Secure Services setup

Guide to setting up secsvcs on PVE1. Covers service installation and network configuration.

Setup containers

  • Install and start services
sudo su
cd /root/homelab-rendered
src/secsvcs/install_svcs.sh postgres
src/secsvcs/install_svcs.sh lldap
src/secsvcs/install_svcs.sh authelia
src/secsvcs/install_svcs.sh traefik
src/secsvcs/install_svcs.sh victoriametrics
src/secsvcs/install_svcs.sh victorialogs
src/secsvcs/install_svcs.sh gatus
src/secsvcs/install_svcs.sh alertmanager
src/secsvcs/install_svcs.sh vmalert
src/secsvcs/install_svcs.sh grafana
src/secsvcs/install_svcs.sh ntfy
src/secsvcs/install_svcs.sh ntfy-alertmanager
# src/secsvcs/install_svcs.sh vault
src/secsvcs/install_svcs.sh fluentbit

systemctl restart node_exporter

Networking

  • Enable LAN access to postgres, lldap, authelia and ntfy smtp (ports 5432, 6360, 9091 and 465) from the two allowed hosts and from the podman network
NET_IFACE=$(podman network inspect systemd-net | jq -r '.[0].network_interface')

ufw allow in from 192.168.2.20 to any port 5432,6360,9091,465 proto tcp
ufw allow in from 192.168.4.21 to any port 5432,6360,9091,465 proto tcp
ufw route allow in on enp6s18 out on $NET_IFACE to any port 5432,6360,9091,465 proto tcp
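An added check, not part of the original guide: it parses `ufw status` output and reports any rule that allows one of the LAN-only ports from Anywhere, which is what you want to confirm after adding the rules above. The sample status text is constructed, and the function name `check_exposed_ports` is mine.

```shell
# Constructed sample of `ufw status` output (not captured from pve1). The first
# two rules are the ones this guide adds; the third and fifth are deliberately over-broad.
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
5432,6360,9091,465/tcp     ALLOW IN    192.168.2.20
5432,6360,9091,465/tcp     ALLOW IN    192.168.4.21
5432/tcp                   ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere
5432/tcp (v6)              ALLOW IN    Anywhere (v6)'

# check_exposed_ports STATUS PORTS
#   STATUS: text of `ufw status`; PORTS: comma-separated ports that must only be
#   reachable from specific hosts. Prints one line per offending rule and
#   returns 1 if any ALLOW IN/FWD rule opens such a port from Anywhere, 0.0.0.0/0 or ::/0.
check_exposed_ports() {
  printf '%s\n' "$1" | awk -v ports="$2" '
    BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) sensitive[p[i]] = 1 }
    {
      # IPv6 rows read "5432/tcp (v6)"; drop the tag so the fields line up
      if ($2 == "(v6)") { $2 = ""; $0 = $0 }
    }
    $2 == "ALLOW" && ($3 == "IN" || $3 == "FWD") {
      if ($4 != "Anywhere" && $4 != "0.0.0.0/0" && $4 != "::/0") next
      spec = $1; sub(/\/.*/, "", spec)          # strip the /tcp or /udp suffix
      m = split(spec, rp, ",")
      for (j = 1; j <= m; j++)
        if (rp[j] in sensitive) { print rp[j] " open from " $4 ($5 ? " " $5 : ""); found = 1 }
    }
    END { exit (found ? 1 : 0) }'
}

# Run against the sample when UFW_CHECK_RUN=1; on pve1 pass "$(ufw status)" instead.
if [ "${UFW_CHECK_RUN:-}" = "1" ]; then
  check_exposed_ports "$SAMPLE_UFW_STATUS" 5432,6360,9091,465
fi
```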
  • Confirm that the logs for traefik, authelia and lldap look good
# Check service status, logs
systemctl status authelia
journalctl -eu authelia
  • Setup LLDAP
  • In the traefik dynamic config, comment out the authelia middleware from the lldap service (line 33):
vim /etc/opt/traefik/config/dynamic/traefik.yml
  • Navigate to ldap.janedoe.com and log in as user admin; fetch the password with:
/usr/local/bin/get_secret.sh lldap_admin_password
  • Add regular users, add them to the lldap_password_manager group
    • jane, jayden, jasper (note for future: add_more_users)
  • Create the authelia_gen_access group, add users to it
  • Uncomment the authelia middleware again:
vim /etc/opt/traefik/config/dynamic/traefik.yml

  • Create robot users (not currently used; ignore for now, an OIDC client is preferred)

    • Use jdoe+USER@gmail.com for the email.
    • Use the stored password: /usr/local/bin/get_secret.sh USER_lldap_password
    • Add the new user to the lldap_strict_readonly group
  • Confirm that authelia is working, open https://auth.janedoe.com

Ntfy

  • Create users, ref
chmod 600 /var/opt/ntfy/*.db*
chmod 600 /var/lib/containers/storage/volumes/systemd-ntfydb/_data/*.db*
/usr/local/bin/get_secret.sh ntfy_admin_password
/usr/local/bin/get_secret.sh ntfy_alert_password
/usr/local/bin/get_secret.sh ntfy_hass_password
/usr/local/bin/get_secret.sh ntfy_person_password
podman exec -it ntfy sh
ntfy user add --role=admin admin
ntfy user add alert
ntfy access alert "alert*" rw
ntfy access alert "comment*" rw
ntfy user add hass
ntfy access hass "hass*" rw
ntfy user add person
ntfy access person "hass*" ro
ntfy access person "chat*" rw
# save for later
ntfy token add alert
exit
  • Record access token as a secret on pve1
ssh jdoe@pve1.janedoe.com
sudo su
/root/homelab-rendered/src/pve1/secret_update.sh secsvcs
/root/homelab-rendered/src/pve1/secret_update.sh websvcs
exit
exit

Debugging (optional)

  • Find the container image name
podman search traefik --limit 10

  • Check unit generation

/usr/lib/systemd/system-generators/podman-system-generator -v --dryrun

/usr/lib/systemd/system-generators/podman-system-generator
ls /run/systemd/generator/
  • Confirm the generator ran successfully
journalctl -e

  • List services and status

systemctl list-unit-files
systemctl --type=service