#authelia — Public Fediverse posts

@viq interesting... #KaniDM is new for me. I was thinking to deploy #authelia in my #Selfhosting environment. I'll read more about it. Thanks

@homelab

Woohoo. #authelia is working!

hm, how do I use #authelia in my homelab, where I don't have a proper domain name, but everything is under ${somehostname}.lan, at least as of now?

sind #authelia Nutzer hier, die das in einem kleinen #selfhosting / #homelab Umfeld betreiben, für ca 10 Dienste und max 2 User? Lohnt sich Overhead und Administrationsaufwand dafür überhaupt, oder ist das dann eher eine Spielerei „weil man es kann“?

Ich habe mich noch gar nicht damit befasst, was das so voraussetzt und weil ich mir nicht unbedingt das nächste Rabbithole aufmachen will. Am Ende ist der Komfortgewinn ja eher überschaubar ggü der Nutzung eines Passwort-Managers denke ich mir so.

So… did I get this right? Authelia is, basically, a service, which is there so nginx (or any other reverse proxy) can ask it "hey, is this user authenticated and are they allowed to access this particular service/resource"?

#authelia #homelab #selfhosting

Zentrale Authentifizierung muss kein Overkill sein.

Ich setze mir gerade Authelia ein und mag den Ansatz:
SSO und MFA an einer Stelle, sauber vor dem Reverse Proxy, ohne Cloud-Abhängigkeit.

Open Source, OpenID-Connect-zertifiziert, klar strukturierte Policies.
Einmal anmelden, mehrere Dienste nutzen – ruhig, kontrolliert, nachvollziehbar.

Macht genau das, was es soll.
Nicht mehr, nicht weniger.

#Authelia #SelfHosting #OpenSource #IAM #SSO #Security

Why would #authelia authentication for access via #caddy #reverseproxy fail over #VPN ? It seems to be an #expressvpn issue - they are not routing to my #IP it seems. Anyone else get this?

I was using (and loving it) #LogSeq to take notes, but there are problems in having it in sync with my phone, as iPhone does not allow you to easily open the files synced with #NextCloud in #LogSeq, and editing the MD files directly in #NextCloud break the formatting.
After some search for a substitute, I can already say that #silverbullet (https://silverbullet.md) might end up being a good substitute for it (hosted in my personal server, behind VPN + #Authelia)

Been playing with #authelia and #voidauth as a #selfhosted #oidc service today. Didn't get anything proper setup bit learned a lot in the process. Good contender for a blog post me thinks.
Even had a stab at adding them as oidc provider for #cloudflare but not sure if I really need that... Yet

Been playing with #authelia and #voidauth as a #selfhosted #oidc service today. Didn't get anything proper setup bit learned a lot in the process. Good contender for a blog post me thinks.
Even had a stab at adding them as oidc provider for #cloudflare but not sure if I really need that... Yet

Been playing with #authelia and #voidauth as a #selfhosted #oidc service today. Didn't get anything proper setup bit learned a lot in the process. Good contender for a blog post me thinks.
Even had a stab at adding them as oidc provider for #cloudflare but not sure if I really need that... Yet

Been playing with #authelia and #voidauth as a #selfhosted #oidc service today. Didn't get anything proper setup bit learned a lot in the process. Good contender for a blog post me thinks.
Even had a stab at adding them as oidc provider for #cloudflare but not sure if I really need that... Yet

I thought my #Authelia and #Stalwart configuration were completely broken, low and behold it's just a Stalwart bug in their admin panel. https://github.com/stalwartlabs/stalwart/issues/1381

Guess I should skip to the next step and see if I can connect some clients to this thing. :D

I finally finished my #Fail2Ban setup and am quite happy with the result. I've got #discord and #email notifications, global IP banning (on all servers) and automatic reporting to #abuseipdb based on multiple factors. This is awesome.

I'm so happy that i took the time to set up #Authelia as it's a breeze to #protect a single #endpoint and cover 70-80% of all services.

#homelab #selfhosting #linux #security #sso #oidc #OpenIDConnect

I've got #Stalwart configured against #Authelia...
https://www.authelia.com/integration/openid-connect/stalwart/

But idk next step for Authelia users to login, since logins currently fail. Do I have to manually add accounts for each authelia user, or are they generated on login? Again currently fails, so no idea.

Oh well, problem for another day, time to game.

When you get #caddy and #authelia working to expose your #selfhosted #homelab services

Authelia open-source authentication and authorization server passes OpenID Connect certification, confirming full conformance with implemented profiles.
https://linuxiac.com/authelia-authentication-server-achieves-openid-certified-status/

#authelia #sso #opensource #authentication #openid

#ayuda fediverso #tailscale #selfhosting
#ayudaTec

estoy probando nuevo setup red interna, usando funnel (tailscale serve) para exponer en web (dentro de tailscale) aplicaciones en la raspberry. ejemplo:
tengo #komodo en 127.0.0.1:9120. pero quiero poner varios funnels a la vez, como por ejemplo cockpit en 9090. se puede con --set-path

https://tailscale.com/kb/1242/tailscale-serve#serve-command-flags

y funciona:
(vease primer pantallazo)

pero no me cargan las aplicaciones. por el puto path. vease segundo pantallazo

las aplicaciones buscan todos los archivos en el root / y no en /komodo /cockpit. o lo que sea. y como resultado, no carga nada. todo roto

probe poner un reverse proxy y hacerle rewrite a las urls. pero aparte de ya parecerme muy absurdo: no puedo. al intentar desplegar nginx proxy manager (pero me pasaria con cualquier otro) me dice, con razon: que el puerto 443 esta siendo utilizado ya y que me peine.

(siento la parrafada, pero por explicarme bien, si alguien me puede dar otra solucion) la intencion de todo eso es hacer segura una red interna en la raspberry que pueda acceder servicios por urls sin saberme de memoria todos los puertos, y que pueda usar un gestor de contraseña para cada servicio sin tener que hacer copiar pegar manualmente porque no entienden de puertos.

problema muy primer mundista, ya lo se. pero me divierte.

idealmente quisiera poner un IAM como #keycloak #authentik #authelia o alguno de esos, con 2FA. pero soy demasiado inutil para configurarlos. me viene muy grande ese mundo aun. pero seria el objetivo final.

@t3rr0rz0n3 @matiargs
@trankten @sam @z3r0

Finally finished my #authelia setup yesterday. #SSO is amazing. Strong #password + #2FA everywhere just feels right.

Not only that, but you can also configure #AccessControls and trusted #IPRanges.

