#Christian woman. #Aroace. Totally #blind and #autistic with multiple #chronicIllnesses. #UsabilityTester, aspiring #AccessibilityConsultant. #Disability
rights advocate. Interests: #technology, #reading, #gaming, #food, #OpenSource. Human to Squeaker (MinPin). Creating a nonprofit for multiply disabled
people.
#tfr, #Fedi22
@some_guy Everything is very responsive. I haven’t had any trouble with responsiveness at all. Lol right now the only trouble I’m having is that I removed Monica CRM and BookStack and BookStack because of Monica accessibility needs and BookStack not really being that useful, and I’m trying to install Pleroma to play with that, but Docker’s having some weird DNS issues where it keeps trying to use IPv6, which my ISP doesn’t support, even though I’ve disabled it in my daemon.json.
@Xanza Not sure what you mean. I wanted to use my services with my domain. I tried a reverse proxy by itself and it wouldn’t work because my ISP blocks ports, so I set up Cloudflare instead. Then I found out my services would work better with Caddy, so I set that up. I also originally wasn’t using Unbound, but then I realized my services were having trouble communicating, and I thought it would help to have more control over DNS rules, which it has.
@toastal My ISP blocks ports. Cloudflare was the only way I could get reverse proxying to work.
@tofuwabohu Yes, I’m running Docker directly on the Raspberry Pi. IDrive automatically backs up the folders you specify at a time you choose. I think it uses Cron or something.
@NegativeLookBehind I updated the gist with some log files. There are a lot of 401 errors in the homepage logs. I know my API keys are correct so I’m not sure how to fix them.
@MaggiWuerze I thought 443 might have been blocked by my ISP at first because I tried it and had the same issues with it.
@jyarbrough @selfhost
@bravemonkey @selfhosting @selfhosted @linux @MangoPenguin @geillescas Yeah, I’m very tempted to go back to the way I had things, which allowed me to access services with my Raspberry Pi’s IP and a port number. Since I don’t leave home much and I’m not the ISP account holder, this is starting to seem like more trouble than it’s worth.
@bravemonkey The plan was to set it to low temporarily. The choices were high, medium, low, or off. One of the ports Traefik listens on is 80. I used portchecktool.com and it told me the connection was timing out.
@geillescas @selfhost @selfhosting @selfhosted @linux I’ll have to see about this. I’m not the account holder and the one who is, my stepdad, isn’t exactly tech-savvy. My router did have a firewall blocking traffic, but I changed its security level and looked at the rules, so that shouldn’t be an issue anymore.
@MangoPenguin Nope, public IP starts with 69.58.
@selfhost @selfhosting @selfhosted @linux Authelia configuration.yml:
theme: light
server:
address: 0.0.0.0:9091
log:
level: debug
format: text
file\_path: /var/log/authelia/authelia.log
totp:
issuer: laniesplace.us
period: 30
skew: 1
authentication\_backend:
file:
path: /config/users\_database.yml
password:
algorithm: argon2id
iterations: 3
memory: 65536
parallelism: 4
salt\_length: 16
key\_length: 32
access\_control:
default\_policy: deny
rules:
\# Public Access
\- domain:
\- "pihole.laniesplace.us"
\- "homer.laniesplace.us"
policy: bypass
\# High Security (Two Factor)
\- domain:
\- "portainer.laniesplace.us"
\- "netdata.laniesplace.us"
\- "cockpit.laniesplace.us"
\- "glances.laniesplace.us"
\- "code.laniesplace.us"
policy: two\_factor
subject:
