El_Quentinator

joined 2 months ago
sorted by: new top controversial old
Looking for Software to Track Watched Shows in c/selfhosted@lemmy.world
[–] El_Quentinator@lemmy.world 5 points 1 week ago (1 children)

I've been using watcharr for this purpose. It's fairly simple but fits my needs perfectly (I also really like the ability to change the rating system to be 0-100). It also has a rudimentary import from jellyfin (needs a few clicks, no builtin scheduled imports unfortunately).

Fair warning the last update was 5 months ago but I'm not personally missing anything apart from jellyfin scheduled imports.

Assign privileged port to caddy running with rootless podman in c/selfhosted@lemmy.world
[–] El_Quentinator@lemmy.world 2 points 2 months ago* (last edited 2 months ago)

TBH I haven't played with passing caddy's podman network to other containers, mine is a simple reverse proxy to other standalone containers but not directly connected via podman run --network (or quadlet network). In my scenario I can at least confirm that net.ipv4.ip_unprivileged_port_start doesn't need to be modified, the only annoyance is that I cannot use a systemd user service, even though the end process doesn't run as root.

EDIT: Actually looking at the examples a bit more closely I think the primary difference with my setup is that the systemd socket is started with systemd --user which thus requires the sysctl change, whereas I'm not using a systemd user service, relying instead on User=some-non-root-user to use rootless podman, but requiring root privileges to manage the systemd service.

Assign privileged port to caddy running with rootless podman in c/selfhosted@lemmy.world
[–] El_Quentinator@lemmy.world 5 points 2 months ago* (last edited 2 months ago) (2 children)

You can use rootless caddy via systemd socket activation, here's a basic setup:

  1. rootless-caddy.service
[Unit]
Description=rootless-caddy

Requires=rootless-caddy.socket
After=rootless-caddy.socket

[Service]
# a non root user here
User=El_Quentinator
ExecStart=podman run --name caddy --rm -v [...] docker.io/caddy:alpine

[Install]
WantedBy=default.target
  1. rootless-caddy.socket
[Socket]
BindIPv6Only=both

### sockets for the HTTP reverse proxy
# fd/3
ListenStream=[::]:443

# fdgram/4
ListenDatagram=[::]:443

[Install]
WantedBy=sockets.target
  1. Caddyfile
{$SITE_ADDRESS} {
        # tcp/443
        bind fd/3 {
                protocols h1 h2
        }
        # udp/443
        bind fdgram/4 {
                protocols h3
        }
        [...]
}

And that's it really.

You can find a few more examples over here: https://github.com/eriksjolund/podman-caddy-socket-activation

Systemd socket activation has a few more interesting advantages on top of unlocking binding priviliged ports:

  • allowing to not bind any port on the container, which itself allows to use --network none while still being able to connect to it via systemd socket, pretty neat to expose some web app while completely cutting its own external access.
  • getting rootful networking performance
  • starting up your service only when connecting to it (and potentially shutting it back down after some time)

Drawbacks is that the file descriptor binding is a bit awkward and not always supported (caddy/nginx/haproxy do support it though). And that podman pods / kube do not support it (or at least not yet).