Hi # SelfHosted community

submitted a year ago by

Hi #SelfHosted community. I've figured out a lot of my setup. I now have a new domain, laniesplace.us, just for #HomeServer stuff. It's set up through Porkbun with Dynu for #DDNS. I've now got #Traefik, #TailscaleVPN, #Linkding, #Forgejo, #Dokuwiki, Code-Server, #Portainer, #Netdata, #Watchtower, #Cockpit, #Pihole, #MiniFlux, #TheLounge, #Filebrowser, #UptimeKuma, and the #Homer dashboard service installed. I'm now trying to set up #Authelia so I can have single sign-on to my services. For some, it's working now, but I can't seem to get Linkding to work no matter what I do. This is on a #RaspberryPi 500 with 8 GB RAM and a 512 GB SD card, running #Stormux, which is based on #ArchlinuxARM. Can anyone help? I'll reply to this post with all my relevant config files in separate posts. What's happening is this: Linkding is supposed to be available at bookmarks.laniesplace.us. When I go there, I see a 401 unauthorized error and a link to sign into Authelia. Once I sign in, though, it redirects back to the page with the 401 error. I've been trying to figure this out for hours with no luck. Files will be in replies to this post.
#SelfHosting #Linux #HomeLab #RPi #RaspberryPi500 #RPi500
@selfhost @selfhosting @selfhosted @linux

-11

Hot Top New Old

ocean@lemmy.selfhostcat.com

a year ago

Why did you hashtag everything and comment every yaml 0_o

harsh3466@lemmy.ml

a year ago

I believe this is a Mastodon post that's also federating to lemmy

ocean@lemmy.selfhostcat.com

a year ago

Ah that makes more sense

Facebones@reddthat.com

a year ago

Nothing makes me realize I left my glasses at home quite like this post. 🤣

Lanie Carmelo@caneandable.social

OP a year ago

@selfhost @selfhosting @selfhosted @linux Authelia configuration.yml:

```
theme: light

server:
address: 0.0.0.0:9091

log:
level: debug
format: text
file_path: /var/log/authelia/authelia.log

totp:
issuer: laniesplace.us
period: 30
skew: 1

authentication_backend:
file:
path: /config/users_database.yml
password:
algorithm: argon2id
iterations: 3
memory: 65536
parallelism: 4
salt_length: 16
key_length: 32

access_control:
default_policy: deny
rules:
# Public Access
- domain:
- "pihole.laniesplace.us"
- "homer.laniesplace.us"
policy: bypass

# High Security (Two Factor)
- domain:
- "portainer.laniesplace.us"
- "netdata.laniesplace.us"
- "cockpit.laniesplace.us"
- "glances.laniesplace.us"
- "code.laniesplace.us"
policy: two_factor
subject:
- "group:admins"

# Medium Security (One Factor Admin)
- domain:
- "forgejo.laniesplace.us"
- "files.laniesplace.us"
- "uptime.laniesplace.us"
policy: one_factor
subject:
- "group:admins"

# Standard Auth (One Factor)
- domain:
- "thelounge.laniesplace.us"
- "miniflux.laniesplace.us"
- "linkding.laniesplace.us"
- "wiki.laniesplace.us"
policy: one_factor

# Catch-all rule
- domain: "*.laniesplace.us"
policy: one_factor

session:
name: authelia_session
domain: laniesplace.us
same_site: lax
expiration: 3600
inactivity: 300
remember_me: 1M

regulation:
max_retries: 3
find_time: 120
ban_time: 300

storage:
local:
path: /config/db.sqlite3

notifier:
disable_startup_check: false
smtp:
address: submission://smtp.gmail.com:587
username: laniegcarmelo@gmail.com
password: rcig lqpk cbsg aqcm
sender: "Authelia <laniegcarmelo@gmail.com>"
identifier: auth.laniesplace.us
subject: "[Authelia] {title}"
startup_check_address: laniegcarmelo@gmail.com
timeout: 5s

identity_validation:
reset_password:
jwt_secret: ${AUTHELIA_JWT_SECRET_FILE}
```

Lanie Carmelo@caneandable.social

OP a year ago

@selfhost @selfhosting @selfhosted @linux traefik.yml:

```
global:
checkNewVersion: true
sendAnonymousUsage: false

log:
level: DEBUG
filePath: /etc/traefik/logs/traefik.log

accessLog:
filePath: /etc/traefik/logs/access.log

entryPoints:
web:
address: :80
http:
redirections:
entryPoint:
to: websecure
scheme: https
websecure:
address: :443
http:
tls:
certResolver: le

api:
dashboard: true
insecure: false

providers:
file:
directory: /etc/traefik/dynamic
watch: true
docker:
endpoint: unix:///var/run/docker.sock
watch: true
exposedByDefault: false
network: web

certificatesResolvers:
le:
acme:
email: laniegcarmelo@gmail.com
storage: /etc/traefik/acme.json
tlsChallenge: {}
```

