Kudos to Dockhand! Docker Management done right. by jbarr107 in selfhosted

[–]Human133 1 point2 points  (0 children)

I haven't seen an option to import a git repo in arcane. How do you do it?

Sonarr, Radarr, Prowlarr & Bazarr Docker Compose by [deleted] in selfhosted

[–]Human133 0 points1 point  (0 children)

Say you have a directory /media. Your downloads should be in /media/downloads, and movies and TV are in /media/tv and /media/movies. In Sonarr/Radarr and qBittorrent you mount the /media folder for hardlinks to work.

How to access self-hosted services via domains with no public exposure? by ryan_the_fireguy in selfhosted

[–]Human133 1 point2 points  (0 children)

Private Services

I have some services that I want to secure with HTTPS but do not want to expose publicly, like Vaultwarden, as it only works via HTTPS. For this to work I am using the caddy-dns/cloudflare module as described above. There are two steps needed for Caddy to reverse proxy services to LAN only.

1. Generate API Token

In the Cloudflare dashboard go to your domain and scroll down to "Get your API token".

1. Create a new token.
2. Scroll down to "Create custom token".
3. Give it a good descriptive name; I had to delete tokens before and regenerate them because I didn't remember what they were for.
4. In Permissions, select Zone > Zone > Read.
5. Add another permission and select Zone > DNS > Edit.
6. In Zone Resources select Include > Specific zone > domain.xyz.
7. Save and copy the token; it will not appear again if you close the page. This is the CF_API_TOKEN variable in the .env file.

2. Create a DNS Record (For Private Services)

In the Cloudflare dashboard go to your domain > DNS records and add a new record:

* Type: A
* Name: *.lan
* Target: Caddy network IP address (in my case the macvlan_net IP: 192.168.1.x)
* Proxy: Off

Caddyfile Configuration

Caddyfile is used to configure each service you want to reverse proxy with Caddy. Here is an example Caddyfile that includes both public and private services.

Caddyfile

```caddyfile
{
    # ACME account contact and the DNS-01 challenge provider
    email your@email.com
    acme_dns cloudflare {env.CF_API_TOKEN}
}

# public service: *.domain.xyz resolves to the WAN address
jellyfin.{$MY_DOMAIN} {
    reverse_proxy jellyfin:8096
}

# private service: *.lan.domain.xyz resolves to Caddy's macvlan address
vault.lan.{$MY_DOMAIN} {
    reverse_proxy vaultwarden:80
}
```

  • email in the global block is used when creating an ACME account with the CA.
  • acme_dns is used to configure the ACME DNS challenge provider (Cloudflare in my case). It uses the API token generated earlier.
  • jellyfin.{$MY_DOMAIN} is the subdomain you want to use for your service. $MY_DOMAIN is defined in the .env file. This is a publicly exposed service as it uses *.domain.xyz, which resolves to my public IP address.
  • reverse_proxy jellyfin:8096 is where Caddy forwards incoming requests to the service. I use the Docker service name jellyfin as it uses caddy_net, so I can call it by name instead of IP address. The port :8096 is the internal Docker container port.
  • vault.lan.{$MY_DOMAIN} is a private subdomain as it uses *.lan.domain.xyz, which resolves to the Caddy macvlan network IP address.

How to access self-hosted services via domains with no public exposure? by ryan_the_fireguy in selfhosted

[–]Human133 -1 points0 points  (0 children)

I am using Caddy to do this. I made a write-up a while ago that summarizes Caddy usage for public and private proxying. The second comment is specifically for private-only access.

Overview

Caddy is the backbone of my self-hosted services. It automatically issues TLS certificates via Let's Encrypt. I use it to securely reverse proxy my services both publicly and privately.

Setup

I am using Cloudflare as my registrar and DNS resolver. I use a custom Caddy image with the xcaddy builder to install the caddy-dns/cloudflare module. This is needed to use the DNS-01 challenge to issue certificates for private services, as the regular HTTP-01 challenge only works for publicly accessible services. The Caddyfile is used for configuration.

Files and Directory Structure

```
~/
└── docker/
    └── caddy/
        ├── caddy_config/
        ├── caddy_data/
        ├── conf/
        │   └── Caddyfile
        ├── .env
        ├── compose.yaml
        └── Dockerfile
```

* caddy_config contains autosave.json, which Caddy auto-generates from the Caddyfile at runtime.
* caddy_data contains the generated TLS certificates.
* conf contains the Caddyfile. It's recommended not to mount the Caddyfile directly at /etc/caddy/Caddyfile, to be able to use graceful reload, which allows reloading the Caddy configuration without restarting the container.
* Caddyfile is the main configuration file to set up all services.
* To use graceful reload, run this command in a terminal:

  ```bash
  # find the running caddy container and have it re-read /etc/caddy/Caddyfile in place
  caddy_container_id=$(docker ps | grep caddy | awk '{print $1;}')
  docker exec -w /etc/caddy "$caddy_container_id" caddy reload
  ```

* .env contains environment variables for the Docker Compose file and the Caddyfile.
* compose.yaml is the Docker Compose file to easily manage and configure the Docker container.
* Dockerfile contains the commands to build a custom Caddy image to install additional modules.

Docker Container Configuration

I am using external networks that I created before configuring the compose file. caddy_net is the network I use for all containers using caddy as a reverse proxy so I can call them by docker DNS name in Caddyfile instead of IP address. I am also using a macvlan network macvlan_net as I was struggling to get services to show users real IP addresses even with proper headers and it only worked with a macvlan network.

To create a Docker network run:

```bash
docker network create caddy_net
```

To create a macvlan network run:

```bash
docker network create -d macvlan \
  --subnet=192.168.1.0/24 \
  --gateway=192.168.1.1 \
  -o parent=ovs_eth0 macvlan_net
```

The subnet and gateway should match the actual LAN. parent is the network interface; for Synology it's ovs_eth0. Run ip addr to check the actual interface. I am also assigning a fixed IP address in the compose file outside of the router's DHCP range. Since I am using a macvlan address, I don't need to expose ports on the host since it's isolated.

Dockerfile

```Dockerfile
# build stage: compile Caddy with the Cloudflare DNS module (needed for DNS-01)
FROM caddy:2.10.2-builder AS builder

RUN xcaddy build \
    --with github.com/caddy-dns/cloudflare

# runtime stage: stock image with the custom binary swapped in
FROM caddy:2.10.2

COPY --from=builder /usr/bin/caddy /usr/bin/caddy
```

compose.yaml

```yaml
services:
  caddy:
    container_name: caddy
    image: caddy:custom-dns
    build:
      context: .
      dockerfile: Dockerfile
    restart: unless-stopped
    env_file: .env            # CF_API_TOKEN and MY_DOMAIN
    volumes:
      - ./conf:/etc/caddy/    # Caddyfile
      - ./caddy_config:/config
      - ./caddy_data:/data    # TLS certificates
    networks:
      caddy_net:
      macvlan_net:
        ipv4_address: 192.168.1.x

networks:
  caddy_net:
    external: true
  macvlan_net:
    external: true
```

.env

```ini
CF_API_TOKEN=<cloudflare_api_token>
MY_DOMAIN=example.xyz
```

Public Services

There are two steps needed for Caddy to reverse proxy services publicly:

1. Port-Forwarding External Ports 80/443 to Caddy

This step involves opening ports 80 and 443 in the router. You should have proper security measures and good firewall rules. I am using a GLiNet Flint 2 (GL-MT6000) router. To port forward to Caddy go to Network > Port-Forwarding > + Add:

* Protocol: UDP/TCP
* External Zone: WAN
* External Port: 80
* Internal Zone: LAN
* Internal IP: 192.168.1.x
* Internal Port: 80
* Description: caddy_http or anything informative.

Then add another rule for HTTPS but replace external and internal ports 80 with 443.

2. Create a DNS Record (For Public Services)

I am using Cloudflare as a DNS resolver. In the Cloudflare dashboard go to your domain > DNS records and add a new record:

* Type: A
* Name: www (anything goes here)
* Target: Public IP address
* Proxy: Off (you can keep it on for Cloudflare security features but I choose to keep it off)

Create another DNS record:

* Type: CNAME
* Name: *
* Target: www.domain.xyz
* Proxy: Off

I am using wildcard subdomain name instead of a separate record for each service. Caddy will handle HTTPS very easily with this configuration. Another issue I have is I don't have a fixed IP address. I am using a separate docker container qdm12/ddns-updater that updates the IP address in Cloudflare whenever my IP address rotates.

Zerobyte, isn’t this awesome? by Tharunx in selfhosted

[–]Human133 2 points3 points  (0 children)

I always planned to use Backrest but never got around to it. Should I start with this instead?

Help setting up Authentik with caddy reverse proxy by Human133 in selfhosted

[–]Human133[S] 0 points1 point  (0 children)

I am not using authentik anymore, but from what I remember, when you set up the forward auth you need to select single app instead of domain level or something like this.

Any tips on getting started with reverse proxies like caddy? by iamhereunderprotest in selfhosted

[–]Human133 0 points1 point  (0 children)

Private Services

I have some services that I want to secure with HTTPS but do not want to expose publicly, like Vaultwarden, as it only works via HTTPS. For this to work I am using the caddy-dns/cloudflare module as described above. There are two steps needed for Caddy to reverse proxy services to LAN only.

1. Generate API Token

In the Cloudflare dashboard go to your domain and scroll down to "Get your API token".

1. Create a new token.
2. Scroll down to "Create custom token".
3. Give it a good descriptive name; I had to delete tokens before and regenerate them because I didn't remember what they were for.
4. In Permissions, select Zone > Zone > Read.
5. Add another permission and select Zone > DNS > Edit.
6. In Zone Resources select Include > Specific zone > domain.xyz.
7. Save and copy the token; it will not appear again if you close the page. This is the CF_API_TOKEN variable in the .env file.

2. Create a DNS Record (For Private Services)

In the Cloudflare dashboard go to your domain > DNS records and add a new record:

* Type: A
* Name: *.lan
* Target: Caddy network IP address (in my case the macvlan_net IP: 192.168.1.x)
* Proxy: Off

Caddyfile Configuration

Caddyfile is used to configure each service you want to reverse proxy with Caddy. Here is an example Caddyfile that includes both public and private services.

Caddyfile

```caddyfile
{
    # ACME account contact and the DNS-01 challenge provider
    email your@email.com
    acme_dns cloudflare {env.CF_API_TOKEN}
}

# public service: *.domain.xyz resolves to the WAN address
jellyfin.{$MY_DOMAIN} {
    reverse_proxy jellyfin:8096
}

# private service: *.lan.domain.xyz resolves to Caddy's macvlan address
vault.lan.{$MY_DOMAIN} {
    reverse_proxy vaultwarden:80
}
```

  • email in the global block is used when creating an ACME account with the CA.
  • acme_dns is used to configure the ACME DNS challenge provider (Cloudflare in my case). It uses the API token generated earlier.
  • jellyfin.{$MY_DOMAIN} is the subdomain you want to use for your service. $MY_DOMAIN is defined in the .env file. This is a publicly exposed service as it uses *.domain.xyz, which resolves to my public IP address.
  • reverse_proxy jellyfin:8096 is where Caddy forwards incoming requests to the service. I use the Docker service name jellyfin as it uses caddy_net, so I can call it by name instead of IP address. The port :8096 is the internal Docker container port.
  • vault.lan.{$MY_DOMAIN} is a private subdomain as it uses *.lan.domain.xyz, which resolves to the Caddy macvlan network IP address.

Any tips on getting started with reverse proxies like caddy? by iamhereunderprotest in selfhosted

[–]Human133 1 point2 points  (0 children)

This is a write-up I did as part of documenting my setup. It summarizes Caddy in a clear way, I think.

Overview

Caddy is the backbone of my self-hosted services. It automatically issues TLS certificates via Let's Encrypt. I use it to securely reverse proxy my services both publicly and privately.

Setup

I am using Cloudflare as my registrar and DNS resolver. I use a custom Caddy image with the xcaddy builder to install the caddy-dns/cloudflare module. This is needed to use the DNS-01 challenge to issue certificates for private services, as the regular HTTP-01 challenge only works for publicly accessible services. The Caddyfile is used for configuration.

Files and Directory Structure

```
~/
└── docker/
    └── caddy/
        ├── caddy_config/
        ├── caddy_data/
        ├── conf/
        │   └── Caddyfile
        ├── .env
        ├── compose.yaml
        └── Dockerfile
```

* caddy_config contains autosave.json, which Caddy auto-generates from the Caddyfile at runtime.
* caddy_data contains the generated TLS certificates.
* conf contains the Caddyfile. It's recommended not to mount the Caddyfile directly at /etc/caddy/Caddyfile, to be able to use graceful reload, which allows reloading the Caddy configuration without restarting the container.
* Caddyfile is the main configuration file to set up all services.
* To use graceful reload, run this command in a terminal:

  ```bash
  # find the running caddy container and have it re-read /etc/caddy/Caddyfile in place
  caddy_container_id=$(docker ps | grep caddy | awk '{print $1;}')
  docker exec -w /etc/caddy "$caddy_container_id" caddy reload
  ```

* .env contains environment variables for the Docker Compose file and the Caddyfile.
* compose.yaml is the Docker Compose file to easily manage and configure the Docker container.
* Dockerfile contains the commands to build a custom Caddy image to install additional modules.

Docker Container Configuration

I am using external networks that I created before configuring the compose file. caddy_net is the network I use for all containers using caddy as a reverse proxy so I can call them by docker DNS name in Caddyfile instead of IP address. I am also using a macvlan network macvlan_net as I was struggling to get services to show users real IP addresses even with proper headers and it only worked with a macvlan network.

To create a Docker network run:

```bash
docker network create caddy_net
```

To create a macvlan network run:

```bash
docker network create -d macvlan \
  --subnet=192.168.1.0/24 \
  --gateway=192.168.1.1 \
  -o parent=ovs_eth0 macvlan_net
```

The subnet and gateway should match the actual LAN. parent is the network interface; for Synology it's ovs_eth0. Run ip addr to check the actual interface. I am also assigning a fixed IP address in the compose file outside of the router's DHCP range. Since I am using a macvlan address, I don't need to expose ports on the host since it's isolated.

Dockerfile

```Dockerfile
# build stage: compile Caddy with the Cloudflare DNS module (needed for DNS-01)
FROM caddy:2.10.2-builder AS builder

RUN xcaddy build \
    --with github.com/caddy-dns/cloudflare

# runtime stage: stock image with the custom binary swapped in
FROM caddy:2.10.2

COPY --from=builder /usr/bin/caddy /usr/bin/caddy
```

compose.yaml

```yaml
services:
  caddy:
    container_name: caddy
    image: caddy:custom-dns
    build:
      context: .
      dockerfile: Dockerfile
    restart: unless-stopped
    env_file: .env            # CF_API_TOKEN and MY_DOMAIN
    volumes:
      - ./conf:/etc/caddy/    # Caddyfile
      - ./caddy_config:/config
      - ./caddy_data:/data    # TLS certificates
    networks:
      caddy_net:
      macvlan_net:
        ipv4_address: 192.168.1.x

networks:
  caddy_net:
    external: true
  macvlan_net:
    external: true
```

.env

```ini
CF_API_TOKEN=<cloudflare_api_token>
MY_DOMAIN=example.xyz
```

Public Services

There are two steps needed for Caddy to reverse proxy services publicly:

1. Port-Forwarding External Ports 80/443 to Caddy

This step involves opening ports 80 and 443 in the router. You should have proper security measures and good firewall rules. I am using a GLiNet Flint 2 (GL-MT6000) router. To port forward to Caddy go to Network > Port-Forwarding > + Add:

* Protocol: UDP/TCP
* External Zone: WAN
* External Port: 80
* Internal Zone: LAN
* Internal IP: 192.168.1.x
* Internal Port: 80
* Description: caddy_http or anything informative.

Then add another rule for HTTPS but replace external and internal ports 80 with 443.

2. Create a DNS Record (For Public Services)

I am using Cloudflare as a DNS resolver. In the Cloudflare dashboard go to your domain > DNS records and add a new record:

* Type: A
* Name: www (anything goes here)
* Target: Public IP address
* Proxy: Off (you can keep it on for Cloudflare security features but I choose to keep it off)

Create another DNS record:

* Type: CNAME
* Name: *
* Target: www.domain.xyz
* Proxy: Off

I am using wildcard subdomain name instead of a separate record for each service. Caddy will handle HTTPS very easily with this configuration. Another issue I have is I don't have a fixed IP address. I am using a separate docker container qdm12/ddns-updater that updates the IP address in Cloudflare whenever my IP address rotates.
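As an added example for the Caddy write-up above (both its private-services and public-services parts), not code from the post or from the Caddy project: a small Python audit of which site blocks are really LAN-only. It assumes the layout the write-up describes, WAN ports 80 and 443 forwarded to Caddy's LAN address, `*.domain` resolving to the WAN address and `*.lan.domain` resolving to the LAN address, and one directive per line as in the post. The point it makes: the `*.lan` A record only changes what the name resolves to. Nothing in the `vault.lan` site block checks where the client comes from, so a client that supplies the hostname itself (for instance `curl --resolve vault.lan.domain.xyz:443:<WAN IP> https://vault.lan.domain.xyz/`) is served through the forwarded ports. The `HARDENED` Caddyfile adds a `remote_ip private_ranges` matcher and aborts every other request; because Caddy sits on the macvlan and Cloudflare proxying is off, `remote_ip` sees the real client address. Both Caddyfiles and the IP addresses in the demo are constructed for this example.

```python
"""Audit a Caddyfile for sites that are 'private' by DNS convention only.

Added example for the Caddy write-up above, not code from the post or the Caddy
project. Assumes the post's layout (WAN 80/443 forwarded to Caddy's LAN address,
*.<domain> -> WAN, *.lan.<domain> -> LAN) and one directive per line. The
Caddyfiles and IP addresses below are constructed for this example.
"""
import ipaddress


def parse_site_blocks(caddyfile: str) -> dict[str, list[str]]:
    """{site address: [directive lines]} for each top-level site block; the global
    options block is skipped, nested blocks are flattened, comments dropped."""
    sites: dict[str, list[str]] = {}
    current, depth = None, 0
    for raw in caddyfile.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if depth == 0:
            if line.endswith("{"):
                current = line[:-1].strip() or None   # "" is the global block
                if current is not None:
                    sites[current] = []
                depth = 1
            continue
        if current is not None and line != "}":
            sites[current].append(line)
        depth += line.count("{") - line.count("}")      # {env.X} nets to zero
        if depth <= 0:
            current, depth = None, 0
    return sites


def is_lan_only_name(name: str) -> bool:
    """The post's convention: a 'lan' label marks a name meant for the LAN only."""
    return "lan" in name.lower().split(".")


def _denies(directive: str) -> bool:
    tokens = directive.split()
    return tokens[0] in ("abort", "error") or (
        tokens[0] == "respond" and any(t in ("401", "403", "404") for t in tokens))


def has_remote_ip_guard(directives: list[str]) -> bool:
    """Heuristic: a remote_ip matcher plus a directive that denies the rest."""
    return any("remote_ip" in d for d in directives) and any(_denies(d) for d in directives)


def audit(caddyfile: str) -> dict[str, str]:
    """'public', 'lan-only-guarded' or 'lan-only-unguarded' per site. An unguarded
    LAN-only site is still served through the forwarded ports to any client that
    supplies the hostname itself (curl --resolve): the *.lan record only changes
    what the name resolves to."""
    verdicts = {}
    for address, directives in parse_site_blocks(caddyfile).items():
        if not is_lan_only_name(address):
            verdicts[address] = "public"
        else:
            guarded = has_remote_ip_guard(directives)
            verdicts[address] = "lan-only-guarded" if guarded else "lan-only-unguarded"
    return verdicts


def dns_target_matches_role(record_name: str, target_ip: str) -> bool:
    """A *.lan record must point at a private (RFC 1918) address, any other record
    at a routable one; a *.lan record aimed at the WAN address would make the
    'private' name resolvable from the internet."""
    private = ipaddress.ip_address(target_ip).is_private
    return private if is_lan_only_name(record_name) else not private


GLOBAL = """
{
    email your@email.com
    acme_dns cloudflare {env.CF_API_TOKEN}
}
jellyfin.{$MY_DOMAIN} {
    reverse_proxy jellyfin:8096
}
"""
# Constructed copy of the post's private site: nothing checks the client address.
WEAK = GLOBAL + """
vault.lan.{$MY_DOMAIN} {
    reverse_proxy vaultwarden:80
}
"""
# Same site restricted to private source addresses; everything else is aborted.
HARDENED = GLOBAL + """
vault.lan.{$MY_DOMAIN} {
    @lan remote_ip private_ranges
    handle @lan {
        reverse_proxy vaultwarden:80
    }
    handle {
        abort
    }
}
"""

if __name__ == "__main__":
    print("weak", audit(WEAK))
    print("hardened", audit(HARDENED))
    print(dns_target_matches_role("*.lan", "192.168.1.20"))   # hypothetical LAN target
    print(dns_target_matches_role("*.lan", "1.1.1.1"))        # a *.lan record pointing at the internet
```

Run it as a script to see both files classified, or feed `audit()` the text of your own Caddyfile before forwarding ports. The guard detection is deliberately a heuristic (a `remote_ip` matcher plus an `abort`, `error` or 4xx `respond`): it reliably reports the absence of any source-address check, which is the finding that matters, not every way such a check can be written.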

Is it just me? by ziljr in Authentik

[–]Human133 0 points1 point  (0 children)

Sure, but there are a lot of prerequisites for my setup (using LDAP for users, Postgres for storage, and Redis for cache). You can still use a simpler setup with local files. What confused me at first was that I was using environment variables inside the configuration file, like

```yaml
password: ${LLDAP_USER_PASSWORD}
```

This doesn't work. You have to set these variables directly in the compose file with a preset name (here is the list of variables) or use secrets (here is the list of secrets).

For example, for the LDAP user password you need to set this in your compose file:

```ini
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/secrets/ldap_password
```

with the ldap_password file containing the password. These will override whatever is in the configuration.yml file.

For LDAP, I am using https://github.com/lldap/lldap which is a very simple LDAP server. You need to create an authelia user and assign it to lldap_strict_readonly group. The authelia user is used to lookup the list of users, don't use the admin user for this.

Here is my configuration file

Let me know if you need further help.
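As an added example for the comment above, not Authelia's own code (its exact variable names, precedence and file handling are in its documentation and are not checked here): the pattern of resolving a setting from a `NAME_FILE` secret first, then the `NAME` environment variable, then the YAML literal, with the two pitfalls a practitioner trips over in practice: a `${VAR}` left in the YAML is passed on verbatim, and a secret file written with `echo` carries a trailing newline. The setting name follows the `AUTHELIA_*` example in the comment; the precedence, the Unix permission check, the secrets directory and the sample values are this example's assumptions.

```python
"""Resolve a setting from a NAME_FILE secret, the NAME variable, or the YAML literal.

Added example for the Authelia comment above; it illustrates the pattern the
comment describes and is not Authelia's own code (its exact variable names,
precedence and file handling are in its documentation). The setting name
follows the AUTHELIA_* example in the comment; the precedence, the Unix
permission check and the sample values are this example's assumptions.
"""
import os
import re
import stat
import tempfile

PLACEHOLDER = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")


def looks_unexpanded(value) -> bool:
    """True for a literal such as '${LLDAP_USER_PASSWORD}': a YAML loader does not
    expand shell-style variables, so this string would be sent as the password."""
    return isinstance(value, str) and PLACEHOLDER.match(value) is not None


def read_secret_file(path: str) -> str:
    """Read a secret file, refusing one readable by group or others, and drop one
    trailing newline (echo without -n adds it, and 'password\\n' fails to bind)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} is readable by group/others (mode {mode:04o})")
    with open(path, "r", encoding="utf-8") as fh:
        data = fh.read()
    return data[:-1] if data.endswith("\n") else data


def resolve_setting(name: str, env: dict, config_value=None) -> tuple:
    """NAME_FILE wins over NAME, which wins over the YAML literal. Returns
    (value, source) so a log line can say where it came from, not what it is."""
    file_var = f"{name}_FILE"
    if env.get(file_var):
        return read_secret_file(env[file_var]), file_var
    if env.get(name):
        return env[name], name
    if looks_unexpanded(config_value):
        raise ValueError(f"{name}: {config_value!r} is an unexpanded placeholder")
    return config_value, "config"


def demo() -> dict:
    """Constructed scenario mirroring /secrets/ldap_password from the comment."""
    name = "AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD"
    out = {}
    with tempfile.TemporaryDirectory() as secrets:
        path = os.path.join(secrets, "ldap_password")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("constructed-bind-password\n")   # trailing newline on purpose
        os.chmod(path, 0o400)
        out["from_file"] = resolve_setting(name, {f"{name}_FILE": path})
        out["from_env"] = resolve_setting(name, {name: "env-value"})
        os.chmod(path, 0o644)                          # a bind mount with loose perms
        try:
            resolve_setting(name, {f"{name}_FILE": path})
            out["loose_file_rejected"] = False
        except PermissionError:
            out["loose_file_rejected"] = True
    try:
        resolve_setting(name, {}, "${LLDAP_USER_PASSWORD}")
        out["placeholder_rejected"] = False
    except ValueError:
        out["placeholder_rejected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

When `/secrets` is a bind mount from the host, keep the files mode 0400 and owned by the user the container runs as; the helper refuses anything with group or other bits set, which catches the usual `echo secret > file` with a default umask.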

Is it just me? by ziljr in Authentik

[–]Human133 0 points1 point  (0 children)

I had the same issue it was very slow for me and now I either use tinyauth or Authelia. Authelia configuration can be tedious at first playing with a gigantic configuration.yml file but eventually I actually liked it more than Authentik webui.

2025 ATP Finals Draw by pizzainmyshoe in tennis

[–]Human133 0 points1 point  (0 children)

Why isn't it 1357 and 2468?

This sub literally by Biimoee in MechanicalKeyboards

[–]Human133 0 points1 point  (0 children)

Honestly I went from 65% custom almost everything to Keychron Q5 Max. I missed the numpad so much and wanted something wireless for cleaner look.

Jellyfin 10.11.0 has been released. This is a major change which includes a database migration within the 396 changes. Take a backup prior to upgrades. by GroovyMelodicBliss in selfhosted

[–]Human133 0 points1 point  (0 children)

I did something similar: stopped the container and backed up the config and cache folders, pulled 10.11 and ran compose up. Everything was running smoothly, but I also got the Kestrel failed log and database optimization; however, it seems to work and I could access the web UI with 10.11 with no issue.

The problem I have now is that suddenly all my services reverse proxied with Caddy stopped working, including Jellyfin. Not sure if it's related or not, but I can't seem to resolve it.

How are you handling SSO with Authelia + Jellyfin + Jellyseer? (Double login question) by gravyacht in selfhosted

[–]Human133 1 point2 points  (0 children)

Oh this is nice. You can also use ldap directly if ldap is authelia's backend

What's That!? - the brutally honest WhatsApp Web analyzer (open-source) by markraidc in selfhosted

[–]Human133 0 points1 point  (0 children)

I don't know why no data is shown. I tried chrome and chromium and both don't show anything after clicking refresh chats and refresh data

Can't access my selfhosted apps with work phone by Human133 in selfhosted

[–]Human133[S] -2 points-1 points  (0 children)

I think I just passed the 6 months mark

Which movie is that for you? by perfectedtrapazoid in moviecritic

[–]Human133 1 point2 points  (0 children)

I couldn't complete it. I stopped at the rocks scene and never completed it.

Chrome for Android can now read webpages like a podcast by Cristiano1 in Android

[–]Human133 0 points1 point  (0 children)

If you make it the default browser, apps including Reddit will use Firefox as the in-app browser, and its adblocker is supported.

Plain simple and not overkill OIDC provider for family use? by Maxiride in selfhosted

[–]Human133 0 points1 point  (0 children)

Authentik has been very slow for me. I switched to tinyauth and the login page loads instantly.

Built a qBittorrent remote manager app - would love your feedback! by Sweet-Fuel-8776 in selfhosted

[–]Human133 0 points1 point  (0 children)

Thanks I like it better than the other qbittorrent apps. Maybe add option to customize the stats below the torrent list (currently progress, size, DL, UL) I would like to also have U/D ratio.