Hi #SelfHosted community. I’ve figured out a lot of my setup. I now have a new domain, laniesplace.us, just for #HomeServer stuff. It’s set up through Porkbun with Dynu for #DDNS. I’ve now got #Traefik, #TailscaleVPN, #Linkding, #Forgejo, #Dokuwiki, Code-Server, #Portainer, #Netdata, #Watchtower, #Cockpit, #Pihole, #MiniFlux, #TheLounge, #Filebrowser, #UptimeKuma, and the #Homer dashboard service installed. I’m now trying to set up #Authelia so I can have single sign-on to my services. For some, it’s working now, but I can’t seem to get Linkding to work no matter what I do. This is on a #RaspberryPi 500 with 8 GB RAM and a 512 GB SD card, running #Stormux, which is based on #ArchlinuxARM. Can anyone help? I’ll reply to this post with all my relevant config files in separate posts. What’s happening is this: Linkding is supposed to be available at bookmarks.laniesplace.us. When I go there, I see a 401 unauthorized error and a link to sign into Authelia. Once I sign in, though, it redirects back to the page with the 401 error. I’ve been trying to figure this out for hours with no luck. Files will be in replies to this post.
#SelfHosting #Linux #HomeLab #RPi #RaspberryPi500 #RPi500 #Tech #Technology
@selfhost @selfhosting @selfhosted @linux
Nothing makes me realize I left my glasses at home quite like this post. 🤣
Why did you hashtag everything and comment every yaml 0_o
I believe this is a Mastodon post that’s also federating to lemmy
Ah that makes more sense
@ocean I didn’t. I hashtagged words I thought were important, and for the yaml files, I just copied and pasted.
@selfhost @selfhosting @selfhosted @linux Authelia configuration.yml:
theme: light server: address: 0.0.0.0:9091 log: level: debug format: text file\_path: /var/log/authelia/authelia.log totp: issuer: laniesplace.us period: 30 skew: 1 authentication\_backend: file: path: /config/users\_database.yml password: algorithm: argon2id iterations: 3 memory: 65536 parallelism: 4 salt\_length: 16 key\_length: 32 access\_control: default\_policy: deny rules: \# Public Access \- domain: \- "pihole.laniesplace.us" \- "homer.laniesplace.us" policy: bypass \# High Security (Two Factor) \- domain: \- "portainer.laniesplace.us" \- "netdata.laniesplace.us" \- "cockpit.laniesplace.us" \- "glances.laniesplace.us" \- "code.laniesplace.us" policy: two\_factor subject: \- "group:admins" \# Medium Security (One Factor Admin) \- domain: \- "forgejo.laniesplace.us" \- "files.laniesplace.us" \- "uptime.laniesplace.us" policy: one\_factor subject: \- "group:admins" \# Standard Auth (One Factor) \- domain: \- "thelounge.laniesplace.us" \- "miniflux.laniesplace.us" \- "linkding.laniesplace.us" \- "wiki.laniesplace.us" policy: one\_factor \# Catch-all rule \- domain: "\*.laniesplace.us" policy: one\_factor session: name: authelia\_session domain: laniesplace.us same\_site: lax expiration: 3600 inactivity: 300 remember\_me: 1M regulation: max\_retries: 3 find\_time: 120 ban\_time: 300 storage: local: path: /config/db.sqlite3 notifier: disable\_startup\_check: false smtp: address: submission://smtp.gmail.com:587 username: [email protected] password: rcig lqpk cbsg aqcm sender: "Authelia \<[email protected]\>" identifier: auth.laniesplace.us subject: "[Authelia] {title}" startup\_check\_address: [email protected] timeout: 5s identity\_validation: reset\_password: jwt\_secret: ${AUTHELIA\_JWT\_SECRET\_FILE}
@selfhost @selfhosting @selfhosted @linux Authelia docker-compose.yml:
services: authelia: image: authelia/authelia:latest container\_name: authelia volumes: \- ./config:/config \- ./logs:/var/log/authelia networks: \- web \- authelia\_internal environment: \- TZ=America/Chicago \- AUTHELIA\_JWT\_SECRET\_FILE=/config/secrets/jwt\_secret \- AUTHELIA\_SESSION\_SECRET\_FILE=/config/secrets/session\_secret \- AUTHELIA\_STORAGE\_ENCRYPTION\_KEY\_FILE=/config/secrets/storage\_encryption\_key labels: \- "traefik.enable=true" \- "traefik.http.routers.authelia.rule=Host(`auth.laniesplace.us`)" \- "traefik.http.routers.authelia.entrypoints=websecure" \- "traefik.http.routers.authelia.tls.certresolver=le" \- "traefik.http.middlewares.authelia.forwardauth.authRequestHeaders=X-Forwarded-Proto,X-Forwarded-Host" \- "traefik.http.middlewares.authelia-basic.forwardauth.authResponseHeaders=Remote-User,Remote-Name,Remote-Email" \- "traefik.http.middlewares.authelia.forwardauth.tls.insecureSkipVerify=true" \- "traefik.http.services.authelia.loadbalancer.server.port=9091" \- "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=%5Bhttps%3A%2F%2Fauth.laniesplace.us%5D%28https%3A%2F%2Fauth.laniesplace.us%29" \- "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true" \- "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email" restart: