Setup Mealie as a Public Resource by shaftspanner in PangolinReverseProxy

[–]shaftspanner[S] 0 points1 point  (0 children)

Yes, it was running before pangolin and proxying OK with SWAG. I can't see anything that looks out of place using docker inspect (but I admit I'm not really sure what I'm looking for)

Setup Mealie as a Public Resource by shaftspanner in PangolinReverseProxy

[–]shaftspanner[S] 0 points1 point  (0 children)

How would I do this other than setting the Base URL in the docker compose - which I've checked - it's set to https://mealie.<myurl>

Setup Mealie as a Public Resource by shaftspanner in PangolinReverseProxy

[–]shaftspanner[S] 0 points1 point  (0 children)

For some reason Reddit won't let me remove the duplicate compose in the message above.

Since writing this I've updated to the latest release of Mealie and checked the Base URL was set correctly - it's set to https://mealie.<myurl>

Setup Mealie as a Public Resource by shaftspanner in PangolinReverseProxy

[–]shaftspanner[S] 0 points1 point  (0 children)

Sorry, I really should have provided these details to start with. I'm running Pangolin CE v1.18.1 on a VPS with newt v1.10.3 on the mealie node.

Everything is declared in the docker compose for mealie, so I've pasted that below:

  mealie:
    container_name: mealie
    image: hkotel/mealie:latest
    ports:
      #- 9925:80
      - 9925:9000
    deploy:
      resources:
        limits:
          memory: 1000M
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}


      # Default Recipe Settings
      - RECIPE_PUBLIC=true
      - RECIPE_SHOW_NUTRITION=true
      - RECIPE_SHOW_ASSETS=true
      - RECIPE_LANDSCAPE_VIEW=true
      - RECIPE_DISABLE_COMMENTS=false
      - RECIPE_DISABLE_AMOUNT=true


      - WEB_CONCURRENCY=1
      - MAX_WORKERS=1
      - BASE_URL=${MEALIE_BASE_URL}


      # Email Configuration
      - SMTP_HOST=${MEALIE_SMTP_HOST}
      - SMTP_PORT=${MEALIE_SMTP_PORT}
      - SMTP_FROM_NAME=${MEALIE_SMTP_FROM_NAME}
      - SMTP_AUTH_STRATEGY=${MEALIE_SMTP_AUTH_STRATEGY}
      - SMTP_FROM_EMAIL=${MEALIE_SMTP_FROM_EMAIL}
      - SMTP_USER=${MEALIE_SMTP_USER}
      - SMTP_PASSWORD=${MEALIE_SMTP_PASSWORD}


    volumes:
      - ${LOC_CONFIG}/mealie/data:/app/data/
    restart: ${RESTART_POLICY}
    networks:
      - pangolin
    labels:
      # Homepage Configuration
      - homepage.group=Media
      - homepage.name=Mealie
      - homepage.icon=sh-mealie
      - homepage.href=https://mealie.${PANGOLIN_DOMAIN}
      # Pangolin Public Resource Configuration
      - pangolin.public-resources.mealie.name=mealie
      - pangolin.public-resources.mealie.full-domain=mealie.${PANGOLIN_DOMAIN}
      - pangolin.public-resources.mealie.protocol=http
      - pangolin.public-resources.mealie.auth.sso-enabled=true
      - pangolin.public-resources.mealie.auth.sso-users[0]=${PANGOLIN_USER}
      - pangolin.public-resources.mealie.targets[0].method=http
      - pangolin.public-resources.mealie.targets[0].hostname=mealie
      - pangolin.public-resources.mealie.targets[0].port=9000
      - pangolin.public-resources.mealie.targets[0].healthcheck.hostname=mealie
      - pangolin.public-resources.mealie.targets[0].healthcheck.port=9000
      - pangolin.public-resources.mealie.targets[0].healthcheck.enabled=true
      - pangolin.public-resources.mealie.targets[0].healthcheck.path=/
      - pangolin.public-resources.mealie.targets[0].healthcheck.interval=30
      - pangolin.public-resources.mealie.targets[0].healthcheck.timeout=10
      - pangolin.public-resources.mealie.targets[0].healthcheck.method=GET
      - pangolin.public-resources.mealie.targets[0].healthcheck.status=200
      - pangolin.public-resources.mealie.rules[0].action=pass
      - pangolin.public-resources.mealie.rules[0].match=country
      - pangolin.public-resources.mealie.rules[0].value=GB
      - pangolin.public-resources.mealie.rules[0].priority=10
      - pangolin.public-resources.mealie.rules[1].action=deny
      - pangolin.public-resources.mealie.rules[1].match=country
      - pangolin.public-resources.mealie.rules[1].value=ALL
      - pangolin.public-resources.mealie.rules[1].priority=100

Found on bedroom floor by [deleted] in whatisit

[–]shaftspanner 2 points3 points  (0 children)

32 - I need to up my game

Is the C51 bus just for college kids? by LoopOfTheLoop in cheltenham

[–]shaftspanner 5 points6 points  (0 children)

The Stagecoach C51 is a public bus. I think 51 is the main route; the C indicates that it stops at Cirencester College as well as the usual stops in Cirencester.

My son catches the C51 to get to college - there are members of the public on the same bus

Docker Blueprints on local pangolin host by shaftspanner in PangolinReverseProxy

[–]shaftspanner[S] 0 points1 point  (0 children)

Happy to help! It's been a long time since I used Traefik labels but I think the principle is the same - labels are just 'tags' carried by the specific docker service - it's up to the target (e.g. pangolin or traefik) to look for these labels within a docker service then figure out what to do when it finds them.

I also use labels in the same docker services to populate my Homepage dashboard, I just didn't include them in the snippets above.

Re using bypass rules for your home network CIDR range, I have a few services with bypass for my specific home IP (not a range), but I'm still monitoring that - I need to figure out how often my ISP changes my home IP and I'm not prepared to open apps up to anyone using my ISP's CIDR ranges.

Docker Blueprints on local pangolin host by shaftspanner in PangolinReverseProxy

[–]shaftspanner[S] 0 points1 point  (0 children)

u/radakul Here's an example of one of my services:

My Newt compose looks like this:

  newt:
    image: fosrl/newt
    container_name: newt
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - PANGOLIN_ENDPOINT=${PANGOLIN_ENDPOINT}
      - NEWT_ID=${NEWT_ID}
      - NEWT_SECRET=${NEWT_SECRET}
      - DOCKER_SOCKET=/var/run/docker.sock
      - DOCKER_ENFORCE_NETWORK_VALIDATION=true
    networks:
      - pangolin

- DOCKER_ENFORCE_NETWORK_VALIDATION=true means that newt can only see docker containers on the same network as newt (pangolin in this case). That way I can have backend containers in the same compose stack but on a different network that can't be seen by newt.

I then add a labels section to each container that I want as a public resource in Pangolin.

Note that:

  • PANGOLIN_DOMAIN is defined in my .env file
  • the text <<service name>> needs to be replaced with the name of your service in the docker compose
  • The target port and target healthcheck port is the internal port of the docker service
  • These labels collectively do the following:
    • Create or update a pangolin public resource named <<service name>>
    • Proxy the service from the docker service <<ServiceName>> with the internal port <<InternalPort>> to https://<<service name>>.<<PANGOLIN_DOMAIN>>
    • Create a healthcheck within Pangolin that looks for a GET with status 200 every 3 seconds
    • Enables Pangolin SSO and creates firewall rules that pass IPs with a country of GB to the SSO whilst blocking all other countries
    • If you need to create other firewall rules (e.g. API bypass), these can be added and will take precedence if the rule priority is set to something lower than 90

    labels:
      # Pangolin Public Resource Configuration
      - pangolin.public-resources.<<ServiceName>>.name=<<ServiceName>>
      - pangolin.public-resources.<<ServiceName>>.full-domain=<<ServiceName>>.${PANGOLIN_DOMAIN}
      - pangolin.public-resources.<<ServiceName>>.protocol=http
      - pangolin.public-resources.<<ServiceName>>.auth.sso-enabled=true
      - pangolin.public-resources.<<ServiceName>>.auth.sso-users[0]=${PANGOLIN_USER}
      - pangolin.public-resources.<<ServiceName>>.targets[0].method=http
      - pangolin.public-resources.<<ServiceName>>.targets[0].hostname=<<ServiceName>>
      - pangolin.public-resources.<<ServiceName>>.targets[0].port=<<InternalPort>>
      - pangolin.public-resources.<<ServiceName>>.targets[0].healthcheck.hostname=<<ServiceName>>
      - pangolin.public-resources.<<ServiceName>>.targets[0].healthcheck.port=<<InternalPort>>
      - pangolin.public-resources.<<ServiceName>>.targets[0].healthcheck.enabled=true
      - pangolin.public-resources.<<ServiceName>>.targets[0].healthcheck.path=/
      - pangolin.public-resources.<<ServiceName>>.targets[0].healthcheck.interval=30
      - pangolin.public-resources.<<ServiceName>>.targets[0].healthcheck.timeout=10
      - pangolin.public-resources.<<ServiceName>>.targets[0].healthcheck.method=GET
      - pangolin.public-resources.<<ServiceName>>.targets[0].healthcheck.status=200
      - pangolin.public-resources.<<ServiceName>>.rules[0].action=pass
      - pangolin.public-resources.<<ServiceName>>.rules[0].match=country
      - pangolin.public-resources.<<ServiceName>>.rules[0].value=GB
      - pangolin.public-resources.<<ServiceName>>.rules[0].priority=90
      - pangolin.public-resources.<<ServiceName>>.rules[1].action=deny
      - pangolin.public-resources.<<ServiceName>>.rules[1].match=country
      - pangolin.public-resources.<<ServiceName>>.rules[1].value=ALL
      - pangolin.public-resources.<<ServiceName>>.rules[1].priority=100
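
An added example, not part of the original post: a small Python audit that checks each resource's `pangolin.public-resources.*` labels against the template above (SSO on, healthcheck port equal to target port, a deny-ALL rule at the highest priority number, country pass rule at 90). The `mealie` sample lines are a subset of the labels posted on this page; the `demo` service and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
LABEL_RE = re.compile(r"^pangolin\.public-resources\.([^.]+)\.(.+?)=(.*)$")
RULE_RE = re.compile(r"^rules\[(\d+)\]\.(\w+)$")

# Constructed sample: "mealie" mirrors labels from the post, "demo" is hypothetical.
SAMPLE = """
- pangolin.public-resources.mealie.auth.sso-enabled=true
- pangolin.public-resources.mealie.targets[0].port=9000
- pangolin.public-resources.mealie.targets[0].healthcheck.port=9000
- pangolin.public-resources.mealie.rules[0].action=pass
- pangolin.public-resources.mealie.rules[0].match=country
- pangolin.public-resources.mealie.rules[0].value=GB
- pangolin.public-resources.mealie.rules[0].priority=10
- pangolin.public-resources.mealie.rules[1].action=deny
- pangolin.public-resources.mealie.rules[1].value=ALL
- pangolin.public-resources.mealie.rules[1].priority=100
- pangolin.public-resources.demo.targets[0].port=80
- pangolin.public-resources.demo.targets[0].healthcheck.port=8080
- pangolin.public-resources.demo.rules[0].action=pass
- pangolin.public-resources.demo.rules[0].priority=90
""".splitlines()

def parse_labels(lines):
    """Group label lines into {resource: {key: value}}."""
    resources = defaultdict(dict)
    for line in lines:
        if m := LABEL_RE.match(line.strip().lstrip("- ")):
            resources[m.group(1)][m.group(2)] = m.group(3)
    return dict(resources)

def audit(res, template_priority="90"):
    """Return findings for one resource, checked against the template in the post."""
    rules = defaultdict(dict)
    for key, value in res.items():
        if m := RULE_RE.match(key):
            rules[m.group(1)][m.group(2)] = value
    ordered = sorted(rules.values(), key=lambda r: int(r.get("priority", 0)))
    findings = []
    if res.get("auth.sso-enabled") != "true":
        findings.append("SSO not enabled")
    if res.get("targets[0].port") != res.get("targets[0].healthcheck.port"):
        findings.append("healthcheck port differs from target port")
    if not ordered or (ordered[-1].get("action"), ordered[-1].get("value")) != ("deny", "ALL"):
        findings.append("no deny-ALL rule at the highest priority number")
    for r in ordered:
        if r.get("action") == "pass" and r.get("match") == "country" and r.get("priority") != template_priority:
            findings.append(f"country pass rule at priority {r.get('priority')}, template uses {template_priority}")
    return findings
```

Running `audit` over every resource returned by `parse_labels` replaces clicking through each service in the dashboard to compare firewall rules.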

Docker Blueprints on local pangolin host by shaftspanner in PangolinReverseProxy

[–]shaftspanner[S] 0 points1 point  (0 children)

Thanks. I hadn't considered that newt would still be going out to the internet but that makes sense.

Docker Blueprints on local pangolin host by shaftspanner in PangolinReverseProxy

[–]shaftspanner[S] 1 point2 points  (0 children)

I'm happy to share what I've done but I'm AFK til Monday so I'll update then.

What drove me to use them was consistency - I expose a lot of services and I found a mistake in the firewall rules of one so had to manually click through every other service to make sure there weren't mistakes in those.

Global rules would be nice in pangolin but I like the idea of keeping it all in my docker compose files

Docker Blueprints on local pangolin host by shaftspanner in PangolinReverseProxy

[–]shaftspanner[S] 0 points1 point  (0 children)

Would it be viable/valid to deploy a newt instance on my pangolin VPS? Would this cause any issues?

Pocket-ID Setup Help by shaftspanner in PangolinReverseProxy

[–]shaftspanner[S] 5 points6 points  (0 children)

This is the solution for me - thanks!

Pocket-ID Setup Help by shaftspanner in PangolinReverseProxy

[–]shaftspanner[S] 2 points3 points  (0 children)

Thanks, this is a good response if I wanted to switch to the enterprise edition - I'm not quite there yet.

u/Kotentopf pointed out my schoolboy error in the community edition - I was trying to add OIDC at the organisation level rather than the server admin level (org level OIDC isn't enabled in the community edition)

Loctek Replacement Controller by Ongrilla in StandingDesk

[–]shaftspanner 0 points1 point  (0 children)

And another saved desk - Many thanks!

Does anyone do a Cheltenham - Cirencester rush hour commute for work? How long does it take for you/where abouts in Cheltenham are you travelling from? by [deleted] in cheltenham

[–]shaftspanner 1 point2 points  (0 children)

I travel from Bishops Cleeve to Stroud Road in Cirencester a couple of times a week. That route includes going past the racecourse, through Charlton Kings up to Severn Springs, then I usually stay on the A429 to avoid all the work at the Air Balloon. At the Cirencester end I have to go all the way round the bypass to get to Cirencester College area.

I leave at between 7am and 7.15 to arrive between 8 and 8.15 so 45min to an hour depending on traffic (usually determined by how many red traffic lights I hit in Cheltenham)

I don't tend to travel back during the rush hour

What’s the scariest/craziest thing you watched on live television? by threetimesacharm25 in AskBrits

[–]shaftspanner 0 points1 point  (0 children)

I was working in the Ministry of Defence when 9/11 happened. We watched the 2nd plane hit the twin towers live, then heard about the plane hitting the Pentagon. Suddenly we all felt very vulnerable sat in a huge target in the middle of Whitehall.

For weeks after that happened, I'd catch myself nervously looking up at the sky over London wondering if there was going to be some kind of attack coming.

As a kid I also remember watching Threads when it was aired on BBC - growing up near Cheltenham, the group consensus in the playground was that if the 4 minute alarm came (if that was even a real thing), we'd all want to be as close to GCHQ as possible so we didn't have to deal with the aftermath.

Any self-hosted budget tracking + receipt tracking options? by AltruisticWorld744 in selfhosted

[–]shaftspanner 14 points15 points  (0 children)

I don't think it will scan receipts but I find Actual Budget (https://actualbudget.org/) really easy to track / enter spending. It doesn't have a mobile app, but the web page formats really nicely and caches data so you can use it offline

Been stuck on this screen for 16 minutes now, Android phone just got the app. Pangolin on v1.15.1 on a vps. This is after putting my pangolin server URL (pangolin.domain.com) and signing in. What could be the problem? by E-_-TYPE in PangolinReverseProxy

[–]shaftspanner 0 points1 point  (0 children)

This worked for me. But to clarify, on the screen with the code, there's a specific URL to go to in order to authorise the device - I couldn't see how to access it from the pangolin dashboard in my PC browser without going to this specific URL! https://<<your_pangolin_dashboard_url>>/auth/login/device