Since i'm not the only user on my #server, having fine-grained control is very welcome.

#security #linux #homelab #selfhosting

Finally finished my #authelia setup yesterday. #SSO is amazing. Strong #password + #2FA everywhere just feels right.

Not only that, but you can also configure #AccessControls and trusted #IPRanges.

Since i'm not the only user on my #server, having fine-grained control is very welcome.

#security #linux #homelab #selfhosting

Finally finished my #authelia setup yesterday. #SSO is amazing. Strong #password + #2FA everywhere just feels right.

Not only that, but you can also configure #AccessControls and trusted #IPRanges.

Since i'm not the only user on my #server, having fine-grained control is very welcome.

#security #linux #homelab #selfhosting

Finally finished my #authelia setup yesterday. #SSO is amazing. Strong #password + #2FA everywhere just feels right.

Not only that, but you can also configure #AccessControls and trusted #IPRanges.

Since i'm not the only user on my #server, having fine-grained control is very welcome.

#security #linux #homelab #selfhosting

Finally finished my #authelia setup yesterday. #SSO is amazing. Strong #password + #2FA everywhere just feels right.

Not only that, but you can also configure #AccessControls and trusted #IPRanges.

Since i'm not the only user on my #server, having fine-grained control is very welcome.

#security #linux #homelab #selfhosting

#Authelia is so awesome. Can't believe i've missed all this until now.

Hi everyone,

I'm encountering an issue with my self-hosted setup using Caddy 2.9.1 and Authelia 4.38.19. All domains except auth.laniecarmelo.tech return a 401 Unauthorized error. Journald logs suggest issues with insecure schemes ('') instead of https or wss.

Details:

• Setup: Caddy as reverse proxy, Authelia for authentication
• Domains: AdGuard Home, Forgejo, LinkAce, MiniFlux, TheLounge, Homepage, Beszel, Glances, Uptime Kuma, Tandoor Recipes, BookStack, Watchtower, Portainer
• Logs:
  Authelia:
  Feb 24 21:01:47 stormux authelia[2932]: level=error msg="Target URL '/' has an insecure scheme '', only 'https' and 'wss' are supported"Caddy:
  Feb 24 21:19:41 stormux caddy[48845]: {"msg":"handled request","method":"GET","host":"adguard.laniecarmelo.tech","status":200}

Configurations:

• Full Caddyfile and Authelia config: GitHub Gist

Curl Output:

HTTP Request:

$ curl home.laniecarmelo.tech -v
< HTTP/1.1 308 Permanent Redirect
< Location: https://home.laniecarmelo.tech/

HTTPS Request:

$ curl https://home.laniecarmelo.tech -v
< HTTP/2 401 
< content-type: text/plain; charset=utf-8
< server: Caddy
401 Unauthorized

Does anyone know what might be causing this? I suspect it could be related to forward_auth or trusted proxies.

Thanks in advance! 🙏

#SelfHosting #CaddyServer #Authelia #ReverseProxy #TechHelp #Linux #HomeLab
@selfhost @selfhosting @selfhosted

#SelfHosted #LinkAce Bookmark Manager Running, but Unable to Check for Updates or Generate a Cron Token

Hi all. Hoping someone in the #SelfHosting community can help here. I'm running LinkAce in #Docker behind non-Dockerized #Caddy and #Authelia, and most things are working, but I'm seeing "Could not check for updates" at the bottom of each page, and when I tried to generate a cron token, nothing happened except for the generate button graying out. I am seeing one or two 404 errors in my logs, but I don't know if that's causing the problem or not. I don't know much about #PHP applications.

Logs

2025-02-22 23:25:26,460 INFO supervisord started with pid 1
2025-02-22 23:25:27,465 INFO spawned: 'php-fpm' with pid 8
2025-02-22 23:25:27,467 INFO spawned: 'caddy' with pid 9
[22-Feb-2025 23:25:27] NOTICE: [pool www] 'user' directive is ignored when FPM is not running as root
[22-Feb-2025 23:25:27] NOTICE: [pool www] 'group' directive is ignored when FPM is not running as root
[22-Feb-2025 23:25:27] NOTICE: fpm is running, pid 8
[22-Feb-2025 23:25:27] NOTICE: ready to handle connections
{"level":"info","ts":1740266727.5264525,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
{"level":"info","ts":1740266727.5280282,"msg":"adapted config to JSON","adapter":"caddyfile"}
{"level":"warn","ts":1740266727.5280406,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"info","ts":1740266727.529092,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"warn","ts":1740266727.529331,"logger":"http.auto_https","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv0","http_port":80}
{"level":"info","ts":1740266727.5294206,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x40000bab00"}
{"level":"warn","ts":1740266727.530186,"logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":80"}
{"level":"warn","ts":1740266727.530195,"logger":"http","msg":"HTTP/3 skipped because it requires TLS","network":"tcp","addr":":80"}
{"level":"info","ts":1740266727.530198,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1740266727.5412574,"msg":"autosaved config (load with --resume flag)","file":"/home/www-data/.config/caddy/autosave.json"}
{"level":"info","ts":1740266727.541271,"msg":"serving initial configuration"}
{"level":"info","ts":1740266727.5477707,"logger":"tls","msg":"cleaning storage unit","storage":"FileStorage:/home/www-data/.local/share/caddy"}
{"level":"info","ts":1740266727.5541356,"logger":"tls","msg":"finished cleaning storage units"}
2025-02-22 23:25:28,555 INFO success: php-fpm entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2025-02-22 23:25:28,555 INFO success: caddy entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
::1 -  22/Feb/2025:23:25:34 +0000 "GET /index.php" 200
::1 -  22/Feb/2025:23:25:34 +0000 "GET /index.php" 404

Docker Compose file

services:
  # --- LinkAce
  linkace:
    image: docker.io/linkace/linkace:latest
    container_name: linkace
    restart: unless-stopped
    depends_on:
      - linkace_db
    ports:
      - "0.0.0.0:3009:80"
    volumes:
      - ./.env:/app/.env
      - ./backups:/app/storage/app/backups

  # --- Database
  linkace_db:
    image: docker.io/library/mariadb:11.5
    container_name: linkace_db
    restart: unless-stopped
    command: mariadbd --character-set-server=utf8mb4 --collation-server=utf8mb4_bin
    environment:
      - MYSQL_ROOT_PASSWORD=${DB_PASSWORD}
      - MYSQL_USER=${DB_USERNAME}
      - MYSQL_PASSWORD=${DB_PASSWORD}
      - MYSQL_DATABASE=${DB_DATABASE}
    volumes:
      - db:/var/lib/mysql