unless-stopped security\_opt: \- no-new-privileges:true depends\_on: \- redis healthcheck: test: ["CMD", "wget", "--no-check-certificate", "--quiet", "--tries=1", "--spider", "http://localhost:9091/api/health"] interval: 30s timeout: 10s retries: 3 start\_period: 60s redis: image: redis:alpine container\_name: authelia\_redis networks: \- authelia\_internal restart: unless-stopped volumes: \- ./redis:/data command: redis-server --save 60 1 --loglevel warning healthcheck: test: ["CMD", "redis-cli", "ping"] interval: 30s timeout: 10s retries: 3 security\_opt: \- no-new-privileges:true networks: web: external: true authelia\_internal: internal: true
@selfhost @selfhosting @selfhosted @linux traefik middlewares.yml:
http: middlewares: dashboard-auth: basicAuth: users: \- "admin:$apr1$t5/O0mIb$M6Mkxlqxmi2RRJHNL007Q1"
@selfhost @selfhosting @selfhosted @linux traefik services.yml:
http: services: \# Docker Services homer: loadBalancer: servers: \- url: "http://homer:8080/" glances: loadBalancer: servers: \- url: "http://glances:61208/" uptime-kuma: loadBalancer: servers: \- url: "http://uptime-kuma:3001/" miniflux: loadBalancer: servers: \- url: "http://miniflux:8080/" pihole: loadBalancer: servers: \- url: "http://pihole:8088/" portainer: loadBalancer: servers: \- url: "http://portainer:9000/" linkding: loadBalancer: servers: \- url: "http://linkding:9090/" \# Non-Docker Services filebrowser: loadBalancer: servers: \- url: "http://127.0.0.1:8085/" netdata: loadBalancer: servers: \- url: "http://127.0.0.1:19999/" forgejo: loadBalancer: servers: \- url: "http://127.0.0.1:3000/" dokuwiki: loadBalancer: servers: \- url: "http://127.0.0.1:81/" cockpit: loadBalancer: servers: \- url: "http://127.0.0.1:9090/"
@selfhost @selfhosting @selfhosted @linux traefik routers.yml:
http: routers: dashboard: rule: "Host(`traefik.laniesplace.us`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))" service: api@internal entryPoints: \- websecure tls: certResolver: le middlewares: \- dashboard-auth homer: rule: "Host(`laniesplace.us`)" service: homer entryPoints: \- websecure tls: certResolver: le middlewares: \- authelia@docker headers: customRequestHeaders: X-Forwarded-Proto: "https" X-Forwarded-Host: "laniesplace.us" X-Forwarded-Uri: "/" X-Forwarded-For: "true" glances: rule: "Host(`glances.laniesplace.us`)" service: glances entryPoints: \- websecure tls: certResolver: le middlewares: \- authelia@docker headers: customRequestHeaders: X-Forwarded-Proto: "https" X-Forwarded-Host: "glances.laniesplace.us" X-Forwarded-Uri: "/" X-Forwarded-For: "true" uptime-kuma: rule: "Host(`uptime.laniesplace.us`)" service: uptime-kuma entryPoints: \- websecure tls: certResolver: le middlewares: \- authelia@docker headers: customRequestHeaders: X-Forwarded-Proto: "https" X-Forwarded-Host: "uptime.laniesplace.us" X-Forwarded-Uri: "/" X-Forwarded-For: "true" miniflux: rule: "Host(`rss.laniesplace.us`)" service: miniflux entryPoints: \- websecure tls: certResolver: le middlewares: \- authelia@docker headers: customRequestHeaders: X-Forwarded-Proto: "https" X-Forwarded-Host: "rss.laniesplace.us" X-Forwarded-Uri: "/" X-Forwarded-For: "true" pihole: rule: "Host(`pihole.laniesplace.us`)" service: pihole entryPoints: \- websecure tls: certResolver: le middlewares: \- authelia@docker \- pihole-redirect headers: customRequestHeaders: X-Forwarded-Proto: "https" X-Forwarded-Host: "pihole.laniesplace.us" X-Forwarded-Uri: "/" X-Forwarded-For: "true" portainer: rule: "Host(`portainer.laniesplace.us`)" service: portainer entryPoints: \- websecure tls: certResolver: le middlewares: \- authelia@docker headers: customRequestHeaders: X-Forwarded-Proto: "https" X-Forwarded-Host: "portainer.laniesplace.us" X-Forwarded-Uri: "/" X-Forwarded-For: "true" linkding: rule: "Host(`bookmarks.laniesplace.us`)" service: linkding entryPoints: \- websecure tls: certResolver: le middlewares: \- authelia@docker headers: