#Christian woman. #Aroace. Totally #blind and #autistic with multiple #chronicIllnesses. #UsabilityTester, aspiring #AccessibilityConsultant. #Disability rights advocate. Interests: #technology, #reading, #gaming, #food, #OpenSource. Human to Squeaker (MinPin). Creating a nonprofit for multiply disabled people.
#tfr, #Fedi22
@selfhost @selfhosting @selfhosted @linux Authelia docker-compose.yml:
services:
  authelia:
    image: authelia/authelia:latest
    container_name: authelia
    volumes:
      - ./config:/config
      - ./logs:/var/log/authelia
    networks:
      - web
      - authelia_internal
    environment:
      - TZ=America/Chicago
      - AUTHELIA_JWT_SECRET_FILE=/config/secrets/jwt_secret
      - AUTHELIA_SESSION_SECRET_FILE=/config/secrets/session_secret
      - AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/config/secrets/storage_encryption_key
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authelia.rule=Host(`auth.laniesplace.us`)"
      - "traefik.http.routers.authelia.entrypoints=websecure"
      - "traefik.http.routers.authelia.tls.certresolver=le"
      - "traefik.http.middlewares.authelia.forwardauth.authRequestHeaders=X-Forwarded-Proto,X-Forwarded-Host"
      # authelia-basic is not referenced by any router; the routers use the authelia middleware.
      - "traefik.http.middlewares.authelia-basic.forwardauth.authResponseHeaders=Remote-User,Remote-Name,Remote-Email"
      - "traefik.http.middlewares.authelia.forwardauth.tls.insecureSkipVerify=true"
      - "traefik.http.services.authelia.loadbalancer.server.port=9091"
      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.laniesplace.us"
      - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    depends_on:
      # redis is only used if session.redis is configured in configuration.yml;
      # the posted configuration.yml has no such block.
      - redis
    healthcheck:
      test: ["CMD", "wget", "--no-check-certificate", "--quiet", "--tries=1", "--spider", "http://localhost:9091/api/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 60s
  redis:
    image: redis:alpine
    container_name: authelia_redis
    networks:
      - authelia_internal
    restart: unless-stopped
    volumes:
      - ./redis:/data
    command: redis-server --save 60 1 --loglevel warning
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 30s
      timeout: 10s
      retries: 3
    security_opt:
      - no-new-privileges:true
networks:
  web:
    external: true
  authelia_internal:
    internal: true
@selfhost @selfhosting @selfhosted @linux traefik middlewares.yml:
http:
  middlewares:
    dashboard-auth:
      basicAuth:
        users:
          - "admin:$apr1$t5/O0mIb$M6Mkxlqxmi2RRJHNL007Q1"
@selfhost @selfhosting @selfhosted @linux traefik services.yml:
http:
  services:
    # Docker Services
    homer:
      loadBalancer:
        servers:
          - url: "http://homer:8080"
    glances:
      loadBalancer:
        servers:
          - url: "http://glances:61208"
    uptime-kuma:
      loadBalancer:
        servers:
          - url: "http://uptime-kuma:3001"
    miniflux:
      loadBalancer:
        servers:
          - url: "http://miniflux:8080"
    pihole:
      loadBalancer:
        servers:
          - url: "http://pihole:8088"
    portainer:
      loadBalancer:
        servers:
          - url: "http://portainer:9000"
    linkding:
      loadBalancer:
        servers:
          - url: "http://linkding:9090"
    # Non-Docker Services
    # Traefik runs on the bridge network `web`, so 127.0.0.1 here is the traefik
    # container itself, not the host. Host services need the host's address
    # (for example host.docker.internal added via extra_hosts, or the LAN IP).
    filebrowser:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:8085"
    netdata:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:19999"
    forgejo:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:3000"
    dokuwiki:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:81"
    cockpit:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:9090"
@selfhost @selfhosting @selfhosted @linux traefik routers.yml:
http:
  routers:
    # `headers`/customRequestHeaders is a middleware option, not a router option,
    # so the file provider rejects it on a router. It is also unnecessary here:
    # Traefik's forwardAuth middleware already sends X-Forwarded-Proto, -Host,
    # -Uri, -For and -Method to Authelia on every auth request.
    dashboard:
      rule: "Host(`traefik.laniesplace.us`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      service: api@internal
      entryPoints:
        - websecure
      tls:
        certResolver: le
      middlewares:
        - dashboard-auth
    homer:
      rule: "Host(`laniesplace.us`)"
      service: homer
      entryPoints:
        - websecure
      tls:
        certResolver: le
      middlewares:
        - authelia@docker
    glances:
      rule: "Host(`glances.laniesplace.us`)"
      service: glances
      entryPoints:
        - websecure
      tls:
        certResolver: le
      middlewares:
        - authelia@docker
    uptime-kuma:
      rule: "Host(`uptime.laniesplace.us`)"
      service: uptime-kuma
      entryPoints:
        - websecure
      tls:
        certResolver: le
      middlewares:
        - authelia@docker
    miniflux:
      rule: "Host(`rss.laniesplace.us`)"
      service: miniflux
      entryPoints:
        - websecure
      tls:
        certResolver: le
      middlewares:
        - authelia@docker
    pihole:
      rule: "Host(`pihole.laniesplace.us`)"
      service: pihole
      entryPoints:
        - websecure
      tls:
        certResolver: le
      middlewares:
        - authelia@docker
        # pihole-redirect is not defined in the middlewares.yml above; Traefik
        # disables a router that references an undefined middleware, so it must
        # exist in another file in the dynamic directory.
        - pihole-redirect
    portainer:
      rule: "Host(`portainer.laniesplace.us`)"
      service: portainer
      entryPoints:
        - websecure
      tls:
        certResolver: le
      middlewares:
        - authelia@docker
    linkding:
      rule: "Host(`bookmarks.laniesplace.us`)"
      service: linkding
      entryPoints:
        - websecure
      tls:
        certResolver: le
      middlewares:
        # Remote-User reaches linkding via the authelia middleware's
        # authResponseHeaders; Traefik does not template header values.
        - authelia@docker
    filebrowser:
      rule: "Host(`files.laniesplace.us`)"
      service: filebrowser
      entryPoints:
        - websecure
      tls:
        certResolver: le
      middlewares:
        - authelia@docker
    netdata:
      rule: "Host(`netdata.laniesplace.us`)"
      service: netdata
      entryPoints:
        - websecure
      tls:
        certResolver: le
      middlewares:
        - authelia@docker
    forgejo:
      rule: "Host(`git.laniesplace.us`)"
      service: forgejo
      entryPoints:
        - websecure
      tls:
        certResolver: le
      middlewares:
        - authelia@docker
    dokuwiki:
      rule: "Host(`wiki.laniesplace.us`)"
      service: dokuwiki
      entryPoints:
        - websecure
      tls:
        certResolver: le
      middlewares:
        - authelia@docker
    cockpit:
      rule: "Host(`cockpit.laniesplace.us`)"
      service: cockpit
      entryPoints:
        - websecure
      tls:
        certResolver: le
      middlewares:
        - authelia@docker
@selfhost @selfhosting @selfhosted @linux traefik docker-compose.yml:
networks:
  web:
    external: true
services:
  traefik:
    image: traefik:v3.2.5
    container_name: traefik
    security_opt:
      - no-new-privileges:true
    ports:
      - "80:80"
      - "443:443"
      # 8080 only serves the API/dashboard when api.insecure is true; with
      # insecure: false in traefik.yml nothing listens here, so it can be dropped.
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      # Must match certificatesResolvers.le.acme.storage in traefik.yml
      # (/etc/traefik/acme.json); mounting at /acme.json leaves certificates
      # unpersisted inside the container.
      - ./acme.json:/etc/traefik/acme.json
      - ./dynamic:/etc/traefik/dynamic:ro
      - ./logs:/etc/traefik/logs
    networks:
      - web
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.laniesplace.us`)"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls.certresolver=le"
      # dashboard-auth lives in the file provider (middlewares.yml), so a docker
      # label must reference it with the @file suffix.
      - "traefik.http.routers.dashboard.middlewares=dashboard-auth@file"
@selfhost @selfhosting @selfhosted @linux traefik.yml:
global:
  checkNewVersion: true
  sendAnonymousUsage: false
log:
  level: DEBUG
  filePath: /etc/traefik/logs/traefik.log
accessLog:
  filePath: /etc/traefik/logs/access.log
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: le
api:
  dashboard: true
  insecure: false
providers:
  file:
    directory: /etc/traefik/dynamic
    watch: true
  docker:
    endpoint: unix:///var/run/docker.sock
    watch: true
    exposedByDefault: false
    network: web
certificatesResolvers:
  le:
    acme:
      email: laniegcarmelo@gmail.com
      storage: /etc/traefik/acme.json
      tlsChallenge: {}
@selfhost @selfhosting @selfhosted @linux Web services docker-compose.yml, includes Linkding:
services:
  linkding:
    image: sissbruecker/linkding:latest-plus
    container_name: linkding
    environment:
      LD_ENABLE_AUTH_PROXY: "true"
      LD_AUTH_PROXY_HEADER: "Remote-User"
      LD_AUTH_PROXY_AUTO_LOGIN: "true"
      LD_AUTH_PROXY_LOGOUT_URL: "https://auth.laniesplace.us/logout"
    volumes:
      - linkding_data:/etc/linkding/data
    healthcheck:
      test: ["CMD", "node", "-e", "const http = require('http'); const options = {host: 'localhost', port: 9090, path: '/', timeout: 2000}; const request = http.request(options, (res) => { process.exit([200, 302].includes(res.statusCode) ? 0 : 1)}); request.on('error', () => process.exit(1)); request.end()"]
      interval: 30s
      timeout: 10s
      retries: 3
    networks:
      - web
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.linkding.rule=Host(`bookmarks.laniesplace.us`)"
      - "traefik.http.routers.linkding.entrypoints=websecure"
      - "traefik.http.routers.linkding.tls.certresolver=le"
      - "traefik.http.services.linkding.loadbalancer.server.port=9090"
      - "traefik.http.routers.linkding.middlewares=authelia@docker"
volumes:
  linkding_data:
networks:
  web:
    external: true
@fmstrat Ah yeah just noticed you’re on Lemmy. Yeah I’m posting from Mastodon.
@fmstrat Not sure what you mean. I included hashtags in my post, but there was no title to it or anything.
@virtuous_sloth @selfhost @selfhosting @selfhosted @mastoblind @main No, my situation is weird. My domain is hosted on Porkbun.com but its nameservers point to Vultr.com, where my WordPress install is hosted on a friend’s server. Porkbun won’t let me edit DNS records or do much of anything with my domain unless I change back to the default nameservers, which would break my WordPress setup.
@jdw @selfhost @selfhosted @linux @selfhosting Not sure what you mean. I have a Raspberry Pi with MiniFlux, LinkAce, and a bunch of other stuff on it. The only thing I’m not hosting is the WordPress site.
@remakingeden @selfhost @selfhosted @linux @selfhosting Yeah I don’t want to add a whole log, just alerts that backups were done successfully or if something goes down, or a daily summary of how my system is doing. I’ll look into Pushover.
@selfhost @selfhosting @selfhosted @linux Authelia configuration.yml:
theme: light
server:
  address: 0.0.0.0:9091
log:
  level: debug
  format: text
  file_path: /var/log/authelia/authelia.log
totp:
  issuer: laniesplace.us
  period: 30
  skew: 1
authentication_backend:
  file:
    path: /config/users_database.yml
    password:
      algorithm: argon2id
      iterations: 3
      memory: 65536
      parallelism: 4
      salt_length: 16
      key_length: 32
access_control:
  default_policy: deny
  # Rules are evaluated in order; the first rule whose domain AND subject match
  # wins, and a rule whose subject does not match is skipped, not denied.
  rules:
    # Public Access
    # The homer router above serves the apex laniesplace.us, which neither this
    # entry nor the *.laniesplace.us wildcard matches, so it falls to default_policy.
    - domain:
        - "pihole.laniesplace.us"
        - "homer.laniesplace.us"
      policy: bypass
    # High Security (Two Factor)
    - domain:
        - "portainer.laniesplace.us"
        - "netdata.laniesplace.us"
        - "cockpit.laniesplace.us"
        - "glances.laniesplace.us"
        - "code.laniesplace.us"
      policy: two_factor
      subject:
        - "group:admins"
    # Medium Security (One Factor Admin)
    - domain:
        - "forgejo.laniesplace.us"
        - "files.laniesplace.us"
        - "uptime.laniesplace.us"
      policy: one_factor
      subject:
        - "group:admins"
    # Standard Auth (One Factor)
    - domain:
        - "thelounge.laniesplace.us"
        - "miniflux.laniesplace.us"
        - "linkding.laniesplace.us"
        - "wiki.laniesplace.us"
      policy: one_factor
    # Catch-all rule
    # Users who are not in group:admins skip the two rules above and land here,
    # so they get one_factor on the two_factor hosts rather than a deny.
    - domain: "*.laniesplace.us"
      policy: one_factor
session:
  name: authelia_session
  domain: laniesplace.us
  same_site: lax
  expiration: 3600
  inactivity: 300
  remember_me: 1M
regulation:
  max_retries: 3
  find_time: 120
  ban_time: 300
storage:
  local:
    path: /config/db.sqlite3
notifier:
  disable_startup_check: false
  smtp:
    address: submission://smtp.gmail.com:587
    username: laniegcarmelo@gmail.com
    # Do not keep the Gmail app password in plaintext here; load it from a
    # secret file via the AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE environment
    # variable, like the other secrets in docker-compose.yml.
    sender: "Authelia <laniegcarmelo@gmail.com>"
    identifier: auth.laniesplace.us
    subject: "[Authelia] {title}"
    startup_check_address: laniegcarmelo@gmail.com
    timeout: 5s
# identity_validation.reset_password.jwt_secret is supplied by the
# AUTHELIA_JWT_SECRET_FILE secret in docker-compose.yml. Authelia does not
# expand ${VAR} in this file, and declaring the key here as well conflicts
# with the secret loaded from the file, so it is intentionally omitted.
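As an added example (not the author's code and not Authelia's), the Python below re-implements Authelia's access_control evaluation, first rule whose domain and subject both match wins, otherwise default_policy, over constructed excerpts of the hosts in the posted routers.yml and the rules in the posted configuration.yml; it treats each `subject` entry as a single OR-ed string, which is how the posted rules are written. Running it shows two things the files alone do not: the homer router's apex host laniesplace.us is matched by neither the bypass entry nor the `*.laniesplace.us` wildcard and so gets the default deny, and a user outside group:admins is not denied on the two_factor hosts but falls through to the catch-all one_factor rule.

```python
# Added check, not the author's code: re-implements Authelia's access_control
# evaluation (rules in order, first rule whose domain AND subject match wins,
# else default_policy) over constructed excerpts of the posted configs.
ROUTER_HOSTS = {            # hostnames from the posted routers.yml
    "homer": "laniesplace.us",
    "pihole": "pihole.laniesplace.us",
    "portainer": "portainer.laniesplace.us",
    "linkding": "bookmarks.laniesplace.us",
}
DEFAULT_POLICY = "deny"     # from the posted configuration.yml
RULES = [                   # same order as the posted configuration.yml
    {"domain": ["pihole.laniesplace.us", "homer.laniesplace.us"], "policy": "bypass"},
    {"domain": ["portainer.laniesplace.us"], "policy": "two_factor",
     "subject": ["group:admins"]},
    {"domain": ["linkding.laniesplace.us"], "policy": "one_factor"},
    {"domain": ["*.laniesplace.us"], "policy": "one_factor"},
]

def domain_matches(pattern, host):
    """Authelia wildcard semantics: '*.x' matches subdomains of x, not x itself."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern

def subject_matches(subjects, user, groups):
    """Simplified: each subject entry is one 'user:name' or 'group:name' string,
    and the entries are OR-ed (Authelia's nested AND lists are not modelled)."""
    if not subjects:
        return True
    for entry in subjects:
        kind, _, name = entry.partition(":")
        if (kind == "user" and name == user) or (kind == "group" and name in groups):
            return True
    return False

def policy_for(host, user, groups, rules=RULES, default=DEFAULT_POLICY):
    """Policy Authelia applies to `user` (member of `groups`) for `host`."""
    for rule in rules:
        if any(domain_matches(d, host) for d in rule["domain"]) and \
                subject_matches(rule.get("subject"), user, groups):
            return rule["policy"]
    return default

def audit(user, groups, router_hosts=ROUTER_HOSTS):
    """Effective policy per Traefik router, so mismatches between the Traefik
    Host() rules and the Authelia domain list become visible."""
    return {name: policy_for(host, user, groups) for name, host in router_hosts.items()}

if __name__ == "__main__":
    print(audit("admin", ["admins"]), audit("alice", []))
```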