  # --- Cache
  linkace_redis:
    image: docker.io/bitnami/redis:7.4
    container_name: linkace_redis
    restart: unless-stopped
    environment:
      - REDIS_PASSWORD=${REDIS_PASSWORD}

volumes:
  db:

.env (secrets redacted)

## LINKACE CONFIGURATION

# The app key is generated later, please leave it like that
APP_KEY=redacted
APP_ENV=development

## Configuration of the database connection
## Attention: Those settings are configured during the web setup, please do not modify them now.
# Set the database driver (mysql, pgsql, sqlsrv, sqlite)
DB_CONNECTION=mysql
# Set the host of your database here
DB_HOST=linkace_db
# Set the port of your database here
DB_PORT=3306
# Set the database name here
DB_DATABASE=linkace
# Set both username and password of the user accessing the database
DB_USERNAME=linkace
# Wrap your password into quotes (") if it contains special characters
DB_PASSWORD=redacted

## Redis cache configuration
# Set the Redis connection here if you want to use it
REDIS_HOST=linkace_redis
REDIS_PASSWORD=redacted
REDIS_PORT=6379
APP_DEBUG=true

# SSO configuration
SSO_ENABLED=true
SSO_OIDC_ENABLED=true
SSO_REGISTRATION_ENABLED=true
REGULAR_LOGIN_DISABLED=true
SSO_OIDC_BASE_URL=https://auth.laniecarmelo.tech/  # Your Authelia base URL
SSO_OIDC_CLIENT_ID=linkace
SSO_OIDC_CLIENT_SECRET='redacted'
SSO_OIDC_SCOPES=openid,profile,email

Caddyfile snippet

{
    email [email protected]
    debug
    acme_dns cloudflare redacted
    http_port 80
    https_port 443
    admin :2019 {
        origins 127.0.0.1:2019 0.0.0.0:2019 stormux:2019 caddy.laniecarmelo.tech
    }
}

(logconfig) {
    log {
        output stdout
        format json
    }
}

(auth_headers) {
    header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
}

(proxy_config) {
    header_up Host {http.request.host}
    header_up X-Real-IP {http.request.remote}
    header_up X-Forwarded-User {http.auth.user.id} # Pass user ID
    header_up X-Forwarded-Email {http.auth.user.email} # Pass email
}

(authelia_middleware) {
    forward_auth localhost:9091 {
        uri /api/verify?rd=https://auth.laniecarmelo.tech
        copy_headers Remote-User Remote-Email Remote-Groups Authorization
    }
}

bookmarks.laniecarmelo.tech {
    route {
        import authelia_middleware
        reverse_proxy localhost:3009 {  # Directly proxy to LinkAce's web server
            import proxy_config
        }
    }
    import logconfig
    import auth_headers
}

Authelia config snippet

    - domain: "*.laniecarmelo.tech"
      policy: bypass
      networks:
        - 192.168.1.0/24    # Local network
        - 172.17.0.0/16     # Docker bridge network
        - 100.64.0.0/10     # Tailscale network

    - domain: "bookmarks.laniecarmelo.tech"
      resources: ["^/api.*"]
      policy: bypass

    - domain: "*.laniecarmelo.tech"
      policy: one_factor      

      - client_id: linkace
        client_name: LinkAce bookmarking app
        client_secret: redacted
         public: false
        authorization_policy: one_factor
        scopes: [openid, groups, profile, email, offline_access]
        redirect_uris:
          - https://bookmarks.laniecarmelo.tech/auth/oidc/callback
        grant_types: [authorization_code]
        response_types: [code]
        response_modes: [form_post, query]
        userinfo_signed_response_alg: none
        consent_mode: explicit
        pre_configured_consent_duration: "1y"

Does anyone know what might be causing this and how I can fix it?
#Linux #ArchLinuxARM #Stormux #RaspberryPi #RaspberryPi500 #RPi #RPi500 #tech #technology
@selfhost @selfhosted @selfhosting

#SelfHosted #LinkAce Bookmark Manager Running, but Unable to Check for Updates or Generate a Cron Token

Hi all. Hoping someone in the #SelfHosting community can help here. I'm running LinkAce in #Docker behind non-Dockerized #Caddy and #Authelia, and most things are working, but I'm seeing "Could not check for updates" at the bottom of each page, and when I tried to generate a cron token, nothing happened except for the generate button graying out. I am seeing one or two 404 errors in my logs, but I don't know if that's causing the problem or not. I don't know much about #PHP applications.

Logs

2025-02-22 23:25:26,460 INFO supervisord started with pid 1
2025-02-22 23:25:27,465 INFO spawned: 'php-fpm' with pid 8
2025-02-22 23:25:27,467 INFO spawned: 'caddy' with pid 9
[22-Feb-2025 23:25:27] NOTICE: [pool www] 'user' directive is ignored when FPM is not running as root
[22-Feb-2025 23:25:27] NOTICE: [pool www] 'group' directive is ignored when FPM is not running as root
[22-Feb-2025 23:25:27] NOTICE: fpm is running, pid 8
[22-Feb-2025 23:25:27] NOTICE: ready to handle connections
{"level":"info","ts":1740266727.5264525,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
{"level":"info","ts":1740266727.5280282,"msg":"adapted config to JSON","adapter":"caddyfile"}
{"level":"warn","ts":1740266727.5280406,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"info","ts":1740266727.529092,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"warn","ts":1740266727.529331,"logger":"http.auto_https","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv0","http_port":80}
{"level":"info","ts":1740266727.5294206,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x40000bab00"}
{"level":"warn","ts":1740266727.530186,"logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":80"}
{"level":"warn","ts":1740266727.530195,"logger":"http","msg":"HTTP/3 skipped because it requires TLS","network":"tcp","addr":":80"}
{"level":"info","ts":1740266727.530198,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1740266727.5412574,"msg":"autosaved config (load with --resume flag)","file":"/home/www-data/.config/caddy/autosave.json"}
{"level":"info","ts":1740266727.541271,"msg":"serving initial configuration"}
{"level":"info","ts":1740266727.5477707,"logger":"tls","msg":"cleaning storage unit","storage":"FileStorage:/home/www-data/.local/share/caddy"}
{"level":"info","ts":1740266727.5541356,"logger":"tls","msg":"finished cleaning storage units"}
2025-02-22 23:25:28,555 INFO success: php-fpm entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2025-02-22 23:25:28,555 INFO success: caddy entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
::1 -  22/Feb/2025:23:25:34 +0000 "GET /index.php" 200
::1 -  22/Feb/2025:23:25:34 +0000 "GET /index.php" 404

