Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
What's wrong with LDAP for users? (I'm trying to think of a negative, and can't).
Yet another service to maintain. If the server is crashing you can't log in, so you need backup UNIX users anyways.
You need backup local admin accounts, not Backups for each user.
Which is how enterprise does things. There are local accounts with root access, but the id's and passwords are tightly controlled.
Look into Single Sign-On services (SSO) like Authelia, Authentik, or KeyCloak. Most SSO tools do the sorts of things you’re looking for. Some will talk to the native UNIX user store. I do agree with the others, though: if you’re this far along, then it’s time to spin up LDAP and SSO, but this might be the same tool in your case.
But the problem is that most self-hosted apps don't integrate well with these. For example qBittorrent, Jellyfin, Metabase and many other common self-hosted apps.
They actually do, i am down the same path recently and installing authelia was the best choice I made. Still working on it.
But most stvies support either basic auth, headers auth, oidc or similar approaches. Very few don't.
How are you configuring this? I checked for Jellyfin and their are third-party plugins which don't look too mature, but none of them seem to work with apps. qBittorrent doesn't support much (actually I may be able to put reverse-proxy auth in front... I'll look into that) and Metabase locks SSO behind a premium subscription.
IDK why but it does seem that LDAP is much more widely supported. Or am I missing some method to make it work
You might use LDAP, but its total overkill.
I have not yet worked jellyfin with authelia, but its more or less the last piece and I don't really care so far if its left out.
A good reverse proxy with https is mandatory, so start with that one. I mean, from all point of views, not login.
I have all my services behing nginx, then authelia linked to nginx. Some stuff works only with basic auth. Most works with headers anyway, so natively with authelia. Some bitches don't, so I disable authelia for them. Annoying, but I have only four users so there is not much to keep in sync.
I do use a reverse proxy but for various reasons you can't just block off some apps. For example if you want to play Jellyfin on a Chromecast or similar, or PhotoPrism if you want to use sharing links. Unfortunately these systems are designed around the built-in auth and you can't just slap a proxy in front.
I do use nginx with basic with in front of services where I can. I trust nginx much more than 10 different services with varying quality levels. But unfortunately not all services play well.
Never found a service that don't work with nginx reverse proxy.
My jelly fin does.
Don't run photoprims tough...
Are you doing auth in the reverse proxy for Jellyfin? Do you use Chromecast or any non-web interface? If so I'm very interested how you got it to work.
This is my jellyfin nginx setup: https://wiki.gardiol.org/doku.php?id=services:jellyfin#reverse-proxy_configuration
currently i don't use any proxy related authentication because i need to find the time to work with the plugins in Jellyfin. I don't have any chromecast, but i do regularly use the Android Jellyfin app just fine.
I expect, using the OIDC plugin in jellyfin, that Jellyfin will still manage the login via Authelia itself, so i do not expect much changes in NGINX config (except, maybe, adding the endpoints).
Ah ok. You aren't doing auth. I don't understand how this is relevant.
Well, here is the relevant part then, sorry if it was not clear:
- Jellyfin will not play well with reverse proxy auth. While the web interface can be put behind it, the API endpoints will need to be excluded from the authentication (IIRC there are some examples on the web) but the web part will stil force you to double login and canot identify the proxy auth passed down to it.
- Jellyfin do support OIDC providers such Authelia and it's perfectly possible to link the two, in this case as i was pointing out, Jellyfin will still use it's own authentication login window and user management, so the proxy does not need to be modified.
TLDR: proxy auth doesnt work with Jellyfin, OIDC yes and it bypassess proxy, so in both cases proxy will not be involved.
Against which regular user database?
Yes
However, it is better just to move all users to ldap
So based on what you've said in the comments, I am guessing you are managing all your users with Nixos, in the Nixos config, and want to share these users to other services?
Yeah, I don't even know sharing Unix users is possible. EDIT: It seems to be based on comments below.
But what I do know is possible, is for Unix/Linux to get it's users from LDAP. Even sudo is able to read from LDAP, and use LDAP groups to authorize users as being able to sudo.
Setting these up on Nixos is trivial. You can use the users.ldap set of options on Nixos to configure authentication against an external LDAP user. Then, you can configure sudo
After all of that, you could declaratively configure an LDAP server using Nixos, including setting up users. For example, it looks like you can configure users and groups fro the kanidm ldap server
Or you could have a config file for the openldap server
RE: Manage auth at the reverse proxy: If you use Authentik as your LDAP server, it can reverse proxy services and auth users at that step. A common setup I've seen is to run another reverse proxy in front of authentik, and then just point that reverse proxy at authentik, and then use authentik to reverse proxy just the services you want behind a login page.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
| Fewer Letters | More Letters |
|---|---|
| HTTP | Hypertext Transfer Protocol, the Web |
| SSO | Single Sign-On |
| nginx | Popular HTTP server |
2 acronyms in this thread; the most compressed thread commented on today has 11 acronyms.
[Thread #956 for this sub, first seen 8th Sep 2024, 13:25] [FAQ] [Full list] [Contact] [Source code]
Missed LDAP, bot.