Gay Retard posted:I ran into some issues years ago getting Let's Encrypt + DuckDNS set up for proper reverse proxy https forwarding and never bothered trying again, but I thought nginx proxy was pretty simple once I forwarded my domain's DNS to cloudflare and set all my DNS up in there, as well as SSL/TLS certs. It's free. From a security standpoint, I only expose things that support SSO or MFA. So for me it's just Overseerr (with only Plex login enabled). And yeah everything else sits behind wireguard. Please all, NPM/traefik are awesome but basic auth is not secure in any way even over SSL unless you've got some kind of IP ban mechanism in place.
# ¿ Nov 18, 2021 15:28
|
# ¿ May 14, 2024 10:17
|
Scruff McGruff posted:Completely agree, the only things I have exposed are Overseerr (Plex OAuth), Tautulli (Plex OAuth), Nextcloud (MFA), and HomeAssistant (MFA). Everything else lives behind Wireguard. I always die a little inside when I see posts on the Unraid forums asking how to expose their server UI externally even after being told about Wireguard, which is insanely easy to set up on Unraid. I think I saw someone expose radarr and sonarr completely unprotected wondering why their server went apeshit with all these mysterious movie adds. Made me laugh in horror. I just wish services supported SSO for more than just opening up pages because Authelia is fantastic and Ibracorp have a few very good videos on it. Google even provides a good SSO service but a lot of these apps don't support it for auth.
|
# ¿ Nov 18, 2021 18:27
|
Reminder for wildcard certs: *.domain.com does not cover *.internal.domain.com, so make sure you add both wildcards in your certbot/ngxpm/traefik/acme.sh request.
|
# ¿ Nov 24, 2021 20:27
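
An added example, not from anyone in this thread, that applies the one-label wildcard rule clients use and works out which names a single cert request needs; all hostnames are made up:

```python
def hostname_matches(san: str, hostname: str) -> bool:
    """Return True if certificate name `san` covers `hostname`.

    Mirrors the rules clients apply (RFC 6125): comparison is case-insensitive,
    the wildcard is only honoured as the entire leftmost label, and it stands
    in for exactly one label, never zero and never several.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in san:
        return san == hostname
    san_labels = san.split(".")
    # Partial wildcards ("pl*.domain.com") and nested ones ("*.*.com") are rejected.
    if san_labels[0] != "*" or "*" in san[2:]:
        return False
    host_labels = hostname.split(".")
    # Equal label counts enforce the "exactly one label" rule, so
    # "*.domain.com" never reaches "grafana.internal.domain.com".
    if len(host_labels) != len(san_labels):
        return False
    return host_labels[1:] == san_labels[1:]

def covering_names(sans, hostname):
    """List the SAN entries of a cert that actually cover `hostname`."""
    return [s for s in sans if hostname_matches(s, hostname)]

def required_sans(hostnames):
    """Names to put in ONE cert request so every hostname is covered.

    Each distinct parent zone gets its own wildcard; a two-label name such as
    "domain.com" is listed literally, because no wildcard covers the zone apex
    and public CAs will not issue "*.com".
    """
    needed = set()
    for h in hostnames:
        labels = h.lower().rstrip(".").split(".")
        if len(labels) <= 2:
            needed.add(".".join(labels))
        else:
            needed.add("*." + ".".join(labels[1:]))
    return sorted(needed)

if __name__ == "__main__":
    # Constructed hostnames: a cert carrying only the first-level wildcard.
    cert = ["domain.com", "*.domain.com"]
    for host in ["plex.domain.com", "grafana.internal.domain.com"]:
        print(host, "->", covering_names(cert, host) or "NOT COVERED")
    print(required_sans(["plex.domain.com", "grafana.internal.domain.com", "domain.com"]))
```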
|
yeah new browsers don’t like http anymore. it’s not a big deal but it’s also not too hard to fix. also if you understand cert chains you can get a raise because hardly anyone does.
|
# ¿ Nov 25, 2021 05:36
|
I've been downloading sample packs recently (bought legally) for futzing around with in Ableton and a few samplers. I'm having the damnedest time finding this, but is there some kind of nice web GUI I can feed a URL to and tell it where to download to? Preferably one with a nice adaptive web UI that I can use on my phone or iPad? This would be on UnRAID so a docker is preferred.
|
# ¿ Nov 27, 2021 19:44
|
CopperHound posted:I haven't tried, but aria2+webui might be what you're looking for. That looks perfect. I'll check it out. Thanks!
|
# ¿ Nov 28, 2021 00:17
|
Canine Blues Arooo posted:I'm looking for guidance on how to better execute on my self-hosted setup. It might be in the OP, but I'm too dumb to piece it together. Dynamic DNS using duckdns. Then set up WireGuard or Tailscale and don't expose anything to the internet.
|
# ¿ Dec 2, 2021 21:57
|
Just a note, I think I've said it before but do not expose anything if it doesn't support Single Sign On or 2FA. Basic auth even over SSL is not enough.
|
# ¿ Dec 2, 2021 22:16
|
Nitrousoxide posted:I edited this into my post, but yes, you should absolutely implement fail2ban or other brute force protections like 2FA or SSO if you're exposing anything to the internet at large. This does increase the complexity of your implementation. Something like https://hub.docker.com/r/authelia/authelia#! would work for this. Though I don't know if it works for NGINX. It works for Traefik, which is another implementation of a reverse proxy, though one I'm not familiar with. Ibracorp has a bunch of videos for Authelia on YouTube. It's UnRAID focused but will work fine for any docker based deployment. The big problem I have with it is it's fine as a gate keeping mechanism (kind of) but it doesn't pass the token through to your underlying service. Still better than nothing and not any knock against it. Honestly though I still wouldn't expose anything I don't have to. My only open services are Overseerr (only plex login), Nextcloud (2FA enforced), and Plex. Everything else is behind Wireguard.
|
# ¿ Dec 3, 2021 00:01
|
If you want VPN built on WireGuard that doesn't need a hole punched in your firewall, look into Tailscale.
|
# ¿ Dec 6, 2021 19:59
|
CopperHound posted:I've been spending the past week or two giving myself a crash course on self hosted kubernetes clusters. I just barely got the self contained ha control plane and load balancer figured out along with basic ingress with traefik. If I find it at all practical for home use I'll try posting a guide to get some basic stuff hosted. Are you doing this for learning or have you watched too much TechnoTim on YouTube?
|
# ¿ Dec 8, 2021 19:54
|
CopperHound posted:What got this started was me wanting to have a dhcp server integrated with local DNS so I could just type whateverhostname.local.mydomain and my current router doesn't support that. I also want some fault tolerance, so one computer going down doesn't break my whole network. If you want "easy mode" for kubernetes, look into Rancher.
|
# ¿ Dec 8, 2021 20:02
|
BlankSystemDaemon posted:kubernetes is made for hyperscalers that need massive scale-out orchestration Whole lot of people use their homelabs to host things and learn. K3s is perfectly fine for an Arr/Plex/Downloading setup.
|
# ¿ Dec 9, 2021 01:26
|
BlankSystemDaemon posted:Sure, but k3s isn't kubernetes. You'll still have the joy of not properly formatting your YML and debugging it for hours until you see the errant space.
|
# ¿ Dec 9, 2021 01:51
|
CommieGIR posted:For minecraft the fix is simple: add '-Dlog4j2.formatMsgNoLookups=true' to your java runtime args. For the record, this is a mitigation, not a fix.
|
# ¿ Dec 12, 2021 22:26
|
CommieGIR posted:It's worth noting this is what log4j 2.15.0 is doing, it just makes it default. It's still just a mitigation. If you set that flag to false you're vulnerable again. Completely understandable as it's a humongous vulnerability but they still have to fix the actual problem. I'm sorry if I'm being pedantic here. Just realize there's a big patch coming that you're going to want to install to actually fix this.
|
# ¿ Dec 13, 2021 04:59
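
An added example, not posted by anyone in the thread, that audits java command lines for the effective state of that flag, since a later `=false` on the same command line overrides an earlier `=true`; the process listing, PIDs and jar names are constructed:

```python
import shlex

PROP = "log4j2.formatMsgNoLookups"

def mitigation_state(cmdline: str) -> str:
    """Classify one java command line by its effective formatMsgNoLookups setting.

    Returns "on"    when the effective value is true,
            "off"   when the property is set to anything else (e.g. =false),
            "unset" when the flag is absent: 2.15.0 and later default it on,
                    older releases do not, so the version still needs checking.
    Java keeps the LAST -D definition of a property, so a trailing "=false"
    silently undoes an earlier "=true".
    """
    value = None
    for arg in shlex.split(cmdline):
        if arg == "-D" + PROP or arg.startswith("-D" + PROP + "="):
            # "-Dprop" with no "=" defines the property as the empty string
            _, _, value = arg.partition("=")
    if value is None:
        return "unset"
    return "on" if value.strip().lower() == "true" else "off"

def audit_ps(ps_output: str) -> dict:
    """Walk `pid args` lines (ps -eo pid,args) and return {pid: state} for java only."""
    results = {}
    for line in ps_output.strip().splitlines():
        pid, _, args = line.strip().partition(" ")
        if not pid.isdigit():
            continue  # header line
        argv = args.split()
        if not argv or not argv[0].endswith("java"):
            continue  # not a JVM
        results[int(pid)] = mitigation_state(args)
    return results

# Constructed sample output; PIDs, paths and jar names are made up.
SAMPLE_PS = """\
  PID COMMAND
 1234 /usr/bin/java -Xmx4G -Dlog4j2.formatMsgNoLookups=true -jar server.jar nogui
 2345 /usr/bin/java -Dlog4j2.formatMsgNoLookups=true -Dlog4j2.formatMsgNoLookups=false -jar app.jar
 3456 /opt/jdk/bin/java -Xmx2G -jar legacy.jar
 4567 /usr/bin/python3 /opt/tools/monitor.py
"""

if __name__ == "__main__":
    for pid, state in sorted(audit_ps(SAMPLE_PS).items()):
        print(pid, state)
```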
|
None of this poo poo should be directly internet facing anyway. If you're self hosting and need something exposed without VPN you should be using cloudflared and a good reverse proxy.
|
# ¿ May 13, 2022 21:20
|
Zapf Dingbat posted:Where does that reverse proxy sit? Locally or remote? Ideally both and with SSL on both ends.
|
# ¿ Jun 1, 2022 00:59
|
An older NUC (8th gen is what I have) running proxmox and then you can run whatever distros you want as VMs and mess around with LXC. Small, reasonable power usage, and very versatile. For running a NAS, different story but you always have the option of getting a Synology to make things easier on yourself. Personally I'm running unraid on old hardware because I like the flexibility of mixing drives, and the docker containers as app store thing they have going on.
|
# ¿ Jan 9, 2023 22:02
|
Well Played Mauer posted:Cool, thanks. Been doing a bit of side research and it sounds like I could power most of what I need on a ~$400 NUC with Unraid, then connect a Synology NAS when I grow beyond external USB SSDs. That sounds like the expensive option, but it also seems like I could run OMV on the NUC in the meantime. Is that correct? No need for UnRAID if you have a NUC. You can run proxmox which has filesharing built in and use LXC for any services you need and then slice the rest up into VMs for learning or whatever.
|
# ¿ Jan 9, 2023 23:08
|
ServeTheHome has a whole series on SFF PCs so yeah don't get too attached to a NUC unless you find a sweet deal on one. Depending on where you are you can also trawl Craigslist or FB Marketplace. Used equipment is always a great place to start when you begin self hosting and homelabbing.
|
# ¿ Jan 10, 2023 00:58
|
Well Played Mauer posted:One thing I noticed is it takes the containers a good bit of time to fully initialize. I thought I broke something when getting Calibre-web to start up because the web GUI wasn't immediately available. Then I looked at the logs and realized it was still initializing 3-5 minutes after I ran the container. Is that normal, or is the external SSD I have everything on poo poo? (Maybe both?) Try to stick to a single distributor for images who builds off the same base image. https://www.linuxserver.io are really good about this. All of their containers are built off the same base image. So let's say you have 3 containers from them where the base image is updated. The first image will pull the needed layers and if it shares any of them with the other 2, you already have them downloaded. This is a nice rundown on it: https://vsupalov.com/docker-image-layers/ I believe hotio do the same with their images too.
|
# ¿ Jan 17, 2023 19:19
|
Well Played Mauer posted:I managed to get it running after finding a tutorial to create self-signed keys. I whipped one up with a 10-year expiration and threw it into NPM, and now everything's over https and Proxmox et al are happy campers. Now I just gotta figure out why Firefox is being a dick about the pem I created. This is such a deep rabbit hole you've fallen down but if you learn it (PKI management) you'll be ahead of 75% of the people applying for jobs.
|
# ¿ Jan 18, 2023 23:54
|
Neslepaks posted:Rolling your own CA is actually a nightmare and I recommend against it. So many bothersome issues went away when I changed to a LE wildcard instead. Yep. It's a good exercise if you homelab to learn though. Most people don't know what a CA is or what the difference between a private CA and a self-signed cert is. A few years ago I had to deep dive on this for work and it definitely took me a few weeks to really wrap my head around PKI infrastructure. But yeah at home? No way would I use my own CA.
|
# ¿ Jan 25, 2023 09:36
|
https://buildarr.github.io/ It's not ready yet, but this looks interesting. Do all your Arr config from one app with YML.
|
# ¿ Feb 15, 2023 15:54
|
Warbird posted:Is *arr stack config that elaborate for people? It’s like 10 minutes and change, less if you throw recyclarr at it. Single point of backup for all your config. I guess 2 with Recyclarr.
|
# ¿ Feb 15, 2023 16:28
|
Heck Yes! Loam! posted:I've installed enough phone systems to know what system people used based on the hold music unless it's something custom. There is only one https://www.youtube.com/watch?v=Np9Ga4XFTxc
|
# ¿ Feb 15, 2023 22:42
|
THF13 posted:It was brought up in the Plex thread in a slight derail, but thought it was better to talk about it here. Using code-server with Unraid's appdata folder mounted has been great. Especially using the dockermod for swag which autoreloads nginx when it detects valid changes. Thanks Matt Zerella You're welcome but credit to Ibracorp for the idea. Also DO NOT expose that publicly.
|
# ¿ Feb 23, 2023 19:50
|
Heck Yes! Loam! posted:don't expose your plex instance to the internet folks If I'm reading this right either the Plex server was used as a jump box or the person who got hacked shared a password?
|
# ¿ Feb 28, 2023 16:20
|
If you don't mind paying I'd just go with Fastmail.
|
# ¿ Mar 25, 2023 15:02
|
Quick question RE: Argo tunnels. Currently I'm using it for Overseerr. Chain is as follows: Overseerr (http, 5055) -> NginxProxyManager (https, using CF origin cert) -> cloudflared tunnel -> Internet. I kind of want to simplify things here, can I remove NPM and have CF take care of the SSL for the endpoint?
|
# ¿ Mar 29, 2023 15:07
|
Nitrousoxide posted:Unless you only have one service you're exposing to the internet and can route the 80/443 port from the internet directly to it with your network's router, you'll need a reverse proxy like NPM to handle the SSL routing in your network. It will look at the domain headers from incoming requests and send them to the appropriate location. Your router won't do that. The tunnel exposes it out. I want to avoid as many open ports as possible on my home connection. I had originally put NPM in between cloudflared and overseerr to ensure all traffic was encrypted but on further research, anything inside the tunnel is encrypted. I just changed my yml config to go directly from cloudflared to overseerr and CF forces SSL and everything looks good. I even used the Qualys SSL test site to check the URL and all traffic is encrypted. I guess I just needed some rubber ducky debugging here.
|
# ¿ Mar 29, 2023 16:37
|
Dollars to doughnuts LastPass guy switched over and hasn't updated.
|
# ¿ Apr 24, 2023 21:46
|
So with the death of Apollo for Reddit, I'm thinking of going back to Reader. Initial research shows that FreshRSS is everyone's favorite self hosted option. Anyone have any experience with it or alternative suggestions? This will be exposed via a Cloudflare tunnel. Because it'll be public I have a rule that MFA is required and everything I'm seeing about FRSS seems like it doesn't support anything beyond normal auth. So I'm not wild about this. The only other service I have exposed is Overseerr which uses Plex SSO so that one is fine.
|
# ¿ Jun 11, 2023 15:23
|
Azhais posted:You can just set up nginx reverse proxy, it can enforce mfa in front of any application you're proxying My concern there is that will break Reeder accessing the API.
|
# ¿ Jun 11, 2023 15:42
|
Looks like miniflux is what I'm going to try since I can set it up with google oauth. I don't think I'll ever use the webapp. It'll just feed into Reeder on my iOS devices.
|
# ¿ Jun 11, 2023 16:11
|
hogofwar posted:Yeah, my end goal is to somewhat replace setup documentation with ansible (and maybe terraform)? I should probably learn Terraform for my job anyway, so I think I will go that route. I am still not entirely sure where one tool's area of use ends and the other begins (When to use ansible vs when to use terraform?) Terraform for infrastructure, Ansible for configuration of said infrastructure. This applies mostly to VMs. So with Proxmox it's terraform. For the VMs inside of proxmox it's Ansible. I'd back out one step further and build VM templates with packer that are preconfigured for your Ansible code and are deployed with TF.
|
# ¿ Jul 14, 2023 19:59
|
hogofwar posted:So a rough overview would be this? Yep. And then if you want to get fancy you do a git/cicd setup to track everything. You can probably skip terraform unless you've got some kind of complicated deployment pattern.
|
# ¿ Jul 15, 2023 18:52
|
hogofwar posted:Without terraform, would I just manually create the VMs out of the templates, or do I just rely on Ansible to do that? I would not manage Proxmox with Ansible. I'm not even sure if it's possible tbh.
|
# ¿ Jul 15, 2023 19:09
|
|
Please don't use docker desktop on Mac. It's very very bad.
|
# ¿ Jul 17, 2023 19:47