\- "group:admins"
\# Medium Security (One Factor Admin)
\- domain:
\- "forgejo.laniesplace.us"
\- "files.laniesplace.us"
\- "uptime.laniesplace.us"
policy: one\_factor
subject:
\- "group:admins"
\# Standard Auth (One Factor)
\- domain:
\- "thelounge.laniesplace.us"
\- "miniflux.laniesplace.us"
\- "linkding.laniesplace.us"
\- "wiki.laniesplace.us"
policy: one\_factor
\# Catch-all rule
\- domain: "\*.laniesplace.us"
policy: one\_factor
session:
name: authelia\_session
domain: laniesplace.us
same\_site: lax
expiration: 3600
inactivity: 300
remember\_me: 1M
regulation:
max\_retries: 3
find\_time: 120
ban\_time: 300
storage:
local:
path: /config/db.sqlite3
notifier:
disable\_startup\_check: false
smtp:
address: submission://smtp.gmail.com:587
username: laniegcarmelo@gmail.com
password: rcig lqpk cbsg aqcm
sender: "Authelia \<laniegcarmelo@gmail.com\>"
identifier: auth.laniesplace.us
subject: "[Authelia] {title}"
startup\_check\_address: laniegcarmelo@gmail.com
timeout: 5s
identity\_validation:
reset\_password:
jwt\_secret: ${AUTHELIA\_JWT\_SECRET\_FILE}
@selfhost @selfhosting @selfhosted @linux Authelia docker-compose.yml:
services:
authelia:
image: authelia/authelia:latest
container\_name: authelia
volumes:
\- ./config:/config
\- ./logs:/var/log/authelia
networks:
\- web
\- authelia\_internal
environment:
\- TZ=America/Chicago
\- AUTHELIA\_JWT\_SECRET\_FILE=/config/secrets/jwt\_secret
\- AUTHELIA\_SESSION\_SECRET\_FILE=/config/secrets/session\_secret
\- AUTHELIA\_STORAGE\_ENCRYPTION\_KEY\_FILE=/config/secrets/storage\_encryption\_key
labels:
\- "traefik.enable=true"
\- "traefik.http.routers.authelia.rule=Host(`auth.laniesplace.us`)"
\- "traefik.http.routers.authelia.entrypoints=websecure"
\- "traefik.http.routers.authelia.tls.certresolver=le"
\- "traefik.http.middlewares.authelia.forwardauth.authRequestHeaders=X-Forwarded-Proto,X-Forwarded-Host"
\- "traefik.http.middlewares.authelia-basic.forwardauth.authResponseHeaders=Remote-User,Remote-Name,Remote-Email"
\- "traefik.http.middlewares.authelia.forwardauth.tls.insecureSkipVerify=true"
\- "traefik.http.services.authelia.loadbalancer.server.port=9091"
\- "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=[https://auth.laniesplace.us](https://auth.laniesplace.us)"
\- "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
\- "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
restart: unless-stopped
security\_opt:
\- no-new-privileges:true
depends\_on:
\- redis
healthcheck:
test: ["CMD", "wget", "--no-check-certificate", "--quiet", "--tries=1", "--spider", "http://localhost:9091/api/health"]
interval: 30s
timeout: 10s
retries: 3
start\_period: 60s
redis:
image: redis:alpine
container\_name: authelia\_redis
networks:
\- authelia\_internal
restart: unless-stopped
volumes:
\- ./redis:/data
command: redis-server --save 60 1 --loglevel warning
healthcheck:
test: ["CMD", "redis-cli", "ping"]
interval: 30s
timeout: 10s
retries: 3
security\_opt:
\- no-new-privileges:true
networks:
web:
external: true
authelia\_internal:
internal: true
@selfhost @selfhosting @selfhosted @linux traefik middlewares.yml:
http:
middlewares:
dashboard-auth:
basicAuth:
users:
\- "admin:$apr1$t5/O0mIb$M6Mkxlqxmi2RRJHNL007Q1"
@selfhost @selfhosting @selfhosted @linux traefik services.yml:
http:
services:
\# Docker Services
homer:
loadBalancer:
servers:
\- url: "http://homer:8080"
glances:
loadBalancer:
servers:
\- url: "http://glances:61208"
uptime-kuma:
loadBalancer:
servers:
\- url: "http://uptime-kuma:3001"
miniflux:
loadBalancer:
servers:
\- url: "http://miniflux:8080"
