jellyfinsecure.rule=Host(`tv.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.jellyfinsecure.entrypoints=websecure"
      - "traefik.http.services.jellyfin.loadbalancer.server.port=8096"

  authentikserver:
    image: ghcr.io/goauthentik/server:2024.2.2
    command: server
    depends_on:
      - postgresql
      - redis
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.authentik.rule=Host(`authentik.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.authentik.entrypoints=web"
      - "traefik.http.routers.authentik.middlewares=redirectssl@docker"
      - "traefik.http.routers.authentiksecure.rule=Host(`authentik.${BASE_DOMAIN:-home}`)"
      - "traefik.http.routers.authentiksecure.entrypoints=websecure"
      ## HTTP Services
      - "traefik.http.routers.authentiksecure.service=authentik-svc"
      - "traefik.http.services.authentik-svc.loadbalancer.server.port=9000"

  authentikproxy:
    image: ghcr.io/goauthentik/proxy:2024.2.2
    labels:
      - "traefik.http.routers.authentik-proxy-outpost.rule=HostRegexp(`{subdomain:[a-z0-9-]+}.${BASE_DOMAIN:-home}`) && PathPrefix(`/outpost.goauthentik.io/`)"
      - "traefik.http.routers.authentik-proxy-outpost.entrypoints=websecure"
      - "traefik.http.services.authentik-proxy-outpost.loadbalancer.server.port=9000"

  immich-server:
    container_name: immich_server
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    depends_on:
      - redis
      - immich-database
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.immich.rule=Host(`photos.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.immich.middlewares=redirectssl@docker"
      - "traefik.http.routers.immichsecure.rule=Host(`photos.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.immichsecure.entrypoints=websecure"
      - "traefik.http.services.immich.loadbalancer.server.port=3001"

networks:
  default:
    ipam:
      config:
        - subnet: 172.22.0.0/24
  xcontainernet:
    name: xcontainernet
    driver: macvlan
    driver_opts:
      parent: eth0
    ipam:
      config:
        - subnet: "192.168.0.0/24"
          ip_range: "192.168.0.200/29"
          gateway: "192.168.0.1"

traefik/traefik.yml

providers:
  docker:
    exposedByDefault: false
    network: homeservices_default
  file:
    directory: /app/myconf
    watch: true

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: dnsresolver

traefik/middlewares.yml

http:
  middlewares:
    https-redirect:
      redirectScheme:
        scheme: https
        permanent: true

    authentik-basic:
      forwardAuth:
        address: "http://authentikproxy:9000/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
          - Authorization

    authentik:
      forwardAuth:
        address: "http://authentikproxy:9000/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-email
          - X-authentik-groups
          - X-authentik-jwt
          - X-authentik-meta-app
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-version
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-username
[–] bjornsno@lemm.ee 2 points 4 months ago

You asked for my python script but now I can't seem to load that comment to reply directly to it. Anyway, here's the script, I haven't bothered to upload the repo anywhere. I'm sure it isn't perfect but it works fine for me. The action for opening evolution when you click the tray icon is specific to hyprland so will probably need to be modified to suit your needs.

import asyncio
import concurrent.futures
import logging
import signal
import sqlite3
import sys
from pathlib import Path
from subprocess import run

import pkg_resources
from inotify_simple import INotify, flags
from PySimpleGUIQt import SystemTray

menu_def = ["BLANK", ["Exit"]]

empty_icon = pkg_resources.resource_filename(
    "evolution_tray", "resources/inbox-empty.svg"
)
full_icon = pkg_resources.resource_filename(
    "evolution_tray", "resources/inbox-full.svg"
)

inotify = INotify()

tray = SystemTray(filename=empty_icon, menu=menu_def, tooltip="Inbox empty")

logging.getLogger("asyncio").setLevel(logging.WARNING)
handler = logging.StreamHandler(sys.stdout)
logger = logging.getLogger()
logger.setLevel("DEBUG")
logger.addHandler(handler)


def handle_menu_events():
    while True:
        menu_item = tray.read()
        if menu_item == "Exit":
            signal.raise_signal(signal.SIGTERM)
        elif menu_item == "__ACTIVATED__":
            run(["hyprctl", "dispatch", "exec", "evolution"])
            # tray.update(filename=paused_icon)

        logger.info("Opened evolution")


def get_all_databases():
    cache_path = Path.home() / ".cache" / "evolution" / "mail"
    return list(cache_path.glob("**/folders.db"))


def check_unread() -> int:
    unread = 0
    for db in get_all_databases():
        conn = sqlite3.connect(db)
        cursor = conn.cursor()
        try:
            cursor.execute("select count(*) read from INBOX where read == 0")
            unread += cursor.fetchone()[0]
        except:
            pass
        finally:
            conn.close()

    if unread > 0:
        tray.update(filename=full_icon, tooltip=f"{unread} unread emails")
    else:
        tray.update(filename=empty_icon, tooltip="Inbox empty")

    return unread


def watch_inbox():
    while True:
        for database in get_all_databases():
            inotify.add_watch(database, mask=flags.MODIFY)
        while inotify.read():
            logger.info("New mail")
            logger.info(f"{check_unread()} new emails")


async def main():
    executor = concurrent.futures.ThreadPoolExecutor(max_workers=1)
    loop = asyncio.get_running_loop()
    check_unread()

    watch_task = asyncio.wait(
        fs={
            loop.run_in_executor(executor, watch_inbox),
        },
        return_when=asyncio.FIRST_COMPLETED,
    )
    await asyncio.gather(watch_task, loop.create_task(handle_menu_events()))


def entrypoint():
    signal.signal(signal.SIGINT, signal.SIG_DFL)
    signal.signal(signal.SIGTERM, signal.SIG_DFL)

    try:
        asyncio.run(main())
    except Exception as e:
        logger.exception(e)


if __name__ == "__main__":
    entrypoint()
[–] bjornsno@lemm.ee 5 points 4 months ago* (last edited 4 months ago)

If you want to do this, what you probably want is to pump your logs into a log drain, something like betterstack is good. They then allow you to set up discrepancy thresholds and can send you emails when something seems to be out of the ordinary. There's probably a self hosted thing that works the same way but I've never found a simple setup. You can do the whole Prometheus, influxdb, grafana setup but imo it's too much work, and then you still have to set up email smtp separate from that.

[–] bjornsno@lemm.ee 1 points 4 months ago (1 children)

Literally had to write my own Python applet monitoring the DB file for this. Absurd limitation.

 

Hello nerds! I'm hosting a lot of things on my home lab using docker compose. I have a private repo in GitHub for the config files. This is working fine for me, but every time I want to make a change I have to push the changes, then ssh to the lab, pull the changes, and run docker compose up. This is of course working fine, but I want to automate it. Does anyone have a similar setup and know of a good tool? I know I could use watchtower to update existing images, but this is more for if I change a setting or add a new service.

I've considered roughly four approaches.

  1. A new container that mounts the whole running directory and the docker socket. It will register a webhook in GitHub to receive notifications when I push to the repo, run git pull and docker up. My worries here are the usual dind gotchas.

  2. Same as 1, but don't mount anything, instead ssh from container to host and run the steps there. This solves any dind issues, but I don't love giving the container an ssh key to the host.

  3. Have a service running on the host outside of docker. This is probably the correct approach, but very annoying since my host is a Synology nas and it doesn't have systemd or anything like that afaik.

  4. Have a GitHub action ssh to the machine and do the steps. Honestly the easiest way but I would prefer to not open ssh to the internet.

Any feedback or tips are much appreciated. I don't feel like any of my options are very good and I feel like I am probably missing something obvious.

view more: next ›