Hughlander
May 11, 2005

Jerk McJerkface posted:

Just a quick update. I ended up installing Traefik 2.1 with forward auth leveraging Google OAuth to protect all my containers. It's all working very well. I know maybe it's not the best to open up 443 to the world, but all the containers that matter are protected by OAuth. The ones that OAuth doesn't work with (like the calibre container that uses Guac) I just whitelist to local IPs only.

I think that it's a reasonable enough solution. Maybe I'm susceptible to DDoS, but that'd happen if I only had Ombi open anyways.

What I do, and it works with Guac, is add HTTP basic auth over HTTPS in nginx, before the reverse proxy.


cr0y
Mar 24, 2005



You could also deploy the openVPN appliance which simplifies all that poo poo. Not sure exactly what you are trying to achieve but it totally limits your external attack surface to a single port and supports MFA and all that jazz.

sedative
Mar 20, 2003

:allears:
Newshosting is on sale for $45.48 ($3.79 a month) https://controlpanel.newshosting.com/signup/index.php?promo=loving-u-senet

Super-NintendoUser
Jan 16, 2004

COWABUNGERDER COMPADRES
Soiled Meat

cr0y posted:

You could also deploy the openVPN appliance which simplifies all that poo poo. Not sure exactly what you are trying to achieve but it totally limits your external attack surface to a single port and supports MFA and all that jazz.

Yeah, the main thing is I need it to pass Mrs McJerkface's ease of use. Basically she needs access to LazyLibrarian and Ombi, so I just open them up with Google OAuth (also Ombi does a more secure auth itself). If she has to futz around with a VPN it'll be a pain.

priznat
Jul 7, 2009

Let's get drunk and kiss each other all night.

Yeah I was wondering about doing this, are they pretty good?

Would also need a good indexer. I’m just thinking about getting a nzb hooked into the sonarr/radarr on my unraid setup.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)

Jerk McJerkface posted:

Yeah, the main thing is I need it to pass Mrs McJerkface's ease of use. Basically she needs access to LazyLibrarian and Ombi, so I just open them up with Google OAuth (also Ombi does a more secure auth itself). If she has to futz around with a VPN it'll be a pain.

Legit shocked anyone's gotten LL working properly.

Rooted Vegetable
Jun 1, 2002

Jerk McJerkface posted:

Just a quick update. I ended up installing Traefik 2.1 with forward auth leveraging Google Oauth to protect all my containers.

Are there any guides etc. to doing that? I'm still on Traefik 1.x and would like to try out 2.x, especially if I can do exactly that. Sounds awesome.

sedative
Mar 20, 2003

:allears:

priznat posted:

Yeah I was wondering about doing this, are they pretty good?

Would also need a good indexer. I’m just thinking about getting a nzb hooked into the sonarr/radarr on my unraid setup.

They're fine. They have the longest retention but of course a bunch of old stuff has been removed because it wasn't obfuscated. I have Newshosting and almost never use any of my blocks, but that's due to using good indexers.


Frugal is giving away their service for free until the 16th and then "you will receive an email with a great price to continue on if you choose to" https://billing.frugalusenet.com/signup/freelove

They give you 2,000 days of retention plus access to a separate backbone on usenet.farm. You can get their service now for 40 bucks. Maybe their new deal will be even better.

Super-NintendoUser
Jan 16, 2004

COWABUNGERDER COMPADRES
Soiled Meat

Heners_UK posted:

Are there any guides etc. to doing that? I'm still on Traefik 1.x and would like to try out 2.x, especially if I can do exactly that. Sounds awesome.

I couldn't find a really good guide for v2, but this is a start. It gives you Traefik, the OAuth container, and then a sample app (just a webpage that gives you some words) that you can auth against. This protects the Traefik dashboard behind auth too.

code:
version: '3'
services:
  traefik:
    container_name: traefik
    env_file:
      - ./config/traefik/.godaddy.env
    image: "traefik:v2.1"
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --providers.docker=true
      - --api
      - --log.level=DEBUG
      - --certificatesresolvers.leresolver.acme.email=email@gmail.com
      - --certificatesresolvers.leresolver.acme.storage=/leresolver/acme.json
      - --certificatesresolvers.leresolver.acme.dnsChallenge=true
      - --certificatesresolvers.leresolver.acme.dnsChallenge.provider=godaddy
      - --certificatesresolvers.leresolver.acme.dnsChallenge.delayBeforeCheck=0
    labels:
      - traefik.enable=true
      - traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)
      - traefik.http.routers.http-catchall.entrypoints=web
      - traefik.http.routers.http-catchall.middlewares=redirect-to-https
      - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
      - traefik.http.routers.traefik-secure.entrypoints=websecure
      - traefik.http.routers.traefik-secure.rule=Host(`dashboard.domain.com`)
      - traefik.http.routers.traefik-secure.tls.certresolver=leresolver
      - traefik.http.routers.traefik-secure.service=api@internal
      - traefik.http.routers.traefik-secure.middlewares=oauth
      - traefik.http.middlewares.oauth.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.oauth.forwardauth.Address=http://oauth:4181
      - traefik.http.middlewares.oauth.forwardauth.authResponseHeaders=X-Forwarded-User,X-WebAuth-User
    ports:
      # publish the two entrypoints declared above (missing from the original snippet)
      - "80:80"
      - "443:443"
    volumes:
      # the docker provider needs the socket (read-only) to discover containers
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # acme.json must persist across restarts or certificates are re-issued every start
      - ./config/traefik/leresolver:/leresolver
  oauth:
    container_name: oauth
    image: thomseddon/traefik-forward-auth
    restart: always
    environment:
      # client id/secret come from the Google API console; SECRET signs the auth cookie
      - PROVIDERS_GOOGLE_CLIENT_ID=
      - PROVIDERS_GOOGLE_CLIENT_SECRET=
      - SECRET=
      - COOKIE_DOMAIN=domain.com
      - INSECURE_COOKIE=false
      - AUTH_HOST=oauth.domain.com
      - URL_PATH=/_oauth
      # emails to allow, comma separated
      - WHITELIST=first@example.com,second@example.com
      - LOG_LEVEL=debug
      - LOG_FORMAT=text
    labels:
      - traefik.enable=true
      - traefik.http.routers.oauth-secure.entrypoints=websecure
      - traefik.http.routers.oauth-secure.tls=true
      - traefik.http.routers.oauth-secure.rule=Host(`oauth.domain.com`)
      - traefik.http.routers.oauth-secure.tls.certresolver=leresolver
      - traefik.http.routers.oauth-secure.middlewares=oauth
      - traefik.http.middlewares.oauth.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.oauth.forwardauth.Address=http://oauth:4181
      - traefik.http.middlewares.oauth.forwardauth.authResponseHeaders=X-Forwarded-User,X-WebAuth-User
      - traefik.http.routers.oauth-secure.service=oauth-secure
      ## HTTP Services
      - traefik.http.services.oauth-secure.loadbalancer.server.port=4181
  my-app:
    image: containous/whoami:v1.3.0
    labels:
      - traefik.http.routers.my-app.rule=Host(`myapp.domain.com`)
      - traefik.http.routers.my-app.entrypoints=websecure
      - traefik.http.routers.my-app.tls.certresolver=leresolver
      - traefik.http.routers.my-app.middlewares=oauth
      - traefik.http.middlewares.oauth.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.oauth.forwardauth.Address=http://oauth:4181
      - traefik.http.middlewares.oauth.forwardauth.authResponseHeaders=X-Forwarded-User,X-WebAuth-User

You need to set up your OAuth with Google. This guy has a good guide for Traefik 1.7; it doesn't quite match 2.0, but it has all the Google stuff pretty well laid out. Tomorrow I'll have more time and I can elaborate some more.

https://www.smarthomebeginner.com/google-oauth-with-traefik-docker/

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)

Jerk McJerkface posted:

I couldn't find a really good guide for v2, but this is a start. It gives you Traefik, the OAuth container, and then a sample app (just a webpage that gives you some words) that you can auth against. This protects the Traefik dashboard behind auth too.

code:
version: '3'
services:
  traefik:
    container_name: traefik
    env_file:
      - ./config/traefik/.godaddy.env
    image: "traefik:v2.1"
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --providers.docker=true
      - --api
      - --log.level=DEBUG
      - --certificatesresolvers.leresolver.acme.email=email@gmail.com
      - --certificatesresolvers.leresolver.acme.storage=/leresolver/acme.json
      - --certificatesresolvers.leresolver.acme.dnsChallenge=true
      - --certificatesresolvers.leresolver.acme.dnsChallenge.provider=godaddy
      - --certificatesresolvers.leresolver.acme.dnsChallenge.delayBeforeCheck=0
    labels:
      - traefik.enable=true
      - traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)
      - traefik.http.routers.http-catchall.entrypoints=web
      - traefik.http.routers.http-catchall.middlewares=redirect-to-https
      - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
      - traefik.http.routers.traefik-secure.entrypoints=websecure
      - traefik.http.routers.traefik-secure.rule=Host(`dashboard.domain.com`)
      - traefik.http.routers.traefik-secure.tls.certresolver=leresolver
      - traefik.http.routers.traefik-secure.service=api@internal
      - traefik.http.routers.traefik-secure.middlewares=oauth
      - traefik.http.middlewares.oauth.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.oauth.forwardauth.Address=http://oauth:4181
      - traefik.http.middlewares.oauth.forwardauth.authResponseHeaders=X-Forwarded-User,X-WebAuth-User
    ports:
      # publish the two entrypoints declared above (missing from the original snippet)
      - "80:80"
      - "443:443"
    volumes:
      # the docker provider needs the socket (read-only) to discover containers
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # acme.json must persist across restarts or certificates are re-issued every start
      - ./config/traefik/leresolver:/leresolver
  oauth:
    container_name: oauth
    image: thomseddon/traefik-forward-auth
    restart: always
    environment:
      # client id/secret come from the Google API console; SECRET signs the auth cookie
      - PROVIDERS_GOOGLE_CLIENT_ID=
      - PROVIDERS_GOOGLE_CLIENT_SECRET=
      - SECRET=
      - COOKIE_DOMAIN=domain.com
      - INSECURE_COOKIE=false
      - AUTH_HOST=oauth.domain.com
      - URL_PATH=/_oauth
      # emails to allow, comma separated
      - WHITELIST=first@example.com,second@example.com
      - LOG_LEVEL=debug
      - LOG_FORMAT=text
    labels:
      - traefik.enable=true
      - traefik.http.routers.oauth-secure.entrypoints=websecure
      - traefik.http.routers.oauth-secure.tls=true
      - traefik.http.routers.oauth-secure.rule=Host(`oauth.domain.com`)
      - traefik.http.routers.oauth-secure.tls.certresolver=leresolver
      - traefik.http.routers.oauth-secure.middlewares=oauth
      - traefik.http.middlewares.oauth.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.oauth.forwardauth.Address=http://oauth:4181
      - traefik.http.middlewares.oauth.forwardauth.authResponseHeaders=X-Forwarded-User,X-WebAuth-User
      - traefik.http.routers.oauth-secure.service=oauth-secure
      ## HTTP Services
      - traefik.http.services.oauth-secure.loadbalancer.server.port=4181
  my-app:
    image: containous/whoami:v1.3.0
    labels:
      - traefik.http.routers.my-app.rule=Host(`myapp.domain.com`)
      - traefik.http.routers.my-app.entrypoints=websecure
      - traefik.http.routers.my-app.tls.certresolver=leresolver
      - traefik.http.routers.my-app.middlewares=oauth
      - traefik.http.middlewares.oauth.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.oauth.forwardauth.Address=http://oauth:4181
      - traefik.http.middlewares.oauth.forwardauth.authResponseHeaders=X-Forwarded-User,X-WebAuth-User

You need to set up your OAuth with Google. This guy has a good guide for Traefik 1.7; it doesn't quite match 2.0, but it has all the Google stuff pretty well laid out. Tomorrow I'll have more time and I can elaborate some more.

https://www.smarthomebeginner.com/google-oauth-with-traefik-docker/

I finally found something I don't like about Unraid. Doing all of this poo poo through the web interface is miserable.

disaster pastor
May 1, 2007


Matt Zerella posted:

Legit shocked anyone's gotten LL working properly.

This was almost word-for-word my reaction.

Super-NintendoUser
Jan 16, 2004

COWABUNGERDER COMPADRES
Soiled Meat

Matt Zerella posted:

Legit shocked anyone's gotten LL working properly.

:shrug:



I downloaded a 10000000 book scifi bundle, so don't judge me.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)

Jerk McJerkface posted:

:shrug:



I downloaded a 10000000 book scifi bundle, so don't judge me.

No judging. I've poked at it about 5 times and given up every single time and just manually search now. Between ebooks not having a decent naming standard and LL being insanely slow and obtuse I just gave up.

Super-NintendoUser
Jan 16, 2004

COWABUNGERDER COMPADRES
Soiled Meat
My docker stack:

Everything is served by a domain name, protected by Google OAuth. The only thing I can't get working is Calibre, which is embedded in Guac, but I can get to it on the direct ports if I have to.

That Works
Jul 22, 2006

Every revolution evaporates and leaves behind only the slime of a new bureaucracy


Decairn posted:

Download the tag "preview" to get v3

So uh, I am unclear on what this means / how to do this. I have linuxserver sonarr docker installed on my unraid server and googling around doesn't seem to really provide instructions on where / how to download or change tags to preview etc.

Closest thing I found was in the Sonarr v2 UI to go to settings/general/ and in the list at the bottom under "Updates" there's a field titled "Branch". I changed this text to 'preview' and restarted / checked for updates but it's still just v2. Sorry to bother but am just kinda stuck on how to update this.

BeastOfExmoor
Aug 19, 2003

I will be gone, but not forever.

That Works posted:

So uh, I am unclear on what this means / how to do this. I have linuxserver sonarr docker installed on my unraid server and googling around doesn't seem to really provide instructions on where / how to download or change tags to preview etc.

Closest thing I found was in the Sonarr v2 UI to go to settings/general/ and in the list at the bottom under "Updates" there's a field titled "Branch". I changed this text to 'preview' and restarted / checked for updates but it's still just v2. Sorry to bother but am just kinda stuck on how to update this.

It has to happen when you create the docker image. They make it really difficult to figure out what to change to get v3, but here is a portion of my docker-compose YML file that shows adding ":preview" to the end of the image name. Presumably the "tag" is added in a similar way if you're creating from the command line.

code:
  sonarr:
    image: linuxserver/sonarr:preview
    container_name: sonarr

Nullset
Apr 21, 2010

In the Unraid webui, go to the Docker tab, click the Sonarr icon then Edit. Add :preview to the end of the Repository entry.

Super-NintendoUser
Jan 16, 2004

COWABUNGERDER COMPADRES
Soiled Meat

Jerk McJerkface posted:

Everything is served by a domain name, protected by Google OAuth. The only thing I can't get working is Calibre, which is embedded in Guac, but I can get to it on the direct ports if I have to.

Docker update: I got it all working. If anyone wants my docker file I'll post it; I'm going through it now and sanitizing it (putting passwords in a secret file etc.).

Jesse Iceberg
Jan 7, 2012

Jerk McJerkface posted:

Docker update: I got it all working. If anyone wants my docker file I'll post it; I'm going through it now and sanitizing it (putting passwords in a secret file etc.).

Yeah, if you could post the sanitised Docker compose file that'd be awesome.

I've been using the jwilder Nginx reverse proxy approach for a while, and slapping client cert auth in front for some additional protection, but this Traefik + Oauth2 + 2FA new hotness is looking better.

That Works
Jul 22, 2006

Every revolution evaporates and leaves behind only the slime of a new bureaucracy


Nullset posted:

In the Unraid webui, go to the Docker tab, click the Sonarr icon then Edit. Add :preview to the end of the Repository entry.



Thank you! Jesus I looked all over before coming back here to ask.

E: I was getting messed up also because I was using the binhex-sonarr image and when I 1st tried to do this it ruined it.

That Works fucked around with this message at 13:53 on Feb 15, 2020

Super-NintendoUser
Jan 16, 2004

COWABUNGERDER COMPADRES
Soiled Meat

Jesse Iceberg posted:

Yeah, if you could post the sanitised Docker compose file that'd be awesome.

I've been using the jwilder Nginx reverse proxy approach for a while, and slapping client cert auth in front for some additional protection, but this Traefik + Oauth2 + 2FA new hotness is looking better.

I'm traveling at the moment, but it's really cool. The best part is that I can have 443 open so I can reach it all publicly, but everything is protected by a secure auth. Most of the apps like Sonarr and Radarr have logins but can probably easily get hacked, so I like the layers. A couple of my own apps that I run have a whitelist in front of them so they're only reachable from internal IPs.

Super-NintendoUser
Jan 16, 2004

COWABUNGERDER COMPADRES
Soiled Meat
I am having a weird issue. I set up an A record for *.domain.com to point to my IP in GoDaddy, but none of the subdomains resolve unless I add a specific CNAME for each. Strange.

Former Human
Oct 15, 2001

Is there a master list anywhere of what newsservices carry which groups? Giganews has a search feature on their website but lol if you pay for Giganews. Astraweb had a feature like this on their site too but I'm pretty sure it was fake because you could type in any nonsense and it would come back "yes we carry it."

cr0y
Mar 24, 2005



If I already have a full fledged sab/sonarr/radarr/nzbhydra/indexers setup and running does spotnet add any additional value?

Volguus
Mar 3, 2009

cr0y posted:

If I already have a full fledged sab/sonarr/radarr/nzbhydra/indexers setup and running does spotnet add any additional value?

Eh, don't think so. I installed mine after a very popular indexer went offline about 10 years or so ago and I was basically left with nothing for a while. I used to use it a lot until I got myself some better indexers. Nowadays, not so much. I have it still running though and occasionally nzbhydra grabs from it.

Fano
Oct 20, 2010
I'm getting a lot more failures after switching from NewsHosting to NewsDemon + BulkNews, I also messed with my profiles a bunch to prefer x265 and x264 over everything else.

I wonder if it's related to profiles or if NewsDemon is just a shittier provider.

Tea Bone
Feb 18, 2011

I'm going for gasps.
Is there a setting in NZBGet to just leave failed downloads inside the intermediate directory rather than delete them?

I had a bunch of movies fail overnight during unpacking as the media drive wasn't available, and they're nowhere to be found this morning. I'm sure I had it set on my old server so that when this happened I could just go in and manually move them to the correct directory?

Henrik Zetterberg
Dec 7, 2007

I thought having Radarr automatically upgrade my 1080p stuff to 4K was rad as hell until I realized that my 10ish yo Ivy Bridge Plex server PC couldn’t keep up with transcoding them from 4K -> 1080p for my smaller tv without tons of buffering. gently caress.

sedative
Mar 20, 2003

:allears:

Fano posted:

I'm getting a lot more failures after switching from NewsHosting to NewsDemon + BulkNews, I also messed with my profiles a bunch to prefer x265 and x264 over everything else.

I wonder if it's related to profiles or if NewsDemon is just a shittier provider.

NewsDemon just resells Newshosting's service, so it shouldn't be that. You're getting the same files from the same servers.

Incessant Excess
Aug 15, 2005

Cause of glitch:
Pretentiousness

Henrik Zetterberg posted:

I thought having Radarr automatically upgrade my 1080p stuff to 4K was rad as hell until I realized that my 10ish yo Ivy Bridge Plex server PC couldn’t keep up with transcoding them from 4K -> 1080p for my smaller tv without tons of buffering. gently caress.

You might want to try Plex pass for a month, it allows for hardware accelerated transcoding which should make those 4k files playable.

Vykk.Draygo
Jan 17, 2004

I say salesmen and women of the world unite!

Incessant Excess posted:

You might want to try Plex pass for a month, it allows for hardware accelerated transcoding which should make those 4k files playable.

This made me check to see how Emby handles hardware transcoding, and they require a paid subscription too! Wild that everyone makes you pay for hardware transcoding even locally.

Super-NintendoUser
Jan 16, 2004

COWABUNGERDER COMPADRES
Soiled Meat
As mentioned before, here is my sanitized docker file. Very little of it is in external config files yet; I'm starting to break it off and do it that way instead, but this is fully functioning.

code:

version: '3'
services:
  heimdall:
    image: linuxserver/heimdall
    container_name: heimdall
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
    ports:
      - 8980:80
      - 8443:443
    volumes:
      - ./config/heimdall:/config
    restart: unless-stopped
    labels:
      - traefik.enable=true
      - traefik.http.routers.heimdall.rule=Host(`heimdall.yourdomain.com`)
      - traefik.http.routers.heimdall.entrypoints=websecure
      - traefik.http.routers.heimdall.tls.certresolver=leresolver
      - traefik.http.routers.heimdall.middlewares=oauth
      - traefik.http.middlewares.oauth.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.oauth.forwardauth.Address=http://oauth:4181
      - traefik.http.middlewares.oauth.forwardauth.authResponseHeaders=X-Forwarded-User,X-WebAuth-User
    networks:
      usenet:
      backend:
  traefik:
    container_name: traefik 
    env_file:
       # file contains Godaddy API keys
       - ./config/traefik/.godaddy.env
    image: "traefik:v2.1"       
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --providers.docker=true
      - --api
      - --log.level=DEBUG
      - --certificatesresolvers.leresolver.acme.email=your.email@email.com
      - --certificatesresolvers.leresolver.acme.storage=/leresolver/acme.json
      - --certificatesresolvers.leresolver.acme.dnsChallenge=true
      - --certificatesresolvers.leresolver.acme.dnsChallenge.provider=godaddy
      - --certificatesresolvers.leresolver.acme.dnsChallenge.delayBeforeCheck=0
      # Traefik will not verify the TLS certificates of HTTPS backends (self-signed container certs)
      - --serverstransport.insecureskipverify=true
    labels:
      - traefik.enable=true
      - traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)
      - traefik.http.routers.http-catchall.entrypoints=web
      - traefik.http.routers.http-catchall.middlewares=redirect-to-https
      - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
      - traefik.http.routers.traefik-secure.entrypoints=websecure
      - traefik.http.routers.traefik-secure.rule=Host(`dashboard.yourdomain.com`)
      - traefik.http.routers.traefik-secure.tls.certresolver=leresolver
      - traefik.http.routers.traefik-secure.service=api@internal
      - traefik.http.routers.traefik-secure.middlewares=oauth
      - traefik.http.middlewares.oauth.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.oauth.forwardauth.Address=http://oauth:4181
      - traefik.http.middlewares.oauth.forwardauth.authResponseHeaders=X-Forwarded-User,X-WebAuth-User
    ports:
      - "443:443"
      - "80:80"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config/traefik/leresolver:/leresolver
    networks:
      usenet:
      backend:
        aliases:
          - traefik-app
  oauth:
    container_name: oauth
    image: thomseddon/traefik-forward-auth
    restart: always
    environment:
      # next three come from google's API auth setup
      - PROVIDERS_GOOGLE_CLIENT_ID=asdfasdfasdf
      - PROVIDERS_GOOGLE_CLIENT_SECRET=Rasdfasdfasdf
      - SECRET=zsdfasdfasdfasdf                  
      - COOKIE_DOMAIN=yourdomain.com
      - INSECURE_COOKIE=false
      - AUTH_HOST=oauth.yourdomain.com
      - URL_PATH=/_oauth
      # list of emails that can pass google auth login
      - WHITELIST=your.email@email.com,other.email@allowed.com
      - LOG_LEVEL=debug
      - LOG_FORMAT=text
    labels:
      - traefik.enable=true
      - traefik.http.routers.oauth-secure.entrypoints=websecure
      - traefik.http.routers.oauth-secure.tls=true
      - traefik.http.routers.oauth-secure.rule=Host(`oauth.yourdomain.com`)
      - traefik.http.routers.oauth-secure.tls.certresolver=leresolver
      - traefik.http.routers.oauth-secure.middlewares=oauth
      - traefik.http.middlewares.oauth.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.oauth.forwardauth.Address=http://oauth:4181
      - traefik.http.middlewares.oauth.forwardauth.authResponseHeaders=X-Forwarded-User,X-WebAuth-User
      - traefik.http.routers.oauth-secure.service=oauth-secure
      ## HTTP Services
      - traefik.http.services.oauth-secure.loadbalancer.server.port=4181
    networks:
      usenet:
      backend:
  my-app:
    # simple app used for testing, just returns some computer information
    image: containous/whoami:v1.3.0
    container_name: my-app
    labels:
      - traefik.http.routers.my-app.rule=Host(`myapp.yourdomain.com`)
      - traefik.http.routers.my-app.entrypoints=websecure
      - traefik.http.routers.my-app.tls.certresolver=leresolver
      - traefik.http.routers.my-app.middlewares=oauth
      - traefik.http.middlewares.oauth.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.oauth.forwardauth.Address=http://oauth:4181
      - traefik.http.middlewares.oauth.forwardauth.authResponseHeaders=X-Forwarded-User,X-WebAuth-User
    networks:
      backend:
  plex:
    image: linuxserver/plex
    container_name: plex
    network_mode: host
    environment:
      - PUID=1000
      - PGID=1000
      - VERSION=docker
      - UMASK_SET=022 #optional
      - PLEX_CLAIM=claim-xxxxxxxxxxx #optional
    volumes:
      - /mnt/vault/docker/config/plexmediaserver:/config
      - /mnt/vault/Shares/media:/media
    restart: unless-stopped
  ddclient:
    image: linuxserver/ddclient
    container_name: ddclient
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
    volumes:
      - /mnt/vault/docker/config/ddclient:/config
    restart: unless-stopped  
  calibre:
    image: linuxserver/calibre
    container_name: calibre
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
      - GUAC_USER=user #optional
      - GUAC_PASS=dddddddddddddddddddddddddddddddd #optional
    volumes:
      - /mnt/vault/Shares/media/Books:/config
      - /mnt/vault/Shares/sabnzbd/downloads:/downloads
    ports:
      - 8180:8080
      - 8181:8081
    restart: unless-stopped
    labels:
      - traefik.enable=true
      - traefik.http.routers.calibre.entrypoints=websecure
      - traefik.http.routers.calibre.tls=true
      - traefik.http.routers.calibre.rule=Host(`calibre.yourdomain.com`)
      - traefik.http.routers.calibre.tls.certresolver=leresolver
      - traefik.http.services.calibre.loadbalancer.server.port=8080
      - traefik.http.routers.calibre.middlewares=oauth
      - traefik.http.middlewares.oauth.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.oauth.forwardauth.Address=http://oauth:4181
      - traefik.http.middlewares.oauth.forwardauth.authResponseHeaders=X-Forwarded-User,X-WebAuth-User
    networks:
      usenet:
        aliases:
          - calibre-app
  calibre-web:
    image: linuxserver/calibre-web
    container_name: calibre-web
    ports:
      # calibre-web listens on 8083 inside the container (same port the traefik service label uses)
      - 8083:8083
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
      - DOCKER_MODS=linuxserver/calibre-web:calibre
    labels:
      - traefik.enable=true
      - traefik.http.routers.calibre-web.entrypoints=websecure
      - traefik.http.routers.calibre-web.tls=true
      - traefik.http.routers.calibre-web.rule=Host(`books.yourdomain.com`)
      - traefik.http.routers.calibre-web.tls.certresolver=leresolver
      - traefik.http.services.calibre-web.loadbalancer.server.port=8083
      - traefik.http.routers.calibre-web.middlewares=oauth
      - traefik.http.middlewares.oauth.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.oauth.forwardauth.Address=http://oauth:4181
      - traefik.http.middlewares.oauth.forwardauth.authResponseHeaders=X-Forwarded-User,X-WebAuth-User
    volumes:
      - /mnt/vault/docker/config/calibre-web:/config
      - /mnt/vault/Shares/media/Books:/books  
    restart: unless-stopped
    networks:
      usenet:
        aliases:
          - calibre-web-app
  locatebot:                      
    # my own custom app, don't worry about it
    build: /mnt/vault/bots/locatebot   
    restart: unless-stopped
    container_name: locatebot       
    labels:
      - traefik.http.routers.locatebot.rule=Host(`locatebot.yourdomain.com`)
      - traefik.http.services.locatebot.loadbalancer.server.port=5000
      - traefik.http.routers.locatebot.entrypoints=websecure
      - traefik.http.routers.locatebot.tls.certresolver=leresolver
      - traefik.http.routers.locatebot.middlewares=whitelist
      # doesn't support oauth, so it's locked down by IP
      - traefik.http.middlewares.whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 10.0.0.0/24
    environment:
      - CONFIGDIR=/config
      - LOGDIR=/logfiles
    volumes:
      - /mnt/vault/docker/config/locatebot/config:/config
      - /mnt/vault/docker/config/locatebot/logfiles:/logfiles
      - /mnt/vault/bots/locatebot/resources/needles:/app/needles
      - /mnt/vault/bots/locatebot/resources/code:/app/code    
    networks:                     
      backend:
  lazylibrarian:
    image: linuxserver/lazylibrarian
    container_name: lazylibrarian
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
      - DOCKER_MODS=linuxserver/calibre-web:calibre #optional
    volumes:
      - ./config/lazylibrarian:/config
      - /mnt/vault/Shares/sabnzbd/downloads/books:/downloads
      - /mnt/vault/Shares/media/Books:/books
    labels:
      - traefik.enable=true
      - traefik.http.routers.lazylibrarian.entrypoints=websecure
      - traefik.http.routers.lazylibrarian.tls=true
      - traefik.http.routers.lazylibrarian.rule=Host(`lazylibrarian.yourdomain.com`)
      - traefik.http.routers.lazylibrarian.tls.certresolver=leresolver
      - traefik.http.services.lazylibrarian.loadbalancer.server.port=5299
      - traefik.http.routers.lazylibrarian.middlewares=oauth
      - traefik.http.middlewares.oauth.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.oauth.forwardauth.Address=http://oauth:4181
      - traefik.http.middlewares.oauth.forwardauth.authResponseHeaders=X-Forwarded-User,X-WebAuth-User    
    ports:
      - 5299:5299
    restart: unless-stopped
    networks:
      usenet:
        aliases:
          - lazylibrarian-app
  nzbhydra2:
    image: linuxserver/hydra2
    container_name: nzbhydra2
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
    volumes:
      - ./config/nzbhydra2:/config
      - /mnt/vault/Shares/newz/downloads:/downloads
    ports:
      - 5076:5076
    labels:
      - traefik.enable=true
      - traefik.http.routers.nzbhydra2.entrypoints=websecure
      - traefik.http.routers.nzbhydra2.tls=true
      - traefik.http.routers.nzbhydra2.rule=Host(`nzbhydra2.yourdomain.com`)
      - traefik.http.routers.nzbhydra2.tls.certresolver=leresolver
      - traefik.http.services.nzbhydra2.loadbalancer.server.port=5076
      - traefik.http.routers.nzbhydra2.middlewares=oauth
      - traefik.http.middlewares.oauth.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.oauth.forwardauth.Address=http://oauth:4181
      - traefik.http.middlewares.oauth.forwardauth.authResponseHeaders=X-Forwarded-User,X-WebAuth-User 
    restart: unless-stopped
    networks:
      usenet:
        aliases:
          - hydra2-app   
  jackett:
    image: linuxserver/jackett
    container_name: jackett
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
    labels:
      - traefik.enable=true
      - traefik.http.routers.jackett.entrypoints=websecure
      - traefik.http.routers.jackett.tls=true
      - traefik.http.routers.jackett.rule=Host(`jackett.yourdomain.com`)
      - traefik.http.routers.jackett.tls.certresolver=leresolver
      - traefik.http.services.jackett.loadbalancer.server.port=9117
      - traefik.http.routers.jackett.middlewares=oauth
      - traefik.http.middlewares.oauth.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.oauth.forwardauth.Address=http://oauth:4181
      - traefik.http.middlewares.oauth.forwardauth.authResponseHeaders=X-Forwarded-User,X-WebAuth-User    
    volumes:
      - ./config/jackett:/config
      - /mnt/vault/Shares/jackett/downloads:/downloads
    ports:
      - 9117:9117
    restart: unless-stopped
    networks:
      usenet:
        aliases:
          - jackett-app
  ombi:
    image: linuxserver/ombi
    container_name: ombi
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
    volumes:
      - ./config/ombi:/config
    ports:
      - 3579:3579
    restart: unless-stopped
    labels:
      - traefik.enable=true
      - traefik.http.routers.ombi.entrypoints=websecure
      - traefik.http.routers.ombi.tls=true
      - traefik.http.routers.ombi.rule=Host(`ombi.yourdomain.com`)
      - traefik.http.routers.ombi.tls.certresolver=leresolver
      - traefik.http.services.ombi.loadbalancer.server.port=3579
      - traefik.http.routers.ombi.middlewares=oauth
      - traefik.http.middlewares.oauth.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.oauth.forwardauth.Address=http://oauth:4181
      - traefik.http.middlewares.oauth.forwardauth.authResponseHeaders=X-Forwarded-User,X-WebAuth-User        
    networks:
      usenet:
        aliases:
          - ombi-app   
  portainer:
    image: portainer/portainer
    restart: always
    container_name: portainer
    ports:
      - 9000:9000
    command: -H unix:///var/run/docker.sock
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./config/portainer:/data
    labels:
      - traefik.enable=true
      - traefik.http.routers.portainer.entrypoints=websecure
      - traefik.http.routers.portainer.tls=true
      - traefik.http.routers.portainer.rule=Host(`portainer.yourdomain.com`)
      - traefik.http.routers.portainer.tls.certresolver=leresolver
      - traefik.http.services.portainer.loadbalancer.server.port=9000
      - traefik.http.routers.portainer.middlewares=oauth
      - traefik.http.middlewares.oauth.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.oauth.forwardauth.Address=http://oauth:4181
      - traefik.http.middlewares.oauth.forwardauth.authResponseHeaders=X-Forwarded-User,X-WebAuth-User          
    networks:
      backend:
      usenet:  
  radarr:
    image: linuxserver/radarr
    container_name: radarr
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
      - UMASK_SET=022 #optional
    volumes:
      - ./config/radarr:/config
      - /mnt/vault/Shares/media/movies:/movies
      - /mnt/vault/Shares/sabnzbd/downloads:/downloads
    ports:
      - 7878:7878
    labels:
      - traefik.enable=true
      - traefik.http.routers.radarr.entrypoints=websecure
      - traefik.http.routers.radarr.tls=true
      - traefik.http.routers.radarr.rule=Host(`radarr.yourdomain.com`)
      - traefik.http.routers.radarr.tls.certresolver=leresolver
      - traefik.http.services.radarr.loadbalancer.server.port=7878
      - traefik.http.routers.radarr.middlewares=oauth
      - traefik.http.middlewares.oauth.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.oauth.forwardauth.Address=http://oauth:4181
      - traefik.http.middlewares.oauth.forwardauth.authResponseHeaders=X-Forwarded-User,X-WebAuth-User          
    restart: unless-stopped
    networks:
      usenet:
        aliases:
          - radarr-app
  sabnzbd:
    image: linuxserver/sabnzbd
    container_name: sabnzbd
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
    volumes:
      - ./config/sabnzbd:/config
      - /mnt/vault/Shares/alts:/alts
      - /mnt/vault/Shares/sabnzbd/downloads:/downloads
      - /mnt/vault/Shares/sabnzbd/incomplete-downloads:/incomplete-downloads
    labels:
      - traefik.enable=true
      - traefik.http.routers.sabnzbd.entrypoints=websecure
      - traefik.http.routers.sabnzbd.tls=true
      - traefik.http.routers.sabnzbd.rule=Host(`sabnzbd.yourdomain.com`)
      - traefik.http.routers.sabnzbd.tls.certresolver=leresolver
      - traefik.http.services.sabnzbd.loadbalancer.server.port=8080
      - traefik.http.routers.sabnzbd.middlewares=oauth
      - traefik.http.middlewares.oauth.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.oauth.forwardauth.Address=http://oauth:4181
      - traefik.http.middlewares.oauth.forwardauth.authResponseHeaders=X-Forwarded-User,X-WebAuth-User          
    restart: unless-stopped
    networks:
      usenet:
        aliases:
          - sabnzbd-app
  sonarr:
    image: linuxserver/sonarr
    container_name: sonarr
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
      - UMASK_SET=022 #optional
    volumes:
      - ./config/sonarr:/config
      - /mnt/vault/Shares/media/tv:/tv
      - /mnt/vault/Shares/media/tv.backup:/tv.backup
      - /mnt/vault/Shares/media/tv_old:/tv_old
      - /mnt/vault/Shares/sabnzbd/downloads:/downloads
    restart: unless-stopped
    labels:
      - traefik.enable=true
      - traefik.http.routers.sonarr.entrypoints=websecure
      - traefik.http.routers.sonarr.tls=true
      - traefik.http.routers.sonarr.rule=Host(`sonarr.yourdomain.com`)
      - traefik.http.routers.sonarr.tls.certresolver=leresolver
      - traefik.http.services.sonarr.loadbalancer.server.port=8989
      - traefik.http.routers.sonarr.middlewares=oauth
      - traefik.http.middlewares.oauth.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.oauth.forwardauth.Address=http://oauth:4181
      - traefik.http.middlewares.oauth.forwardauth.authResponseHeaders=X-Forwarded-User,X-WebAuth-User          
    networks:
      usenet:
        aliases:
          - sonarr-app
  transmission:
    image: linuxserver/transmission
    container_name: transmission
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
      - TRANSMISSION_WEB_HOME=/transmission-web-control/
      - USER=admin
      - PASS=buckethead
    volumes:
      - ./config/transmission/config:/config
      - ./config/transmission/watch:/watch
      - /mnt/vault/Shares/alts:/downloads
      - /mnt/vault/Shares/media:/media
    ports:
      - 9091:9091
      - 51413:51413
      - 51413:51413/udp
    restart: unless-stopped
    labels:
      - traefik.enable=true
      - traefik.http.routers.transmission.entrypoints=websecure
      - traefik.http.routers.transmission.tls=true
      - traefik.http.routers.transmission.rule=Host(`transmission.yourdomain.com`)
      - traefik.http.routers.transmission.tls.certresolver=leresolver
      - traefik.http.services.transmission.loadbalancer.server.port=9091
      - traefik.http.routers.transmission.middlewares=oauth
      - traefik.http.middlewares.oauth.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.oauth.forwardauth.Address=http://oauth:4181
      - traefik.http.middlewares.oauth.forwardauth.authResponseHeaders=X-Forwarded-User,X-WebAuth-User          
    networks:
      usenet:
        aliases:
          - transmission-app
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      - 53:53/tcp
      - 53:53/udp
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
      - WEBPASSWORD=
    volumes:
      - ./config/pihole/etc-pihole/:/etc/pihole/
      - ./config/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/
    dns:
      - 127.0.0.1
      - 1.1.1.1
    restart: unless-stopped
    labels:
      - traefik.enable=true
      - traefik.http.routers.pihole.entrypoints=websecure
      - traefik.http.routers.pihole.tls=true
      - traefik.http.routers.pihole.rule=Host(`pihole.yourdomain.com`)
      - traefik.http.routers.pihole.tls.certresolver=leresolver
      - traefik.http.services.pihole.loadbalancer.server.port=80
      - traefik.http.routers.pihole.middlewares=oauth
      - traefik.http.middlewares.oauth.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.oauth.forwardauth.Address=http://oauth:4181
      - traefik.http.middlewares.oauth.forwardauth.authResponseHeaders=X-Forwarded-User,X-WebAuth-User          
    networks:
      backend:
        aliases:
          - pihole-app
networks:      
  backend:
  usenet:
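
An added check, not part of the original post and not a tool from the stack above. The compose file attaches the `oauth` forward-auth middleware to every router, but most services also carry a `ports:` mapping (`9000:9000` on portainer, which holds the docker socket; `7878:7878` on radarr; `9091:9091` on transmission, and so on). A short-syntax mapping with no address binds on every host interface, so anything that can reach the host on that port talks to the app directly and never passes through Traefik or the Google challenge. Behind a NAT that only forwards 80 and 443 this is LAN-wide exposure; on a host with a public address it is a complete bypass. The script below lints a compose `services` mapping for that, and for Traefik-enabled routers with no auth-type middleware attached. The sample services are a constructed dict shaped like the stack above (hostnames under `example.com` are placeholders); a real file can be loaded with `yaml.safe_load(...)["services"]` and passed to `audit()`.

```python
"""Lint a Traefik-fronted docker-compose stack for auth bypasses (added example)."""
import ipaddress

# Traefik middleware kinds that gate access; headers/compress/etc. do not.
AUTH_KINDS = {"forwardauth", "ipwhitelist", "basicauth", "digestauth"}


def parse_labels(labels):
    """Compose "key=value" labels -> dict. Traefik label keys are case-insensitive."""
    out = {}
    for item in labels or []:
        key, sep, value = item.partition("=")
        if sep:
            out[key.strip().lower()] = value.strip()
    return out


def middleware_kinds(all_labels):
    """Middleware name -> kind. Traefik's docker provider merges labels from every
    container, so a middleware defined on one service may be referenced by another."""
    kinds = {}
    for labels in all_labels:
        for key in labels:
            parts = key.split(".")
            if len(parts) >= 5 and parts[:3] == ["traefik", "http", "middlewares"]:
                kinds[parts[3]] = parts[4]
    return kinds


def parse_port(spec):
    """Compose short-syntax port mapping -> (host_ip, host_port, container_port, proto).
    "9000:9000" binds on all interfaces; "127.0.0.1:9091:9091" on loopback only."""
    spec, proto = (str(spec).split("/", 1) + ["tcp"])[:2]
    parts = spec.split(":")
    if len(parts) == 3:
        host_ip, host_port, cport = parts
    elif len(parts) == 2:
        host_ip, host_port, cport = "0.0.0.0", parts[0], parts[1]
    else:
        host_ip, host_port, cport = "0.0.0.0", parts[0], parts[0]
    return host_ip, host_port, cport, proto


def is_public_bind(host_ip):
    """True when the bind address is reachable from beyond loopback."""
    try:
        return not ipaddress.ip_address(host_ip).is_loopback
    except ValueError:
        return True  # unparsable: treat as exposed


def audit(services):
    """Return a list of findings for a compose `services` mapping."""
    findings = []
    per_service = {n: parse_labels(s.get("labels")) for n, s in services.items()}
    kinds = middleware_kinds(per_service.values())
    for name, svc in services.items():
        labels = per_service[name]
        if labels.get("traefik.enable") != "true":
            continue
        routers = {k.split(".")[3] for k in labels if k.startswith("traefik.http.routers.")}
        protected = False
        for router in sorted(routers):
            refs = labels.get(f"traefik.http.routers.{router}.middlewares", "")
            attached = [m.strip().split("@")[0] for m in refs.split(",") if m.strip()]
            if any(kinds.get(m) in AUTH_KINDS for m in attached):
                protected = True
            else:
                findings.append(f"{name}: router '{router}' has no auth middleware attached")
        # Only the port Traefik proxies to matters; peer/data ports such as 51413 are fine.
        backend_ports = {v for k, v in labels.items()
                         if k.startswith("traefik.http.services.")
                         and k.endswith(".loadbalancer.server.port")}
        for spec in svc.get("ports", []):
            host_ip, host_port, cport, proto = parse_port(spec)
            if protected and proto == "tcp" and cport in backend_ports and is_public_bind(host_ip):
                findings.append(f"{name}: port {cport} is published on {host_ip}:{host_port}, "
                                f"bypassing the auth middleware; bind to 127.0.0.1 or drop it")
    return findings


# Constructed sample, shaped like the stack in the post above.
SAMPLE_SERVICES = {
    "portainer": {"ports": ["9000:9000"], "labels": [
        "traefik.enable=true",
        "traefik.http.routers.portainer.rule=Host(`portainer.example.com`)",
        "traefik.http.services.portainer.loadbalancer.server.port=9000",
        "traefik.http.routers.portainer.middlewares=oauth",
        "traefik.http.middlewares.oauth.forwardauth.Address=http://oauth:4181"]},
    "transmission": {"ports": ["127.0.0.1:9091:9091", "51413:51413", "51413:51413/udp"], "labels": [
        "traefik.enable=true",
        "traefik.http.routers.transmission.rule=Host(`transmission.example.com`)",
        "traefik.http.services.transmission.loadbalancer.server.port=9091",
        "traefik.http.routers.transmission.middlewares=oauth"]},  # oauth defined on portainer
    "locatebot": {"labels": [
        "traefik.enable=true",
        "traefik.http.routers.locatebot.rule=Host(`locatebot.example.com`)",
        "traefik.http.routers.locatebot.middlewares=whitelist",
        "traefik.http.middlewares.whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 10.0.0.0/24"]},
    "heimdall": {"labels": [
        "traefik.enable=true",
        "traefik.http.routers.heimdall.rule=Host(`heimdall.example.com`)",
        "traefik.http.services.heimdall.loadbalancer.server.port=80"]},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_SERVICES):
        print(finding)
```

On the sample, portainer is flagged for the all-interfaces `9000:9000` and heimdall for having no auth middleware; transmission passes because its web port is bound to loopback and 51413 is not the port Traefik proxies to, and locatebot passes on its IP whitelist. For a service that must stay reachable on the LAN without OAuth, the fix that keeps the intent is `127.0.0.1:PORT:PORT` (host-only) or removing the mapping and relying on the `backend`/`usenet` docker networks, which the compose already defines.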

Billa
Jul 12, 2005

The Emperor protects.

Jerk McJerkface posted:

As mentioned before, here is my sanitized docker file. Very little of it is in external config files, but I'm starting to break it off and do it that way instead, but this is fully functioning.

What's this for if you don't mind me asking?

Super-NintendoUser
Jan 16, 2004

COWABUNGERDER COMPADRES
Soiled Meat

Billa posted:

What's this for if you don't mind me asking?

So it's a full stack for all these apps, self-explanatory if you are in this thread. I can give more details if someone wants:
container_name: heimdall
container_name: traefik
container_name: plex
container_name: ddclient
container_name: calibre
container_name: calibre-web
container_name: lazylibrarian
container_name: nzbhydra2
container_name: jackett
container_name: ombi
container_name: portainer
container_name: radarr
container_name: sabnzbd
container_name: sonarr
container_name: transmission
container_name: pihole
It also includes these:
container_name: oauth
container_name: traefik

Traefik is basically the coolest thing ever. It's a fully functional reverse proxy (think NGINX) that is docker aware and basically hooks into the docker config to automatically make rules based on the labels applied to containers. Every single site I serve is https with Let's Encrypt, and also has OAuth configured with Google MFA. I have 443 and 80 open, but if you go to any of my sites, you get a Google auth challenge, and I have a whitelist configured for gmail addresses to allow in.

These two apps:
container_name: my-app
container_name: locatebot
Aren't important for the stack; my-app is a simple app just used for testing the setup, and locatebot is a personal project I'm using to learn python and how to make my own docker applications. However, it's also protected by a whitelist since it is technically exposed.
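
The forward-auth exchange described above, as an added example (not the traefik-forward-auth project's code, and not from the post). Traefik's forwardAuth middleware sends each incoming request's headers, including `Cookie` and the `X-Forwarded-Proto/Host/Uri` it adds, to the configured address (`http://oauth:4181` in the compose labels). A 2xx reply lets the request through and copies the headers named in `authResponseHeaders` (`X-Forwarded-User`, `X-WebAuth-User`) onto the backend request; any other status is returned to the browser as-is, which is how the redirect to Google's login page reaches the user. The code below implements that decision: a valid HMAC-signed session cookie whose e-mail is on the whitelist passes, a valid cookie for an address not on the list gets 401, and no or bad cookie gets a 307 to the provider with a CSRF nonce bound to the return URL. `CLIENT_ID`, `REDIRECT_URI`, the cookie names and the whitelist entry are placeholders, `SECRET` is generated per process here and would be persisted in a real deployment, and the `/_oauth` callback that exchanges Google's code for the e-mail and then calls `make_cookie()` is left out.

```python
"""Decision logic of a Traefik forwardAuth endpoint with an e-mail whitelist (added example)."""
import hashlib
import hmac
import secrets
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlencode

AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth"  # Google's OAuth 2.0 authorization endpoint
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"                          # placeholder
REDIRECT_URI = "https://auth.yourdomain.com/_oauth"          # placeholder callback URL
SESSION_COOKIE = "_forward_auth"
CSRF_COOKIE = "_forward_auth_csrf"
SECRET = secrets.token_bytes(32)     # per-process for the example; persist it for real use
ALLOWED = ["you@gmail.com"]          # the gmail whitelist from the post; placeholder entry


def _mac(secret, msg):
    return hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()


def make_cookie(email, expires, secret):
    """Session cookie value "mac|expires|email"; the MAC covers expiry and identity."""
    return f"{_mac(secret, f'{expires}|{email}')}|{expires}|{email}"


def verify_cookie(value, secret, now):
    """Return the e-mail if the cookie is authentic and unexpired, else None."""
    try:
        mac, expires, email = value.split("|", 2)
        expires = int(expires)
    except (ValueError, AttributeError):
        return None
    if not hmac.compare_digest(mac, _mac(secret, f"{expires}|{email}")):
        return None  # tampered, or signed under another key
    return email if now < expires else None


def parse_cookies(header):
    """Minimal Cookie header parser: "a=1; b=2" -> {"a": "1", "b": "2"}."""
    out = {}
    for part in (header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            out[name] = value
    return out


def decide(headers, allowed, secret, now=None):
    """One auth request from Traefik -> (status, response_headers)."""
    now = int(time.time()) if now is None else now
    h = {k.lower(): v for k, v in headers.items()}
    email = verify_cookie(parse_cookies(h.get("cookie")).get(SESSION_COOKIE), secret, now)
    if email is not None:
        if email.lower() in {a.lower() for a in allowed}:
            # 2xx: Traefik forwards the request and copies these authResponseHeaders along.
            return 200, {"X-Forwarded-User": email, "X-WebAuth-User": email}
        return 401, {"Content-Type": "text/plain"}  # authenticated, but not on the whitelist
    # No valid session: bounce to the provider, binding the return URL to a CSRF nonce.
    return_url = (f"{h.get('x-forwarded-proto', 'https')}://{h.get('x-forwarded-host', '')}"
                  f"{h.get('x-forwarded-uri', '/')}")
    nonce = secrets.token_hex(16)
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "response_type": "code",
              "scope": "openid email", "state": f"{nonce}:{return_url}"}
    return 307, {"Location": f"{AUTH_URL}?{urlencode(params)}",
                 "Set-Cookie": f"{CSRF_COOKIE}={nonce}; Path=/; HttpOnly; Secure; Max-Age=300"}


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, hdrs = decide(self.headers, ALLOWED, SECRET)
        self.send_response(status)
        for k, v in hdrs.items():
            self.send_header(k, v)
        self.end_headers()


if __name__ == "__main__":
    # Matches the compose labels: traefik.http.middlewares.oauth.forwardauth.Address=http://oauth:4181
    HTTPServer(("0.0.0.0", 4181), AuthHandler).serve_forever()
```

Two properties matter for this to be safe: the auth container is only on the internal docker network (no `ports:`), so the `X-Forwarded-*` values it trusts always come from Traefik rather than from a client, and the whitelist is checked on every request against the signed e-mail, so revoking an address takes effect without waiting for cookies to expire.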

cr0y
Mar 24, 2005



Vykk.Draygo posted:

This made me check to see how Emby handles hardware transcoding, and they require a paid subscription too! Wild that everyone makes you pay for hardware transcoding even locally.

Checkout jellyfin. It's an opensource fork of the OG emby code and it's starting to get some good developers. Definitely not as polished but it's nice to be completely free of all of the paid subscription poo poo.

Thermopyle
Jul 1, 2003

...the stupid are cocksure while the intelligent are full of doubt. —Bertrand Russell

cr0y posted:

Checkout jellyfin. It's an opensource fork of the OG emby code and it's starting to get some good developers. Definitely not as polished but it's nice to be completely free of all of the paid subscription poo poo.

I was going to post this.

I'm going to be switching over to jellyfin once I fully evaluate the kodi plugin.

90% of my emby and plex usage has always been just to centrally manage the media database for Kodi, and I'm tired of this centralized remote auth with plex.

Tea Bone
Feb 18, 2011

I'm going for gasps.

Jerk McJerkface posted:

As mentioned before, here is my sanitized docker file. Very little of it is in external config files, but I'm starting to break it off and do it that way instead, but this is fully functioning.


What benefit does pihole add to the usenet stack? Or is it just on there for general purposes?

lordfrikk
Mar 11, 2010

Oh, say it ain't fuckin' so,
you stupid fuck!
I signed up for a monthly on NewsgroupDirect and while it works great most of the time I'm noticing a lot of older stuff is missing parts. Do I understand it correctly that this is not an indexer problem but a usenet provider problem? If so, what other providers have great retention and won't have you paying through the roof? For reference, I snagged their $3.14/mo deal.

Super-NintendoUser
Jan 16, 2004

COWABUNGERDER COMPADRES
Soiled Meat

Tea Bone posted:

What benefit does pihole add to the usenet stack? Or is it just on there for general purposes?

No benefit, it's just there to function as my DNS server for adblocking.

Jesse Iceberg
Jan 7, 2012

Jerk McJerkface posted:

As mentioned before, here is my sanitized docker file. Very little of it is in external config files, but I'm starting to break it off and do it that way instead, but this is fully functioning.

code:
Lots of docker-compose

That's awesome, thanks for that, that gives me a really good jumping off point to start converting.

The docker-gen + Nginx approach was getting increasingly brittle over successive Let's Encrypt renewals.

One thing I had wondered about Traefik is, is it necessary to give it DNS API credentials, if instead you have a wildcard A record to catch all your apps and services?
