this post was submitted on 21 Oct 2023
2 points (100.0% liked)

Self-Hosted Main

502 readers
1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

For Example

We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.

Useful Lists

founded 1 year ago
MODERATORS
[email protected]
2
Need Brains from the self-hosters (alien.top)
submitted 11 months ago by [email protected] to c/[email protected]
6 comments fedilink hide all child comments
 

I have a very simple setup running Gitea which I love. However, I enabled Elastic Search because it makes searching much faster than the default method.

I have a VPS running 16GB memory. The only things running on it are Nginx, PHP, Mysql, docker, and a few other things. Very rarely I ever hit over 6GB usage.

The issue comes when I enable Elastic Search. It seems to wipe me out at 15.7GB usage out of 16GB as soon as I start it up.

I searched online and found out about the /etc/elasticsearch/jvm.options.d/jvm.options and adding

-XmxXG
-XmsXG

The question is, what should this amount be. I read that by default, Elastic uses 50%, however, when I started it up, it was wiping me out of memory and making the system almost have a stroke.

But setting it to 2GB seems to make it not as responsive on the Gitea website, sometimes even timing the website out.

So I'm not sure what "range" I should be using here. Or if I'm going to have to upgrade my VPS to 32GB in order to run this properly.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 1 points 11 months ago (1 children)

Oh damn, thanks. I'll throw this in Obsidian.

Reverse proxy is exactly why I don't have more things setup in docker. I haven't quite figured out how it, nginx, and the app work together yet.

I had to setup caddy when I installed vaultwarden, and while that was easy because I had a very good guide to assist me, I would have been completely and totally lost if I had to setup caddy2 on my own.

So I definitely need to sit down one day and just do a full day's read on reverse proxy, how it works with Docker and its function, and what I can do with it. Because the vaultwarden setup made it no easier to understand.

I wanted to actually move nginx and mysql over to docker, but reverse proxy is also the reason that's holding me back.

[–] [email protected] 1 points 11 months ago

If you already have Caddy running on that same Docker host then its very simple to add another proxy target to that through the Caddyfile.

I have been using Traefik for years and i am mostly happy with it but recently spend a day on trying out Caddy together with Authelia for authentication. Here is what came out of it as a very basic example to use them together. Its using a custom Docker image for Caddy that contains a few extra modules but it can easily be replaced with the basic official one, depending on what modules you need (for example, Lets Encrypt with dns01-challenge requires modules for DNS providers). My example uses www.desec.io for that but Cloudflare, DuckDNS etc. are possible too.

docker-compose.yml

version: "3.3"

networks:
  caddy:
    external: true

services:

  caddy:
    container_name: caddy
    image: l33tlamer/caddy-desec:latest
    restart: unless-stopped
    networks:
      - caddy
    ports:
      - 0.0.0.0:80:80/tcp
      - 0.0.0.0:443:443/tcp
      - 0.0.0.0:443:443/udp
    environment:
      - TZ=Europe/Berlin
      - DESEC_TOKEN=CHANGEME
    volumes:
      - ./required/Caddyfile:/etc/caddy/Caddyfile
      - ./config:/config
      - ./data:/data

  authelia:
    container_name: authelia
    image: authelia/authelia:latest
    restart: unless-stopped
    networks:
      - caddy
    ports:
      - 9091:9091
    environment:
      - TZ=Europe/Berlin
    volumes:
      - ./required/configuration.yml:/config/configuration.yml:ro
      - ./required/users_database.yml:/config/users_database.yml:ro
      - ./required/db.sqlite3:/config/db.sqlite3

    ### use pre-defined external Docker network: docker network create caddy
    ### db.sqlite3 needs to exist before first container start, can be created with: touch ./required/db.sqlite3
    ### Caddy config can be quickly reloaded with: docker exec -w /etc/caddy caddy caddy reload
    ### changes to Authelia files require its container to be restarted

required/Caddyfile

{
        debug
        http_port 80
        https_port 443
        email [email protected]
        # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
        acme_ca https://acme-v02.api.letsencrypt.org/directory
}

