CumBroth
@CumBroth@discuss.tchncs.de
- Comment on Need help routing Wireguard container traffic through Gluetun container 5 months ago:
I think you already have a kill-switch (of sorts) in place with the two Wireguard container setup, since you lose client connectivity (except to the local network, since there’s a separate route for that) if any of the following happens:
- “Client” container is spun down
- The Wireguard interface inside the “client” container is spun down (you can try this out by execing “wg-quick down wg0” inside the container)
- or even if the interface is up but the VPN connection is down (try changing the endpoint IP to a random one instead of the correct one provided by your VPN service provider)
I can’t be 100% sure, because I’m not a networking expert, but this seems like enough of a “kill-switch” to me. I’m not sure what you mean by leveraging the restart. One of the things that I found annoying about the Gluetun approach is that I would have to restart every container that depends on its network stack if Gluetun itself gets restarted/updated.
But anyway, I went ahead and messed around on a VPS with the Wireguard+Gluetun approach and I got it working. I am using the latest version of The Linuxserver.io Wireguard container and Gluetun at the time of writing. There are two things missing in the Gluetun firewall configuration you posted:
- A MASQUERADE rule on the tunnel, meaning the tun0 interface.
- Gluetun is configured to drop all FORWARD packets (filter table) by default. You’ll have to change that chain rule to ACCEPT. Again, I’m not a network expert, so I’m not sure whether or not this compromises the kill-switch in any way, at least in any relevant way to the desired setup.
First, here’s the docker compose setup I used:
```yaml
networks:
  wghomenet:
    name: wghomenet
    ipam:
      config:
        - subnet: 172.22.0.0/24
          gateway: 172.22.0.1

services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
    volumes:
      - ./config:/gluetun
    environment:
      - VPN_SERVICE_PROVIDER=<your stuff here>
      - VPN_TYPE=wireguard
      # - WIREGUARD_PRIVATE_KEY=<your stuff here>
      # - WIREGUARD_PRESHARED_KEY=<your stuff here>
      # - WIREGUARD_ADDRESSES=<your stuff here>
      # - SERVER_COUNTRIES=<your stuff here>
      # Timezone for accurate log times
      - TZ=<your stuff here>
      # Server list updater
      # See https://github.com/qdm12/gluetun-wiki/blob/main/setup/servers.md#update-the-vpn-servers-list
      - UPDATER_PERIOD=24h
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    networks:
      wghomenet:
        ipv4_address: 172.22.0.101

  wireguard-server:
    image: lscr.io/linuxserver/wireguard
    container_name: wireguard-server
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1001
      - TZ=<your stuff here>
      - INTERNAL_SUBNET=10.13.13.0
      - PEERS=chromebook
    volumes:
      - ./config/wg-server:/config
      - /lib/modules:/lib/modules # optional
    restart: always
    ports:
      - 51820:51820/udp
    networks:
      wghomenet:
        ipv4_address: 172.22.0.5
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
```
You already have your “server” container properly configured. Now for Gluetun: I exec into the container with `docker exec -it gluetun sh`. Then I set the MASQUERADE rule on the tunnel: `iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE`. And finally, I change the FORWARD chain policy in the filter table to ACCEPT: `iptables -t filter -P FORWARD ACCEPT`.
Note on the last command: In my case I did `iptables-legacy` because all the rules were defined there already (`iptables` gives you a warning if that’s the case), but your container’s version may vary. I saw different behavior/setup on the testing container I spun up on the VPS compared to the one I have running on my homelab.
Good luck, and let me know if you run into any issues!
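The comment above leaves open whether switching the FORWARD policy to a blanket ACCEPT weakens the kill-switch. As an added example (my own code, not the commenter's and not part of Gluetun), the script below parses an `iptables-save` dump and reports three things: whether a MASQUERADE rule exists on a `tun*` interface, what the FORWARD policy is, and whether forwarded traffic is pinned to the tunnel (default DROP, with ACCEPT only for flows leaving via `tun*` and for established return traffic). Both dumps are constructed samples; the `eth0`/`tun0` interface names and the scoped rule set in the second sample are assumptions, not Gluetun defaults.

```python
"""Audit an iptables-save dump for the FORWARD policy and tunnel MASQUERADE
rule discussed in the comment above (added example, not Gluetun's own code)."""
import re
import sys

# Constructed sample: roughly what `iptables-save` could print inside the
# Gluetun container after the comment's two changes (blanket FORWARD ACCEPT
# plus MASQUERADE on tun+). The eth0/tun0 names are assumptions.
BLANKET_ACCEPT = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun+ -j MASQUERADE
COMMIT
"""

# Constructed sample: same NAT rule, but FORWARD keeps DROP as its policy and
# only LAN->tunnel traffic plus its established return path is allowed.
SCOPED_FORWARD = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -i eth0 -o tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun+ -j MASQUERADE
COMMIT
"""


def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [rule, ...]}}."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                 # table header, e.g. *filter
            current = line[1:]
            tables[current] = {"policies": {}, "rules": []}
        elif line.startswith(":"):               # chain policy line
            chain, policy = line[1:].split()[:2]
            tables[current]["policies"][chain] = policy
        elif line.startswith("-A "):             # appended rule
            tables[current]["rules"].append(line)
    return tables


def _option(rule, flag):
    """Value following a flag such as -o or -i in a rule line, or None."""
    m = re.search(rf"(?:^|\s){re.escape(flag)}\s+(\S+)", rule)
    return m.group(1) if m else None


def audit(text):
    """Summarise whether forwarding and NAT are restricted to the tunnel."""
    tables = parse_iptables_save(text)
    nat_rules = tables.get("nat", {}).get("rules", [])
    filt = tables.get("filter", {"policies": {}, "rules": []})
    policy = filt["policies"].get("FORWARD")
    pinned = policy == "DROP"                    # default-deny is the baseline
    for rule in filt["rules"]:
        if not rule.startswith("-A FORWARD") or "-j ACCEPT" not in rule:
            continue
        out = _option(rule, "-o")
        # A new-flow ACCEPT that may leave via anything but tun* lets forwarded
        # traffic bypass the VPN; established return traffic to the LAN is fine.
        if (out is None or not out.startswith("tun")) and "ESTABLISHED" not in rule:
            pinned = False
    return {
        "masquerade_on_tunnel": any(
            "-j MASQUERADE" in r and (_option(r, "-o") or "").startswith("tun")
            for r in nat_rules),
        "forward_policy": policy,
        "forward_pinned_to_tunnel": pinned,
    }


if __name__ == "__main__":
    # Pipe a real dump in (docker exec gluetun iptables-save | python3 audit.py);
    # with no stdin, show the two constructed samples side by side.
    if not sys.stdin.isatty():
        print(audit(sys.stdin.read()))
    else:
        for name, dump in (("blanket", BLANKET_ACCEPT), ("scoped", SCOPED_FORWARD)):
            print(name, audit(dump))
```

Run it against the container's real tables (with `iptables-legacy-save` where the comment's note about legacy tables applies) and compare: the blanket sample reports `forward_pinned_to_tunnel: False`, the scoped one `True`, while both have the MASQUERADE rule the comment calls for.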
- Comment on VPN to home network options 11 months ago:
I set it up manually using this as a guide. It was a lot of work because I had to adapt it to my use case (not using a VPS), so I couldn’t just follow the guide, but I learned a lot in the process and it works well.
- Comment on Have you tried LocalGPT PrivateGPT or other similar alternatives to ChatGPT? 11 months ago:
I’ve tried both this and github.com/jmorganca/ollama. I liked the latter a lot more; just can’t remember why.
GUI for ollama is a separate project: github.com/ollama-webui/ollama-webui
- Comment on Firefox will support at least 200 new extensions on Android this December 1 year ago:
I wish they would carry on the momentum and return support for hardware keyboard shortcuts. This is the one thing that’s killing Android tablets for me (I’m not willing to use a Chromium-based browser): connect.mozilla.org/t5/ideas/…/3836
Issue is being tracked here: bugzilla.mozilla.org/show_bug.cgi?id=1794664
- Comment on Apple expected to post fourth consecutive quarterly sales decline Thursday 1 year ago:
B&O
Maybe they mean Bang & Olufsen?
- Comment on Bitwarden and Nginx proxy manager 1 year ago:
SWAG is great for overwhelmed Nginx beginners. It comes preconfigured with reasonable defaults and also provides configs for a bunch of popular services: github.com/linuxserver/reverse-proxy-confs. Both Bitwarden and Vaultwarden are on there. Note that this setup assumes that you will run your service (Bitwarden/Vaultwarden) in a Docker container. You can make SWAG work with something that’s running directly on the host, but I’d recommend not starting with that until you’ve fooled around with this container setup a bit and gained a better understanding of how Nginx and reverse proxies work.
- Comment on I’m about to throw my entire Pihole out the window 1 year ago:
Lmao even
- Comment on Trouble moving a container and its data to another server 1 year ago:
In response to your update: Try specifying the user that’s supposed to own the mapped directories in the docker compose file. Then make sure the UID and GID you use match an existing user on the new system you are testing the backup on.
First you need to get the id of the user you want to run the container as. For a user called `foo`, run `id foo`. Note down the UID and GID.
Then in your compose file, modify the db_recipes service definition and set the UID and GID of the user that should own the mapped volumes:
```yaml
db_recipes:
  restart: always
  image: postgres:15-alpine
  user: "1000:1000" # Replace this with the correct UID and GID matching your user
  volumes:
    - ./postgresql:/var/lib/postgresql/data
  env_file:
    - ./.env
```
Recreate the container using `docker compose up -d` (don’t just restart it; you need to load the new config from the docker compose file). Then inspect the `postgresql` directory using `ls -l` to check whether it’s actually owned by the user with UID 1000 and the group with GID 1000. This should solve the issue you are having with that backup program you’re using. It’s probably unable to copy that particular directory because it’s owned by root:root and you’re not running it as root (don’t do that; it would circumvent the real problem rather than help you address it).
Now, when it comes to copying this to another machine, as already mentioned you could use something that preserves permissions like rsync, but for learning purposes I’d intentionally do it manually as you did before to potentially mess things up. On the new machine, repeat this process. First find the UID and GID of the current non-root user (or whatever user you want to run your containers as). Then make sure that UID and GID are set in the compose files. Then inspect the directories to make sure they have the correct ownership. If the compose file isn’t honoring the user flag or if the ownership doesn’t match the UID and GID you set for whatever reason, you can also use `chown -R <UID>:<GID> ./postgresql` to change ownership.
- Comment on Trouble moving a container and its data to another server 1 year ago:
As others have already mentioned, you are probably correct that it’s a permission error. You could follow the already posted advice to use tools that maintain permissions like rsync, but fixing this botched backup manually could help you learn how to deal with permissions and that’s a rather fundamental concept that anyone selfhosting would benefit from understanding.
If you decide to do this, I would recommend reading up on the concept of user and group permissions on linux and the commands that allow you to inspect ownership and permissions of directories and files as well as the UID and GID of users. Next step would be to understand how Docker handles permissions for mapped directories. You can get a few pointers from this short explanation by LSIO: docs.linuxserver.io/…/understanding-puid-and-pgid. Bear in mind that this is not a Docker standard, but something specific to LSIO Docker images. See also docs.docker.com/compose/…/05-services/#long-synta…. This can also be set when using `docker run` by using the `--user` flag.
Logs can also help pinpoint the source of the issue. The default docker compose setup in Tandoor’s docs sets up several containers, one of which acts as a database (`db_recipes` based on `postgres:15-alpine`). Inspect that in real time using `docker logs -f db_recipes` to see the exact errors.
- Comment on Microsoft Edge could use a win 1 year ago:
github.com/ChrisTitusTech/winutil
Run this after every update, specifically the tweak that uninstalls Edge. Makes things a lot easier. It also gives you the option to delay feature updates by two years and only install security updates on time.
- Comment on Online Ads Can Infect Your Device with Spyware 1 year ago:
One thing I like about this particular layer of defense is that it gives you more insight into the activities of the software and operating systems you’re using. The statistics they provide (I use Adguard Home) have proven very useful for me on several occasions.
- Comment on A new smartphone again? Rethink unhealthy culture of frequent upgrades 1 year ago:
Fairphone allows you to unlock the bootloader and install an OS of your choice.
- Comment on Mullvad and Tailscale Announce Partnership 1 year ago:
If anyone wants to achieve something similar without using Tailscale or with alternative VPN providers, the setup outlined in this LSIO guide is pretty neat: linuxserver.io/…/advanced-wireguard-container-rou…
- Comment on Invidious Docker install hanging? 1 year ago:
Ooooh, good catch. I assumed “it’s been giving me the same message for over an hour” to mean that they’ve been monitoring the logs, not running in interactive mode. O_O
- Comment on Invidious Docker install hanging? 1 year ago:
That log entry is unrelated to whatever issues you’re having. That’s what the default `docker-compose.yaml` uses for health checks:
```yaml
healthcheck:
  test: wget -nv --tries=1 --spider http://127.0.0.1:3000/api/v1/comments/jNQXAC9IVRw || exit 1
  interval: 30s
  timeout: 5s
  retries: 2
```
The fact that it returns a 200 probably means that Invidious is properly up and running. Could you elaborate further on what you mean by “setup isn’t completing”? How are you trying to connect to the web UI? Sharing your `docker-compose.yaml` might help us debug as well.
- Comment on Reverse Proxy vs VPN: How do you access your home-server? 1 year ago:
One thing I need to publicly expose is my own instance of Mealie. It’s a recipe manager that supports multiple users. I share it with family and friends, but also with more distant acquaintances. I don’t want to have to provide and manage access to my network for each and every one of them.
- Comment on YouTube’s anti-ad blocking test gets even pushier with a new timer 1 year ago:
It drives me mad when I use PCs of friends and relatives and I see AdBlock Plus installed, but they still get ads and they never seem to stop and wonder why this “ad blocker” is not working! I do however enjoy their facial expressions when I install uBlock Origin for them and start refreshing pages.
- Comment on Be kind, everyone 1 year ago:
Am I the only one bothered by that slanted hyphen?