Docker Compose file

services:
  # --- LinkAce
  linkace:
    image: docker.io/linkace/linkace:latest
    container_name: linkace
    restart: unless-stopped
    depends_on:
      - linkace_db
    ports:
      - "0.0.0.0:3009:80"
    volumes:
      - ./.env:/app/.env
      - ./backups:/app/storage/app/backups

  # --- Database
  linkace_db:
    image: docker.io/library/mariadb:11.5
    container_name: linkace_db
    restart: unless-stopped
    command: mariadbd --character-set-server=utf8mb4 --collation-server=utf8mb4_bin
    environment:
      - MYSQL_ROOT_PASSWORD=${DB_PASSWORD}
      - MYSQL_USER=${DB_USERNAME}
      - MYSQL_PASSWORD=${DB_PASSWORD}
      - MYSQL_DATABASE=${DB_DATABASE}
    volumes:
      - db:/var/lib/mysql

  # --- Cache
  linkace_redis:
    image: docker.io/bitnami/redis:7.4
    container_name: linkace_redis
    restart: unless-stopped
    environment:
      - REDIS_PASSWORD=${REDIS_PASSWORD}

volumes:
  db:

.env (secrets redacted)

## LINKACE CONFIGURATION

# The app key is generated later, please leave it like that
APP_KEY=redacted
APP_ENV=development

## Configuration of the database connection
## Attention: Those settings are configured during the web setup, please do not modify them now.
# Set the database driver (mysql, pgsql, sqlsrv, sqlite)
DB_CONNECTION=mysql
# Set the host of your database here
DB_HOST=linkace_db
# Set the port of your database here
DB_PORT=3306
# Set the database name here
DB_DATABASE=linkace
# Set both username and password of the user accessing the database
DB_USERNAME=linkace
# Wrap your password into quotes (") if it contains special characters
DB_PASSWORD=redacted

## Redis cache configuration
# Set the Redis connection here if you want to use it
REDIS_HOST=linkace_redis
REDIS_PASSWORD=redacted
REDIS_PORT=6379
APP_DEBUG=true

# SSO configuration
SSO_ENABLED=true
SSO_OIDC_ENABLED=true
SSO_REGISTRATION_ENABLED=true
REGULAR_LOGIN_DISABLED=true
SSO_OIDC_BASE_URL=https://auth.laniecarmelo.tech/  # Your Authelia base URL
SSO_OIDC_CLIENT_ID=linkace
SSO_OIDC_CLIENT_SECRET='redacted'
SSO_OIDC_SCOPES=openid,profile,email

Caddyfile snippet

{
    email [email protected]
    debug
    acme_dns cloudflare redacted
    http_port 80
    https_port 443
    admin :2019 {
        origins 127.0.0.1:2019 0.0.0.0:2019 stormux:2019 caddy.laniecarmelo.tech
    }
}

(logconfig) {
    log {
        output stdout
        format json
    }
}

(auth_headers) {
    header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
}

(proxy_config) {
    header_up Host {http.request.host}
    header_up X-Real-IP {http.request.remote}
    header_up X-Forwarded-User {http.auth.user.id} # Pass user ID
    header_up X-Forwarded-Email {http.auth.user.email} # Pass email
}

(authelia_middleware) {
    forward_auth localhost:9091 {
        uri /api/verify?rd=https://auth.laniecarmelo.tech
        copy_headers Remote-User Remote-Email Remote-Groups Authorization
    }
}

bookmarks.laniecarmelo.tech {
    route {
        import authelia_middleware
        reverse_proxy localhost:3009 {  # Directly proxy to LinkAce's web server
            import proxy_config
        }
    }
    import logconfig
    import auth_headers
}

Authelia config snippet

    - domain: "*.laniecarmelo.tech"
      policy: bypass
      networks:
        - 192.168.1.0/24    # Local network
        - 172.17.0.0/16     # Docker bridge network
        - 100.64.0.0/10     # Tailscale network

    - domain: "bookmarks.laniecarmelo.tech"
      resources: ["^/api.*"]
      policy: bypass

    - domain: "*.laniecarmelo.tech"
      policy: one_factor      

      - client_id: linkace
        client_name: LinkAce bookmarking app
        client_secret: redacted
         public: false
        authorization_policy: one_factor
        scopes: [openid, groups, profile, email, offline_access]
        redirect_uris:
          - https://bookmarks.laniecarmelo.tech/auth/oidc/callback
        grant_types: [authorization_code]
        response_types: [code]
        response_modes: [form_post, query]
        userinfo_signed_response_alg: none
        consent_mode: explicit
        pre_configured_consent_duration: "1y"

Does anyone know what might be causing this and how I can fix it?
#Linux #ArchLinuxARM #Stormux #RaspberryPi #RaspberryPi500 #RPi #RPi500 #tech #technology
@selfhost @selfhosted @selfhosting

#SelfHosted #LinkAce Bookmark Manager Running, but Unable to Check for Updates or Generate a Cron Token

Hi all. Hoping someone in the #SelfHosting community can help here. I'm running LinkAce in #Docker behind non-Dockerized #Caddy and #Authelia, and most things are working, but I'm seeing "Could not check for updates" at the bottom of each page, and when I tried to generate a cron token, nothing happened except for the generate button graying out. I am seeing one or two 404 errors in my logs, but I don't know if that's causing the problem or not. I don't know much about #PHP applications.