customRequestHeaders: X-Forwarded-Proto: "https" X-Forwarded-Host: "bookmarks.laniesplace.us" X-Forwarded-Uri: "/" X-Forwarded-For: "true" Remote-User: "{{ .Request.Headers.Remote-User }}" filebrowser: rule: "Host(`files.laniesplace.us`)" service: filebrowser entryPoints: \- websecure tls: certResolver: le middlewares: \- authelia@docker headers: customRequestHeaders: X-Forwarded-Proto: "https" X-Forwarded-Host: "files.laniesplace.us" X-Forwarded-Uri: "/" X-Forwarded-For: "true" netdata: rule: "Host(`netdata.laniesplace.us`)" service: netdata entryPoints: \- websecure tls: certResolver: le middlewares: \- authelia@docker headers: customRequestHeaders: X-Forwarded-Proto: "https" X-Forwarded-Host: "netdata.laniesplace.us" X-Forwarded-Uri: "/" X-Forwarded-For: "true" forgejo: rule: "Host(`git.laniesplace.us`)" service: forgejo entryPoints: \- websecure tls: certResolver: le middlewares: \- authelia@docker headers: customRequestHeaders: X-Forwarded-Proto: "https" X-Forwarded-Host: "git.laniesplace.us" X-Forwarded-Uri: "/" X-Forwarded-For: "true" dokuwiki: rule: "Host(`wiki.laniesplace.us`)" service: dokuwiki entryPoints: \- websecure tls: certResolver: le middlewares: \- authelia@docker headers: customRequestHeaders: X-Forwarded-Proto: "https" X-Forwarded-Host: "wiki.laniesplace.us" X-Forwarded-Uri: "/" X-Forwarded-For: "true" cockpit: rule: "Host(`cockpit.laniesplace.us`)" service: cockpit entryPoints: \- websecure tls: certResolver: le middlewares: \- authelia@docker headers: customRequestHeaders: X-Forwarded-Proto: "https" X-Forwarded-Host: "cockpit.laniesplace.us" X-Forwarded-Uri: "/" X-Forwarded-For: "true"
@selfhost @selfhosting @selfhosted @linux traefik docker-compose.yml:
networks:
web:
external: trueservices:
traefik:
image: traefik:v3.2.5
container_name: traefik
security_opt:
- no-new-privileges:true
ports:
- “80:80”
- “443:443”
- “8080:8080”
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./traefik.yml:/etc/traefik/traefik.yml:ro
- ./acme.json:/acme.json
- ./dynamic:/etc/traefik/dynamic:ro
- ./logs:/etc/traefik/logs
networks:
- web
restart: unless-stopped
labels:
- “traefik.enable=true”
- “traefik.http.routers.dashboard.rule=Host(traefik.laniesplace.us
)”
- “traefik.http.routers.dashboard.service=api@internal”
- “traefik.http.routers.dashboard.entrypoints=websecure”
- “traefik.http.routers.dashboard.tls.certresolver=le”
- “traefik.http.routers.dashboard.middlewares=dashboard-auth”@selfhost @selfhosting @selfhosted @linux traefik.yml:
global: checkNewVersion: true sendAnonymousUsage: false log: level: DEBUG filePath: /etc/traefik/logs/traefik.log accessLog: filePath: /etc/traefik/logs/access.log entryPoints: web: address: :80 http: redirections: entryPoint: to: websecure scheme: https websecure: address: :443 http: tls: certResolver: le api: dashboard: true insecure: false providers: file: directory: /etc/traefik/dynamic watch: true docker: endpoint: unix:///var/run/docker.sock watch: true exposedByDefault: false network: web certificatesResolvers: le: acme: email: [email protected] storage: /etc/traefik/acme.json tlsChallenge: {}
@selfhost @selfhosting @selfhosted @linux Web services docker-compose.yml, includes Linkding:
services: linkding: image: sissbruecker/linkding:latest-plus container\_name: linkding environment: LD\_ENABLE\_AUTH\_PROXY: "true" LD\_AUTH\_PROXY\_HEADER: "Remote-User" LD\_AUTH\_PROXY\_AUTO\_LOGIN: "true" LD\_AUTH\_PROXY\_LOGOUT\_URL: "[https://auth.laniesplace.us/logout](https://auth.laniesplace.us/logout)" volumes: \- linkding\_data:/etc/linkding/data healthcheck: test: ["CMD", "node", "-e", "const http = require('http'); const options = {host: 'localhost', port: 9090, path: '/', timeout: 2000}; const request = http.request(options, (res) =\> { process.exit([200, 302].includes(res.statusCode) ? 0 : 1)}); request.on('error', () =\> process.exit(1)); request.end()"] interval: 30s timeout: 10s retries: 3 networks: \- web labels: \- "traefik.enable=true" \- "traefik.http.routers.linkding.rule=Host(`bookmarks.laniesplace.us`)" \- "traefik.http.routers.linkding.entrypoints=websecure" \- "traefik.http.routers.linkding.tls.certresolver=le" \- "traefik.http.services.linkding.loadbalancer.server.port=9090" \- "traefik.http.routers.linkding.middlewares=authelia@docker" volumes: linkding\_data: networks: web: external: true