Home on FarisZRhttps://fariszr.com/Recent content in Home on FarisZRHugo -- gohugo.ioen-usWed, 01 Apr 2026 00:00:00 +0000How I Made My Homelab Fix Itself Using Komodo and OpenClawhttps://fariszr.com/homelab-fixes-itself-komodo-openclaw/Wed, 01 Apr 2026 00:00:00 +0000https://fariszr.com/homelab-fixes-itself-komodo-openclaw/<img src="https://fariszr.com/homelab-fixes-itself-komodo-openclaw/thumbnail.jpeg" alt="Featured image of post How I Made My Homelab Fix Itself Using Komodo and OpenClaw" /><p>The most annoying thing about homelabbing is the upkeep. Keeping things running, handling breaking updates, fixing stuff as it breaks instead of letting everything slowly decay. It&rsquo;s kinda embarrassing telling people how cool your Homelab is, only for things to break constantly.</p> <p>Luckily AI agents have gotten good enough that you can use them for the upkeep of your homelab.</p> <p>Until now though, you still had to sit down at your computer, start an agent, copy the logs, show it the error, and unless it&rsquo;s running on the server itself, apply the fix manually.</p> <p>You could install the agent directly on the server and let it manage things, but what if you have multiple servers? Like a whole homelab network?</p> <p>Do you install an agent on every server? And what happens when services depend on each other?</p> <h2 id="komodo">Komodo </h2><p><img src="https://fariszr.com/homelab-fixes-itself-komodo-openclaw/komodo.png" width="1699" height="941" srcset="https://fariszr.com/homelab-fixes-itself-komodo-openclaw/komodo_hu3604480265148128085.png 480w, https://fariszr.com/homelab-fixes-itself-komodo-openclaw/komodo_hu3283292176384866200.png 1024w" loading="lazy" alt="komodo ui" class="gallery-image" data-flex-grow="180" data-flex-basis="433px" ></p> <p>Here comes <a class="link" href="https://komo.do/" target="_blank" rel="noopener" >Komodo</a>. Komodo is an open-source GitOps platform that lets you manage your Docker Compose stacks through a clean UI with full API access to logs, container status, and even a bash shell on the server.</p> <p>It&rsquo;s a central hub for all your servers. What makes it special is that any change you make to your stacks, resources, or Procedures in Komodo can be committed back to git, so things never drift from the repo. Everything around your compose stacks is described as code under the Resources folder: servers, procedures. That means your agent can also adjust how Komodo itself works on the fly.</p> <h3 id="my-secret-sauce-the-komodo-km-cli-agentic-edition">My secret sauce: The Komodo KM CLI, agentic edition. </h3><p>Komodo has a powerful API, but the official CLI doesn&rsquo;t expose all of it. So I built my own version, <a class="link" href="https://github.com/FarisZR/komodo-agentic-cli/tree/agentic-cli/bin/cli" target="_blank" rel="noopener" >the &ldquo;agentic&rdquo; edition</a>. It adds support for:</p> <ul> <li><code>stack</code> - manage stacks and see their status</li> <li><code>procedure</code> - trigger procedures like auto-updates</li> <li><code>sync</code> - manage resource sync (GitOps repos)</li> <li><code>variable</code> - manage variables and secrets without exposing values to the agent (e.g. setting secrets as command outputs)</li> </ul> <p>It also adjusts the <code>exec</code> and <code>ssh</code> commands so agents can run commands on the host or inside a container non-interactively. (<code>ssh</code> for interactive sessions, <code>exec</code> for non-interactive commands.)</p> <p>Running the KM CLI within a GitOps repo lets your agent debug running homelab services, fix issues, plan and push updates, or even tackle that migration we&rsquo;ve all been putting off for months.</p> <p>You can also create a service user so you have an idea what the agent did on komodo.</p> <p><img src="https://fariszr.com/homelab-fixes-itself-komodo-openclaw/komodo-logs.png" width="426" height="205" srcset="https://fariszr.com/homelab-fixes-itself-komodo-openclaw/komodo-logs_hu11125456043377363013.png 480w, https://fariszr.com/homelab-fixes-itself-komodo-openclaw/komodo-logs_hu5496957812307465962.png 1024w" loading="lazy" alt="komodo-logs" class="gallery-image" data-flex-grow="207" data-flex-basis="498px" ></p> <p>And if you don&rsquo;t want your agent running arbitrary commands on your servers, you can disable that at the container or server level in the Komodo &ldquo;periphery&rdquo; config. Just install periphery and edit the config to disable terminal access for the host or all containers.</p> <h2 id="ai-assistants-openclaw-or-hermes-agent">AI Assistants (OpenClaw or Hermes Agent) </h2><p>Komodo solves the stack access and management problem, but you still have to sit down, open your computer, and prompt the agent to fix things.</p> <p>What if you could just message your agent and say &ldquo;Jellyfin is down, fix it&rdquo;? That&rsquo;s the idea behind async personal assistants like OpenClaw and the newer Hermes. Fix things as you notice them, wherever you are.</p> <p>Just clone the git repo, install the agentic KM CLI skill, and your agent can debug and fix any issue across your homelab, even a multi-server network.</p> <p>Homelabbing becomes genuinely fun. You say what you want and it appears. You can see what changed, revert it easily thanks to git, and even set up backups to guard against catastrophic failures, though most models are smart enough to not do the classic <code>rm -rf</code> mistake anymore. Still nice to have.</p> <h3 id="openclaw-in-action">Openclaw in action </h3><p>So how does this look in reality? What can I use this for? Well, I quickly found a use for this.</p> <p>I self-host my own language tool server and it breaks often. So why not let OpenClaw figure out a solution for it?</p> <p><img src="https://fariszr.com/homelab-fixes-itself-komodo-openclaw/openclaw-1.png" width="1049" height="423" srcset="https://fariszr.com/homelab-fixes-itself-komodo-openclaw/openclaw-1_hu16749338968004068411.png 480w, https://fariszr.com/homelab-fixes-itself-komodo-openclaw/openclaw-1_hu5079639590609920361.png 1024w" loading="lazy" alt="my openclaw assistant Dax on Matrix (gpt 5.3-codex)" class="gallery-image" data-flex-grow="247" data-flex-basis="595px" ></p> <p>After telling it to investigate and actually solve the issue, it deployed a new modified docker stack that added a memory limit to the container <img src="https://fariszr.com/homelab-fixes-itself-komodo-openclaw/openclaw-2.png" width="905" height="1259" srcset="https://fariszr.com/homelab-fixes-itself-komodo-openclaw/openclaw-2_hu8592652574171081884.png 480w, https://fariszr.com/homelab-fixes-itself-komodo-openclaw/openclaw-2_hu15293945345280530701.png 1024w" loading="lazy" alt="the fix it found out" class="gallery-image" data-flex-grow="71" data-flex-basis="172px" ></p> <p>I legit did this while i was cooking in the kitchen, didn&rsquo;t need to do anything manually.</p> <p>I also used it to see if any of my servers had LiteLLM installed after the CVE was made public.</p> <p><img src="https://fariszr.com/homelab-fixes-itself-komodo-openclaw/litellm-example.webp" width="1141" height="1123" srcset="https://fariszr.com/homelab-fixes-itself-komodo-openclaw/litellm-example_hu15711609569472859966.webp 480w, https://fariszr.com/homelab-fixes-itself-komodo-openclaw/litellm-example_hu17191363043675715496.webp 1024w" loading="lazy" alt="OpenClaw using komodo to check if litellm is installed anywhere" class="gallery-image" data-flex-grow="101" data-flex-basis="243px" ></p> <h2 id="the-next-step-full-automation">The next step: full automation. </h2><p>Deploying new services and fixing containers on demand is great. But what if things never broke in the first place? What if your agent fixed issues as they happened, not as you noticed them? AKA what if things just Self healed?</p> <p>it&rsquo;s actually doable now. All you need is Komodo&rsquo;s alert system calling a webhook connected to your OpenClaw or Hermes agent. The agent sees the logs and makes whatever changes are needed to bring the service back up. If it&rsquo;s a server-level issue, you could even hook into your hoster&rsquo;s API and trigger a force restart. It doesn&rsquo;t even have to be fully autonomous. You could build a way for the agent to reach you and ask you for approval.</p> <p>It&rsquo;s proactive. The agent already has the fix and you are the one to allow it or not. You are actually the manager now.</p> <p>Honestly, thinking about it feels a bit wild. We&rsquo;re on our way to self-healing, self-aware systems that can change themselves to stay up no matter what. Give your agent enough access and resources, and it could restore a backup on another server and bring the service back up without you ever noticing. This is an exciting time for sure.</p>FYI: 2025 Huawei Matepads can't play 4k youtube videoshttps://fariszr.com/huawei-matepad-pro-4k-youtube-vp9/Mon, 05 Jan 2026 00:00:00 +0000https://fariszr.com/huawei-matepad-pro-4k-youtube-vp9/<img src="https://fariszr.com/huawei-matepad-pro-4k-youtube-vp9/thumbnail.jpg" alt="Featured image of post FYI: 2025 Huawei Matepads can't play 4k youtube videos" /><p>I got my hands on a 2025 Huawei Matepad pro 12.2, with a gorgeous display. I was kinda stocked to use it as my media power house, that&rsquo;s where the weirdness started. The device can&rsquo;t play 4k videos on YouTube for some reason, and to make it worse, it&rsquo;s a known issue, but it isn&rsquo;t something that gets mentioned in reviews. It can play 1080p vp9 videos just fine, and you can play 4k video on YouTube through the browser, so what&rsquo;s going on here?</p> <h2 id="the-reason">The reason </h2><p>Huawei in their ultimate wisdom chose to support the paid h264 and HEVC codecs, but cheeped out on supporting the royalty-free VP9 codec used by the world&rsquo;s most popular streaming Platform, YouTube. That&rsquo;s why streaming apps like Netflix can play 4k just fine, because they use HEVC.</p> <p>YouTube uses VP9, and the Kirin chipset has <strong>no hardware VP9 decoder whatsoever</strong>. it can only play 1080p vp9 videos because the software decoder is limited to 2048x2048, aka 1920x1080.</p> <p>Browsers can include their own software decoder, and that&rsquo;s what happening here, when playing a 4k video, the browser is using the CPU to do the decoding, and that&rsquo;s why it drops frames on 4k 60fps videos.</p> <p>What an absolutely asinine decision, what makes it crazier is that VP9 is supported by devices going back to <strong>2013</strong>!</p> <h2 id="confirmed-by-huawei-support">Confirmed by Huawei support </h2><p>I contacted the official Huawei support, and they confirmed that this is a known issue with the workaround being playing videos through the browser.</p> <p>They also said this issue is known for the 2025 13.3 and 12.2 Matepad Pros and the 2025 Matepad 12X, aka all of their 2025 releases. Great!</p> <p>A flagship tablet that can&rsquo;t play 4k videos in 2025, what a flagship!</p> <h2 id="how-i-found-out">How I found out </h2><p>I let OpenCode loose with ADB shell access to the device and &ldquo;we&rdquo; systematically checked:</p> <ol> <li> <p><strong>Huawei Browser (4K VP9)</strong>: <code>dumpsys media.resource_manager</code> showed only software VP9 decoders available (<code>c2.android.vp9.decoder</code>, <code>OMX.google.vp9.decoder</code>). Hardware decoders exist only for H.264 and HEVC. CPU monitoring revealed <code>vpx tile worker</code> threads maxing out cores - clear software decoding.</p> </li> <li> <p><strong>Codec inventory</strong>: Full decoder list from <code>dumpsys media.player</code> confirmed hardware support limited to <code>OMX.hisi.video.decoder.avc</code> (H.264) and <code>OMX.hisi.video.decoder.hevc</code> (HEVC, 4K capable). VP9 is software-only.</p> </li> <li> <p><strong>Grayjay (1080p AVC)</strong>: Confirmed hardware acceleration with <code>OMX.hisi.video.decoder.avc</code> allocation and efficient MediaCodec threads.</p> </li> <li> <p><strong>Grayjay (1080p VP9)</strong>: Switched to VP9 stream and confirmed degradation to <code>c2.android.vp9.decoder</code> software path. Even at 1080p, no hardware acceleration exists for VP9.</p> </li> </ol>Knocker: Skip the VPN for your homelab, Just Knockhttps://fariszr.com/knocker-access-your-homelab-without-vpn/Sun, 14 Dec 2025 00:00:00 +0000https://fariszr.com/knocker-access-your-homelab-without-vpn/<img src="https://fariszr.com/knocker-access-your-homelab-without-vpn/thumbnail.jpeg" alt="Featured image of post Knocker: Skip the VPN for your homelab, Just Knock" /><p>I have a homelab, but accessing it from outside my home network was always a pain. I didn&rsquo;t want to deal with the hassle of setting up VPNs on every device just to watch something on Jellyfin, so I built Knocker!</p> <p>It&rsquo;s a knock-based access control service for your homelab that actually works with mobile apps, with clients on most platforms used by homelabbers.</p> <!-- raw HTML omitted --> <div class="video-wrapper"> <video controls src="knocker-video.webm" poster="./.png" autoplay > <p> Your browser doesn't support HTML5 video. Here is a <a href="knocker-video.webm">link to the video</a> instead. </p> </video> </div> <!-- raw HTML omitted --> <h2 id="how-does-it-work">How does it work? </h2><div class="mermaid" data-mermaid="pending"> <script type="text/plain" data-mermaid-source>sequenceDiagram participant User participant Caddy as Reverse Proxy participant Knocker participant Service Note over User,Service: 1. Access Denied User->>Caddy: Request Service Caddy->>Knocker: Check Access? Knocker-->>Caddy: Denied Caddy-->>User: 401 Unauthorized Note over User,Knocker: 2. The "Knock" User->>Knocker: Send Knock (Token) Knocker->>Knocker: Whitelist User IP Note over User,Service: 3. Access Granted User->>Caddy: Request Service Caddy->>Knocker: Check Access? Knocker-->>Caddy: Allowed Caddy->>Service: Forward Request Service-->>User: Response</script> </div><p>By being completely transparent for whitelisted IPs, Knocker doesn&rsquo;t break API clients like mobile apps. Once you whitelist your IP, you are ready to go. You can even whitelist an IP other than your own if needed.</p> <h3 id="knocker-tokens">Knocker Tokens </h3><p>Knocker works by using tokens as passwords. Each token has specific permissions, like a customizable max TTL (capped server-side) and an option to allow whitelisting IPs other than your own.</p> <p>By connecting Knocker to your reverse proxy, Knocker will analyze the request IP. Depending on the local whitelists, it will either return a <code>200 OK</code> or a <code>401 Unauthorized</code> status, which is then forwarded to the end client.</p> <h2 id="why-not-just-use-a-vpn">Why Not Just Use a VPN? </h2><p>I already use Tailscale. In fact, the IP of my homelab is the Tailscale IP because I added custom routes for it.</p> <p>But using a VPN for everything is annoying. You have to install it on every single device, which is a nightmare on things like Smart TVs. Plus, keeping the Tailscale app running on Android drains my battery like crazy.</p> <p>With Knocker, you just need one device to knock, and thanks to NAT, your whole network gets access.</p> <h3 id="is-this-as-secure-as-a-vpn">Is This as Secure as a VPN? </h3><p>No.</p> <p>Knocker is a compromise. It trades some security for convenience. You can&rsquo;t whitelist specific devices, only source IPs (which might be shared CGNAT IPs).</p> <p>You&rsquo;re basically making a bet that within that short whitelist window, the likelihood of a hacker scanning your specific port and attacking it is pretty slim.</p> <p>That&rsquo;s why you should use short TTLs on public networks. In general, Knocker should be used in front of services that already have their own authentication.</p> <h2 id="setup">Setup </h2><p>Knocker is distributed as a Docker container that optionally uses the system DBus socket to interact with the FirewallD daemon.</p> <p><code>docker-compose.yml</code>: <a class="link" href="https://github.com/FarisZR/knocker/blob/main/docker-compose.yml" target="_blank" rel="noopener" >github.com/FarisZR/knocker</a></p> <h3 id="knockeryaml">knocker.yaml </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">server</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">host</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;0.0.0.0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">8000</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">trusted_proxies</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Trust the IPv4 and IPv6 subnets of the caddy_net docker network</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Adjust these to match your specific Docker network configuration.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;172.16.238.0/24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;fd00:dead:beef::/64&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">cors</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">allowed_origin</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;https://knocker.fariszr.com&#34;</span><span class="w"> </span><span class="c"># SECURITY: Set to your Knocker webapp&#39;s origin if you are hosting your own.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">security</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">always_allowed_ips</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># These IPs/CIDRs are always allowed to pass through the /verify endpoint</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># without needing to be dynamically whitelisted.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># It&#39;s recommended to include your reverse proxy&#39;s IP here.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;172.16.238.0/24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;fd00:dead:beef::/64&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Also your home&#39;s local network</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;192.168.1.0/24&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">excluded_paths</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Request paths that start with any of these values will bypass</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># the IP whitelist check entirely.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Example:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># - &#34;/api/v1/status&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># - &#34;/metrics&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;/knock&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Maximum number of entries in the whitelist (default: 10000)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">max_whitelist_entries</span><span class="p">:</span><span class="w"> </span><span class="m">10000</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">whitelist</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># The path where the whitelist file will be stored.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># This path is relative to the container&#39;s file system.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># The docker-compose.yml file will mount a volume to this location.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">storage_path</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/data/whitelist.json&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">api_keys</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;admin-key-for-remote-whitelisting&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;CHANGE_ME_SUPER_SECRET_ADMIN_KEY&#34;</span><span class="w"> </span><span class="c"># SECURITY: Change this to a strong, random key</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">max_ttl</span><span class="p">:</span><span class="w"> </span><span class="m">3600</span><span class="w"> </span><span class="c"># Maximum TTL in seconds (1 hour)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">allow_remote_whitelist</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="c"># Can whitelist other IP/CIDR specified in request body</span></span></span></code></pre></td></tr></table> </div> </div><h3 id="connecting-your-reverse-proxy-to-knocker">Connecting Your Reverse Proxy to Knocker </h3><p>I use Caddy, but Knocker should work with any reverse proxy that supports using an external auth endpoint.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-caddy" data-lang="caddy"><span class="line"><span class="cl"><span class="c1"># Define a reusable snippet for the knock-knock check. </span></span></span><span class="line"><span class="cl"><span class="c1"># It points to the knocker service using Docker&#39;s internal DNS. </span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="n">(knocker_auth)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">forward_auth</span> <span class="n">knocker</span><span class="p">:</span><span class="mi">8000</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">uri</span> <span class="nd">/verify?</span> </span></span><span class="line"><span class="cl"> <span class="k">copy_headers</span> <span class="s">X-Forwarded-For</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span><span class="c1"> </span></span></span><span class="line"><span class="cl"><span class="c1"> </span></span></span><span class="line"><span class="cl"><span class="c1"># The public endpoint for performing the knock. </span></span></span><span class="line"><span class="cl"><span class="c1"># Make sure this domain points to your Caddy server&#39;s IP. </span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="gh">knock.your-domain.com</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">reverse_proxy</span> <span class="n">knocker</span><span class="p">:</span><span class="mi">8000</span> </span></span><span class="line"><span class="cl"><span class="p">}</span><span class="c1"> </span></span></span><span class="line"><span class="cl"><span class="c1"> </span></span></span><span class="line"><span class="cl"><span class="c1"># An example protected service. </span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="gh">jellyfin.your-domain.com</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">import</span> knocker_auth<span class="c1"> # Apply the forward_auth check </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="k">reverse_proxy</span> <span class="s">jellyfin_service_name:8096</span> </span></span><span class="line"><span class="cl"><span class="p">}</span></span></span></code></pre></td></tr></table> </div> </div><p>Now your service will respond with a <code>401 Unauthorized</code> for every non-whitelisted IP.</p> <h2 id="firewalld-integration">FirewallD Integration </h2><p>Knocker has another trick up its sleeve: it can integrate with FirewallD to operate on the firewall level, allowing you to use it for non-HTTP services like a game server!</p> <div class="mermaid" data-mermaid="pending"> <script type="text/plain" data-mermaid-source>sequenceDiagram participant User participant Firewall participant Knocker participant Service Note over User,Service: 1. Port Blocked User->>Firewall: Connect to Service Firewall--xUser: Drop Connection Note over User,Knocker: 2. The "Knock" User->>Knocker: Send Knock (Token) Knocker->>Firewall: Open Port for User IP Note over User,Service: 3. Access Granted User->>Firewall: Connect to Service Firewall->>Service: Allow Traffic Service-->>User: Connected</script> </div><!-- raw HTML omitted --> <div class="video-wrapper"> <video controls src="firewall-demo.webm" poster="./.png" autoplay > <p> Your browser doesn't support HTML5 video. Here is a <a href="firewall-demo.webm">link to the video</a> instead. </p> </video> </div> <!-- raw HTML omitted --> <p>There is a caveat, though: <strong>exposed bridge Docker ports will still bypass these rules.</strong> Unfortunately, there isn&rsquo;t any firewall that deals with Docker port forwarding rules well. You have to use host networking mode for it to work.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">firewalld</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">zone_name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;knocker&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># WARNING: Zone won&#39;t be cleaned up automatically on shutdown</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">zone_priority</span><span class="p">:</span><span class="w"> </span>-<span class="m">100</span><span class="w"> </span><span class="c"># Zone priority (negative numbers = higher priority)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># zone_target: &#34;default&#34; # Optional: Set the zone target (default: not set)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Options: &#34;default&#34;, &#34;ACCEPT&#34;, &#34;REJECT&#34;, &#34;DROP&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># &#34;default&#34; = practically matches reject behavior</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># &#34;ACCEPT&#34; = Accept all packets not matched by rules set by knocker</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># &#34;REJECT&#34; = Reject all packets not matched by rules set by knocker</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># &#34;DROP&#34; = Silently drop all packets not matched by rules set by knocker</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default_action</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;drop&#34;</span><span class="w"> </span><span class="c"># Action for blocked traffic on monitored ports:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">monitored_ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Only these ports will be protected by knocker firewall rules</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">80</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l">tcp</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">443</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l">tcp</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">22</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l">tcp</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">monitored_ips</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># WARNING: Using 0.0.0.0/0 or ::/0 applies DROP/REJECT rules to ALL traffic</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;203.0.113.0/24&#34;</span><span class="w"> </span><span class="c"># Example WAN IPv4 range - CHANGE THIS</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;2001:db8:1234::/48&#34;</span><span class="w"> </span><span class="c"># Example WAN IPv6 range - CHANGE THIS</span></span></span></code></pre></td></tr></table> </div> </div><h2 id="clients">Clients </h2><p>The strong point of Knocker, and where I actually spent most of my time, is the clients. I designed them to get out of the way as much as possible.