Logs

2025-02-22 23:25:26,460 INFO supervisord started with pid 1
2025-02-22 23:25:27,465 INFO spawned: 'php-fpm' with pid 8
2025-02-22 23:25:27,467 INFO spawned: 'caddy' with pid 9
[22-Feb-2025 23:25:27] NOTICE: [pool www] 'user' directive is ignored when FPM is not running as root
[22-Feb-2025 23:25:27] NOTICE: [pool www] 'group' directive is ignored when FPM is not running as root
[22-Feb-2025 23:25:27] NOTICE: fpm is running, pid 8
[22-Feb-2025 23:25:27] NOTICE: ready to handle connections
{"level":"info","ts":1740266727.5264525,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
{"level":"info","ts":1740266727.5280282,"msg":"adapted config to JSON","adapter":"caddyfile"}
{"level":"warn","ts":1740266727.5280406,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"info","ts":1740266727.529092,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"warn","ts":1740266727.529331,"logger":"http.auto_https","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv0","http_port":80}
{"level":"info","ts":1740266727.5294206,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x40000bab00"}
{"level":"warn","ts":1740266727.530186,"logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":80"}
{"level":"warn","ts":1740266727.530195,"logger":"http","msg":"HTTP/3 skipped because it requires TLS","network":"tcp","addr":":80"}
{"level":"info","ts":1740266727.530198,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1740266727.5412574,"msg":"autosaved config (load with --resume flag)","file":"/home/www-data/.config/caddy/autosave.json"}
{"level":"info","ts":1740266727.541271,"msg":"serving initial configuration"}
{"level":"info","ts":1740266727.5477707,"logger":"tls","msg":"cleaning storage unit","storage":"FileStorage:/home/www-data/.local/share/caddy"}
{"level":"info","ts":1740266727.5541356,"logger":"tls","msg":"finished cleaning storage units"}
2025-02-22 23:25:28,555 INFO success: php-fpm entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2025-02-22 23:25:28,555 INFO success: caddy entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
::1 -  22/Feb/2025:23:25:34 +0000 "GET /index.php" 200
::1 -  22/Feb/2025:23:25:34 +0000 "GET /index.php" 404

Docker Compose file

services:
  # --- LinkAce
  linkace:
    image: docker.io/linkace/linkace:latest
    container_name: linkace
    restart: unless-stopped
    depends_on:
      - linkace_db
    ports:
      - "0.0.0.0:3009:80"
    volumes:
      - ./.env:/app/.env
      - ./backups:/app/storage/app/backups

  # --- Database
  linkace_db:
    image: docker.io/library/mariadb:11.5
    container_name: linkace_db
    restart: unless-stopped
    command: mariadbd --character-set-server=utf8mb4 --collation-server=utf8mb4_bin
    environment:
      - MYSQL_ROOT_PASSWORD=${DB_PASSWORD}
      - MYSQL_USER=${DB_USERNAME}
      - MYSQL_PASSWORD=${DB_PASSWORD}
      - MYSQL_DATABASE=${DB_DATABASE}
    volumes:
      - db:/var/lib/mysql

  # --- Cache
  linkace_redis:
    image: docker.io/bitnami/redis:7.4
    container_name: linkace_redis
    restart: unless-stopped
    environment:
      - REDIS_PASSWORD=${REDIS_PASSWORD}

volumes:
  db:

.env (secrets redacted)

## LINKACE CONFIGURATION

# The app key is generated later, please leave it like that
APP_KEY=redacted
APP_ENV=development

## Configuration of the database connection
## Attention: Those settings are configured during the web setup, please do not modify them now.
# Set the database driver (mysql, pgsql, sqlsrv, sqlite)
DB_CONNECTION=mysql
# Set the host of your database here
DB_HOST=linkace_db
# Set the port of your database here
DB_PORT=3306
# Set the database name here
DB_DATABASE=linkace
# Set both username and password of the user accessing the database
DB_USERNAME=linkace
# Wrap your password into quotes (") if it contains special characters
DB_PASSWORD=redacted

## Redis cache configuration
# Set the Redis connection here if you want to use it
REDIS_HOST=linkace_redis
REDIS_PASSWORD=redacted
REDIS_PORT=6379
APP_DEBUG=true

# SSO configuration
SSO_ENABLED=true
SSO_OIDC_ENABLED=true
SSO_REGISTRATION_ENABLED=true
REGULAR_LOGIN_DISABLED=true
SSO_OIDC_BASE_URL=https://auth.laniecarmelo.tech/  # Your Authelia base URL
SSO_OIDC_CLIENT_ID=linkace
SSO_OIDC_CLIENT_SECRET='redacted'
SSO_OIDC_SCOPES=openid,profile,email

Caddyfile snippet

{
    email [email protected]
    debug
    acme_dns cloudflare redacted
    http_port 80
    https_port 443
    admin :2019 {
        origins 127.0.0.1:2019 0.0.0.0:2019 stormux:2019 caddy.laniecarmelo.tech
    }
}

(logconfig) {
    log {
        output stdout
        format json
    }
}

(auth_headers) {
    header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
}

(proxy_config) {
    header_up Host {http.request.host}
    header_up X-Real-IP {http.request.remote}
    header_up X-Forwarded-User {http.auth.user.id} # Pass user ID
    header_up X-Forwarded-Email {http.auth.user.email} # Pass email
}

(authelia_middleware) {
    forward_auth localhost:9091 {
        uri /api/verify?rd=https://auth.laniecarmelo.tech
        copy_headers Remote-User Remote-Email Remote-Groups Authorization
    }
}

bookmarks.laniecarmelo.tech {
    route {
        import authelia_middleware
        reverse_proxy localhost:3009 {  # Directly proxy to LinkAce's web server
            import proxy_config
        }
    }
    import logconfig
    import auth_headers
}

Authelia config snippet

    - domain: "*.laniecarmelo.tech"
      policy: bypass
      networks:
        - 192.168.1.0/24    # Local network
        - 172.17.0.0/16     # Docker bridge network
        - 100.64.0.0/10     # Tailscale network

    - domain: "bookmarks.laniecarmelo.tech"
      resources: ["^/api.*"]
      policy: bypass

    - domain: "*.laniecarmelo.tech"
      policy: one_factor      

      - client_id: linkace
        client_name: LinkAce bookmarking app
        client_secret: redacted
         public: false
        authorization_policy: one_factor
        scopes: [openid, groups, profile, email, offline_access]
        redirect_uris:
          - https://bookmarks.laniecarmelo.tech/auth/oidc/callback
        grant_types: [authorization_code]
        response_types: [code]
        response_modes: [form_post, query]
        userinfo_signed_response_alg: none
        consent_mode: explicit
        pre_configured_consent_duration: "1y"

Does anyone know what might be causing this and how I can fix it?
#Linux #ArchLinuxARM #Stormux #RaspberryPi #RaspberryPi500 #RPi #RPi500 #tech #technology
@selfhost @selfhosted @selfhosting

#SelfHosted #LinkAce Bookmark Manager Running, but Unable to Check for Updates or Generate a Cron Token

Hi all. Hoping someone in the #SelfHosting community can help here. I'm running LinkAce in #Docker behind non-Dockerized #Caddy and #Authelia, and most things are working, but I'm seeing "Could not check for updates" at the bottom of each page, and when I tried to generate a cron token, nothing happened except for the generate button graying out. I am seeing one or two 404 errors in my logs, but I don't know if that's causing the problem or not. I don't know much about #PHP applications.

