serhii.net

cloudflared:
image: cloudflare/cloudflared:latest
command: tunnel run
environment:
  - TUNNEL_TOKEN=my-super-secred-tunnel-token
restart: unless-stopped
network_mode: "host"

Then whatever can run in its network with bridge driver:

networks:
  nextcloud:
    driver: bridge
....
services:
  nextcloud:
    networks:
      - nextcloud
	ports:
	  - "1234:80"

And then in the cloudflare zero trust UI add a tunnel from localhost:1234.

Neat thing is that tunnel type HTTP refers to the connection to the host running cloudflared, but the thing is accessible through cloudflare’s servers as both http and https. No need to manually do any certs stuff!

• General:
  • https://fleet.linuxserver.io/ has a list of docker images of things, not necessarily for self-hosting
  • List of docker-compose examples for various self-hosting-relevant apps: petersem/dockerholics: Apps and examples from the Dockerholics group.
• Specific services:
  • bitwarden-rs / vaultwarden:
    • Their example w/ caddy for domain name: Using Docker Compose · dani-garcia/vaultwarden Wiki
    • Generally their wiki is excellent: Home · dani-garcia/vaultwarden Wiki

Wanted to run frp’s client frpc with docker to forward the SSH port.

Main issue was binding to a port already open on the host, and one not controlled by a docker thing.

My first attempt led to this: “: Error starting userland proxy: listen tcp4 0.0.0.0:22: bind: address already in use”

After looking around the Internet, found a solution.

Docker’s docker-compose.yml:

services:
  frpc:
    image: chenhw2/frp
    restart: unless-stopped
    environment:
      - ARGS=frpc
    volumes:
      - ./conf/frpc.ini:/frp/frpc.ini
    network_mode: "host"
    ports:
      - "22:22"

The key being the “nertwork_mode” part.

Neither frp server nor client configs needed anything special.

Strangely , I didn’t even need to set any capabilities like I did for dns:

services:
  dns:
    restart: always
    image: strm/dnsmasq
    volumes:
      - ./conf/dnsmasq.conf:/etc/dnsmasq.conf
    ports:
      - "53:53/udp"
    cap_add:
      - NET_ADMIN

This goes into “things you’re allowed to do” (Previously: List of good things - serhii.net) territory, but:

• previously, screen/tmux’s use case was “ssh into a server far away and let things run even when your SSH session disconnects”
• had two terminals open on a remote server, had to edit the exact two files every time, over days and disconnections
• just realized that I can just have a screen session open with vim and the files I edit, and just attach to it next time I’d doing something on that server, whenever that is!

• Allegedly happens when the network is misconfigured.
  • Since a black screen issue I religiously md5sum the ISOs, otherwise that would’ve been the prime suspect
• In my case I had port forwarding and DMZ and ipv6 configured in the router, disabling all of that fixed the installation issues
• To debug installation issues, <Ctrl-Shift-F2> to go to the tty and cat /var/log/syslog
  • less is not installed but nano is
  • tty4 has live running logs
    • that are nice for non-graphical install and “is it doing anything now?”

Relevant: 5.4. Troubleshooting the Installation Process

I always look in zsh history for this string:

sudo dd if=/path/to/debian-live-11.5.0-amd64-cinnamon.iso of=/not/dev/sda bs=1M status=progress

/dev/sda is the usb drive, will be ofc. deleted fully; not a partition like /dev/sdaX but the actual /dev/sda disk itself.

I specifically added /not/dev/sda at the beginning for systems where I have not set up unset zle_bracketed_paste and that might press enter on paste or after I edit the .iso but not of. That way I’m forced to think when editing of.

For functions/callables, Callable is not the entire story: you can annotate the arguments and returns values of these callables!

From mypy documentation:

The type of a function that accepts arguments A1, …, An and returns Rt is Callable[[A1, ..., An], Rt]."

You can only have positional arguments, and only ones without default values, in callable types

If your @abstractmethod should also be a @staticmethod, you can happily blend both, as long as the @staticmethod (or other) decorator comes first.

In other words, @abstractmethod should always be the innermost decorator.¹

User Guide — Certbot 1.30.0 documentation

Needed to manually get a cerificate.

`` Needed to manually get a cerificate, as opposet to ‘get and install automatically’. `

• sudo certbot certonly --manual -d *.my.domain
• It gave me a TXT record to add to DNS records
• It gave me this link to check if adding the record worked
• I could prolly copy them to yunohost or something, but it wouldn’t be managed by it

The reason I’m doing this is weird DNS configuration.

Let’s try getting around it: Certificate | Yunohost Documentation

yunohost domain cert-install your.domain.tld --self-signed --force

if the certificate installation still doesn’t work, you can disable the checks with --no-checks after the cert-install command.

Oh nice! Let’s try with non self-signed:

admin@me:~$ sudo yunohost domain cert install sub.do.main --no-checks

Works! Even if the web interface complains of DNS issues, this works as long as it’s actually accessible from outside - say, with one of the 220924-2043 Options to access a host from behind NAT and firewall or something.

Adding domains through CLI is also much faster than using the GUI:

admin@me:~$ sudo yunohost domain add my.domain.another.one

And the certificate bit accepts lists of domains. Okay!

admin@me:~$ sudo yunohost domain add b.my.doma.in && sudo yunohost domain add g.my.doma.in && sudo yunohost domain add n.my.doma.in
admin@me:~$ sudo yunohost domain cert install n.my.doma.in b.my.doma.in g.my.doma.in --no-checks

• Except that I don’t see the added domains in the web interface :(
• And no adding through the web interface doesn’t work anymore.
• BUT after I added a domain

The Yunohost documentation adds checkmarks to articles you already read, I love this. Not to track progress, but to quickly parse the list and find the 4 articles I keep reading.