silenium_dev
@silenium_dev@feddit.org
- Comment on Keycloak or alternative? 1 day ago:
I’m on Keycloak + lldap for user provisioning and services that don’t support OIDC or SAML. I have yet to find an OAuth or SAML feature it doesn’t have. It does have a steep learning curve though, so Authentik is maybe a better solution to get started with. I personally hit a wall with Authentik when I was trying to get different signature key algorithms for different services (some services have different supported sets of key algorithms than others) and custom plugins for custom JWT fields and user attributes. I believe Authentik has something for extensions as well, but Keycloak is just Java, which has a much better development and deployment experience than throwing a .py or .js file in some directory and hoping it works.
- Comment on What's your self-hosting success of the week? 3 days ago:
I recreated the Keycloak account from LDAP, and then manually patched the databases for all OIDC-based services to the new account UUID, so the existing accounts are linked to the new Keycloak account.
I have two Keycloak accounts, one in the master realm for administrative purposes, and one in the apps realm for all my services, so I didn’t break access to Keycloak.
- Comment on What's your self-hosting success of the week? 3 days ago:
I already had Keycloak set up, but a few services don’t support OIDC or SAML (Jellyfin, Reposilite), so I’ve deployed lldap and connected those services and Keycloak to it. Now I really have a single user across all services.
- Comment on Best reverse proxy with ACME to run in docker 1 week ago:
I’m using istio (in ambient mode, so it doesn’t put its sidecar into every pod I create), and Nextcloud behind it, works flawlessly. It does consume a bit of time to set up properly though.
TLS is handled via cert-manager, which works with both Ingress and Gateway API, independent of which implementation you choose.
I’ve also tried envoy gateway (had issues with uploading larger files via Nextcloud Web UI and Gradle publish to maven repo).
Cilium (a CNI) also has an integrated Gateway and Ingress API implementation, works fine, but lacks some of the most recent stable features, and quite a few experimental features. But if you just need an HTTPS gateway without much fuss, it’s rock-solid. Setup time is also minimal for the Ingress/Gateway controller part. Cilium CNI on the other hand takes a lot of time to understand and configure if you’re unfamiliar with networking in general.
Traefik is comparable with Cilium’s Gateway API implementation, also works, simple to set up, and might be better suited if you’re already familiar with it using docker, as it’s the same concepts, just slightly different config (docker labels vs. Ingress/Gateway API with Traefik-specific annotations).
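The cert-manager plus Gateway API setup this comment describes, written out as an added example (not the commenter’s own manifests). It assumes the Gateway API CRDs are installed, cert-manager was started with its Gateway API support enabled, a ClusterIssuer named `letsencrypt` already exists, the GatewayClass is `istio`, and a Service `nextcloud` listens on port 80 in namespace `nextcloud`; all of those names are assumptions, as is the hostname `cloud.example.com`.

```yaml
# Gateway owned by the platform team; cert-manager watches the annotation,
# runs the ACME HTTP-01 challenge over the plain HTTP listener and writes
# the issued certificate into the Secret named in certificateRefs.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: public-gateway
  namespace: istio-system            # assumed namespace of the gateway controller
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt   # assumed ClusterIssuer name
spec:
  gatewayClassName: istio            # assumed GatewayClass
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      hostname: cloud.example.com    # assumed hostname
      allowedRoutes:
        namespaces:
          from: All                  # cert-manager's challenge HTTPRoute must attach here
    - name: https
      protocol: HTTPS
      port: 443
      hostname: cloud.example.com
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: cloud-example-com-tls   # created and renewed by cert-manager
      allowedRoutes:
        namespaces:
          from: Selector
          selector:
            matchLabels:
              gateway-access: "true"   # only labelled namespaces may publish routes
---
# Application route, owned by the app namespace; it binds only to the HTTPS
# listener so the service is never reachable over plain HTTP.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: nextcloud
  namespace: nextcloud               # assumed app namespace, labelled gateway-access=true
spec:
  parentRefs:
    - name: public-gateway
      namespace: istio-system
      sectionName: https
  hostnames:
    - cloud.example.com
  rules:
    - backendRefs:
        - name: nextcloud            # assumed Service name
          port: 80
```

The `allowedRoutes` selector on the HTTPS listener is the part worth copying: it is what keeps an arbitrary namespace from attaching a route to your public hostname, while the HTTP listener stays open to all namespaces only because cert-manager creates its challenge route in its own namespace. The same two objects work unchanged with Cilium or Traefik by swapping `gatewayClassName`.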
- Comment on Best reverse proxy with ACME to run in docker 1 week ago:
If you’re moving to K8s, I recommend looking into K8s Gateway API, it’s the successor to the old Ingress API. There are other, more complete, implementations of it than Traefik. See https://gateway-api.sigs.k8s.io/
- Comment on Best reverse proxy with ACME to run in docker 1 week ago:
- Comment on k8s storage (CSI) 3 weeks ago:
Mayastor or Linstor, Ceph requires too much CPU for these nodes
- Comment on Help fixing invalid origin with memos 11 months ago:
You may need to configure nginx to pass through some additional headers, I haven’t used it in a while.
I’m using traefik (on kubernetes) as reverse proxy, and I don’t even set SITE_URL, but it still works.
- Comment on Help fixing invalid origin with memos 11 months ago:
There’s no reason not to expose those services to the Internet, they have authentication, and no one can access them without logging in first. There are actually reasons for exposing them, you can share a memo or a file with other people.
- Comment on Help fixing invalid origin with memos 11 months ago:
If you’re exposing memos through nginx, the SITE_URL needs to be the public URL where nginx exposes memos (so exactly the same as you enter in your browser), not the public IP and the internal port of memos.