

Reminds me of the group limit attribute in nextcloud. You could try looking at the ‘Custom profile scope’ section of https://docs.goauthentik.io/integrations/services/nextcloud/ to see if it helps to work out what to do
After some research on here and reddit about 6 months ago, I settled on Borgbase and it's been pretty good. I also manually save occasionally to Proton Drive but you're right to give up on that as a solution!
The hardest part was choosing the backup method and properly setting up Borg or restic on my machine, especially with docker and databases. I have ended up with adding db backup images to each container with an important db, saving to a specific folder. Then that and all the files are backed up by restic to an attached external drive as well as Borgbase. This happens at a specific time in the morning, and I found a restic action to stop all docker containers first, back them up, then spin them back up. I can find the guides that I used if it's helpful to you.
I also checked my backups a few times and found a few small problems I had to fix. I got the message from other users several times that your backups are useless unless you regularly test them.
There's a lot of different things going on here; although it sounds simple, you're actually touching many different technologies. I started a few years ago to self host and it took me a while to get my head around these, and I still have issues, so don't worry too much!
I'm not familiar with caddy but the ports look wrong. It would be looking for 80 and 443, presumably on the docker host (right hand side / "RHS Ports"). You could use any ports on the left hand side ("LHS Ports").
The section "DOMAIN}:1443" might be telling caddy to be looking on port 1443 inside docker, which means the ports need to be flipped around. The RHS Ports are what the service inside docker is looking to use (often these are set by the developer but they can be changed in settings; it's easier to leave these as default and only change the LHS Ports). The LHS Ports are what you choose to expose on the actual server itself. https://docs.docker.com/get-started/docker-concepts/running-containers/publishing-ports/
There's no mention of the router settings so the problem might be there. Are you forwarding the right ports through? You would need to forward ports 80 and 443 to the LHS Ports you choose for caddy. These port forwards would also need to point to your server's internal address. (Search "<your router name> port forward settings")
What do you have on port 80? I would recommend changing that to something else and having caddy on ports 80 and 443. I would also suggest trying nginx proxy manager, which is available on docker, has a nice web interface to add reverse proxies, and can handle your SSL certificates (incl. automatic renewals). This would replace caddy and would use ports 80 and 443 on your server. https://nginxproxymanager.com/
Also, just to mention, your safest option is not to expose vaultwarden to the internet unless you're very sure you need to, and to add other protections (firewalls, fail2ban etc). If it's just you/a few people, look into using a VPN like tailscale (easiest but relies on an external party) or Wireguard (fully yours to control but pretty complicated).
You would still need an SSL cert but you can do this through DuckDNS using https://github.com/maksimstojkovic/docker-letsencrypt. You could also buy a cheap domain and never have to expose anything, as they would give you a certificate to download (cloudflare or porkbun are good - https://kb.porkbun.com/article/71-how-your-free-ssl-certificates-work) and you manually upload it to caddy or nginx proxy manager. The best option is to use nginx proxy manager or certbot to handle these as the certificates expire. You can set up "DNS challenge" in your SSL certificate manager, which needs details from your DNS to obtain the SSL certificates on your behalf.
If I was you, I would search for online guides and setup in this order: nginx proxy manager, SSL cert (buying your own cheap domain from cloudflare and setting up DNS challenge in nginx proxy manager), tailscale, then vaultwarden.
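As an added example (not the poster's own config, and not from the Caddy or Docker projects), here is a docker-compose.yml that puts the "LHS Ports : RHS Ports" orientation into practice: the reverse proxy is the only service with published ports, and Vaultwarden has none at all, so it is reachable only through the proxy. The image tags, service names, the "proxy" network and the domain are assumptions; adjust them to your setup.

```yaml
# Added example, not the original poster's file. Image tags, service names,
# the "proxy" network and the domain are assumptions.
services:
  caddy:
    image: caddy:2                     # assumed image/tag
    restart: unless-stopped
    ports:
      # Orientation is HOST:CONTAINER ("LHS Ports":"RHS Ports").
      # Caddy listens on 80 and 443 inside the container, so publishing
      # them on the same host ports means the router forwards
      # external 80 -> <server LAN IP>:80 and 443 -> <server LAN IP>:443.
      - "80:80"
      - "443:443"
      # Had this been written as "1443:443", the host would listen on 1443
      # and the router would have to forward external 443 -> internal 1443.
      # Caddy itself would still see port 443; the container side is untouched.
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro   # assumed path
      - caddy_data:/data
    networks:
      - proxy

  vaultwarden:
    image: vaultwarden/server:latest   # assumed image/tag
    restart: unless-stopped
    # Deliberately no "ports:" block: nothing on the LAN or the internet can
    # reach this container directly. Caddy reaches it on the "proxy" network
    # as http://vaultwarden:80 (the port the app listens on inside the container).
    environment:
      DOMAIN: "https://vault.example.com"   # public URL, assumption
    volumes:
      - vw_data:/data
    networks:
      - proxy

networks:
  proxy:

volumes:
  caddy_data:
  vw_data:
```

With this layout the Caddyfile only needs a site block for the public name that reverse-proxies to the service name on the shared network (for the assumed names above, vault.example.com reverse_proxy vaultwarden:80). Before touching the router, check on the server that docker has actually bound the host ports you expect with "docker compose ps" or "ss -ltnp"; if 80 and 443 are not listed there, no port forward will fix it.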
Does it include cleaners? Most offices seem to hire external companies so don’t hire cleaners themselves, or any of the “menial” jobs required to have a functioning office. Might hide much worse jobs
Just had to double check that Mick Lynch hadn’t passed away or started moonlighting as an actor…
Don’t provide services to others, including your own family, actually especially your own family, until you are quite comfortable with what is going on and what might be causing issues. Focus on helping yourself or keeping whatever other services you were using before just in case.
Trying to fix something at night, with a fuming partner who's already put up with a difficult to use service, because of your want for privacy even though they don't care, whilst saying "it should work, I don't know what's wrong", is not a great place to be 😁.
Overall though, I found it so interesting that I am doing a part time degree in computer science in my 30s, purely to learn more (whilst being forced to do it to timelines and having paid for it).
I have a very comfortable and ‘forget about it’ setup my family are now using. Every now and then I add new services for myself, and if it works out, will give access to others to use, keep it just for me or just delete it and move on.
I have a reason I don’t think is covered. A few programs I have come across that I want to try recommend docker and some only provide instructions for docker. They can spend less time trying to help you with dependencies and installations knowing they’ve included everything you need in the docker file. I don’t have a background in Linux or programming so unless they tell you exactly how to install something, I can struggle. Their installation page is then just the docker compose file with a note on the environment variables you can change.
It’s painful but might be easier to just download the ebooks through other means. Try Openbooks.
Either try to work out how to pass headers through to get around the service login or give up and find another app. On some services, the service auto logs onto one account so anybody who gets through Authentik sees the same stuff which is fine. I definitely don’t have two levels of login!
I should say I use Plex’s and vaultwarden’s own login systems.
They serve two different purposes. You can have one, both or neither. Sorry if you already know all this below but thought it might be good to explain in detail.
NPM is a proxy provider so passes subdomains to the right service (e.g. service1.url.com passes to service 1 at IP x.x.x.x on port 5050). This allows you to only open one port to NPM but access other services through subdomains. I have NPM in front of my external apps so I can access each through a subdomain (e.g. service1.url.com). You could also use it for accessing internally if you set up your internal DNS to pass (e.g. service1.internal) to the IP address and port of your service, and set NPM only to allow access from internal IPs.
Authentik provides single sign on so instead of having different usernames and passwords for every user on every service, you have one set of users and it manages the passwords.
There are at a high level two levels of using it.
Some services have proper SSO integration so you set up Authentik to replace their own login system. For instance, with Nextcloud you are going to the Nextcloud homepage but it then goes out to Authentik to do the login process and once passed, Authentik will tell Nextcloud user B has successfully logged in, I vouch for them and here are their details. You can do this for internal and external access. Obviously with Nextcloud you need to log in either through its own login system or via SSO, so even if I go directly to the internal IP and port (and therefore don't need NPM to access it), I still need Authentik to log in so it knows it's me and not my partner trying to access her account.
Some services don’t have SSO integration or have no login required. For instance, I have Stirling PDF which doesn’t need user details or login. However, you don’t want to just allow anyone to access so I have setup NPM to use Authentik as a proxy pass. If I go to stirlingpdf.url.com then it sends me to Authentik to login. You can only ever get to the Stirling app if you successfully log in. You can also set Authentik so that only certain users or groups of users can access certain apps but that’s more than I need.
It does take some effort to get SSO working correctly for each service and it’s only really worth it if you do have multiple users or services that need logins.
You don’t want just NPM unless you trust the service to have a secure login.
Others will probably say, you shouldn’t have anything facing externally. You can setup Tailscale or Wireguard tunnels so you always appear to be on the local network. That way, you don’t need NPM to be open externally. However you might still want it so you can type the address service1.internal instead of 192.168.1.1:8063 each time. You probably also want Authentik to make the login shared.
In terms of network access to get them working, NPM needs to be able to access Authentik internally on your network. You could either put them on the same shared Docker network or, in my case, they are both on the same server so share an internal IP. I have opened the individual ports on Docker so they can access each other internally just like I can access both from my laptop. If I'm accessing away from home, I have my domain pointing to my home external network IP, with port 443 open on my router pointing to my home server with NPM. NPM then "talks" to Authentik through the home network so I log in through that, but I don't have to open the Authentik port externally.
In my case, in the NPM settings, instead of using the docker created network for Authentik (like 172.3.1.1 or something that might change), I use the internal IP of the machine (like 192.168.1.1:4443 {if 4443 is the Authentik port}). I also have an NPM entry auth.url.com that points to Authentik which some apps need instead of the internal address. It took some playing around to get it right but once you do, it’s essentially copy and paste for new services.
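As an added example (not the poster's own setup, and not the authentik or NPM projects' own compose files), this docker-compose.yml shows the shared-network alternative described above: NPM and Authentik sit on one Docker network, NPM reaches Authentik by service name rather than by a 172.x address that can change, and the Authentik port is never published on the host or forwarded by the router. Image tags, service names, network names and every environment value are assumptions; Authentik's own compose also includes a worker service and real secrets, so take those from its documentation rather than from here.

```yaml
# Added example, not the original poster's file. Image tags, service and
# network names, and all environment values are placeholders/assumptions.
services:
  npm:
    image: jc21/nginx-proxy-manager:latest   # assumed image/tag
    restart: unless-stopped
    ports:
      - "80:80"             # host:container; these two are the only router forwards
      - "443:443"
      - "127.0.0.1:81:81"   # admin UI bound to localhost only; reach it over VPN/SSH
    volumes:
      - npm_data:/data
      - npm_letsencrypt:/etc/letsencrypt
    networks:
      - proxy

  authentik-server:
    image: ghcr.io/goauthentik/server:latest   # assumed tag; pin a real version
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_SECRET_KEY: "change-me"            # placeholder, generate a long random value
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: "change-me"  # placeholder
      AUTHENTIK_REDIS__HOST: redis
    # No "ports:" block. The NPM proxy host for auth.url.com forwards to
    # http://authentik-server:9000 over the "proxy" network, and the
    # forward-auth rules in each protected proxy host use the same name,
    # so the Authentik port is reachable from NPM but not from the LAN,
    # the host, or the internet.
    networks:
      - proxy
      - backend
    depends_on:
      - postgresql
      - redis

  postgresql:
    image: postgres:16-alpine      # assumed image/tag
    restart: unless-stopped
    environment:
      POSTGRES_USER: authentik
      POSTGRES_DB: authentik
      POSTGRES_PASSWORD: "change-me"   # placeholder, must match the value above
    volumes:
      - pg_data:/var/lib/postgresql/data
    networks:
      - backend

  redis:
    image: redis:alpine            # assumed image/tag
    restart: unless-stopped
    networks:
      - backend

networks:
  proxy:                           # NPM <-> apps <-> Authentik
  backend:
    internal: true                 # database and redis: no route to the outside at all

volumes:
  npm_data:
  npm_letsencrypt:
  pg_data:
```

With the two services on the "proxy" network, the NPM proxy host for auth.url.com points at the service name (authentik-server, port 9000) instead of the machine's LAN IP, and the per-app forward-auth snippet that goes into a proxy host's Advanced tab refers to Authentik by that same name; authentik's Nginx proxy provider documentation gives the exact snippet. The backend network is marked internal so the database and redis have no route out and cannot be reached from anything but the Authentik containers.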
Amazing work team. I am already seeing improvements. Hope you are not killing yourselves though, I’m sure everyone realises how difficult it is and that it will take time to fix. We’re here for the long haul! Thanks again
This, the limit on how much it could be, and the ban on charging any additional fees, absolute game changers! The change to them not being able to tax-deduct mortgage payments has also changed behaviour. I mean, landlords are still a huge drain on society and rents are mental, but these steps help.