</p> <h3 id="knocker-web">Knocker-Web </h3><p><a class="link" href="https://github.com/FarisZR/Knocker-Web" target="_blank" rel="noopener" >GitHub.com/FarisZR/Knocker-Web</a></p> <p><img src="https://fariszr.com/knocker-access-your-homelab-without-vpn/knocker-web.webp" width="705" height="858" srcset="https://fariszr.com/knocker-access-your-homelab-without-vpn/knocker-web_hu565177608104904794.webp 480w, https://fariszr.com/knocker-access-your-homelab-without-vpn/knocker-web_hu10262828763814643767.webp 1024w" loading="lazy" alt="Knocker-Web" class="gallery-image" data-flex-grow="82" data-flex-basis="197px" ></p> <p>Knocker Web is a web client built with Vite. It&rsquo;s fully static and can be installed as a PWA. It&rsquo;s meant to be the primary client, as it works basically everywhere.</p> <p>What makes it really convenient is the &ldquo;knock on reload&rdquo; feature. You just open the site and that&rsquo;s it; you don&rsquo;t care what happens after that. It&rsquo;s especially useful when used as a PWA, as it means it will perform a knock when opened.</p> <h3 id="knocker-cli">Knocker-CLI </h3><p><a class="link" href="https://github.com/FarisZR/knocker-CLI" target="_blank" rel="noopener" >GitHub.com/FarisZR/knocker-CLI</a></p> <p>A CLI client written in Go with support for creating a background service for periodic knocks using Systemd/LaunchAgent.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">&gt;&gt; knocker --help </span></span><span class="line"><span class="cl">A reliable, cross-platform service that keeps your external IP address whitelisted. </span></span><span class="line"><span class="cl">It runs in the background, detects IP changes, and ensures you always have access. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Usage: </span></span><span class="line"><span class="cl"> knocker <span class="o">[</span>flags<span class="o">]</span> </span></span><span class="line"><span class="cl"> knocker <span class="o">[</span>command<span class="o">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Available Commands: </span></span><span class="line"><span class="cl"> completion Generate the autocompletion script <span class="k">for</span> the specified shell </span></span><span class="line"><span class="cl"> <span class="nb">help</span> Help about any <span class="nb">command</span> </span></span><span class="line"><span class="cl"> install Install the Knocker service </span></span><span class="line"><span class="cl"> knock Manually trigger a whitelist request </span></span><span class="line"><span class="cl"> run Run the Knocker service </span></span><span class="line"><span class="cl"> start Start the Knocker service </span></span><span class="line"><span class="cl"> status Get the status of the Knocker service </span></span><span class="line"><span class="cl"> stop Stop the Knocker service </span></span><span class="line"><span class="cl"> uninstall Uninstall the Knocker service </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Flags: </span></span><span class="line"><span class="cl"> --check_interval int Interval in minutes to poll <span class="k">for</span> IP changes <span class="o">(</span>only used when ip_check_url is <span class="nb">set</span><span class="o">)</span> <span class="o">(</span>default 5<span class="o">)</span> </span></span><span class="line"><span class="cl"> --config string config file <span class="o">(</span>default is <span class="nv">$HOME</span>/.knocker.yaml<span class="o">)</span> </span></span><span class="line"><span class="cl"> -h, --help <span class="nb">help</span> <span class="k">for</span> knocker </span></span><span class="line"><span class="cl"> --ip_check_url string URL of the external IP checker service </span></span><span class="line"><span class="cl"> --ttl int Time to live in seconds <span class="k">for</span> the knock request <span class="o">(</span><span class="m">0</span> <span class="k">for</span> server default<span class="o">)</span> </span></span><span class="line"><span class="cl"> -v, --version version <span class="k">for</span> knocker </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Use <span class="s2">&#34;knocker [command] --help&#34;</span> <span class="k">for</span> more information about a command.</span></span></code></pre></td></tr></table> </div> </div><h4 id="knocker-gnome">Knocker-Gnome </h4><p><a class="link" href="https://github.com/FarisZR/knocker-Gnome" target="_blank" rel="noopener" >GitHub.com/FarisZR/knocker-Gnome</a></p> <p><img src="https://fariszr.com/knocker-access-your-homelab-without-vpn/knocker-gnome.webp" width="461" height="376" srcset="https://fariszr.com/knocker-access-your-homelab-without-vpn/knocker-gnome_hu1290299578857773620.webp 480w, https://fariszr.com/knocker-access-your-homelab-without-vpn/knocker-gnome_hu5103673797175496364.webp 1024w" loading="lazy" alt="Knocker Gnome Extension" class="gallery-image" data-flex-grow="122" data-flex-basis="294px" ></p> <p>An experimental Gnome extension that interprets the JSON logs output by Knocker-CLI, and allows you to manually trigger knocks, disable the service, and see the timeout for the current knock.</p> <h3 id="knocker-expo">Knocker-EXPO </h3><p><a class="link" href="https://github.com/FarisZR/knocker-expo" target="_blank" rel="noopener" >GitHub.com/FarisZR/knocker-expo</a></p> <figure class="gallery-image" style="flex-grow: 47; flex-basis: 1080px; --img-max-height: 70vh;"> <a href="https://fariszr.com/knocker-access-your-homelab-without-vpn/knocker-expo.webp" style="display: block;"> <img src="https://fariszr.com/knocker-access-your-homelab-without-vpn/knocker-expo.webp" width="1080" height="2286" loading="lazy" alt="Knocker EXPO" style="max-height: 70vh; width: auto; height: auto;" > </a> <figcaption>Knocker EXPO</figcaption> </figure> <p>An experimental Android App built using React EXPO. It does the same thing as the PWA, with support for creating a background service to regularly send knocks.</p> <p>However, its reliability depends on the manufacturer, as not all of them actually allow Android background processes to run reliably.</p> <h2 id="vibe-coded-with-ai">Vibe Coded with AI </h2><p>Thanks to the Roo Code hackathon (sponsored by Requestly and Google), I finally had the excuse to build this. I started with Gemini 2.5 Pro, burned through over $1700 in tokens, and eventually moved to GPT-5-CODEX and GitHub Coding Agent (Sonnet 4, later Sonnet 4.5) to build out features.</p> <p>I used CodeRabbit for reviews and set up a full integration test environment for the agents to iterate against that&rsquo;s why this thing actually works at all.</p> <p>I ran static analysis on the backend and found zero vulnerabilities, so there&rsquo;s that.</p> <p>What I&rsquo;m trying to say is, this isn&rsquo;t your average &ldquo;I told Replit to code it&rdquo; project, but still, if you&rsquo;re anti-AI, don&rsquo;t use this please.</p> <p>I may go into more details about my workflow for implementing Knocker using Roo Code in a separate blog post, because it wasn&rsquo;t easy to go this far with AI.</p>How to use the Proxy Protocol with Caddy (Get the Source IP from a TCP proxy)https://fariszr.com/use-proxy-protocol-with-caddy/Thu, 16 Oct 2025 00:00:00 +0000https://fariszr.com/use-proxy-protocol-with-caddy/<img src="https://fariszr.com/use-proxy-protocol-with-caddy/thumbnail.jpg" alt="Featured image of post How to use the Proxy Protocol with Caddy (Get the Source IP from a TCP proxy)" /><p>My Homelab often has peering issues when connecting from another ISP. The solution to this is just to pass the connection through a proxy, which has better speed than a direct connection. But if I want to do this without MITMing the connection, it can&rsquo;t be a classic reverse proxy sandwich.</p> <p>That&rsquo;s where tools like <a class="link" href="https://fariszr.com/home-server-access-without-port-forwarding/" target="_blank" rel="noopener" >rathole</a> come in, they are TCP proxies that allow you to forward any TCP connection to your homelab. However, there&rsquo;s always the issue of the source IP. Due to how these proxies work, the source will always be the IP of the rathole client on the homelab (AKA the proxy itself) and not the actual source IP of the connection.</p> <p>Proxy protocol fixes this by appending headers to the TCP proxied connections that give details about the actual source IP.</p> <h2 id="using-the-proxy-protocol-with-caddy">Using the Proxy Protocol with Caddy </h2><p>Assuming your TCP proxy supports the proxy protocol (example, <a class="link" href="https://fariszr.com/home-server-access-without-port-forwarding/#forward-source-ip-with-proxy-protocol-in-rathole" target="_blank" rel="noopener" >modified version of rathole</a>)</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-caddyfile" data-lang="caddyfile"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">servers</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">listener_wrappers</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">proxy_protocol</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">allow</span> <span class="mi">172</span><span class="s">.20.0.0/16</span><span class="c1"> #ip with netmask of the proxy </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="k">fallback_policy</span> <span class="s">reject</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">tls</span><span class="c1"> # the proxied packets are HTTPS, so we still need the tls wrapper https://caddyserver.com/docs/caddyfile/options#proxy-protocol </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="gh">example.fariszr.com</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">reverse_proxy</span> <span class="n">service</span><span class="p">:</span><span class="mi">8000</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">header_up</span> <span class="s">X-Forwarded-For</span> <span class="se">{client_ip}</span><span class="c1"> # {client_ip} is the source ip in the proxy </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="k">header_up</span> <span class="s">X-Real-IP</span> <span class="se">{client_ip}</span> </span></span><span class="line"><span class="cl"> <span class="k">header_up</span> <span class="s">X-Forwarded-Proto</span> <span class="se">{scheme}</span> </span></span><span class="line"><span class="cl"> <span class="k">header_up</span> <span class="s">X-Forwarded-Host</span> <span class="se">{host}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span></span></span></code></pre></td></tr></table> </div> </div><p>Now your app should get the source IP correctly without actually being aware of the proxy protocol and the connection being proxied through a TCP proxy.</p>Gitea Actions, a buggy messhttps://fariszr.com/gitea-actions-a-buggy-mess/Wed, 03 Sep 2025 00:00:00 +0000https://fariszr.com/gitea-actions-a-buggy-mess/<img src="https://fariszr.com/gitea-actions-a-buggy-mess/thumbnail.jpg" alt="Featured image of post Gitea Actions, a buggy mess" /><p>My team uses Jenkins for CI/CD, and we want to migrate away from it due to its insanely complex and hard to understand scripts.</p> <p>We use Gitea as our git hosting platform, the direct CI/CD offer for it is Gitea Actions, it&rsquo;s already there, integrated into Gitea and gives us access to the huge community Ecosystem around GitHub Actions.</p> <p>Gitea says everything works apart from a few limitations, then everything else should work, right?</p> <p><a class="link" href="https://docs.gitea.com/usage/actions/comparison" target="_blank" rel="noopener" >https://docs.gitea.com/usage/actions/comparison</a></p> <p>WRONG!!!!</p> <h2 id="private-reusable-workflows">Private reusable workflows </h2><p>In GitHub Actions you can use reusable workflows from private repos, as long as the GitHub token has access to the repo.</p> <p>Gitea Actions don&rsquo;t have such a token, but you can just add a PAT to the actions URL for this to work, right?</p> <p>Wrong, it just doesn&rsquo;t work no matter what, as the YAML parser doesn&rsquo;t allow anything other than a specific syntax.</p> <p>This also affects limited Orgs (Organizations that are only visible to authenticated users). You would think the runner is authenticated, but apparently not.</p> <p><a class="link" href="https://github.com/go-gitea/gitea/issues/25929" target="_blank" rel="noopener" >https://github.com/go-gitea/gitea/issues/25929</a></p> <p>Reported in 2023, still broken.</p> <p>Sure no biggie, we can just create a dedicated public organization for the workflows.</p> <h2 id="reusable-workflow-steps-are-all-shown-as-one-step">Reusable workflow steps are all shown as one step </h2><p>Gitea parses the steps through the workflow file, and then sorts the logs under each step. When you are using a reusable workflow, Gitea only parses one step, and all logs are shown under it.</p> <p>This makes debugging a nightmare when workflows fail.</p> <p><a class="link" href="https://github.com/go-gitea/gitea/issues/26187" target="_blank" rel="noopener" >https://github.com/go-gitea/gitea/issues/26187</a> Reported in 2023, still broken.</p> <p>Well, we just have to get used to the mangled logs, maybe just add an emoji to each step, and then search for it in the browser to find the step logs.</p> <h2 id="actions-are-only-pulled-once">Actions are only pulled once </h2><p>When using a major tag for an action like v4, the latest release belonging to that version will be pulled, including patches and minor releases.</p> <p>Guess what? That doesn&rsquo;t work in the Gitea Actions act_runner, since the act_runner has a runtime cache, and the runner won&rsquo;t check for updates after the first pull.</p> <p>This is an even bigger problem for reusable workflows, where you might prefer to use a branch instead of tags, and just assume the runner will use the latest commit on each run.</p> <p><a class="link" href="https://gitea.com/gitea/act_runner/issues/726" target="_blank" rel="noopener" >https://gitea.com/gitea/act_runner/issues/726</a></p> <p>Simple fix, just tag the actions to the last patch release, and run Renovate to automatically update the tag used, that surely gotta work?</p> <p>Only for actions hosted on GitHub, not on Gitea.</p> <h3 id="renovate-cant-update-workflow-tags-in-gitea">Renovate can&rsquo;t update workflow tags in Gitea </h3><p><a class="link" href="https://github.com/renovatebot/renovate/discussions/27734" target="_blank" rel="noopener" >https://github.com/renovatebot/renovate/discussions/27734</a></p> <p>Renovate still looks for packages in GitHub and not Gitea for reusable workflows and actions.</p> <p>Meaning auto updates for Gitea-hosted actions/workflows aren&rsquo;t possible.</p> <p>Yeah, I&rsquo;ve had enough, Gitea ain&rsquo;t it then.</p> <h2 id="conclusion">Conclusion </h2><p>Gitea Actions might work for simple workflows that are only used in one repo, don&rsquo;t need concurrency limits, don&rsquo;t need to get updated regularly, and don&rsquo;t rely on anything non-public.</p> <p>In addition to these crazy bugs, dealing with HTTP proxies in Gitea Actions is just insane. The NOPROXY proxy exception env variable is very finicky where it&rsquo;s just ignored most of the time, but I think it&rsquo;s more of an Actions problem than a Gitea Actions problem.</p> <p>After hitting so many bugs that were reported years ago! I just can&rsquo;t continue to invest time in Gitea Actions. Who knows what issues will show up when these workflows become part of the team&rsquo;s development process? It seems like GitLab is really the way to go.</p>Vibecoding with GitHub Copilot: Lessons Learnedhttps://fariszr.com/vibe-coding-with-github-copilot-lessons-learned/Thu, 31 Jul 2025 00:00:00 +0000https://fariszr.com/vibe-coding-with-github-copilot-lessons-learned/<img src="https://fariszr.com/vibe-coding-with-github-copilot-lessons-learned/thumbnail.jpg" alt="Featured image of post Vibecoding with GitHub Copilot: Lessons Learned" /><p>Over the past few weeks, I&rsquo;ve been vibecoding a new app with GitHub Copilot.</p> <p>I know it&rsquo;s not meant for that, but here&rsquo;s what I learned anyway:</p> <h2 id="200-requests-are-actually-a-lot">200 requests are actually a lot </h2><p>The GitHub Copilot pro sub includes 200 premium requests and unlimited gpt4.1 and gpt-4o requests.</p> <p>It&rsquo;s genuinely a lot, especially considering o4-mini&rsquo;s 0.33x multiplier. It&rsquo;s great for debugging but not ideal for designing.</p> <p>Don&rsquo;t forget that the Copilot coding agent on GitHub uses only one premium request for the entire session.</p> <h3 id="not-enough-with-third-party-extensions">Not enough with third party extensions </h3><p>Cline and its forks added support for using copilot as a provider through the VS Code LM API.</p> <p>However, the way these requests are handled differs significantly. A request in the official plugin is an interaction, every action done by LLM till it stops generating is included in that request.</p> <p>However, when third party extensions do this each API request counts as a premium request on its own, meaning instead of using one premium request to do the entire generation workflow, it&rsquo;s using 5 to 10.</p> <p>That&rsquo;s at least the case with Cline based tools.</p> <h2 id="limited-context-window">Limited context window </h2><p>All Copilot models are capped at a <a class="link" href="https://github.com/microsoft/vscode-copilot-release/issues/8303#issuecomment-2835038819" target="_blank" rel="noopener" >64k context window</a>, which is disappointing, especially for Gemini models that shine with their 1m context window.</p> <p>(maybe that&rsquo;s not the case for the async coding agent?)</p> <h2 id="the-continue-to-iterate-prompt-is-a-disaster">The Continue to iterate prompt is a disaster </h2><p><img src="https://fariszr.com/vibe-coding-with-github-copilot-lessons-learned/continue-to-iterate.png" width="796" height="1874" srcset="https://fariszr.com/vibe-coding-with-github-copilot-lessons-learned/continue-to-iterate_hu3855612166667711327.png 480w, https://fariszr.com/vibe-coding-with-github-copilot-lessons-learned/continue-to-iterate_hu11657535787081642525.png 1024w" loading="lazy" alt="GitHub Copilot Continue to Iterate Prompt" class="gallery-image" data-flex-grow="42" data-flex-basis="101px" ></p> <p>This is the worst thing in GitHub Copilot, it shows up when it&rsquo;s actually doing work and stops the agent.</p> <p>This wouldn&rsquo;t be a problem if the LLM actually just continued iterating, but due to the limited context window it seems to get only a summary of the chat and just starts anew.</p> <p>It&rsquo;s very annoying, but luckily there&rsquo;s a fix, you can increase the request limit, so that it practically never shows up</p> <p><img src="https://fariszr.com/vibe-coding-with-github-copilot-lessons-learned/continue-to-iterate-setting.png" width="1196" height="235" srcset="https://fariszr.com/vibe-coding-with-github-copilot-lessons-learned/continue-to-iterate-setting_hu12519701475077990308.png 480w, https://fariszr.com/vibe-coding-with-github-copilot-lessons-learned/continue-to-iterate-setting_hu17717783893429209245.png 1024w" loading="lazy" alt="GitHub Copilot Continue to Iterate Setting" class="gallery-image" data-flex-grow="508" data-flex-basis="1221px" ></p> <h2 id="context7-mcp-is-op">Context7 MCP is OP </h2><p>Context7 is an MCP that enables the LLM to fetch up-to-date documentation in Markdown for almost any library out there. Adding it is crucial as it prevents the model from hallucinating or using outdated functions.</p> <p>Sonnet 4 especially excelled at this, it always used context7 before doing anything, or while debugging.</p> <p>Other models like o4-mini needed to be reminded explicitly for them to actually use it, either by text or by adding it to the context window.</p> <h2 id="stagewise-mcp-is-superb-for-editing-ui-elements">Stagewise MCP is superb for editing UI elements </h2><p><a class="link" href="https://stagewise.io/" target="_blank" rel="noopener" >Stagewise</a> is an MCP client that adds an npm dev module that allows you to select elements and forward them to Copilot.</p> <p>This makes adjusting frontend elements much easier.</p> <h2 id="generating-copilotmd-instructions-is-actually-useful">Generating copilot.md instructions is actually useful </h2><p>Copilot can now generate a <code>copilot-instructions.md</code> file for itself.</p> <p>It might sound odd, but it works by providing the LLM with a general project overview, which you can build on with additional instructions.</p> <h2 id="one-long-detailed-prompt-is-way-better-than-refining-things-later-especially-for-the-copilot-coding-agent">One long, detailed prompt is way better than refining things later, especially for the Copilot coding agent </h2><p>This could be a side effect of the small context window, but there&rsquo;s a huge difference when actually starting with a fully detailed prompt.</p> <p>The LLM generates based on its assumptions. The more detailed you are, the better these assumptions align with your expectations.</p> <p>It&rsquo;s the reason why I think Kiro.dev will excel in this, because it unpacks these assumptions into separate markdown files, which then you can refine.</p> <p>if you want to use the GitHub Copilot async coding agent, you can trigger it from the chat which will do a search and then write a really detailed prompt. The Results are way better than usual with this.</p> <p>In general, it&rsquo;s been decent, but most of the issues really stem from the limited 64k context window, it makes Gemini models almost useless.</p> <p>However, Copilot&rsquo;s access to GitHub has been a strong point.</p>Automatically sync files to Mega.io with dockerized mega-cmdhttps://fariszr.com/dockerized-mega-cmd-automatic-file-sync/Mon, 30 Jun 2025 00:00:00 +0000https://fariszr.com/dockerized-mega-cmd-automatic-file-sync/<img src="https://fariszr.com/dockerized-mega-cmd-automatic-file-sync/thumbnail.webp" alt="Featured image of post Automatically sync files to Mega.io with dockerized mega-cmd" /><p>I self-host my own private cloud, but sometimes I have to make files available on external clouds like Mega.</p> <p>In this post I will explain how to create a dockerized mega-cmd with an entrypoint script that will automatically sync files and watch for changes.</p> <h2 id="dockerfile">dockerfile </h2><p>To make it easier to build the image, i embedded the entrypoint script inside the dockerfile.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span><span class="lnt">80 </span><span class="lnt">81 </span><span class="lnt">82 </span><span class="lnt">83 </span><span class="lnt">84 </span><span class="lnt">85 </span><span class="lnt">86 </span><span class="lnt">87 </span><span class="lnt">88 </span><span class="lnt">89 </span><span class="lnt">90 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-dockerfile" data-lang="dockerfile"><span class="line"><span class="cl"><span class="k">FROM</span><span class="s"> debian:12</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="c"># Install dependencies and MegaCMD</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="k">RUN</span> apt-get update <span class="o">&amp;&amp;</span> apt-get install -y <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> wget <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> curl <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> gnupg <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> apt-transport-https <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> <span class="o">&amp;&amp;</span> mkdir -p /etc/apt/keyrings <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> <span class="o">&amp;&amp;</span> curl -fsSL https://mega.nz/keys/MEGA_signing.key <span class="p">|</span> gpg --dearmor -o /etc/apt/keyrings/mega.nz.gpg <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="s2">&#34;deb [arch=amd64,arm64 signed-by=/etc/apt/keyrings/mega.nz.gpg] https://mega.nz/linux/repo/Debian_12/ ./&#34;</span> <span class="p">|</span> tee /etc/apt/sources.list.d/mega.nz.list &gt; /dev/null <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> <span class="o">&amp;&amp;</span> apt-get update <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> <span class="o">&amp;&amp;</span> apt-get install -y megacmd <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> <span class="o">&amp;&amp;</span> apt-get clean <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> <span class="o">&amp;&amp;</span> rm -rf /var/lib/apt/lists/*<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="c"># Create directories for configuration and data</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="k">RUN</span> mkdir -p /root/.megaCmd /data<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="c"># Create startup script</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="k">RUN</span> <span class="nb">echo</span> <span class="s1">&#39;#!/bin/bash\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">set -e\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"># Function to check if already logged in\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">check_login() {\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"> mega-whoami &gt; /dev/null 2&gt;&amp;1\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"> return $?\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">}\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"># Check if already logged in\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">if check_login; then\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"> echo &#34;Existing session found. Skipping login.&#34;\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">else\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"> # Check if credentials are provided\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"> if [ -z &#34;$MEGA_EMAIL&#34; ] || [ -z &#34;$MEGA_PASSWORD&#34; ]; then\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"> echo &#34;Error: MEGA_EMAIL and MEGA_PASSWORD environment variables must be set&#34;\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"> exit 1\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"> fi\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"> # Login to MEGA\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"> if [ -n &#34;$MEGA_2FA&#34; ]; then\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"> mega-login $MEGA_EMAIL $MEGA_PASSWORD --auth-code=$MEGA_2FA\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"> else\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"> mega-login $MEGA_EMAIL $MEGA_PASSWORD\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"> fi\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">fi\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"># Show account info to confirm login\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">echo &#34;Logged in as:&#34;\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">mega-whoami\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"># Set up sync if MEGA_SYNC_LOCAL_PATH and MEGA_SYNC_REMOTE_PATH are provided\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">if [ ! -z &#34;$MEGA_SYNC_LOCAL_PATH&#34; ] &amp;&amp; [ ! -z &#34;$MEGA_SYNC_REMOTE_PATH&#34; ]; then\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"> # Check if sync already exists\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"> if mega-sync | grep -q &#34;$MEGA_SYNC_LOCAL_PATH&#34;; then\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"> echo &#34;Sync already exists for $MEGA_SYNC_LOCAL_PATH. Skipping sync setup.