Lanie Carmelo@caneandable.social

OP a year ago

@selfhost @selfhosting @selfhosted @linux traefik docker-compose.yml:
networks:
web:
external: true

services:
traefik:
image: traefik:v3.2.5
container_name: traefik
security_opt:
- no-new-privileges:true
ports:
- "80:80"
- "443:443"
- "8080:8080"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./traefik.yml:/etc/traefik/traefik.yml:ro
- ./acme.json:/acme.json
- ./dynamic:/etc/traefik/dynamic:ro
- ./logs:/etc/traefik/logs
networks:
- web
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.http.routers.dashboard.rule=Host(`traefik.laniesplace.us`)"
- "traefik.http.routers.dashboard.service=api@internal"
- "traefik.http.routers.dashboard.entrypoints=websecure"
- "traefik.http.routers.dashboard.tls.certresolver=le"
- "traefik.http.routers.dashboard.middlewares=dashboard-auth"

Lanie Carmelo@caneandable.social

OP a year ago

@selfhost @selfhosting @selfhosted @linux traefik routers.yml:

```
http:
routers:
dashboard:
rule: "Host(`traefik.laniesplace.us`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
service: api@internal
entryPoints:
- websecure
tls:
certResolver: le
middlewares:
- dashboard-auth

homer:
rule: "Host(`laniesplace.us`)"
service: homer
entryPoints:
- websecure
tls:
certResolver: le
middlewares:
- authelia@docker
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Host: "laniesplace.us"
X-Forwarded-Uri: "/"
X-Forwarded-For: "true"

glances:
rule: "Host(`glances.laniesplace.us`)"
service: glances
entryPoints:
- websecure
tls:
certResolver: le
middlewares:
- authelia@docker
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Host: "glances.laniesplace.us"
X-Forwarded-Uri: "/"
X-Forwarded-For: "true"

uptime-kuma:
rule: "Host(`uptime.laniesplace.us`)"
service: uptime-kuma
entryPoints:
- websecure
tls:
certResolver: le
middlewares:
- authelia@docker
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Host: "uptime.laniesplace.us"
X-Forwarded-Uri: "/"
X-Forwarded-For: "true"

miniflux:
rule: "Host(`rss.laniesplace.us`)"
service: miniflux
entryPoints:
- websecure
tls:
certResolver: le
middlewares:
- authelia@docker
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Host: "rss.laniesplace.us"
X-Forwarded-Uri: "/"
X-Forwarded-For: "true"

pihole:
rule: "Host(`pihole.laniesplace.us`)"
service: pihole
entryPoints:
- websecure
tls:
certResolver: le
middlewares:
- authelia@docker
- pihole-redirect
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Host: "pihole.laniesplace.us"
X-Forwarded-Uri: "/"
X-Forwarded-For: "true"

portainer:
rule: "Host(`portainer.laniesplace.us`)"
service: portainer
entryPoints:
- websecure
tls:
certResolver: le
middlewares:
- authelia@docker
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Host: "portainer.laniesplace.us"
X-Forwarded-Uri: "/"
X-Forwarded-For: "true"

linkding:
rule: "Host(`bookmarks.laniesplace.us`)"
service: linkding
entryPoints:
- websecure
tls:
certResolver: le
middlewares:
- authelia@docker
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Host: "bookmarks.laniesplace.us"
X-Forwarded-Uri: "/"
X-Forwarded-For: "true"
Remote-User: "{{ .Request.Headers.Remote-User }}"

filebrowser:
rule: "Host(`files.laniesplace.us`)"
service: filebrowser
entryPoints:
- websecure
tls:
certResolver: le
middlewares:
- authelia@docker
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Host: "files.laniesplace.us"
X-Forwarded-Uri: "/"
X-Forwarded-For: "true"

netdata:
rule: "Host(`netdata.laniesplace.us`)"
service: netdata
entryPoints:
- websecure
tls:
certResolver: le
middlewares:
- authelia@docker
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Host: "netdata.laniesplace.us"
X-Forwarded-Uri: "/"
X-Forwarded-For: "true"

forgejo:
rule: "Host(`git.laniesplace.us`)"
service: forgejo
entryPoints:
- websecure
tls:
certResolver: le
middlewares:
- authelia@docker
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Host: "git.laniesplace.us"
X-Forwarded-Uri: "/"
X-Forwarded-For: "true"

dokuwiki:
rule: "Host(`wiki.laniesplace.us`)"
service: dokuwiki
entryPoints:
- websecure
tls:
certResolver: le
middlewares:
- authelia@docker
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Host: "wiki.laniesplace.us"
X-Forwarded-Uri: "/"
X-Forwarded-For: "true"

cockpit:
rule: "Host(`cockpit.laniesplace.us`)"
service: cockpit
entryPoints:
- websecure
tls:
certResolver: le
middlewares:
- authelia@docker
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Host: "cockpit.laniesplace.us"
X-Forwarded-Uri: "/"
X-Forwarded-For: "true"
```