*.example.com {
        tls {
                dns desec {
                        token {env.DESEC_TOKEN}
                }
                propagation_timeout -1
        }

        @authelia host auth.example.com
        handle @authelia {
                forward_auth authelia:9091 {
                        uri /api/verify?rd=https://auth.example.com
                        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
                }
                reverse_proxy authelia:9091
        }

        ### example of a basic site entry
        @matomo host matomo.example.com
        handle @matomo {
                forward_auth authelia:9091 {
                        uri /api/verify?rd=https://auth.example.com
                        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
                }
                reverse_proxy matomo:8080
        }

        ### example of a site entry when target is HTTPS
        @proxmox host proxmox.example.com
        handle @proxmox {
                forward_auth authelia:9091 {
                        uri /api/verify?rd=https://auth.example.com
                        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
                }
                reverse_proxy 192.168.50.75:8006 {
                        transport http {
                                tls_insecure_skip_verify
                        }
                }
        }

        ### Fallback for otherwise unhandled domains
        handle {
                abort
        }

}

required/configuration.yml

# yamllint disable rule:comments-indentation

theme: grey

# generate with: openssl rand -hex 32
jwt_secret: CHANGEME

default_redirection_url: https://www.google.com/

default_2fa_method: ""

server:
  host: 0.0.0.0
  port: 9091
  path: ""
# asset_path: /config/assets/
  enable_pprof: false
  enable_expvars: false
  disable_healthcheck: false
  tls:
    key: ""
    certificate: ""
    client_certificates: []
  headers:
    csp_template: ""

log:
  level: debug

telemetry:
  metrics:
    enabled: false
    address: tcp://0.0.0.0:9959

totp:
  disable: false
  issuer: Authelia
  algorithm: sha1
  digits: 6
  period: 30
  skew: 1
  secret_size: 32

webauthn:
  disable: false
  timeout: 60s
  display_name: Authelia
  attestation_conveyance_preference: indirect
  user_verification: preferred

ntp:
  address: "time.cloudflare.com:123"
  version: 4
  max_desync: 3s
  disable_startup_check: false
  disable_failure: false

authentication_backend:
  password_reset:
    disable: false
    custom_url: ""
  refresh_interval: 1m

  file:
    path: /config/users_database.yml
    password:
      algorithm: argon2id
      iterations: 1
      key_length: 32
      salt_length: 16
      memory: 1024
      parallelism: 8

password_policy:
  standard:
    enabled: false
    min_length: 8
    max_length: 0
    require_uppercase: true
    require_lowercase: true
    require_number: true
    require_special: true
  zxcvbn:
    enabled: false
    min_score: 3

access_control:
  default_policy: deny
  rules:
    # authelia itself gets bypass
    - domain:
        - "auth.example.com"
      policy: bypass
    # list all your protected subdomains like this
    - domain: "matomo.example.com"
      policy: one_factor
    - domain: "proxmox.example.com"
      policy: one_factor

session:
  name: authelia_session
  domain: example.com
  same_site: lax
  # generate with: openssl rand -hex 32
  secret: CHANGEME
  expiration: 3h
  inactivity: 15m
  remember_me_duration: 1M

regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 12h

storage:
  local:
    path: /config/db.sqlite3
  # generate with: openssl rand -hex 32
  encryption_key: CHANGEME

notifier:
  disable_startup_check: false
  filesystem:
    filename: /config/notification.txt

required/users_database.yml

users:

  admin:
    displayname: "Admin"
    # generate encoded password with for example https://argon2.online/
    # settings: argon2id, random salt, parallelism=8, memorycost=1024, iterations=1, hashlength=32
    # this example password = admin
    password: "$argon2id$v=19$m=1024,t=1,p=8$WnZGOU03d1lnMFRuYzZVQw$V+pcZ9KqXmsSZGuhzrv75ZPy5VQi9rfrWZnFKlJxTcI"
    email: [email protected]
    groups:
      - admins