pihole:
loadBalancer:
servers:
\- url: "http://pihole:8088"
portainer:
loadBalancer:
servers:
\- url: "http://portainer:9000"
linkding:
loadBalancer:
servers:
\- url: "http://linkding:9090"
\# Non-Docker Services
filebrowser:
loadBalancer:
servers:
\- url: "http://127.0.0.1:8085"
netdata:
loadBalancer:
servers:
\- url: "http://127.0.0.1:19999"
forgejo:
loadBalancer:
servers:
\- url: "http://127.0.0.1:3000"
dokuwiki:
loadBalancer:
servers:
\- url: "http://127.0.0.1:81"
cockpit:
loadBalancer:
servers:
\- url: "http://127.0.0.1:9090"
@selfhost @selfhosting @selfhosted @linux traefik routers.yml:
http:
routers:
dashboard:
rule: "Host(`traefik.laniesplace.us`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
service: api@internal
entryPoints:
\- websecure
tls:
certResolver: le
middlewares:
\- dashboard-auth
homer:
rule: "Host(`laniesplace.us`)"
service: homer
entryPoints:
\- websecure
tls:
certResolver: le
middlewares:
\- authelia@docker
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Host: "laniesplace.us"
X-Forwarded-Uri: "/"
X-Forwarded-For: "true"
glances:
rule: "Host(`glances.laniesplace.us`)"
service: glances
entryPoints:
\- websecure
tls:
certResolver: le
middlewares:
\- authelia@docker
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Host: "glances.laniesplace.us"
X-Forwarded-Uri: "/"
X-Forwarded-For: "true"
uptime-kuma:
rule: "Host(`uptime.laniesplace.us`)"
service: uptime-kuma
entryPoints:
\- websecure
tls:
certResolver: le
middlewares:
\- authelia@docker
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Host: "uptime.laniesplace.us"
X-Forwarded-Uri: "/"
X-Forwarded-For: "true"
miniflux:
rule: "Host(`rss.laniesplace.us`)"
service: miniflux
entryPoints:
\- websecure
tls:
certResolver: le
middlewares:
\- authelia@docker
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Host: "rss.laniesplace.us"
X-Forwarded-Uri: "/"
X-Forwarded-For: "true"
pihole:
rule: "Host(`pihole.laniesplace.us`)"
service: pihole
entryPoints:
\- websecure
tls:
certResolver: le
middlewares:
\- authelia@docker
\- pihole-redirect
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Host: "pihole.laniesplace.us"
X-Forwarded-Uri: "/"
X-Forwarded-For: "true"
portainer:
rule: "Host(`portainer.laniesplace.us`)"
service: portainer
entryPoints:
\- websecure
tls:
certResolver: le
middlewares:
\- authelia@docker
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Host: "portainer.laniesplace.us"
X-Forwarded-Uri: "/"
X-Forwarded-For: "true"
linkding:
rule: "Host(`bookmarks.laniesplace.us`)"
service: linkding
entryPoints:
\- websecure
tls:
certResolver: le
middlewares:
\- authelia@docker
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Host: "bookmarks.laniesplace.us"
X-Forwarded-Uri: "/"
X-Forwarded-For: "true"
Remote-User: "{{ .Request.Headers.Remote-User }}"
filebrowser:
rule: "Host(`files.laniesplace.us`)"
service: filebrowser
entryPoints:
\- websecure
tls:
certResolver: le
middlewares:
\- authelia@docker
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Host: "files.laniesplace.us"
X-Forwarded-Uri: "/"
X-Forwarded-For: "true"
netdata:
rule: "Host(`netdata.laniesplace.us`)"
service: netdata
entryPoints:
\- websecure
tls:
certResolver: le
middlewares:
\- authelia@docker
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Host: "netdata.laniesplace.us"
X-Forwarded-Uri: "/"
X-Forwarded-For: "true"
forgejo:
rule: "Host(`git.laniesplace.us`)"
service: forgejo
entryPoints:
\- websecure
tls:
certResolver: le
middlewares:
\- authelia@docker
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Host: "git.laniesplace.us"