Lanie Carmelo@caneandable.social

OP a year ago

@selfhost @selfhosting @selfhosted @linux traefik services.yml:

```
http:
services:
# Docker Services
homer:
loadBalancer:
servers:
- url: "http://homer:8080"

glances:
loadBalancer:
servers:
- url: "http://glances:61208"

uptime-kuma:
loadBalancer:
servers:
- url: "http://uptime-kuma:3001"

miniflux:
loadBalancer:
servers:
- url: "http://miniflux:8080"

pihole:
loadBalancer:
servers:
- url: "http://pihole:8088"

portainer:
loadBalancer:
servers:
- url: "http://portainer:9000"

linkding:
loadBalancer:
servers:
- url: "http://linkding:9090"

# Non-Docker Services
filebrowser:
loadBalancer:
servers:
- url: "http://127.0.0.1:8085"

netdata:
loadBalancer:
servers:
- url: "http://127.0.0.1:19999"

forgejo:
loadBalancer:
servers:
- url: "http://127.0.0.1:3000"

dokuwiki:
loadBalancer:
servers:
- url: "http://127.0.0.1:81"

cockpit:
loadBalancer:
servers:
- url: "http://127.0.0.1:9090"
```

Lanie Carmelo@caneandable.social

OP a year ago

@selfhost @selfhosting @selfhosted @linux traefik middlewares.yml:

```
http:
middlewares:
dashboard-auth:
basicAuth:
users:
- "admin:$apr1$t5/O0mIb$M6Mkxlqxmi2RRJHNL007Q1"
```

Lanie Carmelo@caneandable.social

OP a year ago

@selfhost @selfhosting @selfhosted @linux Authelia docker-compose.yml:

```
services:
authelia:
image: authelia/authelia:latest
container_name: authelia
volumes:
- ./config:/config
- ./logs:/var/log/authelia
networks:
- web
- authelia_internal
environment:
- TZ=America/Chicago
- AUTHELIA_JWT_SECRET_FILE=/config/secrets/jwt_secret
- AUTHELIA_SESSION_SECRET_FILE=/config/secrets/session_secret
- AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/config/secrets/storage_encryption_key
labels:
- "traefik.enable=true"
- "traefik.http.routers.authelia.rule=Host(`auth.laniesplace.us`)"
- "traefik.http.routers.authelia.entrypoints=websecure"
- "traefik.http.routers.authelia.tls.certresolver=le"
- "traefik.http.middlewares.authelia.forwardauth.authRequestHeaders=X-Forwarded-Proto,X-Forwarded-Host"
- "traefik.http.middlewares.authelia-basic.forwardauth.authResponseHeaders=Remote-User,Remote-Name,Remote-Email"
- "traefik.http.middlewares.authelia.forwardauth.tls.insecureSkipVerify=true"
- "traefik.http.services.authelia.loadbalancer.server.port=9091"
- "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=auth.laniesplace.us"
- "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
- "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"

restart: unless-stopped
security_opt:
- no-new-privileges:true
depends_on:
- redis
healthcheck:
test: ["CMD", "wget", "--no-check-certificate", "--quiet", "--tries=1", "--spider", "http://localhost:9091/api/health"]
interval: 30s
timeout: 10s
retries: 3
start_period: 60s

redis:
image: redis:alpine
container_name: authelia_redis
networks:
- authelia_internal
restart: unless-stopped
volumes:
- ./redis:/data
command: redis-server --save 60 1 --loglevel warning
healthcheck:
test: ["CMD", "redis-cli", "ping"]
interval: 30s
timeout: 10s
retries: 3
security_opt:
- no-new-privileges:true

networks:
web:
external: true
authelia_internal:
internal: true
```

Lanie Carmelo@caneandable.social

OP a year ago

@selfhost @selfhosting @selfhosted @linux Web services docker-compose.yml, includes Linkding:

```
services:
linkding:
image: sissbruecker/linkding:latest-plus
container_name: linkding
environment:
LD_ENABLE_AUTH_PROXY: "true"
LD_AUTH_PROXY_HEADER: "Remote-User"
LD_AUTH_PROXY_AUTO_LOGIN: "true"
LD_AUTH_PROXY_LOGOUT_URL: "auth.laniesplace.us/logout"
volumes:
- linkding_data:/etc/linkding/data
healthcheck:
test: ["CMD", "node", "-e", "const http = require('http'); const options = {host: 'localhost', port: 9090, path: '/', timeout: 2000}; const request = http.request(options, (res) => { process.exit([200, 302].includes(res.statusCode) ? 0 : 1)}); request.on('error', () => process.exit(1)); request.end()"]
interval: 30s
timeout: 10s
retries: 3
networks:
- web
labels:
- "traefik.enable=true"
- "traefik.http.routers.linkding.rule=Host(`bookmarks.laniesplace.us`)"
- "traefik.http.routers.linkding.entrypoints=websecure"
- "traefik.http.routers.linkding.tls.certresolver=le"
- "traefik.http.services.linkding.loadbalancer.server.port=9090"
- "traefik.http.routers.linkding.middlewares=authelia@docker"

volumes:
linkding_data:

networks:
web:
external: true

```

Hi # SelfHosted community

Insert image

Voting Options

React with an emoji

Hi # SelfHosted community

12 Comments