Services

Guides and documentation for miscellaneous services that don't categorize under system.

Authentik

CUPS

Firewall rules: 

Docker Healthchecks

Rationale

Use these to verify the health of database containers, so that a web service is only started once the database it depends on reports healthy (via depends_on with condition: service_healthy). This prevents a silently failed database from being hidden behind a web service that starts anyway.

MariaDB

healthcheck:
  test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]
  start_period: 10s
  interval: 10s
  timeout: 5s
  retries: 3

MySQL

healthcheck:
  test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
  timeout: 20s
  retries: 10


Postgres

healthcheck:
  test: ["CMD", "pg_isready", "-U", "<user>"]
  interval: 30s
  timeout: 20s
  retries: 3

Web Services

healthcheck:
  test: ["CMD-SHELL", "curl -f http://localhost:3000/api/healthz | grep pass"]
  interval: 1m
  timeout: 2m
  retries: 5

If the service has an HTTP endpoint and its image ships the curl binary, use the above to create a healthcheck. curl -f makes curl exit non-zero on an HTTP error status, and grep exits non-zero when the expected string is absent, so either failure marks the container unhealthy.

Use CMD-SHELL as the first token so the test runs through a shell, which is what allows piping curl's output to grep.

Valkey

healthcheck:
  test: ["CMD-SHELL", "valkey-cli ping | grep PONG"]
  start_period: 20s
  interval: 30s
  retries: 5
  timeout: 3s
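Putting the rationale and the per-service checks together: the compose file below is an added example (not the page's own stack) showing a web service that only starts after its Postgres and Valkey dependencies report healthy. Image tags, service names, the db user "app", the secret path and the web image are assumptions; the healthcheck blocks are the ones from this page.

```yaml
services:
  db:
    image: postgres:16                      # assumed image tag
    environment:
      POSTGRES_USER: app                    # assumed; must match the -U user in the check
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_password
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "app"]
      interval: 30s
      timeout: 20s
      retries: 3

  cache:
    image: valkey/valkey:8                  # assumed image tag
    healthcheck:
      test: ["CMD-SHELL", "valkey-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s

  web:
    image: example/web-app:latest           # placeholder image
    depends_on:
      # compose waits for these checks to pass before creating "web";
      # a dependency without a healthcheck cannot be used with service_healthy
      db:
        condition: service_healthy
      cache:
        condition: service_healthy
    healthcheck:
      test: ["CMD-SHELL", "curl -f http://localhost:3000/api/healthz | grep pass"]
      interval: 1m
      timeout: 2m
      retries: 5

secrets:
  db_password:
    file: ./secrets/db_password.txt         # assumed path, kept out of the compose file
```

With this wiring a broken database keeps "web" from starting at all, and `docker compose ps` shows the unhealthy dependency instead of a web container that is up but returning errors.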

docker-socket-proxy

Use this service to expose the Docker socket to other containers while blocking the API operations they are not authorized to perform.

Prevent

Required Permissions

authentik

uptime-kuma

traefik
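The page does not name a proxy implementation or list the permissions per consumer. The following is an added example, not the page's own config, assuming the tecnativa/docker-socket-proxy image (whose environment variables enable individual Docker API sections, everything else being denied by default) and Traefik's Docker provider as the consumer, which only needs read access to the containers endpoint. Image tags and network names are assumptions.

```yaml
services:
  docker-socket-proxy:
    image: tecnativa/docker-socket-proxy    # assumed implementation
    environment:
      # Sections not listed stay at the image default of 0 (denied).
      CONTAINERS: 1      # read-only list/inspect of containers: what Traefik's docker provider reads
      POST: 0            # reject every mutating request (create, start, stop, exec)
      IMAGES: 0
      NETWORKS: 0
      VOLUMES: 0
      INFO: 0
      EVENTS: 1          # read-only event stream, image default
      PING: 1
      VERSION: 1
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro   # socket mounted read-only
    networks:
      - socket-proxy     # reachable only on this internal network; port 2375 is never published
    restart: unless-stopped

  traefik:
    image: traefik:v3                        # assumed tag
    command:
      - --providers.docker=true
      - --providers.docker.endpoint=tcp://docker-socket-proxy:2375
      - --providers.docker.exposedbydefault=false
    depends_on:
      - docker-socket-proxy
    networks:
      - socket-proxy
      - web

networks:
  socket-proxy:
    internal: true       # no route outside the host; only the proxy and its consumers sit here
  web: {}
```

The point of the split is that Traefik never touches the socket directly: a compromise of the Traefik container can list containers but cannot start, exec into, or create one, because POST stays 0 and the proxy only answers on an internal network.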

How to upgrade MariaDB inside Docker

docker compose exec -it db bash -c "mariadb-upgrade -u root -p"

Then enter the MariaDB root password when prompted.

Samba/SMB

Configuration

My user is a member of the Unix groups that correspond to the groups referenced in the config sections below, i.e. it has been added to the paperless and timemachine groups.

Paperless-ngx Consumer Share

[paperlessngx-consumer]
comment = Paperless-ngx Consumption Directory
path = /path/to/consumer/directory
# Make this share accessible to all users in the paperless group
valid users = @paperless
write list = @paperless
public = no
writable = yes
printable = no

Time Machine Share

[krypton-timemachine]
comment = Time machine backup share
path = /path/to/time/machine/backups
# Make this share accessible to all users in the timemachine group
valid users = @timemachine
write list = @timemachine
public = no
writable = yes
printable = no

searx-ng

HTTP method: use GET so that the browser's back button works on result pages.

Syncthing

Troubleshooting

Django

CSRF verification failed: null does not match any trusted origins

If a Django-backed service sits behind a reverse proxy, ensure the proxy sets the Referrer-Policy header to same-origin. Django's CSRF check compares the request's Origin header against its trusted origins, and a stricter policy such as no-referrer makes browsers send Origin: null on form posts, which is where the null in the error comes from.

For example, in traefik's file provider:

http:
  middlewares:
    headers-middleware:
      headers:
        referrerPolicy: same-origin
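A middleware only takes effect once a router references it, so the following added example (not the page's own config) shows a complete Traefik dynamic file-provider configuration with the referrer-policy middleware attached to the router in front of the Django service. The router name, hostname, entry point name and backend URL are assumptions.

```yaml
http:
  middlewares:
    headers-middleware:
      headers:
        referrerPolicy: same-origin

  routers:
    django-app:                              # assumed router name
      rule: "Host(`app.example.com`)"        # placeholder hostname
      entryPoints:
        - websecure                          # assumed TLS entry point name
      middlewares:
        - headers-middleware                 # without this line the header is never sent
      tls: {}
      service: django-app

  services:
    django-app:
      loadBalancer:
        servers:
          - url: "http://django-app:8000"    # assumed container name and port
```

To confirm the fix, load a page through the proxy and check the response headers for `Referrer-Policy: same-origin`; if the header is absent, the middleware is defined but not attached to the router that serves the request.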