Logs

2025-02-22 23:25:26,460 INFO supervisord started with pid 1
2025-02-22 23:25:27,465 INFO spawned: 'php-fpm' with pid 8
2025-02-22 23:25:27,467 INFO spawned: 'caddy' with pid 9
[22-Feb-2025 23:25:27] NOTICE: [pool www] 'user' directive is ignored when FPM is not running as root
[22-Feb-2025 23:25:27] NOTICE: [pool www] 'group' directive is ignored when FPM is not running as root
[22-Feb-2025 23:25:27] NOTICE: fpm is running, pid 8
[22-Feb-2025 23:25:27] NOTICE: ready to handle connections
{"level":"info","ts":1740266727.5264525,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
{"level":"info","ts":1740266727.5280282,"msg":"adapted config to JSON","adapter":"caddyfile"}
{"level":"warn","ts":1740266727.5280406,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"info","ts":1740266727.529092,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"warn","ts":1740266727.529331,"logger":"http.auto_https","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv0","http_port":80}
{"level":"info","ts":1740266727.5294206,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x40000bab00"}
{"level":"warn","ts":1740266727.530186,"logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":80"}
{"level":"warn","ts":1740266727.530195,"logger":"http","msg":"HTTP/3 skipped because it requires TLS","network":"tcp","addr":":80"}
{"level":"info","ts":1740266727.530198,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1740266727.5412574,"msg":"autosaved config (load with --resume flag)","file":"/home/www-data/.config/caddy/autosave.json"}
{"level":"info","ts":1740266727.541271,"msg":"serving initial configuration"}
{"level":"info","ts":1740266727.5477707,"logger":"tls","msg":"cleaning storage unit","storage":"FileStorage:/home/www-data/.local/share/caddy"}
{"level":"info","ts":1740266727.5541356,"logger":"tls","msg":"finished cleaning storage units"}
2025-02-22 23:25:28,555 INFO success: php-fpm entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2025-02-22 23:25:28,555 INFO success: caddy entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
::1 -  22/Feb/2025:23:25:34 +0000 "GET /index.php" 200
::1 -  22/Feb/2025:23:25:34 +0000 "GET /index.php" 404

Docker Compose file

services:
  # --- LinkAce
  linkace:
    image: docker.io/linkace/linkace:latest
    container_name: linkace
    restart: unless-stopped
    depends_on:
      - linkace_db
    ports:
      - "0.0.0.0:3009:80"
    volumes:
      - ./.env:/app/.env
      - ./backups:/app/storage/app/backups

  # --- Database
  linkace_db:
    image: docker.io/library/mariadb:11.5
    container_name: linkace_db
    restart: unless-stopped
    command: mariadbd --character-set-server=utf8mb4 --collation-server=utf8mb4_bin
    environment:
      - MYSQL_ROOT_PASSWORD=${DB_PASSWORD}
      - MYSQL_USER=${DB_USERNAME}
      - MYSQL_PASSWORD=${DB_PASSWORD}
      - MYSQL_DATABASE=${DB_DATABASE}
    volumes:
      - db:/var/lib/mysql

  # --- Cache
  linkace_redis:
    image: docker.io/bitnami/redis:7.4
    container_name: linkace_redis
    restart: unless-stopped
    environment:
      - REDIS_PASSWORD=${REDIS_PASSWORD}

volumes:
  db:

.env (secrets redacted)

## LINKACE CONFIGURATION

# The app key is generated later, please leave it like that
APP_KEY=redacted
APP_ENV=development

## Configuration of the database connection
## Attention: Those settings are configured during the web setup, please do not modify them now.
# Set the database driver (mysql, pgsql, sqlsrv, sqlite)
DB_CONNECTION=mysql
# Set the host of your database here
DB_HOST=linkace_db
# Set the port of your database here
DB_PORT=3306
# Set the database name here
DB_DATABASE=linkace
# Set both username and password of the user accessing the database
DB_USERNAME=linkace
# Wrap your password into quotes (") if it contains special characters
DB_PASSWORD=redacted

## Redis cache configuration
# Set the Redis connection here if you want to use it
REDIS_HOST=linkace_redis
REDIS_PASSWORD=redacted
REDIS_PORT=6379
APP_DEBUG=true

# SSO configuration
SSO_ENABLED=true
SSO_OIDC_ENABLED=true
SSO_REGISTRATION_ENABLED=true
REGULAR_LOGIN_DISABLED=true
SSO_OIDC_BASE_URL=https://auth.laniecarmelo.tech/  # Your Authelia base URL
SSO_OIDC_CLIENT_ID=linkace
SSO_OIDC_CLIENT_SECRET='redacted'
SSO_OIDC_SCOPES=openid,profile,email

Caddyfile snippet

{
    email [email protected]
    debug
    acme_dns cloudflare redacted
    http_port 80
    https_port 443
    admin :2019 {
        origins 127.0.0.1:2019 0.0.0.0:2019 stormux:2019 caddy.laniecarmelo.tech
    }
}

(logconfig) {
    log {
        output stdout
        format json
    }
}

(auth_headers) {
    header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
}

(proxy_config) {
    header_up Host {http.request.host}
    header_up X-Real-IP {http.request.remote}
    header_up X-Forwarded-User {http.auth.user.id} # Pass user ID
    header_up X-Forwarded-Email {http.auth.user.email} # Pass email
}

(authelia_middleware) {
    forward_auth localhost:9091 {
        uri /api/verify?rd=https://auth.laniecarmelo.tech
        copy_headers Remote-User Remote-Email Remote-Groups Authorization
    }
}

bookmarks.laniecarmelo.tech {
    route {
        import authelia_middleware
        reverse_proxy localhost:3009 {  # Directly proxy to LinkAce's web server
            import proxy_config
        }
    }
    import logconfig
    import auth_headers
}

Authelia config snippet

    - domain: "*.laniecarmelo.tech"
      policy: bypass
      networks:
        - 192.168.1.0/24    # Local network
        - 172.17.0.0/16     # Docker bridge network
        - 100.64.0.0/10     # Tailscale network

    - domain: "bookmarks.laniecarmelo.tech"
      resources: ["^/api.*"]
      policy: bypass

    - domain: "*.laniecarmelo.tech"
      policy: one_factor      

      - client_id: linkace
        client_name: LinkAce bookmarking app
        client_secret: redacted
         public: false
        authorization_policy: one_factor
        scopes: [openid, groups, profile, email, offline_access]
        redirect_uris:
          - https://bookmarks.laniecarmelo.tech/auth/oidc/callback
        grant_types: [authorization_code]
        response_types: [code]
        response_modes: [form_post, query]
        userinfo_signed_response_alg: none
        consent_mode: explicit
        pre_configured_consent_duration: "1y"