&#34;\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"> else\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"> echo &#34;Setting up sync from $MEGA_SYNC_LOCAL_PATH to $MEGA_SYNC_REMOTE_PATH&#34;\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"> mega-sync $MEGA_SYNC_LOCAL_PATH $MEGA_SYNC_REMOTE_PATH\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"> fi\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">fi\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"># Keep the container running and show logs\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">echo &#34;MegaCMD is now running and syncing...&#34;\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">echo &#34;Streaming MegaCMD logs...&#34;\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"># Wait a moment for log files to be created\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">sleep 2\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"># Tail the mega-cmd log files to show activity in docker logs\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"># MegaCMD creates log files in ~/.megaCmd/\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">if [ -f /root/.megaCmd/megacmdserver.log ]; then\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"> tail -f /root/.megaCmd/megacmdserver.log &amp;\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">fi\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">if [ -f /root/.megaCmd/megacmd.log ]; then\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"> tail -f /root/.megaCmd/megacmd.log &amp;\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">fi\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"># Also monitor any sync-related logs\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">if [ -d /root/.megaCmd/logs ]; then\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"> tail -f /root/.megaCmd/logs/*.log 2&gt;/dev/null &amp;\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">fi\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">\n\ </span></span></span><span class="line"><span class="cl"><span class="s1"># Keep the main process alive\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">wait\n\ </span></span></span><span class="line"><span class="cl"><span class="s1">&#39;</span> &gt; /entrypoint.sh <span class="o">&amp;&amp;</span> chmod +x /entrypoint.sh<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="c"># Set the entrypoint</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="k">ENTRYPOINT</span> <span class="p">[</span><span class="s2">&#34;/entrypoint.sh&#34;</span><span class="p">]</span></span></span></code></pre></td></tr></table> </div> </div><h2 id="docker-composeyml">docker-compose.yml </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">megacmd</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">build</span><span class="p">:</span><span class="w"> </span><span class="l">.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">restart</span><span class="p">:</span><span class="w"> </span><span class="l">always</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">MEGA_EMAIL=your@email.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;MEGA_PASSWORD=pass&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">MEGA_2FA=10101</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">MEGA_SYNC_LOCAL_PATH=/data</span><span class="w"> </span><span class="c"># directory to sync inside the container</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">MEGA_SYNC_REMOTE_PATH=/remote-dir</span><span class="w"> </span><span class="c"># directory on mega</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">MEGA_DEVICE_ID=dockerized-mega</span><span class="w"> </span><span class="c">#device name</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">~/files:/data</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./megacmd-config:/root/.megaCmd</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">/etc/machine-id:/etc/machine-id:ro</span></span></span></code></pre></td></tr></table> </div> </div><p>the authentication variables are only needed for the first run, after that the token is stored in the .megaCmd folder.</p> <p>And now your files should show up on mega!</p> <p>Keep in mind mega support only two-way sync, mounting the data as read only isn&rsquo;t an option due to megacmd checking for write-access on startup.</p>How to add support for Element Call with Docker Compose & Caddyhttps://fariszr.com/matrix-rtc-setup-with-docker-caddy/Tue, 27 May 2025 00:00:00 +0000https://fariszr.com/matrix-rtc-setup-with-docker-caddy/<img src="https://fariszr.com/matrix-rtc-setup-with-docker-caddy/thumbnail.jpg" alt="Featured image of post How to add support for Element Call with Docker Compose & Caddy" /><p>If you have been getting <code>MISSING_MATRIX_RTC_FOCUS</code> on Element X recently when starting calls, the reason is that Element has stopped their free relay for Matrix RTC, AKA Element Call. It was there just to speed up initial Element X adoption.</p> <p>Luckily, adding it isn&rsquo;t that hard. The tricky part is the reverse proxy and updating the well-known files for the clients, but don&rsquo;t worry, I already did the hard work for you 😅</p> <p>We need two domains: one for LiveKit (the RTC service) and one for the JWT auth service for Element X.</p> <h2 id="docker-compose-additions">Docker Compose additions </h2><p>(livekit_api_key) = api key name</p> <p>(livekit_api_secret) = random 20+ character string.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="w"> </span><span class="c"># JWT Authentication Service for Element Call</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">lk-jwt-service</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">ghcr.io/element-hq/lk-jwt-service:latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">restart</span><span class="p">:</span><span class="w"> </span><span class="l">unless-stopped</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Port the JWT service listens on internally</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">LK_JWT_PORT=8080</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Publicly accessible URL for the LiveKit SFU WebSocket endpoint (updated domain)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">LIVEKIT_URL=wss://matrixrtc.fariszr.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># API Key and Secret (must match LiveKit service and secrets)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">LIVEKIT_KEY=(livekit_api_key)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">LIVEKIT_SECRET=(livekit_api_secret)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Optional: Restrict call creation to users from specific homeservers</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">LIVEKIT_LOCAL_HOMESERVERS=fariszr.com</span><span class="w"> </span><span class="c"># server name</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">networks</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">web</span><span class="p">:</span><span class="w"> </span><span class="c"># Needs to be reachable by Caddy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">livekit</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">livekit/livekit-server:v1.8</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">container_name</span><span class="p">:</span><span class="w"> </span><span class="l">livekit</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Use config file instead of just environment variables</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">command</span><span class="p">:</span><span class="w"> </span>--<span class="l">config /etc/livekit.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">restart</span><span class="p">:</span><span class="w"> </span><span class="l">unless-stopped</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># LIVEKIT_KEYS is still needed here for the server itself</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">LIVEKIT_KEYS</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;(livekit_api_key): (livekit_api_secret)&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Remove other env vars now handled by config.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># - LIVEKIT_WS_URL=wss://livekit.fariszr.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># - LIVEKIT_PORT=7880</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Port 7880 is now only needed internally for Caddy proxying to /livekit/sfu</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># - &#34;7880:7880&#34; # Client API and Webhook callback - proxied via Caddy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;7881:7881&#34;</span><span class="w"> </span><span class="c"># TURN/TLS (LiveKit&#39;s own TURN, though disabled in config)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;50100-50200:50100-50200/udp&#34;</span><span class="w"> </span><span class="c"># UDP port range for media over WebRTC</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Mount the new config file</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./livekit-config.yaml:/etc/livekit.yaml:ro</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">networks</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">web</span><span class="p">:</span><span class="w"> </span><span class="c"># Needs to be reachable by Caddy</span></span></span></code></pre></td></tr></table> </div> </div><h2 id="configs">Configs </h2><p>Additions to the Synapse config:</p> <h3 id="homeserveryaml">homeserver.yaml </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">experimental_features</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># MSC3266: Room summary API. Used for knocking over federation.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">msc3266_enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># MSC4222: Needed for syncv2 state_after. Allows clients to correctly track room state.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">msc4222_enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># MSC4140: Delayed events are required for proper call participation signalling.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># If disabled, you might get stuck calls in Matrix rooms.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">msc4140_enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># The maximum allowed duration by which sent events can be delayed, as per MSC4140.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">max_event_delay_duration</span><span class="p">:</span><span class="w"> </span><span class="l">24h</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># Adjust rate limiting for call-related events</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">rc_message</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Needs to match at least E2EE key sharing frequency plus headroom.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Key sharing events are bursty.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">per_second</span><span class="p">:</span><span class="w"> </span><span class="m">0.5</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">burst_count</span><span class="p">:</span><span class="w"> </span><span class="m">30</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">rc_delayed_event_mgmt</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Needs to match at least the heartbeat frequency (5s = 0.2/s) plus headroom.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">per_second</span><span class="p">:</span><span class="w"> </span><span class="m">1.0</span><span class="w"> </span><span class="c"># Increased from example&#39;s 1 to be safer</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">burst_count</span><span class="p">:</span><span class="w"> </span><span class="m">20</span></span></span></code></pre></td></tr></table> </div> </div><h3 id="livekit-configyaml">livekit-config.yaml: </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># Basic LiveKit configuration</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">7880</span><span class="w"> </span><span class="c"># Port LiveKit listens on internally</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">bind_addresses</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;0.0.0.0&#34;</span><span class="w"> </span><span class="c"># Listen on all interfaces within the container</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">rtc</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tcp_port</span><span class="p">:</span><span class="w"> </span><span class="m">7881</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port_range_start</span><span class="p">:</span><span class="w"> </span><span class="m">50100</span><span class="w"> </span><span class="c"># Match docker-compose port range</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port_range_end</span><span class="p">:</span><span class="w"> </span><span class="m">50200</span><span class="w"> </span><span class="c"># Match docker-compose port range</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">use_external_ip</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="c"># Rely on reverse proxy/NAT</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">logging</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">level</span><span class="p">:</span><span class="w"> </span><span class="l">info</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># Disable LiveKit&#39;s internal TURN server, since you probably have something already set up for the classic P2P calls.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">turn</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># domain: matrixrtc.fariszr.com # Not needed if disabled, updated comment for consistency</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># cert_file: &#34;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># key_file: &#34;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># tls_port: 5349 # Default</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># udp_port: 443 # Default</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># external_tls: true # If using external certs, but disabled anyway</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># Keys are provided via environment variable LIVEKIT_KEYS in docker-compose.yml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># keys:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># (livekit_api_key): (livekit_api_secret)</span></span></span></code></pre></td></tr></table> </div> </div><h2 id="caddy-reverse-proxy">Caddy reverse proxy </h2><p>I had to spend a lot of time figuring out the best reverse proxy setup. It seems that proxying the JWT service and LiveKit on different domains is the easiest solution, because I couldn&rsquo;t get it to work with a subdirectory override for JWT on the same domain.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-caddy" data-lang="caddy"><span class="line"><span class="cl"><span class="gh">matrix.fariszr.com</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">reverse_proxy</span> <span class="n">synapse</span><span class="p">:</span><span class="mi">8008</span> </span></span><span class="line"><span class="cl"> <span class="k">encode</span> <span class="s">zstd</span> <span class="s">gzip</span><span class="c1"> </span></span></span><span class="line"><span class="cl"><span class="c1"> # Serves the Matrix client .well-known JSON configuration file </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="k">respond</span> <span class="nd">/.well-known/matrix/client</span> <span class="sb">`</span><span class="s">{&#34;m.homeserver&#34;:{&#34;base_url&#34;:&#34;https://matrix.fariszr.com</span><span class="sb">&#34;},&#34;org.matrix.msc4143.rtc_foci&#34;:[</span><span class="s">{&#34;type&#34;:&#34;livekit&#34;,&#34;livekit_service_url&#34;:&#34;https://jwt.matrixrtc.fariszr.com</span><span class="sb">&#34;}]`</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="gh">jwt.matrixrtc.fariszr.com</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">encode</span> <span class="s">zstd</span> <span class="s">gzip</span> </span></span><span class="line"><span class="cl"> <span class="k">reverse_proxy</span> <span class="n">lk-jwt-service</span><span class="p">:</span><span class="mi">8080</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="gh">matrixrtc.fariszr.com</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">encode</span> <span class="s">zstd</span> <span class="s">gzip</span><span class="c1"> </span></span></span><span class="line"><span class="cl"><span class="c1"> # Route SFU WebSocket requests to the livekit container on its internal port 7880 </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="k">reverse_proxy</span> <span class="n">livekit</span><span class="p">:</span><span class="mi">7880</span> </span></span><span class="line"><span class="cl"><span class="p">}</span></span></span></code></pre></td></tr></table> </div> </div><p><strong>IMPORTANT:</strong> If you are using your delegated domain on the client (i.e., fariszr.com instead of matrix.fariszr.com when logging in), then you <strong>will</strong> have to update the client well-known file served on the delegated domain too.</p> <p>And now you should have a Matrix RTC-capable home server!</p> <p>You can take a look at <a class="link" href="https://github.com/FarisZR/Server/tree/main/matrix" target="_blank" rel="noopener" >my server&rsquo;s setup</a> anytime on my GitOps repo, run with <a class="link" href="https://fariszr.com/docker-compose-gitops-github/" target="_blank" rel="noopener" >docker-compose-gitops-action</a>.</p> <h2 id="sources">Sources </h2><p><a class="link" href="https://github.com/element-hq/element-call/blob/livekit/docs/self-hosting.md" target="_blank" rel="noopener" >https://github.com/element-hq/element-call/blob/livekit/docs/self-hosting.md</a></p> <p><a class="link" href="https://willlewis.co.uk/blog/posts/deploy-element-call-backend-with-synapse-and-docker-compose" target="_blank" rel="noopener" >https://willlewis.co.uk/blog/posts/deploy-element-call-backend-with-synapse-and-docker-compose</a></p>Selfhosted grammar autocorrect with languagetool and docker compose.https://fariszr.com/host-language-tool-with-docker/Mon, 31 Mar 2025 00:00:00 +0000https://fariszr.com/host-language-tool-with-docker/<img src="https://fariszr.com/host-language-tool-with-docker/thumbnail.jpeg" alt="Featured image of post Selfhosted grammar autocorrect with languagetool and docker compose." /><p>Self-hosted grammar autocorrect with LanguageTool and Docker Compose.</p> <p>LanguageTool is a great extension for correcting typos and grammar errors, it&rsquo;s basically a more advanced and useful version of autocorrect.</p> <p>However, LanguageTool watches everything you type in real time, so it&rsquo;s a real privacy risk.</p> <p>Fortunately, LanguageTool is open source, at least the core of it, and you can easily host it yourself using Docker.</p> <h2 id="setup">Setup </h2><h3 id="download-the-n-gram-language-weights">Download the N-gram language weights </h3><p>Ngrams are large datasets that help Languagetool improve context-dependent corrections, such as yours and there.</p> <p>Languagetool offers free n-gram datasets for a few languages, but AFAIK they are not the same as those used in the cloud version, and certainly not in the premium version.</p> <p><a class="link" href="https://languagetool.org/download/ngram-data/" target="_blank" rel="noopener" >https://languagetool.org/download/ngram-data/</a></p> <p>Download and extract the N-gram datasets into a language-specific folder under the N-grams directory, etc. <code>./ngrams/en, ./ngrams/de</code>.</p> <h3 id="docker-composeyml">Docker-compose.yml </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">languagetool</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">erikvl87/languagetool:latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tmpfs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">/tmp:exec</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cap_drop</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">ALL</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cap_add</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">CAP_SETUID</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">CAP_SETGID</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">CAP_CHOWN</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">security_opt</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="kc">no</span>-<span class="l">new-privileges</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="m">100.81.157.127</span><span class="p">:</span><span class="m">8010</span><span class="p">:</span><span class="m">8010</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">langtool_languageModel=/ngrams # OPTIONAL</span><span class="p">:</span><span class="w"> </span><span class="l">Using ngrams data</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">Java_Xms=512m # OPTIONAL</span><span class="p">:</span><span class="w"> </span><span class="l">Setting a minimal Java heap size of 512 mib</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">Java_Xmx=2g</span><span class="w"> </span><span class="c"># Max memory </span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./ngrams:/ngrams</span></span></span></code></pre></td></tr></table> </div> </div><h2 id="add-fasttext">Add Fasttext </h2><p>Contrary to its name, Fasttext is not about improving correction speed, it&rsquo;s an algorithm to improve autocorrect accuracy using an open model from Facebook.</p> <h3 id="dockerfile">Dockerfile </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-dockerfile" data-lang="dockerfile"><span class="line"><span class="cl"><span class="k">FROM</span><span class="s"> erikvl87/languagetool:latest</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="k">USER</span><span class="s"> root</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="k">RUN</span> apk add fasttext<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"></span><span class="k">USER</span><span class="s"> languagetool</span></span></span></code></pre></td></tr></table> </div> </div><h3 id="download-the-fasttext-model">download the fasttext Model </h3><p>fasttext also needs a model to work: <a class="link" href="https://fasttext.cc/docs/en/language-identification.html" target="_blank" rel="noopener" >https://fasttext.cc/docs/en/language-identification.html</a></p> <p>Save it in the same LanguageTool directory and rename it to fasttext-model.bin.</p> <h3 id="fully-featured-docker-compose">Fully featured Docker-compose </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">languagetool</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># image: erikvl87/languagetool:latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">build</span><span class="p">:</span><span class="w"> </span><span class="l">.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">container_name</span><span class="p">:</span><span class="w"> </span><span class="l">languagetool</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">restart</span><span class="p">:</span><span class="w"> </span><span class="l">always</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tmpfs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">/tmp:exec</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cap_drop</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">ALL</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cap_add</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">CAP_SETUID</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">CAP_SETGID</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">CAP_CHOWN</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">security_opt</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="kc">no</span>-<span class="l">new-privileges</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="m">8010</span><span class="p">:</span><span class="m">8010</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">langtool_languageModel=/ngrams # OPTIONAL</span><span class="p">:</span><span class="w"> </span><span class="l">Using ngrams data</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">Java_Xms=512m # OPTIONAL</span><span class="p">:</span><span class="w"> </span><span class="l">Setting a minimal Java heap size of 512 mib</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">Java_Xmx=3g</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">langtool_fasttextBinary=/usr/bin/fasttext</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">langtool_fasttextModel=/fasttext-model.bin</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./ngrams:/ngrams</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./fasttext-model.bin:/fasttext-model.bin</span></span></span></code></pre></td></tr></table> </div> </div><h2 id="make-the-web-extensions-use-your-selfhosted-instance">Make the web extensions use your selfhosted instance </h2><p>Go to languagetool settings, scroll all the way down to pro settings, and then enter the URL of your instance with <code>/v2</code> appended at the end. If you are hosting it on the same machine, then it is https://127.0.0.1:8010/v2.</p> <p><img src="https://fariszr.com/host-language-tool-with-docker/language-tool-settings.jpg" width="940" height="416" srcset="https://fariszr.com/host-language-tool-with-docker/language-tool-settings_hu18226818864362390922.jpg 480w, https://fariszr.com/host-language-tool-with-docker/language-tool-settings_hu3767461070019257393.jpg 1024w" loading="lazy" class="gallery-image" data-flex-grow="225" data-flex-basis="542px" ></p> <p>BTW you can use languagetool in other applications like <a class="link" href="https://github.com/ltex-plus/vscode-ltex-plus" target="_blank" rel="noopener" >Vscode/Vscodium</a> and Libreoffice.