X-Forwarded-Uri: "/"
X-Forwarded-For: "true"
dokuwiki:
rule: "Host(`wiki.laniesplace.us`)"
service: dokuwiki
entryPoints:
\- websecure
tls:
certResolver: le
middlewares:
\- authelia@docker
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Host: "wiki.laniesplace.us"
X-Forwarded-Uri: "/"
X-Forwarded-For: "true"
cockpit:
rule: "Host(`cockpit.laniesplace.us`)"
service: cockpit
entryPoints:
\- websecure
tls:
certResolver: le
middlewares:
\- authelia@docker
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Host: "cockpit.laniesplace.us"
X-Forwarded-Uri: "/"
X-Forwarded-For: "true"
@selfhost @selfhosting @selfhosted @linux traefik docker-compose.yml:
networks:
web:
external: true
services:
traefik:
image: traefik:v3.2.5
container_name: traefik
security_opt:
- no-new-privileges:true
ports:
- “80:80”
- “443:443”
- “8080:8080”
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./traefik.yml:/etc/traefik/traefik.yml:ro
- ./acme.json:/acme.json
- ./dynamic:/etc/traefik/dynamic:ro
- ./logs:/etc/traefik/logs
networks:
- web
restart: unless-stopped
labels:
- “traefik.enable=true”
- “traefik.http.routers.dashboard.rule=Host(traefik.laniesplace.us)”
- “traefik.http.routers.dashboard.service=api@internal”
- “traefik.http.routers.dashboard.entrypoints=websecure”
- “traefik.http.routers.dashboard.tls.certresolver=le”
- “traefik.http.routers.dashboard.middlewares=dashboard-auth”
@selfhost @selfhosting @selfhosted @linux traefik.yml:
global:
checkNewVersion: true
sendAnonymousUsage: false
log:
level: DEBUG
filePath: /etc/traefik/logs/traefik.log
accessLog:
filePath: /etc/traefik/logs/access.log
entryPoints:
web:
address: :80
http:
redirections:
entryPoint:
to: websecure
scheme: https
websecure:
address: :443
http:
tls:
certResolver: le
api:
dashboard: true
insecure: false
providers:
file:
directory: /etc/traefik/dynamic
watch: true
docker:
endpoint: unix:///var/run/docker.sock
watch: true
exposedByDefault: false
network: web
certificatesResolvers:
le:
acme:
email: laniegcarmelo@gmail.com
storage: /etc/traefik/acme.json
tlsChallenge: {}
@selfhost @selfhosting @selfhosted @linux Web services docker-compose.yml, includes Linkding:
services:
linkding:
image: sissbruecker/linkding:latest-plus
container\_name: linkding
environment:
LD\_ENABLE\_AUTH\_PROXY: "true"
LD\_AUTH\_PROXY\_HEADER: "Remote-User"
LD\_AUTH\_PROXY\_AUTO\_LOGIN: "true"
LD\_AUTH\_PROXY\_LOGOUT\_URL: "[https://auth.laniesplace.us/logout](https://auth.laniesplace.us/logout)"
volumes:
\- linkding\_data:/etc/linkding/data
healthcheck:
test: ["CMD", "node", "-e", "const http = require('http'); const options = {host: 'localhost', port: 9090, path: '/', timeout: 2000}; const request = http.request(options, (res) =\> { process.exit([200, 302].includes(res.statusCode) ? 0 : 1)}); request.on('error', () =\> process.exit(1)); request.end()"]
interval: 30s
timeout: 10s
retries: 3
networks:
\- web
labels:
\- "traefik.enable=true"
\- "traefik.http.routers.linkding.rule=Host(`bookmarks.laniesplace.us`)"
\- "traefik.http.routers.linkding.entrypoints=websecure"
\- "traefik.http.routers.linkding.tls.certresolver=le"
\- "traefik.http.services.linkding.loadbalancer.server.port=9090"
\- "traefik.http.routers.linkding.middlewares=authelia@docker"
volumes:
linkding\_data:
networks:
web:
external: true
@fmstrat Ah yeah just noticed you’re on Lemmy. Yeah I’m posting from Mastodon.
@Xanza You were right. I got Caddy working with no more Cloudflare tunnel. It’s working directly now, only using Cloudflare for DNS.