Does anyone know what might be causing this and how I can fix it?
#Linux #ArchLinuxARM #Stormux #RaspberryPi #RaspberryPi500 #RPi #RPi500 #tech #technology
@selfhost @selfhosted @selfhosting

#SelfHosted #LinkAce Bookmark Manager Running, but Unable to Check for Updates or Generate a Cron Token

Hi all. Hoping someone in the #SelfHosting community can help here. I'm running LinkAce in #Docker behind non-Dockerized #Caddy and #Authelia, and most things are working, but I'm seeing "Could not check for updates" at the bottom of each page, and when I tried to generate a cron token, nothing happened except for the generate button graying out. I am seeing one or two 404 errors in my logs, but I don't know if that's causing the problem or not. I don't know much about #PHP applications.

Logs

2025-02-22 23:25:26,460 INFO supervisord started with pid 1
2025-02-22 23:25:27,465 INFO spawned: 'php-fpm' with pid 8
2025-02-22 23:25:27,467 INFO spawned: 'caddy' with pid 9
[22-Feb-2025 23:25:27] NOTICE: [pool www] 'user' directive is ignored when FPM is not running as root
[22-Feb-2025 23:25:27] NOTICE: [pool www] 'group' directive is ignored when FPM is not running as root
[22-Feb-2025 23:25:27] NOTICE: fpm is running, pid 8
[22-Feb-2025 23:25:27] NOTICE: ready to handle connections
{"level":"info","ts":1740266727.5264525,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
{"level":"info","ts":1740266727.5280282,"msg":"adapted config to JSON","adapter":"caddyfile"}
{"level":"warn","ts":1740266727.5280406,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"info","ts":1740266727.529092,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"warn","ts":1740266727.529331,"logger":"http.auto_https","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv0","http_port":80}
{"level":"info","ts":1740266727.5294206,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x40000bab00"}
{"level":"warn","ts":1740266727.530186,"logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":80"}
{"level":"warn","ts":1740266727.530195,"logger":"http","msg":"HTTP/3 skipped because it requires TLS","network":"tcp","addr":":80"}
{"level":"info","ts":1740266727.530198,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1740266727.5412574,"msg":"autosaved config (load with --resume flag)","file":"/home/www-data/.config/caddy/autosave.json"}
{"level":"info","ts":1740266727.541271,"msg":"serving initial configuration"}
{"level":"info","ts":1740266727.5477707,"logger":"tls","msg":"cleaning storage unit","storage":"FileStorage:/home/www-data/.local/share/caddy"}
{"level":"info","ts":1740266727.5541356,"logger":"tls","msg":"finished cleaning storage units"}
2025-02-22 23:25:28,555 INFO success: php-fpm entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2025-02-22 23:25:28,555 INFO success: caddy entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
::1 -  22/Feb/2025:23:25:34 +0000 "GET /index.php" 200
::1 -  22/Feb/2025:23:25:34 +0000 "GET /index.php" 404

Docker Compose file

services:
  # --- LinkAce
  linkace:
    image: docker.io/linkace/linkace:latest
    container_name: linkace
    restart: unless-stopped
    depends_on:
      - linkace_db
    ports:
      - "0.0.0.0:3009:80"
    volumes:
      - ./.env:/app/.env
      - ./backups:/app/storage/app/backups

  # --- Database
  linkace_db:
    image: docker.io/library/mariadb:11.5
    container_name: linkace_db
    restart: unless-stopped
    command: mariadbd --character-set-server=utf8mb4 --collation-server=utf8mb4_bin
    environment:
      - MYSQL_ROOT_PASSWORD=${DB_PASSWORD}
      - MYSQL_USER=${DB_USERNAME}
      - MYSQL_PASSWORD=${DB_PASSWORD}
      - MYSQL_DATABASE=${DB_DATABASE}
    volumes:
      - db:/var/lib/mysql

  # --- Cache
  linkace_redis:
    image: docker.io/bitnami/redis:7.4
    container_name: linkace_redis
    restart: unless-stopped
    environment:
      - REDIS_PASSWORD=${REDIS_PASSWORD}

volumes:
  db:

.env (secrets redacted)

## LINKACE CONFIGURATION

# The app key is generated later, please leave it like that
APP_KEY=redacted
APP_ENV=development

## Configuration of the database connection
## Attention: Those settings are configured during the web setup, please do not modify them now.
# Set the database driver (mysql, pgsql, sqlsrv, sqlite)
DB_CONNECTION=mysql
# Set the host of your database here
DB_HOST=linkace_db
# Set the port of your database here
DB_PORT=3306
# Set the database name here
DB_DATABASE=linkace
# Set both username and password of the user accessing the database
DB_USERNAME=linkace
# Wrap your password into quotes (") if it contains special characters
DB_PASSWORD=redacted

## Redis cache configuration
# Set the Redis connection here if you want to use it
REDIS_HOST=linkace_redis
REDIS_PASSWORD=redacted
REDIS_PORT=6379
APP_DEBUG=true

# SSO configuration
SSO_ENABLED=true
SSO_OIDC_ENABLED=true
SSO_REGISTRATION_ENABLED=true
REGULAR_LOGIN_DISABLED=true
SSO_OIDC_BASE_URL=https://auth.laniecarmelo.tech/  # Your Authelia base URL
SSO_OIDC_CLIENT_ID=linkace
SSO_OIDC_CLIENT_SECRET='redacted'
SSO_OIDC_SCOPES=openid,profile,email

Caddyfile snippet

{
    email [email protected]
    debug
    acme_dns cloudflare redacted
    http_port 80
    https_port 443
    admin :2019 {
        origins 127.0.0.1:2019 0.0.0.0:2019 stormux:2019 caddy.laniecarmelo.tech
    }
}

(logconfig) {
    log {
        output stdout
        format json
    }
}

(auth_headers) {
    header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
}

(proxy_config) {
    header_up Host {http.request.host}
    header_up X-Real-IP {http.request.remote}
    header_up X-Forwarded-User {http.auth.user.id} # Pass user ID
    header_up X-Forwarded-Email {http.auth.user.email} # Pass email
}