</p> <h2 id="sources">Sources </h2><p><a class="link" href="https://github.com/Erikvl87/docker-languagetool/issues/70" target="_blank" rel="noopener" >https://github.com/Erikvl87/docker-languagetool/issues/70</a> <a class="link" href="https://github.com/Erikvl87/docker-languagetool" target="_blank" rel="noopener" >https://github.com/Erikvl87/docker-languagetool</a></p>Go Paperless with Paperless-ngx and Ai + Nextcloud Intergration.https://fariszr.com/go-paperless-with-ai-and-nextcloud-integration/Fri, 28 Feb 2025 00:00:00 +0000https://fariszr.com/go-paperless-with-ai-and-nextcloud-integration/<img src="https://fariszr.com/go-paperless-with-ai-and-nextcloud-integration/thumbnail.jpeg" alt="Featured image of post Go Paperless with Paperless-ngx and Ai + Nextcloud Intergration." /><p>Having a scanner is the first step of going paperless, however with time you realize that keeping stuff in order and finding documents quickly becomes a challenge, even when using full text search in the cloud.</p> <p>Thats why document management Systems like Paperless-ngx exist. And in this post I&rsquo;m going to setup paperless-ngx with Nextcloud Integration, automated AI tagging and more accurate LLM-powered OCR.</p> <h2 id="docker-compose">Docker-compose </h2><p>For the docker compose setup i don&rsquo;t have to explain much, Paperless-ngx has template docker files ready to use in their Git repos and a quick guide on how to use them: <a class="link" href="https://docs.paperless-ngx.com/setup/#docker" target="_blank" rel="noopener" >https://docs.paperless-ngx.com/setup/#docker</a></p> <p>The needed changes will be mentioned in the next steps.</p> <h2 id="setting-up-separate-directories-for-each-user">setting up separate directories for each user </h2><p>unless you want every user to be able to see each others documents, you need to make sure paperless separates the resulting files into a per-user dir.</p> <p>You can do this with workflows and storage Paths, or make it the default and just use workflows to assign documents to users when importing(&ldquo;consuming&rdquo;) docs.</p> <h3 id="make-paperless-ngx-use-a-separate-directory-for-each-user">Make Paperless-ngx use a separate directory for each user. </h3><p>Using the placeholder details in the Paperless <a class="link" href="https://docs.paperless-ngx.com/advanced_usage/#filename-format-variables" target="_blank" rel="noopener" >docs</a>, you can set the default file format in Paperless using an environment variable.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-diff" data-lang="diff"><span class="line"><span class="cl">services: </span></span><span class="line"><span class="cl"> app: </span></span><span class="line"><span class="cl"> .... </span></span><span class="line"><span class="cl"> environment: </span></span><span class="line"><span class="cl"> ..... </span></span><span class="line"><span class="cl"><span class="gi">+ PAPERLESS_FILENAME_FORMAT=&#39;{{ owner_username }}/{{ title }}&#39; </span></span></span></code></pre></td></tr></table> </div> </div><p>This will keep the filename and store the file in an owner-specific directory in the paperless archive folder</p> <h3 id="assign-ownership-based-on-subdirectory-in-consumption-directory">Assign ownership based on subdirectory in consumption directory </h3><p>By default, when importing from the consumption directory, the file is available to all users, but with workflows we can tell Paperless to assign ownership based on the file dir when importing.</p> <p>If you have a scanner/printer that supports Samba, you can have it scan directly to a user-specified SMB share. A guide to setting up an SMB share with Docker can be found <a class="link" href="https://fariszr.com/docker-smb-network-discovery/" target="_blank" rel="noopener" >here</a>.</p> <h4 id="workflow-trigger">Workflow trigger </h4><p><img src="https://fariszr.com/go-paperless-with-ai-and-nextcloud-integration/workflow-trigger.png" width="1154" height="888" srcset="https://fariszr.com/go-paperless-with-ai-and-nextcloud-integration/workflow-trigger_hu18120534033271159999.png 480w, https://fariszr.com/go-paperless-with-ai-and-nextcloud-integration/workflow-trigger_hu12432305136788749219.png 1024w" loading="lazy" alt="workflow trigger" class="gallery-image" data-flex-grow="129" data-flex-basis="311px" ></p> <p>Trigger type: Consumption started Filter Sources: Consumption folder</p> <p>Filter path: <code>/usr/src/paperless/consume/$USERNAME</code> This matches any file imported from a specific directory</p> <p>you can also use wildcards to match any file with the username in its directory by just writing <code>*$USERNAME*</code></p> <h4 id="workflow-action">Workflow action </h4><p><img src="https://fariszr.com/go-paperless-with-ai-and-nextcloud-integration/workflow-action.png" width="1149" height="911" srcset="https://fariszr.com/go-paperless-with-ai-and-nextcloud-integration/workflow-action_hu11512487003268988479.png 480w, https://fariszr.com/go-paperless-with-ai-and-nextcloud-integration/workflow-action_hu13389472495105232926.png 1024w" loading="lazy" alt="workflow action" class="gallery-image" data-flex-grow="126" data-flex-basis="302px" ></p> <p>the action should be to assign the ownership and rights to the user.</p> <h2 id="ai-with-paperless-gpt">AI with Paperless-GPT </h2><p>It&rsquo;s 2025, we need to have AI in everything right?</p> <p>It makes sense here though, with Paperless-GPT you can use it to OCR documents using vision LLM models, using cloud vision models like GPT-4o, custom services from Google and Azure or even using local open source LLMs!</p> <h3 id="install-paperless-gpt">Install paperless-GPT </h3><p><a class="link" href="https://github.com/icereed/paperless-gpt?tab=readme-ov-file#installation" target="_blank" rel="noopener" >https://github.com/icereed/paperless-gpt?tab=readme-ov-file#installation</a></p> <p>Assuming you want to use ollama, make sure you adjust the <code>LLM_PROVIDER</code> and <code>LLM_MODEL</code> variables accordingly. Also comment out the <code>OPENAI_API_KEY</code> environment variable.</p> <p>For <code>PAPERLESS_API_TOKEN</code>, you can generate a token by going to the django admin dashboard, which you can find in the settings page under your profile icon in the top right.</p> <p>(You can also use vLLM, in which case you should probably stick with openai as your provider, while setting the <code>OPENAI_BASE_URL</code> to point to vLLM).</p> <p>You can also customize the tags used to trigger processing by paperless-gpt, whether just for metadata or for OCR.</p> <p>Paperless-gpt has a webui exposed on port 8080 by default, consider setting up a reverse proxy in front of it. Example for caddy:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-caddyfile" data-lang="caddyfile"><span class="line"><span class="cl"><span class="gh">paperless-ai.yourdomain.test</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">reverse_proxy</span> <span class="n">paperless-gpt</span><span class="p">:</span><span class="mi">8080</span> </span></span><span class="line"><span class="cl"><span class="p">}</span></span></span></code></pre></td></tr></table> </div> </div><h3 id="ollama-setup">Ollama setup </h3><p>Ollama is the easiest way to run LLMs locally, but its support for Vision LLMs is <strong>very limited</strong>, with the latest model being <code>minicpm-v</code> 2.6, which doesn&rsquo;t work well with non-Latin languages. If you want to run better models like Qwen2.5-VL-7B-Instruct, you will have to use <strong>vLLM</strong> for that. (if you figure out how to make it run on consumer AMD GPUs [<em>not the 7900xt/x</em>], hit me up)</p> <h4 id="rocm-amd">ROCm (AMD) </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ollama</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">ollama/ollama:rocm</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">devices</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">/dev/kfd:/dev/kfd</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">/dev/dri:/dev/dri</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># environment:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># - HSA_OVERRIDE_GFX_VERSION=10.3.0 # for unsupported gpus such as the 6700xt, 7800xt etc.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./ollama:/root/.ollama</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;11434:11434&#34;</span></span></span></code></pre></td></tr></table> </div> </div><h4 id="cuda-nvidia">CUDA (Nvidia) </h4><p>(If you have an Nvidia GPU, You should probably be using vLLM for this) You will need to install the nvidia container toolkit and enable it for docker, see the <a class="link" href="https://hub.docker.com/r/ollama/ollama" target="_blank" rel="noopener" >Ollama&rsquo;s docker hub page</a> for details.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">container_name</span><span class="p">:</span><span class="w"> </span><span class="l">ollama</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ollama</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">deploy</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">reservations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">devices</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">driver</span><span class="p">:</span><span class="w"> </span><span class="l">nvidia</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">count</span><span class="p">:</span><span class="w"> </span><span class="l">all</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">capabilities</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">gpu</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">ollama:/root/.ollama</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="m">11434</span><span class="p">:</span><span class="m">11434</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">ollama/ollama</span></span></span></code></pre></td></tr></table> </div> </div><h4 id="pulling-the-llm-model">pulling the llm model </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">docker <span class="nb">exec</span> -it ollama bash </span></span><span class="line"><span class="cl">~# ollama pull minicpm-v</span></span></code></pre></td></tr></table> </div> </div><h3 id="testing-out-ocr-and-tag-suggestions-using-minicpm-v">Testing out OCR and Tag suggestions using minicpm-v </h3><p>Open the paperless-gpt dashboard (exposed on port 8080 by default) and check that everything is working correctly.</p> <p>To test OCR with a Vision LLM, go to the OCR tab and enter the ID of a document you want to test on.</p> <p>You can find the ID in the URL of each document, <code>https://paperless.yourdomain.test/documents/XXX/details</code>, XXX being the document id.</p> <p><img src="https://fariszr.com/go-paperless-with-ai-and-nextcloud-integration/LLM-OCR-ui.png" width="1118" height="852" srcset="https://fariszr.com/go-paperless-with-ai-and-nextcloud-integration/LLM-OCR-ui_hu8662153027210579218.png 480w, https://fariszr.com/go-paperless-with-ai-and-nextcloud-integration/LLM-OCR-ui_hu12075313229513319455.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="131" data-flex-basis="314px" ></p> <p>To test the metadata suggestions (based on the text extracted by teserract), you have to add one of the paperless-gpt processing tags to the document, by default <code>paperless-gpt</code> for manual processing (you have to trigger it in the UI) and <code>paperless-gpt-auto</code> for automatic processing (for OCR its <code>paperless-gpt-ocr-auto</code> by default). You can customize the tag names using environment variables in docker compose.</p> <p>When documents are tagged with <code>paperless-gpt</code>, they are displayed in the web interface. <img src="https://fariszr.com/go-paperless-with-ai-and-nextcloud-integration/tagged-docs.png" width="931" height="580" srcset="https://fariszr.com/go-paperless-with-ai-and-nextcloud-integration/tagged-docs_hu7889251094212098572.png 480w, https://fariszr.com/go-paperless-with-ai-and-nextcloud-integration/tagged-docs_hu4621918309254161030.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="160" data-flex-basis="385px" ></p> <p>You can now create better metadata based on the OCR text (from Paperless-NGX).</p> <p><img src="https://fariszr.com/go-paperless-with-ai-and-nextcloud-integration/llm-suggested-metadata.png" width="931" height="580" srcset="https://fariszr.com/go-paperless-with-ai-and-nextcloud-integration/llm-suggested-metadata_hu1540566210849222458.png 480w, https://fariszr.com/go-paperless-with-ai-and-nextcloud-integration/llm-suggested-metadata_hu6131716776095983752.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="160" data-flex-basis="385px" ></p> <h3 id="process-all-documents-with-paperless-gpt">Process all documents with Paperless-gpt </h3><p>If you want all documents to be processed by AI, you can create a workflow to add the <code>paperless-gpt-auto' and </code>paperless-gpt-ocr-auto&rsquo; tags to new documents. They will then be automatically processed by paperless-gpt and updated accordingly.</p> <p><img src="https://fariszr.com/go-paperless-with-ai-and-nextcloud-integration/paperless-gpt-tags-workflow.png" width="912" height="996" srcset="https://fariszr.com/go-paperless-with-ai-and-nextcloud-integration/paperless-gpt-tags-workflow_hu10154136427285643635.png 480w, https://fariszr.com/go-paperless-with-ai-and-nextcloud-integration/paperless-gpt-tags-workflow_hu17368616390714974341.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="91" data-flex-basis="219px" ></p> <h2 id="general-tips-on-using-paperless">General Tips on using Paperless </h2><p>I found this thread on reddit to be useful on how to get started with Paperless:</p> <p><a class="link" href="https://reddit.com/r/selfhosted/comments/sdv0rr/paperless_ng_which_tags_document_types/" target="_blank" rel="noopener" >https://reddit.com/r/selfhosted/comments/sdv0rr/paperless_ng_which_tags_document_types/</a></p> <p>And now you have an (AI-assisted) Document management System!</p> <h2 id="nextcloud-integration">Nextcloud Integration </h2><p>Now if you are setting up paperless, chances are, you are using a cloud solution like nextcloud.</p> <p>You can integrate Nextcloud with Paperless through external mounts, you can mount the user-specfic consumption directory for each user, and then the archive directory to be able to access processed pdfs.</p> <p><img src="https://fariszr.com/go-paperless-with-ai-and-nextcloud-integration/nextcloud-external-mounts.png" width="1343" height="290" srcset="https://fariszr.com/go-paperless-with-ai-and-nextcloud-integration/nextcloud-external-mounts_hu323987336632972940.png 480w, https://fariszr.com/go-paperless-with-ai-and-nextcloud-integration/nextcloud-external-mounts_hu15943693618867647437.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="463" data-flex-basis="1111px" ></p> <p>/mnt/archive being a mounted directory pointing to the <code>{YOUR_DOCKER_DIR}/paperless-ngx/media/documents/archive/$USER$:/mnt/archive:ro</code> and scans pointing to a directory mounted as <code>/usr/src/paperless/consume/$USER</code> in paperless.</p> <p>Make sure to set per-user paths as the default or to create an active workflow to assign storage paths depending on the import-path.</p> <h2 id="sources">Sources </h2><p><a class="link" href="https://www.madebyagents.com/blog/paperless-ngx-nextcloud-integration" target="_blank" rel="noopener" >https://www.madebyagents.com/blog/paperless-ngx-nextcloud-integration</a></p> <p><a class="link" href="https://github.com/icereed/paperless-gpt" target="_blank" rel="noopener" >https://github.com/icereed/paperless-gpt</a></p>Setup Contact and Calendar (dav)sync using Radicale and Docker compose.https://fariszr.com/contact-calendar-dav-sync-radicale-docker/Sat, 30 Nov 2024 00:00:00 +0000https://fariszr.com/contact-calendar-dav-sync-radicale-docker/<img src="https://fariszr.com/contact-calendar-dav-sync-radicale-docker/thumbnail.jpg" alt="Featured image of post Setup Contact and Calendar (dav)sync using Radicale and Docker compose." /><p>I have been looking for a solution to sync my contacts across devices. Etesync seemed great for this, but it seems the IOS app is no longer maintained.</p> <p>And then I found Radicale, a lightweight and easy to setup server for Caldav/Cardav syncing, and in true FarisZR fashion, I&rsquo;m going to install it with docker compose.</p> <p>Now radicale doesn&rsquo;t seem to have an official docker image, but luckily for us <a class="link" href="https://github.com/tomsquest/docker-radicale" target="_blank" rel="noopener" >tomesquest</a> did the hard part for us and created a docker image for Radiacle.</p> <h2 id="docker-composeyml">docker-compose.yml </h2><p>*Note that this uses an external network called <code>web</code> to connect the service to the reverse proxy, you could just expose the ports directly.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">networks</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">web</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">external</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">radicale</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">tomsquest/docker-radicale:latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">container_name</span><span class="p">:</span><span class="w"> </span><span class="l">radicale</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># ports:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># - 127.0.0.1:5232:5232</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">init</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">read_only</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">security_opt</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="kc">no</span>-<span class="l">new-privileges:true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cap_drop</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">ALL</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cap_add</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">SETUID</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">SETGID</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">CHOWN</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">KILL</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">deploy</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">limits</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="l">256M</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pids</span><span class="p">:</span><span class="w"> </span><span class="m">50</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">healthcheck</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">test</span><span class="p">:</span><span class="w"> </span><span class="l">curl -f http://127.0.0.1:5232 || exit 1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">interval</span><span class="p">:</span><span class="w"> </span><span class="l">30s</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">retries</span><span class="p">:</span><span class="w"> </span><span class="m">3</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">restart</span><span class="p">:</span><span class="w"> </span><span class="l">unless-stopped</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./data:/data</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./config:/config</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">networks</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">web</span></span></span></code></pre></td></tr></table> </div> </div><h2 id="config">config </h2><p>There&rsquo;s a template config file for the docker image, we still need to change something to be able to set up htpasswd auth.</p> <p>Create a file named config inside the mounted config directory with the raw content of <a class="link" href="https://github.com/tomsquest/docker-radicale/blob/master/config" target="_blank" rel="noopener" >the config file from github</a></p> <p>and modify it to your liking, if you want to change the data directory, make sure to adjust the mount points in docker compose accordingly.</p> <h2 id="auth">Auth </h2><p>We need to adjust the auth section to enable authentication with a password, here&rsquo;s an example:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="k">[auth]</span> </span></span><span class="line"><span class="cl"><span class="na">type</span> <span class="o">=</span> <span class="s">htpasswd</span> </span></span><span class="line"><span class="cl"><span class="na">htpasswd_filename</span> <span class="o">=</span> <span class="s">/config/users</span> </span></span><span class="line"><span class="cl"><span class="na">htpasswd_encryption</span> <span class="o">=</span> <span class="s">bcrypt</span></span></span></code></pre></td></tr></table> </div> </div><h3 id="hashing-your-password-with-bcrypt">Hashing your password with bcrypt </h3><p>Now, as you probably noticed, htpasswd encryption is set to bcrypt, which means we need to hash the password in bcrypt format.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nb">echo</span> -n <span class="s2">&#34;your password&#34;</span> <span class="p">|</span> mkpasswd --method<span class="o">=</span>bcrypt</span></span></code></pre></td></tr></table> </div> </div><p>Then create a file called <code>users</code> in the mounted <code>config</code> directory. It should be formatted like this:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">john:$2a$10$l1Se4qIaRlfOnaC1pGt32uNe/Dr61r4JrZQCNnY.kTx2KgJ70GPSm</span></span></code></pre></td></tr></table> </div> </div><p>and now it should be ready to run!</p> <h2 id="caddy-reverse-proxy">Caddy reverse proxy </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="err">sync.example.com</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="err">reverse_proxy</span> <span class="err">radicale:5232</span> </span></span><span class="line"><span class="cl"> <span class="err">encode</span> <span class="err">zstd</span> <span class="err">gzip</span> </span></span><span class="line"><span class="cl"><span class="p">}</span></span></span></code></pre></td></tr></table> </div> </div><h2 id="importing-data">Importing data </h2><p>For me, importing data from the web UI didn&rsquo;t work, I just re-imported my contacts on my phone and it worked.</p>Quick Fixes for Flatpak Dark Mode Detection Issueshttps://fariszr.com/flatpak-dark-mode-fix/Mon, 28 Oct 2024 00:00:00 +0000https://fariszr.com/flatpak-dark-mode-fix/<img src="https://fariszr.com/flatpak-dark-mode-fix/thumbnail.png" alt="Featured image of post Quick Fixes for Flatpak Dark Mode Detection Issues" /><p>Flatpak is the most popular universal distribution format on Linux, but I still face issues with dark mode detection in some apps.</p> <p>Luckily I found some workarounds to fix this.</p> <h2 id="make-sure-dark-mode-themes-are-installed-for-flatpak-updates">Make sure dark mode themes are installed for flatpak updates </h2><p>Technically, flatpak should automatically detect the theme you&rsquo;re using and install it, but if for some reason it doesn&rsquo;t, you can manually install the gtk3 themes you need.</p> <p>Adwaita:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">flatpak install org.gtk.Gtk3theme.Adwaita-dark/x86_64/3.22</span></span></code></pre></td></tr></table> </div> </div><p>Generally for Ubuntu: dark</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">flatpak install flathub org.gtk.Gtk3theme.Yaru-dark</span></span></code></pre></td></tr></table> </div> </div><p>light</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">flatpak install flathub org.gtk.Gtk3theme.Yaru-light</span></span></code></pre></td></tr></table> </div> </div><p>But these are the general themes, if you&rsquo;ve changed the accent colour then you&rsquo;re using a different theme, like Yaru-Red-dark for the red accent theme.</p> <p>You can find all the available gtk3themes on Flathub using the command</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">flatpak search gtk3theme</span></span></code></pre></td></tr></table> </div> </div><h2 id="switch-to-the-stock-adwaita-theme">Switch to the stock Adwaita theme </h2><p><img src="https://fariszr.com/flatpak-dark-mode-fix/stock-adwaita.png" width="1901" height="1049" srcset="https://fariszr.com/flatpak-dark-mode-fix/stock-adwaita_hu3458769970658291019.png 480w, https://fariszr.com/flatpak-dark-mode-fix/stock-adwaita_hu5103860060390400287.png 1024w" loading="lazy" alt="Testing applications with the stock Adwaita theme" class="gallery-image" data-flex-grow="181" data-flex-basis="434px" ></p> <p>Open the Gnome Tweaks application and make sure you are using the stock Adwaita theme for Gnome. The default Adwaita theme provides the best compatibility, Some applications like Proton VPN seem to only follow dark mode when using Adwaita.</p> <h2 id="manual-overrides">Manual overrides </h2><p>Some applications don&rsquo;t implement the necessary XDG standards to detect dark mode, at least not completely. These fixes will manually override the default theme, which means that dynamic switching between dark and light themes from GNOME&rsquo;s quick settings won&rsquo;t work anymore when using these overrides.</p> <h2 id="use-adw-gtk3">Use adw-gtk3 </h2><p><img src="https://fariszr.com/flatpak-dark-mode-fix/adw-gtk3-dark.png" width="1901" height="1049" srcset="https://fariszr.com/flatpak-dark-mode-fix/adw-gtk3-dark_hu5221030524894079898.png 480w, https://fariszr.com/flatpak-dark-mode-fix/adw-gtk3-dark_hu6422087505931445161.png 1024w" loading="lazy" alt="Testing apps with the adw-gtk3-dark theme" class="gallery-image" data-flex-grow="181" data-flex-basis="434px" > Adw-gtk3 is a gtk3 theme that makes applications look like gtk4. It&rsquo;s also the theme that fixes all the problems for me. Apps like Xournal++ won&rsquo;t follow the dark mode with Adwaita, even when I manually select adwaita-dark in gnome-tweaks, but with adw-gtk3-dark it works fine.</p> <p>Even applications like Motrix, which use an old version of electron that doesn&rsquo;t support automatic dark mode detection, detected dark mode when using adw-gtk3-dark.</p> <p><a class="link" href="https://github.com/lassekongo83/adw-gtk3?tab=readme-ov-file#how-to-install" target="_blank" rel="noopener" >Adw-gtk3 Installaion instructions</a></p> <h2 id="manual-override-with-flatseal">Manual override with Flatseal </h2><p>If nothing works, you can manually override the theme used by the applications using the <code>GTK_THEME</code> environment variable.