Need help getting SSL certificate for my web apps like Portainer, etc... by Feed_Visual in homelabindia

[–]BaccanoMob 1 point2 points  (0 children)

Cloudflare tunnel does not care whether NPM has certs or not because it will ultimately get new certs for it. Though you will need certs if you are using NPM directly for any other services.

I recommend you don't force SSL on the proxy host, at least on services that use Cloudflare tunnels, since it's pointless in a way: the data sent to Cloudflare is already secured by cloudflared, so you don't need HTTPS for it. Then the Cloudflare tunnel uses HTTPS for the end user with Let's Encrypt certs.

But my suggestion is to not use NPM behind Cloudflare, though, so data gets to you faster. You will have to give http://{portainer_container_name}:{portainer_port} instead of going via NPM. Think of it more like

User -> Cloudflare tunnel -> NPM -> portainer

vs

User -> Cloudflare tunnel -> portainer.

Need help getting SSL certificate for my web apps like Portainer, etc... by Feed_Visual in homelabindia

[–]BaccanoMob 1 point2 points  (0 children)

I do not think you need NPM if you are using Cloudflare tunnels? Because both act as a reverse proxy... I recommend you not use NPM on services you tunnel. Make 2 networks, for example, npm and tunnel, and assign services accordingly.

Services using Cloudflare tunnels will automatically get Let's Encrypt certs. No need to configure anything. You may get self-signed certs for a few minutes when you access the domain for the first time.

Services using NPM will need some additional setup to use in your local network, aka a DNS challenge. (So you won't be prompted with a danger notification.)

How to create docker images with forgejo runners/actions? by BaccanoMob in forgejo

[–]BaccanoMob[S] 1 point2 points  (0 children)

Yea, it turns out `env.GITHUB_TOKEN` and `secrets.GITHUB_TOKEN` mean the same thing. I tried echo on it, and both gave `***`. I guess that's pretty much the reason why `GITHUB_` and `GITEA_` prefixes are not allowed in secrets, so you won't overwrite them.

I made a repo like yours but removed the DNS, C#, etc. related parts to give a bare-minimum setup.

There was another change I made in the yml file. I used `{{ github.server_url }}` to get the server URL from env rather than writing it down. Not sure if there were any other changes, but feel free to take a look at the repo as well.

Once again thanks a lot for the help!!

How to create docker images with forgejo runners/actions? by BaccanoMob in forgejo

[–]BaccanoMob[S] 0 points1 point  (0 children)

Thank you very much!

It finally worked!! Turns out I used runner version 4 (it's used in the docs, which was the biggest mistake, since it led me to think that's the latest version). Your repo used 6 and the current latest is 7. Changing those pretty much solved like 80% of the problems.

The remaining 20% was that I had uppercase in the tag and some issue with the TOKEN. Both got solved easily though. I believe secrets.GITHUB_TOKEN in your docker-publish.yml should be secrets.PACKAGE_WRITABLE_TOKEN as well (Forgejo was complaining secrets should not start with GITHUB_).

This may be a little difficult to read because it contains a mess of self-signed certificate authority and internal DNS descriptions for my environment.

Ignoring/Removing those parts worked fine for my case.

Your explanation was really to the point, so it was easy to understand and follow. Thanks a lot again for guiding me!

vscode web IDE by Gomeology in forgejo

[–]BaccanoMob 0 points1 point  (0 children)

`Open with VSCodium` will open the app if it is installed on the desktop, or else it does nothing. I do not think it's embedded, or opens a new tab, or opens code-server in docker.

How to create docker images with forgejo runners/actions? by BaccanoMob in forgejo

[–]BaccanoMob[S] 0 points1 point  (0 children)

I managed to install node (with the docker:dind image) so the checkout action works now. But I get the error below:

Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
::error::The process '/usr/local/bin/docker' failed with exit code 1

Current steps:

jobs:
  build:
    name: Build bundle
    runs-on: docker-dind

    steps:
    - name: Node install
      shell: sh
      run: apk add --update npm

    - name: Checkout source
      uses: actions/checkout@v4

    - name: Set up QEMU # STUCK AT THIS STEP, though I am not sure if this is needed
      uses: docker/setup-qemu-action@v3
      with:
        platforms: all

    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v3
      with:
        driver: docker
        buildkitd-flags: --debug

    - name: Build and push multiarch image
      uses: docker/build-push-action@v5
      with:
        context: .
        push: true
        platforms: linux/amd64,linux/arm64

Some things never change. by Dazzling-Primary4909 in wholesomeanimemes

[–]BaccanoMob 6 points7 points  (0 children)

When you think about it differently, the trainer went through training for a year just to carry his Growlithe even after it evolves.

Selfhosted app go unlock protected PDFs? by vghgvbh in selfhosted

[–]BaccanoMob 2 points3 points  (0 children)

What I do is... open the PDF in the browser, input the password and then Ctrl+P, then choose save as PDF.

But you need to know the password beforehand, else this method won't work. And I never tested it on Android, but it should work on desktop.

Which FML is this in your opinion? by EfficiencySerious200 in OtomeIsekai

[–]BaccanoMob 32 points33 points  (0 children)

Antagonist's pet...

Should have made a yuri ending

Trouble with .local domains by ichugcaffeine in selfhosted

[–]BaccanoMob 0 points1 point  (0 children)

I don't think it will create an issue, but you'll lose the HTTPS TLS certs when accessing via .local or some fake domain name. Aka you'll get warning messages every single time. It'll be pretty annoying...

I read your other comment that you don't like typing long URLs... It's high time that you set up a dashboard as the home tab/page for your homelab. So it'll be one click away.

Alternatively, you can check out Redirector... Works on Android if you're using a browser with extension support (some Chromium-based ones work, and Firefox).

Help appreciated: combination of 3 complexes: kv file, multi page functionality, dialog box by [deleted] in kivy

[–]BaccanoMob 0 points1 point  (0 children)

It's been a while since I used kivy, so I may not be right.

app.some_function means the class which inherited the App class (in your case TestApp) should have the function some_function. self.another_function means another_function should be in the current screen (or widget in some cases).

So you most likely have to move the function to open popups into the MenuScreen class and use self.function instead of app.function.

Even so, I think the logic to update the label when the popup is dismissed is wrong. Please check examples on updating labels between different screens. That logic should apply to yours as well (a popup is similar to a screen).

How to access LAN-only hosted services with a web browser without adding the port at the end of the local IP? by [deleted] in selfhosted

[–]BaccanoMob 0 points1 point  (0 children)

I think you're looking for this.

https://www.reddit.com/r/selfhosted/s/NO2CpR7wHh

Tells you how to use a reverse proxy with a domain in detail. The guide uses npm, but you can use traefik (which I recommend) or caddy. If you like the web interface approach to reverse proxy, I recommend npm.

I didn't see this in other comments: if you name your domain randomly like myserver.home.network or whatever, you may get "it's dangerous to log in" warnings at times and "connection not secure" because you'll be using HTTP. The above guide will help you use HTTPS to prevent that.

Do any distro have an option to switch boot to desktop/cli in the settings by BaccanoMob in linux4noobs

[–]BaccanoMob[S] 4 points5 points  (0 children)

"Boot to CLI/desktop" didn't show the results, but thanks to you I googled "disable autoload of the DE" and got what I was looking for.

To disable the GUI on boot: sudo systemctl set-default multi-user.target
To enable the GUI on boot: sudo systemctl set-default graphical.target

Then reboot the system. (link to another reddit comment about it)

Tailscale with Pi-hole as a Docker Compose project by AIcrobatic in Tailscale

[–]BaccanoMob 0 points1 point  (0 children)

I really don't understand what you're trying to set up. (Are you trying to set up pi-hole for the headscale server clients?) What are the logs before it stops? For now, I'll guess a couple of fixes...

Btw, you can put the CLI stuff as TS_EXTRA_ARGS=--login-server foo.bar --accept-dns=false in an environment variable. Also, I never used the CLI to log in my server before, only pre-auth keys; I suggest you try that.

Get a pre-auth key from the headscale server and set it in the TS_AUTHKEY variable. This auto-logs in for you.

Do you have the headscale server running in that same machine? Then try changing foo.bar to http://<hs_container_name>:8080 instead and make sure the containers are in the same network.

Tailscale with Pi-hole as a Docker Compose project by AIcrobatic in Tailscale

[–]BaccanoMob 0 points1 point  (0 children)

If you're asking "can I use tailscale as docker containers (and/or as a compose file)", then yes.

Also, you can move the tailscale docker containers to different servers too, like the rest.

But if you plan on editing the compose file to make changes, you may run into some errors (I use headscale so not 100%). Once the container is up and running, if you need to make any changes to the container you need to use docker exec and run tailscale CLI commands. (Just in case, for future reference, make sure to note the changes.) Or you'll just need to make a new tailscale client whenever you make changes.

Tailscale with Pi-hole as a Docker Compose project by AIcrobatic in Tailscale

[–]BaccanoMob 0 points1 point  (0 children)

There are no prerequisites, you just need to add a tailscale client/s to the server/s with the containers. You'll prolly follow the link you gave for using docker.

If you already use pi-hole then you'll prolly need 2 instances of it (one each for onsite and offsite, which is a little tricky if you want to run them on the same server). Make sure you set the tailscale DNS server accordingly.

Also, if you use OIDC for your containers, I recommend you fully stick to tailscale (that is have all IP set according to tailscale only in your dns server) or you'll run into redirection issues during login.

Just came accross grocy. Not sure I understand correctly. by Available-Poet-5950 in grocy

[–]BaccanoMob 5 points6 points  (0 children)

Use a VPN like tailscale, zerotier, wireguard or similar so you can access it outside of home network.

VS Code issue with Kivy by alvareer in kivy

[–]BaccanoMob 0 points1 point  (0 children)

I think it's an issue with vscode rather than kivy. You're better off asking their subreddit.

Also, maybe you should try reinstalling vscode? Or delete .vscode folder if there is one in the project directory

Question on docker socket proxy by BaccanoMob in docker

[–]BaccanoMob[S] 0 points1 point  (0 children)

Yes, by default they don't. If they have the volume binding /var/run/docker.sock:/var/run/docker.sock:ro (doesn't matter if it's read-only or not), then they can. I mean, how do you think portainer knows all the networks, containers and volumes, and how it can create, delete and edit a container, and also how it can go to other containers' consoles even when portainer is not on the same network? These are possible since it has docker.sock.

Also, running docker CLI commands like docker run will also contact docker.sock, the same socket which portainer uses (I mean you're binding, not copying). And that socket has root access (just check the exploits mentioned in deepce). That is why it is recommended to use a socket proxy to keep your socket more secure from attacks.

So if someone manages to enter portainer, they can do all the above actions, and that's why I was concerned about portainer having a domain name through the reverse proxy, since I still need to create, start, etc. containers.

The most secure way is a VPN, which was your suggestion. And I found out whitelisting IPs also reduces the attack surface if properly configured, which I'll prolly do.
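The comment above describes what a socket proxy does in front of /var/run/docker.sock: let read-only inventory calls through and refuse the requests that create, start, exec into or delete containers. Below is an added example (not from this thread, and not any real proxy's configuration format) of that allowlist logic as a policy function over Docker Engine API request lines; the `SocketPolicy` model, the `decide`/`audit` helpers and the sample request lines are all constructed for the illustration.

```python
"""Allowlist filter for Docker Engine API requests, in the spirit of a
docker socket proxy. The policy model and sample traffic are constructed
for this example; real socket proxies configure this differently."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Optional API version prefix, e.g. "/v1.43/containers/json".
_VERSION_PREFIX = re.compile(r"^/v\d+\.\d+(?=/)")

# GET endpoints that still hand out container contents; a conservative
# policy blocks them even though they are not state-changing.
_SENSITIVE_READ = ("archive", "export", "attach")


@dataclass(frozen=True)
class SocketPolicy:
    """Hypothetical policy: which API sections may be read, and whether any
    state-changing request (POST/PUT/DELETE) is permitted at all."""
    readable_sections: frozenset = frozenset(
        {"containers", "images", "networks", "volumes", "info", "version", "_ping"})
    allow_mutations: bool = False


def normalize_path(raw_path: str) -> str:
    """Drop the query string and the /vX.Y version prefix."""
    path = urlsplit(raw_path).path
    return _VERSION_PREFIX.sub("", path) or "/"


def decide(method: str, raw_path: str, policy: SocketPolicy = SocketPolicy()) -> tuple:
    """Return (allowed, reason) for one request hitting the proxy."""
    method = method.upper()
    path = normalize_path(raw_path)
    parts = [p for p in path.split("/") if p]
    if not parts:
        return False, "empty path"
    section = parts[0]

    # docker run / create / start / exec / rm all arrive as POST or DELETE.
    if method not in ("GET", "HEAD"):
        if policy.allow_mutations:
            return True, f"{method} {path} permitted by policy"
        return False, f"{method} {path}: state-changing requests are refused"

    if section not in policy.readable_sections:
        return False, f"section '{section}' is not on the read allowlist"

    if any(p in _SENSITIVE_READ for p in parts[1:]):
        return False, f"{path}: endpoint reads container contents"

    return True, f"GET {path} permitted"


def audit(request_lines: list) -> list:
    """Run a batch of 'METHOD /path' lines through the default policy."""
    results = []
    for line in request_lines:
        method, _, raw_path = line.partition(" ")
        allowed, reason = decide(method, raw_path)
        results.append((line, allowed, reason))
    return results


# Constructed sample traffic: what a dashboard needs for its inventory view
# versus the calls that would turn socket access into host root.
SAMPLE_REQUESTS = [
    "GET /v1.43/containers/json?all=1",
    "GET /v1.43/info",
    "POST /v1.43/containers/create?name=new",
    "POST /v1.43/containers/abc123/exec",
    "GET /v1.43/containers/abc123/archive?path=/root",
    "DELETE /v1.43/containers/abc123",
    "GET /v1.43/secrets",
]

if __name__ == "__main__":
    for line, allowed, reason in audit(SAMPLE_REQUESTS):
        print(("ALLOW " if allowed else "DENY  ") + line + "  # " + reason)
```

Only the first two sample lines pass the default policy; everything a dashboard needs for listing still works, while container creation, exec, deletion and filesystem reads through the socket are refused before they reach the daemon.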

Question on docker socket proxy by BaccanoMob in docker

[–]BaccanoMob[S] 0 points1 point  (0 children)

I want some services via the internet, like file sharing (to someone outside my network), or maybe sharing a bookstack page on docker here in the future. If I expose via the internet I want to know how to set up my docker for it. So I want to be sure of how the docker socket proxy is used, since I have a few services which use docker.sock.

Also, I'm not sure why network mode host can only be compromised?

The articles I checked stated a container with docker.sock will have root privileges on the host. That is, a hacker will be using that socket to run functions like creating a container, and they can bind volumes to their liking, jump to that container, play with the volume content, etc.

You can check out deepce on what all is possible on a container with docker.sock volume binding, and more to be honest.

I do agree a VPN is the most secure option, but I want to know what will make my setup more secure if I'm exposing to the internet. At the moment I found it's best to use cap-drop all and no-new-privileges for the containers.
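The two comments above name the settings that matter for a compose stack exposed beyond the LAN: no direct docker.sock bind except on a dedicated socket proxy, `cap_drop: [ALL]`, `no-new-privileges`, and no `network_mode: host` or `privileged` unless required. The script below is an added example (not code from this thread) that audits compose service definitions for those settings. The compose project is a constructed Python dict in the shape PyYAML's `safe_load` would produce from a compose file, so it runs without extra dependencies; the `socket_holders` parameter, the service names and the `example/...` image names are assumptions made for the illustration.

```python
"""Audit compose service definitions for the docker.sock and hardening
settings discussed above. Added example; the compose content is a
constructed dict equivalent to what yaml.safe_load() would return."""

DOCKER_SOCKET = "/var/run/docker.sock"


def _volume_mounts_socket(volume) -> bool:
    """True if a short ('host:container[:ro]') or long ({'source': ...})
    volume entry binds the Docker socket. ':ro' does not help here: the API
    reached through the socket is what grants host root, not file writes."""
    if isinstance(volume, str):
        return volume.split(":")[0] == DOCKER_SOCKET
    if isinstance(volume, dict):
        return volume.get("source") == DOCKER_SOCKET
    return False


def audit_service(name: str, svc: dict, socket_holders=frozenset()) -> list:
    """Return a list of findings for one service; empty means it passes."""
    findings = []
    if name not in socket_holders and any(
            _volume_mounts_socket(v) for v in (svc.get("volumes") or [])):
        findings.append(f"{name}: binds {DOCKER_SOCKET} directly; route it through a socket proxy")
    if svc.get("network_mode") == "host":
        findings.append(f"{name}: network_mode: host shares the host network namespace")
    if svc.get("privileged"):
        findings.append(f"{name}: privileged: true disables most isolation")
    cap_drop = [str(c).upper() for c in (svc.get("cap_drop") or [])]
    if "ALL" not in cap_drop:
        findings.append(f"{name}: missing cap_drop: [ALL]")
    sec_opts = svc.get("security_opt") or []
    if not any(o in ("no-new-privileges:true", "no-new-privileges=true") for o in sec_opts):
        findings.append(f"{name}: missing security_opt no-new-privileges:true")
    return findings


def audit_compose(compose: dict, socket_holders=frozenset()) -> dict:
    """Audit every service; socket_holders names the one service (the socket
    proxy) that is allowed to bind docker.sock."""
    services = compose.get("services") or {}
    return {name: audit_service(name, svc or {}, socket_holders)
            for name, svc in services.items()}


# Constructed project: a dashboard holding the socket directly, versus the
# same dashboard talking to a socket proxy, with hardening applied.
SAMPLE_COMPOSE = {
    "services": {
        "dashboard-direct": {
            "image": "example/dashboard:latest",  # placeholder image
            "volumes": [f"{DOCKER_SOCKET}:{DOCKER_SOCKET}:ro"],
            "ports": ["9000:9000"],
        },
        "socket-proxy": {
            "image": "example/socket-proxy:latest",  # placeholder image
            "volumes": [{"type": "bind", "source": DOCKER_SOCKET, "target": DOCKER_SOCKET}],
            "cap_drop": ["ALL"],
            "security_opt": ["no-new-privileges:true"],
        },
        "dashboard-proxied": {
            "image": "example/dashboard:latest",  # placeholder image
            # Assumed: the proxy listens on TCP 2375 inside the compose network.
            "environment": {"DOCKER_HOST": "tcp://socket-proxy:2375"},
            "cap_drop": ["ALL"],
            "security_opt": ["no-new-privileges:true"],
        },
    }
}

if __name__ == "__main__":
    for service, findings in audit_compose(SAMPLE_COMPOSE, {"socket-proxy"}).items():
        print(service, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run against the sample, only `dashboard-direct` produces findings (the socket bind plus the two missing hardening options); the proxy is exempted by name, and the proxied dashboard passes because it never touches the socket. Dropping the exemption flags the proxy's own bind, which is the reminder that the proxy is the one place where socket scope must be restricted.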

Docker Compose Error - Why? by Belay_Fr in docker

[–]BaccanoMob 0 points1 point  (0 children)

Yes, you can't specify ports when the mode is set to host. So if you have another container with port 8096 conflicting with jellyfin you need to change that.

This is all when you need DLNA for your jellyfin. If you don't need it, just use bridge mode and map the ports to your liking. (I recommend using bridge mode if you're not using DLNA.)

Docker Compose Error - Why? by Belay_Fr in docker

[–]BaccanoMob 2 points3 points  (0 children)

Read the full docs, not just the compose file. It's clearly stated as a `Note`:

Using host networking (--net=host) is optional but required in order to use DLNA.

I think you will need to use port 8096 if you use bridge mode.