(authelia_middleware) {
    forward_auth localhost:9091 {
        uri /api/verify?rd=https://auth.laniecarmelo.tech
        copy_headers Remote-User Remote-Email Remote-Groups Authorization
    }
}

bookmarks.laniecarmelo.tech {
    route {
        import authelia_middleware
        reverse_proxy localhost:3009 {  # Directly proxy to LinkAce's web server
            import proxy_config
        }
    }
    import logconfig
    import auth_headers
}

Authelia config snippet

    - domain: "*.laniecarmelo.tech"
      policy: bypass
      networks:
        - 192.168.1.0/24    # Local network
        - 172.17.0.0/16     # Docker bridge network
        - 100.64.0.0/10     # Tailscale network

    - domain: "bookmarks.laniecarmelo.tech"
      resources: ["^/api.*"]
      policy: bypass

    - domain: "*.laniecarmelo.tech"
      policy: one_factor      

      - client_id: linkace
        client_name: LinkAce bookmarking app
        client_secret: redacted
         public: false
        authorization_policy: one_factor
        scopes: [openid, groups, profile, email, offline_access]
        redirect_uris:
          - https://bookmarks.laniecarmelo.tech/auth/oidc/callback
        grant_types: [authorization_code]
        response_types: [code]
        response_modes: [form_post, query]
        userinfo_signed_response_alg: none
        consent_mode: explicit
        pre_configured_consent_duration: "1y"

Does anyone know what might be causing this and how I can fix it?
#Linux #ArchLinuxARM #Stormux #RaspberryPi #RaspberryPi500 #RPi #RPi500 #tech #technology
@selfhost @selfhosted @selfhosting

I give up on #Authelia. Why can't it just come up with a very basic configuration for a very basic purpose like if you just want a simple username and password security for some of your services? Why complicate everything from the start? Any suggestion for alternatives please?

I'm looking at setting up a bunch of self hosted services to replace our (self, family, friends) dependence on corporate cloud stuff. Email (custom, since none of the Just Add Server offerings do everything I need for free), shared drive (likely nextcloud, ugh), docs (likely collabora), jitsi for video, discourse for group forums, and so on.

I'd like to make all of this SSO, to the extent that it reasonably can be.

I'm probably going to use FreeIPA as the identity source of truth, but I'm finding that there are enough new things I need to learn about centralized authentication that I'm having a hard time finding a starting point that doesn't require a bunch of other context. So I'm asking for help.

Does anyone know of a good guide to these sorts of concepts, preferably available online? I'm familiar with most of the other Linux sysadmin concepts and have plenty of hardware and bandwidth at my disposal.

If you don't have an answer but have followers who might, boosts would be appreciated.

#selfhosted #selfhosting #SelfHostedApps #freeipa #ldap #authentication #keycloak #authentik #authelia #kerberos #sysadmin #linux

Today was a good day. Switched from #wireguard to #tailscale, improved and simplified my #dns setup, learned about #beszel (love it) and set the ground work for #authelia, which i will setup tomorrow.

#homelab #homeserver #selfhosting

@lacontrevoie Super article et gros travail 👏
Dommage que vous ayez abandonné l'idée de tester #LemonLDAP mais j'avoue que le courbe d'apprentissage est peu ardue.
Concernant #Authelia et l'annuaire LDAP, je ne peux que vous conseillez, si ce n'est pas trop tard, de tester #LLDAP https://github.com/lldap/lldap. C'est un annuaire LDAP tournant sous docker, très léger et dont la prise en main est ultra-simple. J'ai rédigé quelques articles dessus dont le dernier est https://doc.quercylibre.fr/Projets/Cluster%20RPI/12-clusterrpi/

À La Contre-Voie, ces deux dernières années, nous avons testé plus d’une dizaine d’outils d’authentification centralisée (#SSO)… On vous livre les conclusions de nos recherches !
https://lacontrevoie.fr/blog/2024/comparatif-de-onze-solutions-de-sso-libres/

La semaine prochaine, nous vous présenterons notre troisième et dernier article sur la partie technique de notre association, avec un coup de projecteur sur nos « fermes à services » :)

#authelia #authentik #keycloak #ory #canaille #zitadel

por ahora las opciones que veo son:
- #authelia
- #authentik
- #keycloak
alguien sabe de alguna guia facil y para imbeciles como yo de como instalar y configurar junto con #nginx_proxy_manager y aplicaciones tipo #sonarr #radarr #plex ?
se agradece boost
#selfhosting
@elsultan77 @zicoxy3
@asturel
@samcre

#ayuda fediverso por favor
cual es el autenticador / identity provider mas sencillo que utilizar?
estoy tratando (pero atascado) de usar #authelia con #nginx_proxy_manager con esta guia: https://ambientnode.uk/authelia-npm/ pero estoy atascado con el apartado de #totp
busco uno que sea:
- sencillo de configurar e instalar
- que tenga #2fa #totp
- y muy idealmente, soporte para llaves fisicas (#fido)
se agradece boost

Got my #Ansible role for #LLDAP setup tonight. Running the binary as a service on an #LXC with a simple #nginx proxy setup for SSL.

https://github.com/jrtashjian/homelab-ansible/commit/a40bf9a140ba140cd0da0e5e860884e595c303d8

Next I'll get #Authelia running on an LXC the same way and lock it down since it will be publicly accessible via a #CloudFlare tunnel. #homelab

With centralized auth via #LLDAP, #Authelia for SSO, and NetBird for VPN all set, it's time to dive into automating the setup with #Terraform and #Ansible! 😃

Almost got my self-hosted #NetBird linked with #LLDAP+#Authelia, but hitting a snag. Authelia isn't accepting the redirect_uri which seems to be `https://${NETBIRD_DOMAIN}/#callback`

Working to figure out the issue. #homelab

I’ve been tinkering with #Authelia and #LLDAP for centralizing user accounts in my #homelab. So far, I’ve successfully set up LDAP and OIDC with #Proxmox and #GitLab. My next challenge is integrating #NetBird with Authelia and securely exposing entrypoints for friends and family to access internal services through the NetBird VPN.

I've been using #Authentik for centralizing user accounts in my #homelab but I've learned about some lighter weight options like #LLDAP and #Authelia that I'm trying out. Also considering #NetBird as an self-hosted alternative to #Tailscale.

Now I just need to figure out how to put them all together🤔

If you have opinions about different Authentication-stacks, @yunohost is currently considering which would be the best fit for #FreeSoftware #selfhosting.

https://github.com/YunoHost/issues/issues/676

https://github.com/YunoHost/issues/issues/2240

@lemonldapng #authelia #dex #keycloak #shibboleth #kaidm #ory #authentik #Glewlwyd #zitadel