</p> <p><img src="https://fariszr.com/flatpak-dark-mode-fix/Itsfoss-flatseal.png" width="1000" height="642" srcset="https://fariszr.com/flatpak-dark-mode-fix/Itsfoss-flatseal_hu3295254884043916080.png 480w, https://fariszr.com/flatpak-dark-mode-fix/Itsfoss-flatseal_hu3019096727169478077.png 1024w" loading="lazy" alt="Photo Courtesy of itsfoss.com" class="gallery-image" data-flex-grow="155" data-flex-basis="373px" ></p> <p>You can also do this at the application level.</p> <p>These are the workarounds I found, for me adw-gtk3 fixed everything and I don&rsquo;t have to worry about this anymore, however, because it is explicitly selected in gnome-tweaks, <strong>the light/dark switch in the quick settings will not work.</strong>. <img src="https://fariszr.com/flatpak-dark-mode-fix/no-dynamic-dark-mode.png" width="1901" height="1049" srcset="https://fariszr.com/flatpak-dark-mode-fix/no-dynamic-dark-mode_hu6303500083864709518.png 480w, https://fariszr.com/flatpak-dark-mode-fix/no-dynamic-dark-mode_hu3387458476960459463.png 1024w" loading="lazy" alt="The quick settings toggle has no effect with adw-gtk3-dark" class="gallery-image" data-flex-grow="181" data-flex-basis="434px" ></p> <h2 id="sources">Sources </h2><p><a class="link" href="https://ubuntuhandbook.org/index.php/2021/10/enable-dark-flatpak-apps-ubuntu-linux-mint/" target="_blank" rel="noopener" >https://ubuntuhandbook.org/index.php/2021/10/enable-dark-flatpak-apps-ubuntu-linux-mint/</a> <a class="link" href="https://itsfoss.com/flatpak-app-apply-theme/" target="_blank" rel="noopener" >https://itsfoss.com/flatpak-app-apply-theme/</a> <a class="link" href="https://github.com/lassekongo83/adw-gtk3" target="_blank" rel="noopener" >https://github.com/lassekongo83/adw-gtk3</a></p>Using Custom providers like Groq with Zed Aihttps://fariszr.com/use-custom-providers-with-zed-groq/Sun, 08 Sep 2024 00:00:00 +0000https://fariszr.com/use-custom-providers-with-zed-groq/<img src="https://fariszr.com/use-custom-providers-with-zed-groq/thumbnail.jpg" alt="Featured image of post Using Custom providers like Groq with Zed Ai" /><p><a class="link" href="https://zed.dev/" target="_blank" rel="noopener" >Zed</a> is a new open source code editor on the block, which has a top-notch Ai integration, aiming to compete with Cursor.</p> <p>You can use <a class="link" href="https://zed.dev/blog/zed-ai" target="_blank" rel="noopener" >Zed Ai for free</a>, it will use Claude 3.5 sonnet with strict rate limits, and it also may use your Inputs for training.</p> <p>However you can also run Zed AI using openAI LLMs or even any other LLM running on an openai api-compatible provider like groq!</p> <h2 id="settingsjson">settings.json </h2><p>Zed&rsquo;s settings are mainly managed through the settings.json file. Open the file using the shortcut <code>ctrl +,</code></p> <p>And paste the following:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;language_models&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;openai&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;version&#34;</span><span class="p">:</span> <span class="s2">&#34;1&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;api_url&#34;</span><span class="p">:</span> <span class="s2">&#34;https://api.groq.com/openai/v1&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;available_models&#34;</span><span class="p">:</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;name&#34;</span><span class="p">:</span> <span class="s2">&#34;llama-3.1-70b-versatile&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;max_tokens&#34;</span><span class="p">:</span> <span class="mi">131072</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;max_output_tokens&#34;</span><span class="p">:</span> <span class="kc">null</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span></span></span></code></pre></td></tr></table> </div> </div><ul> <li> <p><strong>api_url</strong>: openai compatible API url, for groq it&rsquo;s <code>https://api.groq.com/openai/v1</code></p> </li> <li> <p><strong>available_models</strong>: this is a json array of all models from this provider, the best available model on groq is LLama 3.1 70b</p> </li> </ul> <h2 id="storing-your-api-token-and-enabling-choosing-custom-llm-model">storing your API token and enabling choosing custom LLM model </h2><p><img src="https://fariszr.com/use-custom-providers-with-zed-groq/llm-config.png" width="641" height="1018" srcset="https://fariszr.com/use-custom-providers-with-zed-groq/llm-config_hu8815928345108587400.png 480w, https://fariszr.com/use-custom-providers-with-zed-groq/llm-config_hu7510324150377452327.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="62" data-flex-basis="151px" ></p> <p>Enter your API token for Groq or your preferred OpenAI-compatible platform in the OpenAI modal at the end of the zed ai configure page.</p> <p>You can generate your <a class="link" href="https://console.groq.com/keys" target="_blank" rel="noopener" >Groqcloud API token</a> by going to the groq console page and then to api keys</p> <p>then choose your custom LLM model (it&rsquo;s going to have an OpenAI logo next to it, sorry!) and now you should have a Llama-powered Zed AI assistant!</p> <p><img src="https://fariszr.com/use-custom-providers-with-zed-groq/choosing-the-custom-model.png" width="638" height="473" srcset="https://fariszr.com/use-custom-providers-with-zed-groq/choosing-the-custom-model_hu16936243595129718737.png 480w, https://fariszr.com/use-custom-providers-with-zed-groq/choosing-the-custom-model_hu2023860921985564701.png 1024w" loading="lazy" alt="Choose your custom model to make Zed use it for all ai related tasks" class="gallery-image" data-flex-grow="134" data-flex-basis="323px" ></p> <h2 id="sources">sources </h2><p><a class="link" href="https://github.com/zed-industries/zed/pull/13276" target="_blank" rel="noopener" >https://github.com/zed-industries/zed/pull/13276</a></p>How to run Brave Leo LLM locally with ollama and Docker composehttps://fariszr.com/brave-leo-with-ollama-using-docker-compose/Sat, 31 Aug 2024 00:00:00 +0000https://fariszr.com/brave-leo-with-ollama-using-docker-compose/<img src="https://fariszr.com/brave-leo-with-ollama-using-docker-compose/thumbnail.jpg" alt="Featured image of post How to run Brave Leo LLM locally with ollama and Docker compose" /><p>Brave recently introduced <a class="link" href="https://brave.com/blog/byom-nightly/" target="_blank" rel="noopener" >the ability to bring your own model</a> to use with LEO using other third party providers or a local model using Ollama!</p> <p>This is a quick guide to hosting Ollama with docker and integrating it with Leo. I&rsquo;m doing this with docker because it&rsquo;s much easier for AMD GPUs, because you don&rsquo;t need any drivers to make it work.</p> <h2 id="ollama-setup">Ollama setup </h2><h3 id="cpu">CPU </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ollama</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">ollama/ollama</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./ollama:/root/.ollama</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;11434:11434&#34;</span></span></span></code></pre></td></tr></table> </div> </div><h3 id="rocm">ROCm </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ollama</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">ollama/ollama:rocm</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">devices</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">/dev/kfd:/dev/kfd</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">/dev/dri:/dev/dri</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># environment:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># - HSA_OVERRIDE_GFX_VERSION=10.3.0 # for unsupported gpus such as 6700xt, 7800xt etc.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./ollama:/root/.ollama</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;11434:11434&#34;</span></span></span></code></pre></td></tr></table> </div> </div><h3 id="cuda">CUDA </h3><p>You will need to install the nvidia container toolkit and enable it for docker, see the <a class="link" href="https://hub.docker.com/r/ollama/ollama" target="_blank" rel="noopener" >docker hub page</a> for Ollama for details.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">container_name</span><span class="p">:</span><span class="w"> </span><span class="l">ollama</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ollama</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">deploy</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">reservations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">devices</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">driver</span><span class="p">:</span><span class="w"> </span><span class="l">nvidia</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">count</span><span class="p">:</span><span class="w"> </span><span class="l">all</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">capabilities</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">gpu</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">ollama:/root/.ollama</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="m">11434</span><span class="p">:</span><span class="m">11434</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">ollama/ollama</span></span></span></code></pre></td></tr></table> </div> </div><h2 id="downloading-an-llm">Downloading an LLM </h2><p>You need to choose a model that fits into your GPU&rsquo;s VRAM. Remember that there are smaller &ldquo;quantized&rdquo; versions of most LLMs, you could just scroll down the tag picker on Ollama&rsquo;s site until you see something that might fit your GPU.</p> <p>You can find the state-of-the-art models using the Lmsys&rsquo;s chatbot arena Leaderboard, which ranks most Ai models depending on how users like them. <a class="link" href="https://lmarena.ai/" target="_blank" rel="noopener" >https://lmarena.ai/</a></p> <p>Meta AI&rsquo;s LLama 3 models are currently by far the most popular models on Ollama.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">docker <span class="nb">exec</span> -it ollama bash </span></span><span class="line"><span class="cl">~# ollama pull llama3:YOUR_TAG</span></span></code></pre></td></tr></table> </div> </div><p>This will download the model to the mounted <code>./ollama</code> directory.</p> <h2 id="using-leo-with-ollama">Using Leo with Ollama </h2><p>Go to settings and then to the Leo page <img src="https://fariszr.com/brave-leo-with-ollama-using-docker-compose/image.png" width="1999" height="1250" srcset="https://fariszr.com/brave-leo-with-ollama-using-docker-compose/image_hu5960846875194798597.png 480w, https://fariszr.com/brave-leo-with-ollama-using-docker-compose/image_hu17309402144558154161.png 1024w" loading="lazy" alt="Leo setting page" class="gallery-image" data-flex-grow="159" data-flex-basis="383px" > (pictures courtesy of brave)</p> <p>The model request name is the same as the one in Ollama, so <code>llama3:YOUR_TAG</code></p> <p>the server endpoint will always be: <code>http://localhost:11434/v1/chat/completions</code> unless you host Ollama somewhere else.</p> <p><img src="https://fariszr.com/brave-leo-with-ollama-using-docker-compose/image-1.png" width="1999" height="1251" srcset="https://fariszr.com/brave-leo-with-ollama-using-docker-compose/image-1_hu6685546932042350335.png 480w, https://fariszr.com/brave-leo-with-ollama-using-docker-compose/image-1_hu15863083940895120754.png 1024w" loading="lazy" alt="local llm settings" class="gallery-image" data-flex-grow="159" data-flex-basis="383px" ></p> <p>And then select the model when using leo,</p> <p><img src="https://fariszr.com/brave-leo-with-ollama-using-docker-compose/image-2.png" width="1999" height="1250" srcset="https://fariszr.com/brave-leo-with-ollama-using-docker-compose/image-2_hu12997017938205712974.png 480w, https://fariszr.com/brave-leo-with-ollama-using-docker-compose/image-2_hu853866906602134135.png 1024w" loading="lazy" alt="select model model" class="gallery-image" data-flex-grow="159" data-flex-basis="383px" ></p> <p>And now you have your own local AI assistant built into your browser!</p>Setup Owncloud infinite scale with docker composehttps://fariszr.com/owncloud-infinite-scale-docker-setup/Wed, 31 Jul 2024 00:00:00 +0000https://fariszr.com/owncloud-infinite-scale-docker-setup/<img src="https://fariszr.com/owncloud-infinite-scale-docker-setup/thumbnail.jpg" alt="Featured image of post Setup Owncloud infinite scale with docker compose" /><p>ownCloud infinite scale is a complete rewrite of the classic ownCloud/Nextcloud server in go, it&rsquo;s much faster and much more efficient, to the point it doesn&rsquo;t even need a database!</p> <p>I found their docs to be a bit confusing, but I managed to figure it out and wrote this guide to save you the hassle!</p> <h2 id="setup-plan">Setup plan </h2><p>ownCloud infinite scale is, as the name says, very scalable, you could deploy multiple instances, with services separated from the main program to be able to scale depending on usage and so on.</p> <p>This guide is focused on the most common setup for Homelabs and small scale NAS&rsquo;s, local UNIX storage with one instance using the embedded supervisor. It&rsquo;s also a great starting point if you are planning a bigger deployment.</p> <h2 id="initial-owncloud-setup">Initial ownCloud setup </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ocis</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">owncloud/ocis:5</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">user</span><span class="p">:</span><span class="w"> </span><span class="m">1000</span><span class="p">:</span><span class="m">1000</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="m">127.0.0.1</span><span class="p">:</span><span class="m">9200</span><span class="p">:</span><span class="m">9200</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">entrypoint</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">/bin/sh</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># run ocis init to initialize a configuration file with random secrets</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># it will fail on subsequent runs, because the config file already exists</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># therefore we ignore the error and then start the ocis server</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">command</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;-c&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;ocis init || true; ocis server&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">OCIS_URL</span><span class="p">:</span><span class="w"> </span><span class="l">https://owncloud.yourdomain.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">OCIS_LOG_LEVEL</span><span class="p">:</span><span class="w"> </span><span class="l">error</span><span class="w"> </span><span class="c"># make oCIS less verbose</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">PROXY_TLS</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="c"># do not use SSL between reverse proxy and oCIS</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">OCIS_INSECURE</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">PROXY_ENABLE_BASIC_AUTH</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># admin user password</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">IDM_ADMIN_PASSWORD</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;admin&#34;</span><span class="w"> </span><span class="c"># this overrides the admin password from the configuration file</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># make settings service available to oCIS Hello</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">SETTINGS_GRPC_ADDR</span><span class="p">:</span><span class="w"> </span><span class="m">0.0.0.0</span><span class="p">:</span><span class="m">9191</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">GATEWAY_GRPC_ADDR</span><span class="p">:</span><span class="w"> </span><span class="m">0.0.0.0</span><span class="p">:</span><span class="m">9142</span><span class="w"> </span><span class="c"># make the REVA gateway accessible to the app drivers</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># email server (if configured)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">NOTIFICATIONS_SMTP_HOST</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;xxxxxx&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">NOTIFICATIONS_SMTP_PORT</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;xxxx&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">NOTIFICATIONS_SMTP_SENDER</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;xxxxx&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">NOTIFICATIONS_SMTP_USERNAME</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;xxxxxxxx&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">NOTIFICATIONS_SMTP_INSECURE</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;xxxxxxx&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># PROXY_TLS is set to &#34;false&#34;, the download url has no https</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">STORAGE_USERS_DATA_GATEWAY_URL</span><span class="p">:</span><span class="w"> </span><span class="l">http://ocis:9200/data</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># separate directory for thumbnails</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">THUMBNAILS_FILESYSTEMSTORAGE_ROOT</span><span class="p">:</span><span class="w"> </span><span class="l">/var/lib/ocis-thumbnails</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./ocis-config:/etc/ocis</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./ocis-data:/var/lib/ocis</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./thumbnails:/var/lib/ocis-thumbnails</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">logging</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">driver</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;local&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">restart</span><span class="p">:</span><span class="w"> </span><span class="l">always</span></span></span></code></pre></td></tr></table> </div> </div><p>This is the basic setup for OCIS running on port 9200, with a separate directory for thumbnails (useful for speeding up thumbnail loading by storing them on an SSD) and override for the admin password.</p> <p>You need a reverse proxy for this to work properly, you could use Caddy or Nginx for this.</p> <p>This includes all the basic ownCloud services, you could just continue to use it like this if you feel it&rsquo;s adequate for your use case.</p> <p>But you could add a few bells and whistles to your instance by adding a few optional services:</p> <h2 id="enable-full-text-search">Enable full text search </h2><p>By default the text search in OCIS only indexes file and folder names and the content of raw and Markdown text files. You can enable Full text search by adding Apache Tika, which will use OCR to read PDF file content and auto-detect its language (<a class="link" href="https://www.javatpoint.com/tika-language-detection" target="_blank" rel="noopener" >list of supported languages</a>) to build a search index of file contents.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ocis</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span><span class="c">#add this to your yaml file!</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># better fulltext search</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">SEARCH_EXTRACTOR_TYPE</span><span class="p">:</span><span class="w"> </span><span class="l">tika</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">SEARCH_EXTRACTOR_TIKA_TIKA_URL</span><span class="p">:</span><span class="w"> </span><span class="l">http://tika:9998</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">FRONTEND_FULL_TEXT_SEARCH_ENABLED</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># better full text search</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tika</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">apache/tika:latest-full</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">restart</span><span class="p">:</span><span class="w"> </span><span class="l">always</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># command: apt update &amp;&amp; apt install tesseract-ocr-xxx -y add additional languages (only works if Tika supports auto-detection for that language)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">logging</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">driver</span><span class="p">:</span><span class="w"> </span><span class="l">local</span></span></span></code></pre></td></tr></table> </div> </div><p>This is a partial compose file, you should add the environment variables to the OCIS template at the start of the article and the Tika container.</p> <h2 id="automatic-anti-virus-scanning">Automatic anti virus scanning </h2><p>If you don&rsquo;t like viruses casually hanging up with your files on your server, you can enable the antivirus service using ClamAV as an antivirus scanner.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ocis</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enviroment</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># ClamAV setup</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ANTIVIRUS_SCANNER_TYPE</span><span class="p">:</span><span class="w"> </span><span class="l">clamav</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ANTIVIRUS_INFECTED_FILE_HANDLING</span><span class="p">:</span><span class="w"> </span><span class="l">delete</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ANTIVIRUS_CLAMAV_SOCKET</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/var/run/clamav/clamd.sock&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># enable the antivirus service</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">OCIS_ADD_RUN_SERVICES</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;antivirus&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># configure the antivirus service</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">POSTPROCESSING_STEPS</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;virusscan&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">clamav-socket:/var/run/clamav</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">clamav</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">clamav/clamav:latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">container_name</span><span class="p">:</span><span class="w"> </span><span class="l">clamav</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># restart: always</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># ports:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># - &#39;127.0.0.1:3310:3310&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./clamav:/var/lib/clamav</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">clamav-socket:/tmp</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="l">clamav-socket:</span></span></span></code></pre></td></tr></table> </div> </div><h2 id="online-office">Online office </h2><p>One of the latest features in OCIS 6 is the addition of support for online office suites like Collabora (Libreoffice) and OnlyOffice.</p> <p>However, OCIS 6 is a rolling release, which doesn&rsquo;t enjoy full production support and is intended for &ldquo;Early adopters&rdquo;.</p> <p>So you will have to switch to the rolling release for this:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ocis</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">owncloud/ocis-rolling:latest</span><span class="w"> </span><span class="c"># use OCIS-rolling releases</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enviroment</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">NATS_NATS_HOST</span><span class="p">:</span><span class="w"> </span><span class="m">0.0.0.0</span><span class="w"> </span><span class="c"># make NATS accessible to ocis-collaboration</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">NATS_NATS_PORT</span><span class="p">:</span><span class="w"> </span><span class="m">9233</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># make collabora the secure view app</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR</span><span class="p">:</span><span class="w"> </span><span class="l">com.owncloud.api.collaboration.Collabora</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># fix CSP for collabora</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">PROXY_CSP_CONFIG_FILE_LOCATION</span><span class="p">:</span><span class="w"> </span><span class="l">/etc/ocis/csp.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./csp.yaml:/etc/ocis/csp.yaml</span><span class="w"> </span><span class="c"># modifiy CSP policy to allow loading of Collabora in OCIS web ui</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># the collaboration service isn&#39;t included in the embedded supervisor and needs to be run separately</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ocis-collaboration</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">owncloud/ocis-rolling:latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">user</span><span class="p">:</span><span class="w"> </span><span class="m">1000</span><span class="p">:</span><span class="m">1000</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">restart</span><span class="p">:</span><span class="w"> </span><span class="l">always</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="m">127.0.0.1</span><span class="p">:</span><span class="m">9300</span><span class="p">:</span><span class="m">9300</span><span class="w"> </span><span class="c">#woopi server port</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">depends_on</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ocis</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">condition</span><span class="p">:</span><span class="w"> </span><span class="l">service_started</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">collabora</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">condition</span><span class="p">:</span><span class="w"> </span><span class="l">service_healthy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">entrypoint</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">/bin/sh</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">command</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">&#34;-c&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;ocis collaboration server&#34;</span><span class="w"> </span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">COLLABORATION_GRPC_ADDR</span><span class="p">:</span><span class="w"> </span><span class="m">0.0.0.0</span><span class="p">:</span><span class="m">9301</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">COLLABORATION_HTTP_ADDR</span><span class="p">:</span><span class="w"> </span><span class="m">0.0.0.0</span><span class="p">:</span><span class="m">9300</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">MICRO_REGISTRY</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;nats-js-kv&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">MICRO_REGISTRY_ADDRESS</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;ocis:9233&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">COLLABORATION_WOPI_SRC</span><span class="p">:</span><span class="w"> </span><span class="l">https://wopiserver.owncloud.yourdomain.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">COLLABORATION_APP_NAME</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Collabora&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">COLLABORATION_APP_ADDR</span><span class="p">:</span><span class="w"> </span><span class="l">https://collabora.owncloud.yourdomain.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">COLLABORATION_APP_ICON</span><span class="p">:</span><span class="w"> </span><span class="l">https://collabora.owncloud.yourdomain.com/favicon.ico</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># COLLABORATION_APP_INSECURE: true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># COLLABORATION_CS3API_DATAGATEWAY_INSECURE: true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">COLLABORATION_LOG_LEVEL</span><span class="p">:</span><span class="w"> </span><span class="l">${LOG_LEVEL:-info}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./ocis-config:/etc/ocis</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">logging</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">driver</span><span class="p">:</span><span class="w"> </span><span class="l">local</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">collabora</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">collabora/code:24.04.5.1.1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="m">127.0.0.1</span><span class="p">:</span><span class="m">9980</span><span class="p">:</span><span class="m">9980</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">aliasgroup1</span><span class="p">:</span><span class="w"> </span><span class="l">https://wopiserver.owncloud.yourdomain.com:443</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">DONT_GEN_SSL_CERT</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;YES&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">extra_params</span><span class="p">:</span><span class="w"> </span>--<span class="l">o:ssl.enable=false --o:ssl.termination=true --o:welcome.enable=false --o:net.frame_ancestors=owncloud.yourdomain.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">username</span><span class="p">:</span><span class="w"> </span><span class="l">admin</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">password</span><span class="p">:</span><span class="w"> </span><span class="l">admin</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cap_add</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">MKNOD</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">logging</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">driver</span><span class="p">:</span><span class="w"> </span><span class="l">local</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">restart</span><span class="p">:</span><span class="w"> </span><span class="l">always</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">command</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;bash&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;-c&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;coolconfig generate-proof-key ; /start-collabora-online.sh&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">healthcheck</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">test</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">&#34;CMD&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;curl&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;-f&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;http://localhost:9980/hosting/discovery&#34;</span><span class="w"> </span><span class="p">]</span></span></span></code></pre></td></tr></table> </div> </div><p>This adds two services which need to be reverse proxied, the OCIS-collaboration service which exposes port 9300 for wopiserver and Collabora which uses port 9980.</p> <p><strong>However, this is not all</strong>, we have to also modify the content security policy of ownCloud to allow Libreoffice to load inside ownCloud&rsquo;s web interface.</p> <p>Create a csp.yaml file and use the <a class="link" href="https://github.com/owncloud/ocis/blob/master/deployments/examples/ocis_full/config/ocis/csp.yaml" target="_blank" rel="noopener" >template</a> prepared from ownCloud to modify the CSP policy accordingly, make sure to replace <code>https://${COLLABORA_DOMAIN|collabora.owncloud.test}/'</code> with the public URL of your Collabora server.</p> <p>That should be it! You now have an OCIS server ready for small production use in your Homelab!</p> <p>There are other services I didn&rsquo;t cover like the import service to make it easier to import files from other cloud providers. You can find more templates under the <a class="link" href="https://github.com/owncloud/ocis/tree/master/deployments/examples/ocis_full" target="_blank" rel="noopener" >ocis_full</a> directory in ownCloud&rsquo;s OCIS repo.</p> <p>It&rsquo;s a bit oddly organized, but each yml file is a docker-compose template, named under the service it adds. You start with OCIS.yml and the other files are the things you have to add to enable the service. Under the config directory you will find all the additional files used in the docker compose templates.</p> <h2 id="sources">sources </h2><p><a class="link" href="https://github.com/owncloud/ocis/tree/master/deployments/examples/ocis_full" target="_blank" rel="noopener" >https://github.com/owncloud/ocis/tree/master/deployments/examples/ocis_full</a></p> <p><a class="link" href="https://doc.owncloud.com/ocis/next/deployment/services/services.html" target="_blank" rel="noopener" >https://doc.owncloud.com/ocis/next/deployment/services/services.html</a></p> <p><a class="link" href="https://doc.owncloud.com/ocis/next/deployment/general/general-info.html#infinite-scale-supervised-services" target="_blank" rel="noopener" >https://doc.owncloud.com/ocis/next/deployment/general/general-info.html#infinite-scale-supervised-services</a></p>How to Make Your Linux Home Server Accessible on the Internet Without Port Forwardinghttps://fariszr.com/home-server-access-without-port-forwarding/Tue, 28 May 2024 00:00:00 +0000https://fariszr.com/home-server-access-without-port-forwarding/<img src="https://fariszr.com/home-server-access-without-port-forwarding/thumbnail.jpg" alt="Featured image of post How to Make Your Linux Home Server Accessible on the Internet Without Port Forwarding" /><p>If you want to make your home server accessible on the Internet but can&rsquo;t use port forwarding (if you are behind CGNAT for example) or just aren&rsquo;t comfortable having your home IP public, there are a few ways to do it.</p> <p>You could just use Cloudflared, it is free, easy to set up and gives you some security protection through Cloudflare&rsquo;s WAF. However, Cloudflare is a reverse proxy, meaning that your connection is decrypted, analyzed and then re-encrypted back to its origin, it also has specific T&amp;S limits.</p> <p>Herein comes <a class="link" href="https://github.com/rapiz1/rathole" target="_blank" rel="noopener" >Rathole</a>, it&rsquo;s a small standalone program written in Rust, it&rsquo;s basically a simple TCP proxy, it doesn&rsquo;t decrypt anything, it just forwards TCP traffic from one host to another using NAT traversal to avoid the need to port-forward anything.</p> <p>You just need a server with a public IP to tunnel TCP traffic back to your home server.</p> <p>I am going to use it to proxy Caddy, the reverse proxy I use on my home server, without MITMing any connections.</p> <h2 id="installing-rathole">Installing Rathole </h2><p>Rathole is a self-contained package, just download the one that&rsquo;s compiled for your platform and run it from <a class="link" href="https://github.com/rapiz1/rathole/releases" target="_blank" rel="noopener" >GitHub</a>. You can also run it in a <a class="link" href="https://hub.docker.com/r/rapiz1/rathole" target="_blank" rel="noopener" >container</a>.</p> <p>This will be split into two parts, as Rathole needs to run on your home server and on the server with a static IP.</p> <h3 id="public-server-docker-composeyml">Public server docker-compose.yml </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rathole</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">rapiz1/rathole</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">stdin_open</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tty</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="m">8080</span><span class="p">:</span><span class="m">8080</span><span class="w"> </span><span class="c"># api port</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="m">443</span><span class="p">:</span><span class="m">443</span><span class="w"> </span><span class="c"># forwarded port</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./rathole/config.toml:/app/config.toml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">command</span><span class="p">:</span><span class="w"> </span>--<span class="l">server /app/config.toml</span></span></span></code></pre></td></tr></table> </div> </div><h2 id="rathole-sever-config">Rathole sever Config </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-toml" data-lang="toml"><span class="line"><span class="cl"><span class="c"># server.toml</span> </span></span><span class="line"><span class="cl"><span class="p">[</span><span class="nx">server</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nx">bind_addr</span> <span class="p">=</span> <span class="s2">&#34;0.0.0.0:8080&#34;</span> <span class="c"># `8080` specifies the port that rathole listens for clients</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="p">[</span><span class="nx">server</span><span class="p">.</span><span class="nx">services</span><span class="p">.</span><span class="nx">home-proxy</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nx">token</span> <span class="p">=</span> <span class="s2">&#34;your_very_secure_shared_token&#34;</span> <span class="c"># Shared value between the client(your home server) and the server(the VPS)</span> </span></span><span class="line"><span class="cl"><span class="nx">bind_addr</span> <span class="p">=</span> <span class="s2">&#34;0.0.0.0:443&#34;</span> <span class="c"># port on the vps routing traffic to your home server &#34;the client&#34;</span></span></span></code></pre></td></tr></table> </div> </div><h3 id="home-server-docker-setup">Home server docker setup </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># assuming your webserver is connected to a shared docker network called web</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">networks</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">web</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">external</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rathole</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">stdin_open</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tty</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">/home/lammah/rathole/config.toml:/app/config.toml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">rapiz1/rathole</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">command</span><span class="p">:</span><span class="w"> </span>--<span class="l">client /app/config.toml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">networks</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">web</span></span></span></code></pre></td></tr></table> </div> </div><h3 id="home-server-rathole-config">Home server Rathole Config </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-toml" data-lang="toml"><span class="line"><span class="cl"><span class="c"># client.toml</span> </span></span><span class="line"><span class="cl"><span class="p">[</span><span class="nx">client</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nx">remote_addr</span> <span class="p">=</span> <span class="s2">&#34;yourservers-ip-or-domain:8080&#34;</span> <span class="c"># The address of the server. The port must be the same with the port in `server.bind_addr`</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="p">[</span><span class="nx">client</span><span class="p">.</span><span class="nx">services</span><span class="p">.</span><span class="nx">home-proxy</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nx">token</span> <span class="p">=</span> <span class="s2">&#34;your_very_secure_shared_token&#34;</span> <span class="c"># Must be the same one on the server to pass the validation</span> </span></span><span class="line"><span class="cl"><span class="nx">local_addr</span> <span class="p">=</span> <span class="s2">&#34;caddy:443&#34;</span> <span class="c"># The address of the service that needs to be forwarded</span></span></span></code></pre></td></tr></table> </div> </div><p>Just start them both and you should be up and running! You will also need to make sure that the domains are pointing to the VPS correctly so that HTTPS and applications work as expected.</p> <h2 id="source-ip">Source IP </h2><p>There is one caveat though, and it&rsquo;s kind of a big one, the source IP for all connections will be set to 127.0.0.1. That&rsquo;s a big problem if you want to protect your applications from DOS or endless login attempts.</p> <p>There is a solution, however, the PROXY protocol</p> <h2 id="forward-source-ip-with-proxy-protocol-in-rathole">Forward source IP with PROXY protocol in Rathole </h2><p>The proxy protocol is a protocol that allows you to forward the source IP without needing too much computation.</p> <p>Both the TCP proxy and the upstream application must support the PROXY protocol for this to work. Caddy supports the PROXY protocol, as a <a class="link" href="https://caddyserver.com/docs/json/apps/http/servers/listener_wrappers/proxy_protocol/" target="_blank" rel="noopener" >client</a> and as a <a class="link" href="https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#the-http-transport" target="_blank" rel="noopener" >proxy</a>.</p> <p>There is an open <a class="link" href="https://github.com/rapiz1/rathole/pull/352" target="_blank" rel="noopener" >PR</a> for Rathole which adds support for the PROXY protocol. You can use my <a class="link" href="https://github.com/FZR-forks/rathole-proxy_protocol/pkgs/container/rathole-proxy_protocol" target="_blank" rel="noopener" >docker image</a> to use the version with PROXY protocol support, or just build it locally.</p> <p>Just use the same Configs as before, while adding <code>enable_proxy_protocol = true</code> under the <code>[server.services.home-proxy]</code> block. Make sure that the web server/app you&rsquo;re tunneling to supports the PROXY protocol and that it&rsquo;s set up correctly.</p> <p>Now you should be able to get the correct source IP even with a TCP tunnel in between!</p>Redirect URL paths on Cloudflare pages for freehttps://fariszr.com/redirect-url-path-free-cloudflare-pages/Sat, 27 Apr 2024 00:00:00 +0000https://fariszr.com/redirect-url-path-free-cloudflare-pages/<img src="https://fariszr.com/redirect-url-path-free-cloudflare-pages/thumbnail.jpg" alt="Featured image of post Redirect URL paths on Cloudflare pages for free" /><p>If you need to do an HTTP redirect for anything while using Cloudflare the first idea that comes to mind will be just to use Redirect Rules, however, if your goal is to redirect a path, like <code>/old/*</code> to <code>/new/*</code>, you actually can&rsquo;t do that in the free plan, as <code>regex_replace</code> requires at least a PRO subscription.</p> <p>Luckily this blog is hosted on Cloudflare pages, which has its own <a class="link" href="https://developers.cloudflare.com/pages/configuration/redirects/" target="_blank" rel="noopener" >redirect mechanism</a>, and you can do such redirects without needing a pro subscription.</p> <h2 id="using-the-_redirects-file">using the _redirects file </h2><p>you just need to create file called _redirects, which needs to be included in the final directory uploaded to Cloudflare pages. There are multiple site generator dependent ways to do this, I just add it manually in GitHub Actions after the site generation step.</p> <h3 id="using-splats">Using Splats </h3><p>The easiest way to do this is just using splats, a Splat is everything that is matched when using <code>*</code> after a path.</p> <p>_redirects</p> <pre><code>/old/* /new/:splat 301</code></pre><h3 id="using-placeholders">using Placeholders </h3><p>Placeholders are another option, they do the same thing, but look cleaner I guess.</p> <p>However, they have some specific <a class="link" href="https://developers.cloudflare.com/pages/configuration/redirects/#placeholders" target="_blank" rel="noopener" >limitations</a>, so stick to splats when possible.</p> <p>_redirects</p> <pre><code>/movies/:title /media/:title 302</code></pre><h2 id="sources">sources </h2><p><a class="link" href="https://developers.cloudflare.com/pages/configuration/redirects/" target="_blank" rel="noopener" >https://developers.cloudflare.com/pages/configuration/redirects/</a></p> <p><a class="link" href="https://community.cloudflare.com/t/transform-rule-replace-part-of-url/437813" target="_blank" rel="noopener" >https://community.cloudflare.com/t/transform-rule-replace-part-of-url/437813</a></p>Deploy Projects Securely Using Tailscale SSH and GitHub Actionshttps://fariszr.com/deploy-with-tailscale-ssh-github-action/Sun, 31 Mar 2024 00:00:00 +0000https://fariszr.com/deploy-with-tailscale-ssh-github-action/<img src="https://fariszr.com/deploy-with-tailscale-ssh-github-action/thumbnail.jpg" alt="Featured image of post Deploy Projects Securely Using Tailscale SSH and GitHub Actions" /><p>If you want to deploy your project to a server without exposing it or manually managing ssh keys, you can use Tailscale SSH!</p> <p>Here is a quick guide to using my Github action <a class="link" href="https://github.com/FarisZR/tailscale-ssh-deploy" target="_blank" rel="noopener" >tailscale-ssh-deploy</a> to deploy files to a server using Tailscale SSH (not normal ssh).</p> <h3 id="deploying-a-static-site">Deploying a static site </h3><p>For example, we will deploy a Hugo static site using this action</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">on</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">push</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">jobs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">build-and-deploy</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">build and deploy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">checkout</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">actions/checkout@v3</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">fetch-depth</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Setup Hugo</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">peaceiris/actions-hugo@v2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">hugo-version</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;latest&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">extended</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Build</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="l">hugo --minify -v --gc --destination generated</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Setup Tailscale</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">tailscale/github-action@v2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">hostname</span><span class="p">:</span><span class="w"> </span><span class="l">Github-actions</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">oauth-client-id</span><span class="p">:</span><span class="w"> </span><span class="l">${{ secrets.TS_OAUTH_CLIENT_ID }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">oauth-secret</span><span class="p">:</span><span class="w"> </span><span class="l">${{ secrets.TS_OAUTH_SECRET }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tags</span><span class="p">:</span><span class="w"> </span><span class="l">tag:ci</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Start Deployment</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">FarisZR/tailscale-ssh-deploy@v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">remote_host</span><span class="p">:</span><span class="w"> </span><span class="l">USER@LOCAL-IPV4-ADDRESS-TAILSCALE</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">directory</span><span class="p">:</span><span class="w"> </span><span class="l">generated</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">remote_destination</span><span class="p">:</span><span class="w"> </span><span class="l">/var/www/html</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">post_upload_command</span><span class="p">:</span><span class="w"> </span><span class="l">systemctl restart nginx</span></span></span></code></pre></td></tr></table> </div> </div><p>The relevant part for us are the last two actions. First, we set up Tailscale using an Oauth client ID and secret that you generate in the settings page of your Tailnet <a class="link" href="https://tailscale.com/kb/1215/oauth-clients" target="_blank" rel="noopener" >more details</a>.</p> <p>Now make sure you specify the user and use the Tailscale IP address of the server, as I didn&rsquo;t find using MagicDNS hostnames to be very reliable.</p> <p>Then you just define the directory to upload to in <code>directory</code> and where it should be uploaded into <code>remote_destination</code></p> <p>You can use <code>post_upload_command</code> to specify a command to run after a successful upload, as an example I added a command to restart nginx.</p> <p>That should do it! Now you have a workflow that automatically deploys your project to a server without exposing an ssh service or managing ssh keys!</p>Add Missing Linux Packages into WordPress Docker Images Without Rebuildinghttps://fariszr.com/add-missing-packages-wordpress-docker/Thu, 29 Feb 2024 00:00:00 +0000https://fariszr.com/add-missing-packages-wordpress-docker/<img src="https://fariszr.com/add-missing-packages-wordpress-docker/thumbnail.jpg" alt="Featured image of post Add Missing Linux Packages into WordPress Docker Images Without Rebuilding" /><p>If you use WordPress in docker, sometimes you may have some plugins complaining about missing libraries / packages, like for example EWWW image optimizer, that was complaining about missing image libraries.</p> <p>You could of course just rebuild the image, but if you want to avoid that, you could modify the command that runs at start to install the packages you need, and then start the WordPress process:</p> <h2 id="wordpressapache-latest">Wordpress:apache (latest) </h2><p>the default image uses Debian as a base, so we modify the command to update packages lists and then install the packages we need, and after that WordPress Entrypoint should get triggered.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-diff" data-lang="diff"><span class="line"><span class="cl">services: </span></span><span class="line"><span class="cl"> wordpress: </span></span><span class="line"><span class="cl"> image: wordpress:apache </span></span><span class="line"><span class="cl"> restart: always </span></span><span class="line"><span class="cl"><span class="gi">+ command: sh -c &#34;apt update &amp;&amp; apt install -y --no-install-recommends xxxxxxx; docker-entrypoint.sh apache2-foreground&#34; </span></span></span><span class="line"><span class="cl"><span class="gi"></span> environment: </span></span><span class="line"><span class="cl"> WORDPRESS_DB_HOST: mariadb </span></span><span class="line"><span class="cl"> WORDPRESS_DB_USER: xxxx </span></span><span class="line"><span class="cl"> WORDPRESS_DB_NAME: wordpress </span></span><span class="line"><span class="cl"> WORDPRESS_DB_PASSWORD: xxxxx </span></span><span class="line"><span class="cl"> volumes: </span></span><span class="line"><span class="cl"> - html:/var/www/html:rw </span></span></code></pre></td></tr></table> </div> </div><h2 id="wordpressfpm">Wordpress:fpm </h2><p>Basically the same as the default Apache image, with just a different entrypoint command.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-diff" data-lang="diff"><span class="line"><span class="cl">services: </span></span><span class="line"><span class="cl"> wordpress: </span></span><span class="line"><span class="cl"> image: wordpress:fpm-alpine </span></span><span class="line"><span class="cl"> restart: always </span></span><span class="line"><span class="cl"><span class="gi">+ command: sh -c &#34;apt update &amp;&amp; apt install -y --no-install-recommends xxxxxxx; docker-entrypoint.sh php-fpm&#34; </span></span></span><span class="line"><span class="cl"><span class="gi"></span> environment: </span></span><span class="line"><span class="cl"> WORDPRESS_DB_HOST: mariadb </span></span><span class="line"><span class="cl"> WORDPRESS_DB_USER: xxxx </span></span><span class="line"><span class="cl"> WORDPRESS_DB_NAME: wordpress </span></span><span class="line"><span class="cl"> WORDPRESS_DB_PASSWORD: xxxxx </span></span><span class="line"><span class="cl"> volumes: </span></span><span class="line"><span class="cl"> - html:/var/www/html:rw </span></span></code></pre></td></tr></table> </div> </div><h2 id="wordpressfpm-alpine">Wordpress:fpm-alpine </h2><p>As the tag implies, this image uses Alpine as a base, here we have to use apk, the package manager for alpine.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-diff" data-lang="diff"><span class="line"><span class="cl">services: </span></span><span class="line"><span class="cl"> wordpress: </span></span><span class="line"><span class="cl"> image: wordpress:fpm-alpine </span></span><span class="line"><span class="cl"> restart: always </span></span><span class="line"><span class="cl"><span class="gi">+ command: sh -c &#34;apk add xx xx xx; docker-entrypoint.sh php-fpm&#34; </span></span></span><span class="line"><span class="cl"><span class="gi"></span> environment: </span></span><span class="line"><span class="cl"> WORDPRESS_DB_HOST: mariadb </span></span><span class="line"><span class="cl"> WORDPRESS_DB_USER: xxxx </span></span><span class="line"><span class="cl"> WORDPRESS_DB_NAME: wordpress </span></span><span class="line"><span class="cl"> WORDPRESS_DB_PASSWORD: xxxxx </span></span><span class="line"><span class="cl"> volumes: </span></span><span class="line"><span class="cl"> - html:/var/www/html:rw </span></span></code></pre></td></tr></table> </div> </div><p>And now you should have the packages you need without needing to rebuild the image manually on every update!</p>Set up scheduled Debian/Ubuntu unattended upgradeshttps://fariszr.com/setup-scheduled-debian-ubuntu-unattended-upgrades/Wed, 31 Jan 2024 00:00:00 +0000https://fariszr.com/setup-scheduled-debian-ubuntu-unattended-upgrades/<img src="https://fariszr.com/setup-scheduled-debian-ubuntu-unattended-upgrades/thumbnail.jpg" alt="Featured image of post Set up scheduled Debian/Ubuntu unattended upgrades" /><p>When you run a server that relies on containers for almost everything, keeping the system up to date has almost zero chance of breaking anything.</p> <p>So here is a quick guide to setting up automatic updates on a fixed schedule + automatic reboots for kernel updates (optional)</p> <h2 id="installing-unattended-upgrades">installing unattended-upgrades </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo apt update </span></span><span class="line"><span class="cl">sudo apt install unattended-upgrades</span></span></code></pre></td></tr></table> </div> </div><h2 id="configuring-unattended-upgrades">Configuring Unattended-upgrades </h2><p>Depending on what kind of updates you feel comfortable applying, you can customize the source repository as you like.</p> <h3 id="allow-security-updates-only">allow security updates only </h3><p>This is actually the default configuration for unattended-upgrades</p> <p>/etc/apt/apt.conf.d/50unattended-upgrades</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">// &#34;origin=Debian,codename=${distro_codename}-updates&#34;; </span></span><span class="line"><span class="cl">// &#34;origin=Debian,codename=${distro_codename}-proposed-updates&#34;; </span></span><span class="line"><span class="cl"> &#34;origin=Debian,codename=${distro_codename},label=Debian&#34;; </span></span><span class="line"><span class="cl"> &#34;origin=Debian,codename=${distro_codename},label=Debian-Security&#34;; </span></span><span class="line"><span class="cl"> &#34;origin=Debian,codename=${distro_codename}-security,label=Debian-Security&#34;;</span></span></code></pre></td></tr></table> </div> </div><h3 id="allow-all-updates">allow all updates </h3><p>/etc/apt/apt.conf.d/50unattended-upgrades</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> &#34;origin=Debian,codename=${distro_codename}-updates&#34;; </span></span><span class="line"><span class="cl">// &#34;origin=Debian,codename=${distro_codename}-proposed-updates&#34;; </span></span><span class="line"><span class="cl"> &#34;origin=Debian,codename=${distro_codename},label=Debian&#34;; </span></span><span class="line"><span class="cl"> &#34;origin=Debian,codename=${distro_codename},label=Debian-Security&#34;; </span></span><span class="line"><span class="cl"> &#34;origin=Debian,codename=${distro_codename}-security,label=Debian-Security&#34;;</span></span></code></pre></td></tr></table> </div> </div><h3 id="additional-repositories">Additional repositories </h3><p>You can also automate the update for additional repositories such as Docker&rsquo;s official repositories.</p> <p>First, go to <code>/var/lib/apt/lists/</code> and find the Docker repos filename. In this file you should find something like</p> <pre><code>label: Docker CE Origin: Docker Suite: bookworm</code></pre><p>For us, the most important details here are <strong>origin</strong> and <strong>suite</strong>, as suite is the archive that unattended-upgrades needs to specify which version to use.</p> <p>To add the docker repository, create a new line under the Distro&rsquo;s repos in <code>/etc/apt/apt.conf.d/50unattended-upgrades' with the following format </code>&quot;<!-- raw HTML omitted -->:<!-- raw HTML omitted -->&quot;;`</p> <p>so in our case it would be <code>&quot;Docker:bookworm&quot;;</code>, but what if we don&rsquo;t want to update this every time the system is upgraded? then you use the <code>${distro_codename}</code> variable.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">&#34;Docker:${distro_codename}&#34;;</span></span></code></pre></td></tr></table> </div> </div><p>and now unattended upgrades should automatically update packages from the docker repos!</p> <h2 id="enable-automatic-reboot-for-kernel-upgrades">Enable automatic reboot for kernel upgrades </h2><p>If you can tolerate a little downtime, you can also automate system reboots for kernel upgrades</p> <p>by changing the following settings</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">// Unattended-Upgrade::Automatic-Reboot &#34;false</span></span></code></pre></td></tr></table> </div> </div><p>to</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">Unattended-Upgrade::Automatic-Reboot &#34;true&#34;;</span></span></code></pre></td></tr></table> </div> </div><p>And you can change the reboot time by changing the default `02:00&rsquo; to any time you like (in the local server timezone). <strong>REMEMBER TO UNCOMMENT THE SETTING (remove the // and the spaces)</strong>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">Unattended-Upgrade::Automatic-Reboot-Time &#34;22:00&#34;;</span></span></code></pre></td></tr></table> </div> </div><h2 id="setting-up-timers">Setting up timers </h2><p>We will set two timers, one to update apt&rsquo;s local repo cache and one to apply the updates.</p> <h3 id="apt-update-timer">Apt update timer </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo systemctl edit apt-daily.timer</span></span></code></pre></td></tr></table> </div> </div><p>then add the following in the space between systemd comments (assuming you want to update apt lists at 00:55 server time every day)</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">[Timer] </span></span><span class="line"><span class="cl">OnCalendar </span></span><span class="line"><span class="cl">OnCalendar=00:55 </span></span><span class="line"><span class="cl">RandomizedDelaySec=0</span></span></code></pre></td></tr></table> </div> </div><p>and then you should restart the service and check the status of the timer, it should show the next trigger time</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo systemctl restart apt-daily.timer </span></span><span class="line"><span class="cl">sudo systemctl status apt-daily.timer</span></span></code></pre></td></tr></table> </div> </div><h3 id="apt-upgrade-timer">Apt upgrade timer </h3><p>This is very similar to setting the update timer, we just need to make sure it&rsquo;s <strong>after</strong> the update job so we can apply the latest updates as they are released.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo systemctl edit apt-daily-upgrade.timer</span></span></code></pre></td></tr></table> </div> </div><p>Again, in the blank space, add the following timer settings (to apply updates at 01:00 server time every day)</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">[Timer] </span></span><span class="line"><span class="cl">OnCalendar </span></span><span class="line"><span class="cl">OnCalendar=01:00 </span></span><span class="line"><span class="cl">RandomizedDelaySec=0</span></span></code></pre></td></tr></table> </div> </div><p>and then you should restart the service and check the status of the timer, it should show the next trigger time</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo systemctl restart apt-daily-upgrade.timer </span></span><span class="line"><span class="cl">sudo systemctl status apt-daily-upgrade.timer</span></span></code></pre></td></tr></table> </div> </div><p>and now you have fully automated updates for your entire system!</p> <h2 id="sources">Sources </h2><p><a class="link" href="https://askubuntu.com/questions/87849/how-to-enable-silent-automatic-updates-for-any-repository" target="_blank" rel="noopener" >https://askubuntu.com/questions/87849/how-to-enable-silent-automatic-updates-for-any-repository</a></p> <p><a class="link" href="https://wiki.debian.org/StableProposedUpdates" target="_blank" rel="noopener" >https://wiki.debian.org/StableProposedUpdates</a></p> <p><a class="link" href="https://linuxiac.com/how-to-set-up-automatic-updates-on-debian/" target="_blank" rel="noopener" >https://linuxiac.com/how-to-set-up-automatic-updates-on-debian/</a></p>Scheduling Docker jobs without cronhttps://fariszr.com/scheduling-docker-jobs-without-cron/Wed, 27 Dec 2023 00:00:00 +0000https://fariszr.com/scheduling-docker-jobs-without-cron/<img src="https://fariszr.com/scheduling-docker-jobs-without-cron/thumbnail.jpg" alt="Featured image of post Scheduling Docker jobs without cron" /><p>Sometimes you need to automate some things in Docker containers, run a script or check a result online, and I honestly dread dealing with cron to do it.</p> <p>That&rsquo;s where <a class="link" href="https://github.com/mcuadros/ofelia" target="_blank" rel="noopener" >Ofelia</a> comes in! It&rsquo;s a modern scheduler built from the ground up for Docker, and it interacts directly with the Docker socket to run a container, run a script in a specific container, or even on the host!</p> <h2 id="usage-with-labels">Usage with labels </h2><p>I wanted to run a script to update data in a JSON file. You can configure Ofelia in several ways, but I think by far the easiest is to just use docker labels with compose.</p> <p>Labels are structured like this: <code>ofelia.&lt;JOB_TYPE&gt;.&lt;JOB_NAME&gt;.&lt;JOB_PARAMETER&gt;=&lt;PARAMETER_VALUE&gt;</code> &lt;JOB_TYPE&gt;:</p> <blockquote> <ul> <li>job-exec: this job is executed inside of a running container.</li> <li>job-run: runs a command inside of a new container, using a specific image.</li> <li>job-local: runs the command inside of the host running ofelia.</li> <li>job-service-run: runs the command inside a new &ldquo;run-once&rdquo; service, for running inside a swarm</li> </ul> </blockquote> <p>Available parameters for each job type <a class="link" href="https://github.com/mcuadros/ofelia/blob/master/docs/jobs.md" target="_blank" rel="noopener" >here</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ofelia</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">mcuadros/ofelia:latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">command</span><span class="p">:</span><span class="w"> </span><span class="l">daemon --docker</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">/var/run/docker.sock:/var/run/docker.sock:ro</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">file.json:/src/file.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">update_json_file.sh:/update_json_file.sh:ro</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ofelia.job-local.update_json_file.schedule</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;@every 24h&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ofelia.job-local.update_json_file.command</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;/bin/sh -c &#34;apk add curl jq &amp;&amp; sh /update_json_file.sh /src/file.json&#34;&#39;</span></span></span></code></pre></td></tr></table> </div> </div><p>Let me explain the setup here. First we have <code>daemon --docker</code> as command, because adding <code>--docker</code> allows us to use labels as configuration, you don&rsquo;t have to do that, you can also use an <a class="link" href="https://github.com/mcuadros/ofelia?tab=readme-ov-file#ini-style-config" target="_blank" rel="noopener" >INI structured</a> file as config.</p> <p>And since it&rsquo;s running inside a container, and it needs access to docker to start containers and run commands, in addition to reading container labels, we also mount the docker socket at <code>/var/run/docker.sock</code>.</p> <p>Then in the labels I defined a job to run every 24h, and the command is <code>/bin/sh -c &quot;apk add curl jq &amp;&amp; sh /update_json_file.sh /src/file.json&quot;</code> I had to manually open a shell with <code>/bin/sh -c</code> to use <code>&amp;&amp;</code> and run multiple commands.</p> <p>And that&rsquo;s it! You now have an automated Docker container without having to fiddle with cron!</p>Purge remote media cache in Matrix Synapsehttps://fariszr.com/clear-remote-media-cache-matrix-synapse/Thu, 28 Sep 2023 00:00:00 +0000https://fariszr.com/clear-remote-media-cache-matrix-synapse/<img src="https://fariszr.com/clear-remote-media-cache-matrix-synapse/thumbnail.jpg" alt="Featured image of post Purge remote media cache in Matrix Synapse" /><p>Using the Purge Remote Media API, we can send a POST request to delete all cached remote media before a certain time:</p> <p><strong>Your account must be a server admin for this command to work</strong>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">curl -X POST -H <span class="s2">&#34;Authorization: Bearer </span><span class="nv">$ADMIN_ACCESS_TOKEN</span><span class="s2">&#34;</span> <span class="s2">&#34;https://matrix.org/_synapse/admin/v1/purge_media_cache?before_ts=1672527600000&#34;</span></span></span></code></pre></td></tr></table> </div> </div><p><code>before_ts</code> takes time in UNIX epoch milliseconds, the one in the template is at 2023-01-01 00:00. You can generate one [here] (<a class="link" href="https://currentmillis.com/%29z" target="_blank" rel="noopener" >https://currentmillis.com/)z</a></p> <h2 id="generating-an-access-token">Generating an access token </h2><p>If you don&rsquo;t have an access token, you can also generate one using curl:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">curl -XPOST <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -d <span class="s1">&#39;{&#34;type&#34;:&#34;m.login.password&#34;, &#34;user&#34;:&#34;&lt;userid&gt;&#34;, &#34;password&#34;:&#34;&lt;password&gt;&#34;}&#39;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> <span class="s2">&#34;https://matrix.org/_matrix/client/r0/login&#34;</span></span></span></code></pre></td></tr></table> </div> </div><h2 id="sources">Sources </h2><p><a class="link" href="https://matrix-org.github.io/synapse/latest/admin_api/media_admin_api.html#purge-remote-media-api" target="_blank" rel="noopener" >https://matrix-org.github.io/synapse/latest/admin_api/media_admin_api.html#purge-remote-media-api</a> Bing AI.</p>Setup IPv6 properly on docker (Fix Source IPv6 propagation)https://fariszr.com/docker-ipv6-setup-with-propagation/Tue, 26 Sep 2023 00:00:00 +0000https://fariszr.com/docker-ipv6-setup-with-propagation/<img src="https://fariszr.com/docker-ipv6-setup-with-propagation/thumbnail.jpeg" alt="Featured image of post Setup IPv6 properly on docker (Fix Source IPv6 propagation)" /><p>If you&rsquo;re wondering why there are a lot of connections coming from your docker gateway right after you enabled IPv6 for your services, you&rsquo;ve come to the right place.</p> <p>Unfortunately, setting up IPv6 support for Docker isn&rsquo;t as simple as setting up a DNS record and exposing the container to all interfaces.</p> <p>If you just expose the container to an IPv6 connection without any additional setup, it will work, but without any IPv6 source propagation, you will get a lot of connections seemingly coming from the Docker gateway (usually starting with 172).</p> <p>The fix for this is to make sure all networks from the bridge network to the internal docker compose networks are IPv6 ready, one network that is IPv4 only will bring the problem back.</p> <h2 id="enable-ipv6-support">Enable IPv6 support </h2><p>/etc/docker/daemon.json</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;experimental&#34;</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;ip6tables&#34;</span><span class="p">:</span> <span class="kc">true</span> </span></span><span class="line"><span class="cl"><span class="p">}</span></span></span></code></pre></td></tr></table> </div> </div><p>This will enable ipv6tables support for Docker, which allows port mapping and network isolation, but requires the experimental flag.</p> <h2 id="enabling-ipv6-on-the-default-bridge-network">Enabling IPv6 on the default bridge network </h2><p>Enabling ipv6 in the config should be enough now, but to make sure all networks are IPv6 enabled, we add IPv6 to the default bridge network.</p> <p>/etc/docker/daemon.json</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;ipv6&#34;</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;fixed-cidr-v6&#34;</span><span class="p">:</span> <span class="s2">&#34;2001:db8:1::/64&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;experimental&#34;</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;ip6tables&#34;</span><span class="p">:</span> <span class="kc">true</span> </span></span><span class="line"><span class="cl"><span class="p">}</span></span></span></code></pre></td></tr></table> </div> </div><h2 id="dynamic-ipv6-subnet-allocation">Dynamic IPv6 Subnet Allocation </h2><p>Now with the previous settings you should be ready to go. However, you will need to manually set a subnet for each network, either within Compose or with <code>docker network create --ipv6 --subnet=xxx $NETWORK_NAME</code>.</p> <p>If you want Docker to automatically allocate subnets, as it does with IPv4, you will need to provide it with a pool.</p> <p>/etc/docker/daemon.json</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;ipv6&#34;</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;fixed-cidr-v6&#34;</span><span class="p">:</span> <span class="s2">&#34;2001:db8:1::/64&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;experimental&#34;</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;ip6tables&#34;</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;default-address-pools&#34;</span><span class="p">:</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> <span class="nt">&#34;base&#34;</span><span class="p">:</span> <span class="s2">&#34;172.17.0.0/16&#34;</span><span class="p">,</span> <span class="nt">&#34;size&#34;</span><span class="p">:</span> <span class="mi">16</span> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> <span class="nt">&#34;base&#34;</span><span class="p">:</span> <span class="s2">&#34;172.18.0.0/16&#34;</span><span class="p">,</span> <span class="nt">&#34;size&#34;</span><span class="p">:</span> <span class="mi">16</span> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> <span class="nt">&#34;base&#34;</span><span class="p">:</span> <span class="s2">&#34;172.19.0.0/16&#34;</span><span class="p">,</span> <span class="nt">&#34;size&#34;</span><span class="p">:</span> <span class="mi">16</span> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> <span class="nt">&#34;base&#34;</span><span class="p">:</span> <span class="s2">&#34;172.20.0.0/14&#34;</span><span class="p">,</span> <span class="nt">&#34;size&#34;</span><span class="p">:</span> <span class="mi">16</span> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> <span class="nt">&#34;base&#34;</span><span class="p">:</span> <span class="s2">&#34;172.24.0.0/14&#34;</span><span class="p">,</span> <span class="nt">&#34;size&#34;</span><span class="p">:</span> <span class="mi">16</span> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> <span class="nt">&#34;base&#34;</span><span class="p">:</span> <span class="s2">&#34;172.28.0.0/14&#34;</span><span class="p">,</span> <span class="nt">&#34;size&#34;</span><span class="p">:</span> <span class="mi">16</span> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> <span class="nt">&#34;base&#34;</span><span class="p">:</span> <span class="s2">&#34;192.168.0.0/16&#34;</span><span class="p">,</span> <span class="nt">&#34;size&#34;</span><span class="p">:</span> <span class="mi">20</span> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> <span class="nt">&#34;base&#34;</span><span class="p">:</span> <span class="s2">&#34;2001:db8::/104&#34;</span><span class="p">,</span> <span class="nt">&#34;size&#34;</span><span class="p">:</span> <span class="mi">112</span> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="p">}</span></span></span></code></pre></td></tr></table> </div> </div><p><code>2001:db8::/104</code> should not be used as a real subnet, it&rsquo;s for documentation purposes only. If you want a local pool, go to <a class="link" href="https://simpledns.plus/private-ipv6" target="_blank" rel="noopener" >simpledns.plus</a> and replace the first two address blocks with those generated by the site.</p> <p>Now restart the docker daemon:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo systemctl restart docker</span></span></code></pre></td></tr></table> </div> </div><h2 id="migrating-existing-containers--docker-compose-projects">Migrating Existing Containers / Docker Compose Projects </h2><p>Restarting the daemon alone won&rsquo;t be enough if you have containers running, especially those inside a Docker Compose project using an internal network.</p> <p>You will need to remove all containers connected to a network other than bridge.</p> <p>If you are using Compose, first delete all containers and their networks (this should&rsquo;t delete volumes):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">docker compose down</span></span></code></pre></td></tr></table> </div> </div><p>Add <code>enable_ipv6: true</code> to all networks, if you didn&rsquo;t define any networks, then you are using the default network, and you should define it and add the option to it:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">networks</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enable_ipv6</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span></span></span></code></pre></td></tr></table> </div> </div><p>Classic docker networks need to be removed and rebuilt with the <code>--IPv6</code> option:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">docker network rm <span class="nv">$NETWORK</span> <span class="o">&amp;&amp;</span> docker network create --ipv6 <span class="nv">$NETWORK</span></span></span></code></pre></td></tr></table> </div> </div><p>Now you should have full IPv6 support with proper IPv6 source IP propagation.</p> <h2 id="testing-the-changes">Testing the changes </h2><p>To make sure it actually works, run a Python container connected to a network you&rsquo;ve created and see if it propagates the address or not:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">docker run -p 8080:8080 --rm -it --network <span class="nv">$NETWORK</span> python:latest python3 -m http.server <span class="m">8080</span> --bind ::</span></span></code></pre></td></tr></table> </div> </div><p>Now just connect to it on port 8080 and see if the IP is displayed correctly.</p> <p>If the source still shows up as a local IPv4 address, just test it with the bridge network:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">docker run -p 8080:8080 --rm -it python:latest python3 -m http.server <span class="m">8080</span> --bind ::</span></span></code></pre></td></tr></table> </div> </div><p>If it works, then the problem is that the network you are using doesn&rsquo;t have IPv6 enabled, if it still doesn&rsquo;t work, make sure the config changes have been applied!</p> <h2 id="sources">sources </h2><p><a class="link" href="https://docs.docker.com/config/daemon/ipv6/" target="_blank" rel="noopener" >https://docs.docker.com/config/daemon/ipv6/</a></p>setup Squid proxy with dockerhttps://fariszr.com/squid-proxy-docker-setup/Tue, 29 Aug 2023 00:00:00 +0000https://fariszr.com/squid-proxy-docker-setup/<img src="https://fariszr.com/squid-proxy-docker-setup/thumbnail.jpeg" alt="Featured image of post setup Squid proxy with docker" /><p>I use proxies very often as a way to do split tunneling on Linux, as easy split-tunneling with WireGuard or OpenVPN isn&rsquo;t there yet.</p> <p>The quickest way to set up anything IMO is with docker, and here is a quick guide for squid proxy setup using the official Ubuntu-squid image, which seems to be the only up-to-date docker image on Docker hub.</p> <h2 id="docker-composeyml">docker-compose.yml </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;3&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">proxy</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu/squid</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;3128:3128&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">TZ=UTC</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./squid.conf:/etc/squid/squid.conf</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">configs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">source</span><span class="p">:</span><span class="w"> </span><span class="l">squid</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"> </span><span class="l">/etc/squid/squid.conf</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">configs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">squid</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">file</span><span class="p">:</span><span class="w"> </span><span class="l">./squid.conf</span></span></span></code></pre></td></tr></table> </div> </div><p>I used configs to prevent any permission issues popping up.</p> <h2 id="squidconf">squid.conf </h2><pre><code>http_port 3128 http_access allow all</code></pre><p>This is a simple setup for a local transparent proxy, it allows all connections, and it doesn&rsquo;t cache or log anything.</p> <h2 id="sources">sources </h2><p><a class="link" href="https://medium.com/setup-a-web-proxy-server-with-docker-d5c6942b5575" target="_blank" rel="noopener" >https://medium.com/setup-a-web-proxy-server-with-docker-d5c6942b5575</a></p> <p><a class="link" href="https://hub.docker.com/r/ubuntu/squid" target="_blank" rel="noopener" >https://hub.docker.com/r/ubuntu/squid</a></p>How to send a matrix message using CURL and an access tokenhttps://fariszr.com/send-matrix-message-curl/Sun, 23 Jul 2023 00:00:00 +0000https://fariszr.com/send-matrix-message-curl/<img src="https://fariszr.com/send-matrix-message-curl/thumbnail.png" alt="Featured image of post How to send a matrix message using CURL and an access token" /><p>Here is a how you can send a simple matrix message with CURL:</p> <pre><code>curl 'https://matrix.org/_matrix/client/r0/rooms/!xxxxxx:example.com/send/m.room.message/?access_token=xxxxxxxx' -X PUT --data '{"msgtype":"m.text","body":"hello world"}'</code></pre><h2 id="generate-an-access-token">generate an access token </h2><p>if you don&rsquo;t have an access token, you can generate one using curl too:</p> <pre><code>curl -XPOST \ -d '{"type":"m.login.password", "user":"<userid>", "password":"<password>"}' \ "https://matrix.org/_matrix/client/r0/login"</code></pre><h2 id="sources">Sources </h2><p><a class="link" href="https://news.ycombinator.com/item?id=19227859" target="_blank" rel="noopener" >https://news.ycombinator.com/item?id=19227859</a> <a class="link" href="https://webapps.stackexchange.com/questions/131056/how-to-get-an-access-token-for-element-riot-matrix" target="_blank" rel="noopener" >https://webapps.stackexchange.com/questions/131056/how-to-get-an-access-token-for-element-riot-matrix</a></p>setup full text search for Nextcloud on dockerhttps://fariszr.com/nextcloud-fulltextsearch-elasticsearch-docker-setup/Thu, 08 Jun 2023 00:00:00 +0000https://fariszr.com/nextcloud-fulltextsearch-elasticsearch-docker-setup/<img src="https://fariszr.com/nextcloud-fulltextsearch-elasticsearch-docker-setup/thumbnail.jpeg" alt="Featured image of post setup full text search for Nextcloud on docker" /><p>Setting up Nextcloud <a class="link" href="https://apps.nextcloud.com/apps/fulltextsearch" target="_blank" rel="noopener" >full-text search</a> isn&rsquo;t very clear, especially with Docker, so in this post I&rsquo;ll explain how to set up full-text search with Elasticsearch and Tesseract using Nextcloud&rsquo;s official Docker images.</p> <h2 id="add-new-tesseract-to-your-nextcloud-container">add new tesseract to your Nextcloud container </h2><p>Normally we would need to create a custom image for this, but fortunately <a class="link" href="https://github.com/nextcloud/docker/issues/1414#issuecomment-884711124" target="_blank" rel="noopener" >modzilla99</a> and <a class="link" href="https://github.com/nextcloud/docker/issues/1414#issuecomment-1008915705" target="_blank" rel="noopener" >Schw3pps</a> have found a way to add additional packages without needing a custom image, by adding a custom command to the container.</p> <h3 id="latestapache-image">latest/apache image </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">command</span><span class="p">:</span><span class="w"> </span><span class="l">sh -c &#34;apt update &amp;&amp; apt-get install -y --no-install-recommends tesseract-ocr tesseract-ocr-eng tesseract-ocr-$(YOUR_THREE_LETTER_LANGUAGE_CODE) &amp;&amp; /entrypoint.sh apache2-foreground&#34;</span></span></span></code></pre></td></tr></table> </div> </div><p><strong>TIP:</strong> if you want to add Cron, you don&rsquo;t need a separate container, just add supervisor</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">command</span><span class="p">:</span><span class="w"> </span><span class="l">sh -c &#34;apt update &amp;&amp; apt-get install -y --no-install-recommends tesseract-ocr tesseract-ocr-eng tesseract-ocr-$(YOUR_THREE_LETTER_LANGUAGE_CODE) &amp;&amp; mkdir -p /var/log/supervisord &amp;&amp; mkdir -p /var/run/supervisord supervisor &amp;&amp; supervisord -c /supervisord.conf&#34;</span></span></span></code></pre></td></tr></table> </div> </div><p>make sure to mount <a class="link" href="https://github.com/nextcloud/docker/blob/master/.examples/dockerfiles/full/apache/supervisord.conf" target="_blank" rel="noopener" >this file</a> at <code>/supervisord.conf</code></p> <h3 id="fpm-alpine-image">fpm-alpine image </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">command</span><span class="p">:</span><span class="w"> </span>-<span class="l">c &#34;apk add --no-cache tesseract-ocr tesseract-ocr-data-eng tesseract-ocr-data-$(YOUR_THREE_LETTER_LANGUAGE_CODE); /entrypoint.sh php-fpm&#34;</span></span></span></code></pre></td></tr></table> </div> </div><p>and if you have a separate Cron container, add this to it:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">command</span><span class="p">:</span><span class="w"> </span>-<span class="l">c &#34;apk add --no-cache tesseract-ocr tesseract-ocr-data-eng tesseract-ocr-data-$(YOUR_THREE_LETTER_LANGUAGE_CODE); /cron.sh&#34;</span></span></span></code></pre></td></tr></table> </div> </div><h2 id="elasticsearch-setup">Elasticsearch setup </h2><h3 id="docker-composeyml">docker-compose.yml </h3><p>Add this to your Nextcloud compose file</p> <p><strong>To avoid any problems, make the Nextcloud container depends on Elasticsearch, to make sure it&rsquo;s started before Nextcloud</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">elasticsearch</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">docker.elastic.co/elasticsearch/elasticsearch:7.17.10</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">networks</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># ports:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># 127.0.0.1:9200:9200 #only needed if you are connecting through a docker network</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">command</span><span class="p">:</span><span class="w"> </span><span class="l">sh -c &#34;bin/elasticsearch-plugin install --batch ingest-attachment; /bin/tini -s /usr/local/bin/docker-entrypoint.sh eswrapper&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">restart</span><span class="p">:</span><span class="w"> </span><span class="l">always</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">discovery.type=single-node</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">bootstrap.memory_lock=true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;ES_JAVA_OPTS=-Xms512m -Xmx2048m&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">user</span><span class="p">:</span><span class="w"> </span><span class="m">1000</span><span class="p">:</span><span class="m">1000</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ulimits</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">memlock</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">soft</span><span class="p">:</span><span class="w"> </span>-<span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">hard</span><span class="p">:</span><span class="w"> </span>-<span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">elasticsearch:/usr/share/elasticsearch/data</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="l">elasticsearch:</span></span></span></code></pre></td></tr></table> </div> </div><p>Using the same trick as before, we can install the <code>ingest-attachment</code> plugin without the need for a custom image. There will be an error when the container is restarted as it tries to install the plugin again, but it should continue to work fine.</p> <h2 id="nextcloud-setup">Nextcloud setup </h2><p>Select Elasticsearch as the search platform, then add the server address. If your language requires a custom tokenizer, feel free to change it. <img src="https://fariszr.com/nextcloud-fulltextsearch-elasticsearch-docker-setup/nextcloud-settings.png" width="735" height="268" srcset="https://fariszr.com/nextcloud-fulltextsearch-elasticsearch-docker-setup/nextcloud-settings_hu5523383922916709850.png 480w, https://fariszr.com/nextcloud-fulltextsearch-elasticsearch-docker-setup/nextcloud-settings_hu18045335696046996515.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="274" data-flex-basis="658px" ></p> <p>The other options below aren&rsquo;t very important and can be configured to your liking.</p> <h2 id="start-indexing">Start indexing! </h2><p>Test setup</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">./occ fulltextsearch:test</span></span></code></pre></td></tr></table> </div> </div><p>index all files</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">./occ fulltextsearch:index</span></span></code></pre></td></tr></table> </div> </div><h2 id="automatic-indexing">automatic indexing </h2><p>The official wiki has a section on using cron for this: <a class="link" href="https://github.com/nextcloud/fulltextsearch/wiki/Basic-Installation#live-index-service" target="_blank" rel="noopener" >https://github.com/nextcloud/fulltextsearch/wiki/Basic-Installation#live-index-service</a></p> <p>But since we are using docker, probably with supervisord added, <a class="link" href="https://github.com/nextcloud/fulltextsearch/issues/671" target="_blank" rel="noopener" >robeatoz</a> has found a way to add <code>fulltextsearch:live</code> to the <a class="link" href="https://github.com/nextcloud/docker/blob/master/.examples/dockerfiles/cron/apache/supervisord.conf" target="_blank" rel="noopener" >supervisord.conf</a> file.</p> <h3 id="fulltextsearchsh">fulltextsearch.sh </h3><p>create a new file called <code>fulltextsearch.sh</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="cp">#!/bin/sh </span></span></span><span class="line"><span class="cl"><span class="cp"></span><span class="c1"># Stop all running indexes</span> </span></span><span class="line"><span class="cl">php /var/www/html/occ fulltextsearch:stop </span></span><span class="line"><span class="cl"><span class="c1"># Start live index</span> </span></span><span class="line"><span class="cl">php /var/www/html/occ fulltextsearch:live </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># More information: https://github.com/nextcloud/fulltextsearch/wiki/Commands</span></span></span></code></pre></td></tr></table> </div> </div><h3 id="supervisordconf">supervisord.conf </h3><p>Add this to the end of the file</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">[program:fulltextsearch_index_live] </span></span><span class="line"><span class="cl">stdout_logfile=/dev/stdout </span></span><span class="line"><span class="cl">stdout_logfile_maxbytes=0 </span></span><span class="line"><span class="cl">stderr_logfile=/dev/stderr </span></span><span class="line"><span class="cl">stderr_logfile_maxbytes=0 </span></span><span class="line"><span class="cl">user=www-data </span></span><span class="line"><span class="cl">command=/bin/sh /fulltextsearch.sh</span></span></code></pre></td></tr></table> </div> </div><h3 id="docker-composeyml-1">docker-compose.yml </h3><p>mount <code>fulltextsearch.sh</code> into the container</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">....</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./fulltextsearch.sh:/fulltextsearch:ro</span></span></span></code></pre></td></tr></table> </div> </div><p>And you are done!</p> <h2 id="sources">sources </h2><p><a class="link" href="https://github.com/nextcloud/docker/issues/1724" target="_blank" rel="noopener" >https://github.com/nextcloud/docker/issues/1724</a></p>Did the EU ban JSdelivr and other free CDNs?https://fariszr.com/eu-gdpr-jsdelivr-free-cdn-ban/Tue, 02 May 2023 00:00:00 +0000https://fariszr.com/eu-gdpr-jsdelivr-free-cdn-ban/<img src="https://fariszr.com/eu-gdpr-jsdelivr-free-cdn-ban/thumbnail.jpeg" alt="Featured image of post Did the EU ban JSdelivr and other free CDNs?" /><p>So while I was updating my website, I was thinking about using JSdelivr for my blogs images, the slowest part of my website since it&rsquo;s hosted on a VPS and not on Cloudflare Pages to avoid further internet centralization.</p> <p>But I remembered that a court in Germany recently ruled that using Google Fonts is illegal, does this affect JSdelivr and other public CDNs? Apparently it does.</p> <p><strong>I&rsquo;m not a lawyer, these are just my observations.</strong></p> <h2 id="data-processing-agreements-with-free-cdns">Data processing agreements with free CDNs </h2><p>According to <a class="link" href="https://legalweb.io/en/news-en/cdns-with-gdpr-in-mind/" target="_blank" rel="noopener" >legalweb.io</a>, in order to use a CDN you need to have an data processing agreement, which you don&rsquo;t have with free CDNs, and the data needs to be processed within the EU or a country that is deemed to follow GDPR standards, which is certainly not the U.S.</p> <p>So basically any CDN provider that you don&rsquo;t have an Article 28 GDPR agreement with is illegal, any of the free CDNs like Jsdelivr are banned, that should include <a class="link" href="https://fonts.bunny.net/" target="_blank" rel="noopener" >Bunny fonts</a>!, which was created as a GDPR-friendly alternative to Google Fonts, but since you don&rsquo;t have a DPA with them, it&rsquo;s still probably illegal.</p> <h2 id="legitimate-interest-and-cdns">Legitimate interest and CDNs </h2><p>In that <a class="link" href="https://rewis.io/urteile/urteil/lhm-20-01-2022-3-o-1749320/" target="_blank" rel="noopener" >LG München ruling on Google fonts</a>, it was also mentioned that the website had no legitimate interest in using X fonts (presumably Google fonts), since the website admin could easily host the fonts themselves.</p> <blockquote> <ol start="3"> <li>Es liegt auch kein Rechtfertigungsgrund für den Eingriff in das allgemeine Persönlichkeitsrecht vor. Ein berechtigtes Interesse der Beklagten i.S.d. Art. 6 Abs. 1 f) DS-GVO, wie von ihr behauptet, liegt nicht vor, denn X. Fonts kann durch die Beklagte auch genutzt werden, ohne dass beim Aufruf der Webseite eine Verbindung zu einem X.-Server hergestellt wird und eine Übertragung der IP-Adresse der Webseitennutzer an X. stattfindet.</li> </ol> </blockquote> <p>What about other use cases like video hosting, which is much more bandwidth intensive and benefits a lot from CDNs? the answer won&rsquo;t really matter as all your favourite streaming providers will have their own DPAs with their CDN providers, nobody&rsquo;s giving you a free video CDN!</p> <p>Looks like I&rsquo;ll just stick to hosting my blog images on my free VPS (shout out to Oracle Free Tier), and if I really want to improve the speed of my blog, I should just move to a CDN host like Cloudflare pages.</p> <h2 id="edit-jsdelivr-doesnt-seem-to-agree">EDIT: JSdelivr doesn&rsquo;t seem to agree </h2><p>JSdelivr hired a Law firm to look into this, they don&rsquo;t seem to agree, but that doesn&rsquo;t invalidate other opinions.</p> <blockquote> <p>In conclusion, the ruling that has been so controversial recently does not seem to fully address the factual and technical circumstances of how jsDelivr works, and at this point as a single ruling should not lead to any real concerns about using CDN&rsquo;s services. The arguments for extending to other online services a single ruling strongly emphasizing Google&rsquo;s failure to adequately protect personal data are insufficient and lack substance. <a class="link" href="https://www.jsdelivr.com/blog/how-the-german-courts-ruling-on-google-fonts-affects-jsdelivr-and-why-it-is-safe-to-use/" target="_blank" rel="noopener" >https://www.jsdelivr.com/blog/how-the-german-courts-ruling-on-google-fonts-affects-jsdelivr-and-why-it-is-safe-to-use/</a></p> </blockquote> <h2 id="sources">Sources </h2><p><a class="link" href="https://reddit.com/r/gdpr/comments/sg8sll/no_legitimate_interest_for_using_google_fonts_on/" target="_blank" rel="noopener" >No legitimate interest for using Google Fonts on websites, says German court</a></p> <p><a class="link" href="https://news.ycombinator.com/item?id=35793009" target="_blank" rel="noopener" >Discuss on HN!</a></p>Free Discourse S3 object storage and CDN with Cloudflare R2https://fariszr.com/discourse-s3-object-storage-cdn-cloudflare-r2/Mon, 01 May 2023 00:00:00 +0000https://fariszr.com/discourse-s3-object-storage-cdn-cloudflare-r2/<img src="https://fariszr.com/discourse-s3-object-storage-cdn-cloudflare-r2/thumbnail.jpeg" alt="Featured image of post Free Discourse S3 object storage and CDN with Cloudflare R2" /><p>In the official <a class="link" href="https://meta.discourse.org/t/configure-an-s3-compatible-object-storage-provider-for-uploads/148916" target="_blank" rel="noopener" >discourse S3-compatible object storage setup guide</a>, it mentions that Cloudflare R2 is not supported, because it doesn&rsquo;t handle gzipped files correctly. But Cloudflare fixed this in the <a class="link" href="https://developers.cloudflare.com/r2/reference/changelog/#2023-03-16" target="_blank" rel="noopener" >2023-03-16</a> update, and I tested it, and it works great on <a class="link" href="https://discourse.aosus.org" target="_blank" rel="noopener" >discourse.aosus.org</a>. Even <a class="link" href="https://gist.github.com/csuhta/0001d1bb74200412bc1d7f9e11ec4ea5" target="_blank" rel="noopener" >old broken gzip handling tests</a> work now, so it looks like the problem is solved!</p> <p><del>EDIT: Discourse doesn&rsquo;t use the <a class="link" href="https://meta.discourse.org/t/s3-cdn-url-not-being-used-on-non-image-uploads/175332" target="_blank" rel="noopener" >CDN URL for direct downloads</a>, rather it uses the S3 API link, which doesn&rsquo;t work for Cloudflare R2, so any attachments not embedded in the post won&rsquo;t work</del> You have to enable <strong>Use S3 CDN for all uploads</strong> in the settings.</p> <p>And Cloudflare R2 is free for up to 10GB! (10,000,000 reads, 1,000,000 writes), so for your average discourse forum, its probably not going to cost you anything!</p> <h2 id="setup">setup </h2><p>Follow any pre-environment step in <a class="link" href="https://meta.discourse.org/t/configure-an-s3-compatible-object-storage-provider-for-uploads/148916" target="_blank" rel="noopener" >the official setup guide</a></p> <h2 id="environment-setup">environment setup </h2><pre><code> DISCOURSE_USE_S3: true DISCOURSE_S3_REGION: "us-east-1" #alias to auto #DISCOURSE_S3_INSTALL_CORS_RULE: true #it should be supported DISCOURSE_S3_ENDPOINT: S3_API_URL DISCOURSE_S3_ACCESS_KEY_ID: xxx DISCOURSE_S3_SECRET_ACCESS_KEY: xxxx DISCOURSE_S3_CDN_URL: your cdn url DISCOURSE_S3_BUCKET: BUCKET_NAME DISCOURSE_S3_BACKUP_BUCKET: other-private-bucket #optional DISCOURSE_BACKUP_LOCATION: s3 #optional</code></pre><p>I&rsquo;ve been using it for a month now, and it&rsquo;s working great, no problems and fantastic speed when viewing images. There is one caveat though, you can&rsquo;t configure a separate S3 host for backups and the CF R2 isn&rsquo;t the cheapest for storage.</p>Docker compose Gitops using Github Actionshttps://fariszr.com/docker-compose-gitops-github/Thu, 09 Mar 2023 00:00:00 +0000https://fariszr.com/docker-compose-gitops-github/<img src="https://fariszr.com/docker-compose-gitops-github/thumbnail.jpg" alt="Featured image of post Docker compose Gitops using Github Actions" /><p>So you have heard about how good GitOps is, and how much better it is than having to manage your containers by hand. But almost every time GitOps is mentioned, it means using K8S. But what about the rest of us mere mortals who are still using Docker Compose?</p> <p>That&rsquo;s why I started working on <a class="link" href="https://github.com/FarisZR/docker-compose-gitops-action" target="_blank" rel="noopener" >docker-compose-gitops-action</a>, a GitHub action to do GitOps with Docker compose!, it should cover most edge cases for Docker compose CI deployments, swarm, uploading sidecar files, post-upload shell commands, non-exposed servers like Homelabs and more.</p> <h2 id="server-side-setup">Server side setup </h2><p>The action supports two access modes, SSH and Tailscale SSH. Tailscale SSH is particularly useful for servers behind NAT or without an exposed SSH demon, allowing you to grant SSH access without manually generating keys or exposing the server. Both Tailscale SSH and SSH require a user with access to the Docker socket <strong><a class="link" href="https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user" target="_blank" rel="noopener" >i.e. without the need for sudo</a></strong>. This user can be different from the main user.</p> <h2 id="repo-setup">Repo Setup </h2><p>This action can be used in two ways</p> <h3 id="per-project-directories">Per-project directories </h3><p>In this case, each project/service will have its own directory with sidecar files and docker-compose.yml.</p> <p>This gives you more flexibility in configuring actions for deploying specific directories, so I think this is the way to go. And if there&rsquo;s a small update, you don&rsquo;t have to redeploy the whole repo.</p> <h3 id="single-compose-file">Single compose file </h3><p>If the server is only running a single project, you can put the docker-compose.yml file in the root of the repo and have the action run on every push.</p> <h2 id="setting-up-the-github-action">Setting up the GitHub action </h2><p>Before we can do anything, we need to set up the GitHub secrets for authentication. Mainly SSH private key (PEM format) + public key, or an ephemeral Tailscale API key.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deploy-project</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">on</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">push</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">paths</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s1">&#39;project/**&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s1">&#39;.github/**&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">branches</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">main]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">workflow_dispatch</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">jobs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">deploy</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">if</span><span class="p">:</span><span class="w"> </span><span class="l">github.event_name != &#39;pull_request&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">checkout</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">actions/checkout@v3</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">fetch-depth</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Tailscale</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">tailscale/github-action@ce41a99162202a647a4b24c30c558a567b926709</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">authkey</span><span class="p">:</span><span class="w"> </span><span class="l">${{ secrets.TAILSCALE_AUTHKEY }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">hostname</span><span class="p">:</span><span class="w"> </span><span class="l">Github-actions</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">aosus/docker-compose-gitops-action@v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Remote Deployment</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">remote_docker_host</span><span class="p">:</span><span class="w"> </span><span class="l">root@100.107.201.124</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">args</span><span class="p">:</span><span class="w"> </span>-<span class="l">p project up -d</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tailscale_ssh</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">compose_file_path</span><span class="p">:</span><span class="w"> </span><span class="l">project/docker-compose.yml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">upload_directory</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c">#post_upload_command: touch &#34;upload_command.txt&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">docker_compose_directory</span><span class="p">:</span><span class="w"> </span><span class="l">project</span></span></span></code></pre></td></tr></table> </div> </div><p>Whenever the action file is edited or the project folder is changed on the main branch, this action is triggered. I&rsquo;m using Tailscale SSH, so I need to have the official Tailscale action as a pre-deploy step, to not have to specify any ssh keys or actually open any ports.</p> <p>Just replace <code>tailscale_ssh</code> with this if you want to use pure ssh:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ssh_public_key</span><span class="p">:</span><span class="w"> </span><span class="l">${{ secrets.SSH_KEY }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ssh_private_key</span><span class="p">:</span><span class="w"> </span><span class="l">${{ secrets.SSH_PRIVATE_KEY }}</span></span></span></code></pre></td></tr></table> </div> </div><p>Be sure to set up these secrets before running the action!</p> <p>I also enabled <code>upload_directory</code> and set <code>docker_compose_directory</code> as <code>project</code>. The <code>project</code> directory will be uploaded to the server. This is useful if a container needs extra config files, and you don&rsquo;t want to rebuild a custom image with the config files on every image update. It will also upload the docker-compose file since it is included in the directory.</p> <p>If you need to change file permissions after uploading, you can use <code>post_upload_command</code> to <code>chmod</code> or <code>chown</code> files, although in most cases you will need to use sudo.</p> <h3 id="managing-secrets-in-compose-files">managing secrets in compose files </h3><p>But what about secrets, you don&rsquo;t want to upload your secret plain text into the repo right?, well you can just use GitHub secrets with environment variables!</p> <p>Don&rsquo;t set a value for the variable in the compose file:</p> <pre><code>environment: - VAR</code></pre><p>set the variable in GitHub actions</p> <pre><code>- name: Start Deployment uses: FarisZR/docker-compose-gitops-action@v1 env: MARIADB_PASSWORD: ${{ secrets.gnulinuxsa_wordpress_mariadb_password }} with: remote_docker_host: ${{ secrets.server_address }}</code></pre><p>That should do the trick, just create an action for each of your projects, and you should have your very own Compose-powered Gitops workflow!</p> <h2 id="credits">Credits </h2><p>Photo generated by Lexica AI, and no Lexica, you can&rsquo;t copyright <a class="link" href="https://www.theverge.com/2022/2/21/22944335/us-copyright-office-reject-ai-generated-art-recent-entrance-to-paradise" target="_blank" rel="noopener" >AI generated images</a>.</p>Enable Video hardware acceleration on Fedora 36+/RHEL/CentOShttps://fariszr.com/enable-video-acceleration-fedora/Tue, 31 Jan 2023 00:00:00 +0000https://fariszr.com/enable-video-acceleration-fedora/<img src="https://fariszr.com/enable-video-acceleration-fedora/thumbnail.jpg" alt="Featured image of post Enable Video hardware acceleration on Fedora 36+/RHEL/CentOS" /><p><strong>(This only affects MESA, so only people using open source drivers)</strong></p> <p>Shortly before Fedora 37 release, Fedora <a class="link" href="https://src.fedoraproject.org/rpms/mesa/c/94ef544b3f2125912dfbff4c6ef373fe49806b52?branch=rawhide" target="_blank" rel="noopener" >dropped support</a> for closed Codecs like H264, HEVC, VC1, this also includes other Red Hat distros like RHEL and CentOS stream, and probably clones like Rocky and Almalinux.</p> <p>The reason is mainly to avoid <a class="link" href="https://www.phoronix.com/news/Mesa-Optional-Video-Codecs" target="_blank" rel="noopener" >Closed source software patents</a>, Not every Distribution is affected though, as it depends on their legal jurisdiction, Ubuntu for example still includes Closed source codecs and Closed source drivers(when needed).</p> <h2 id="enable-rpmfusion">Enable RPMfusion </h2><p>MESA Packages with closed source codecs aren&rsquo;t available on the Official repos, but in RPMFusion, which is totally separate from Fedora and Red Hat, that&rsquo;s why they can upload such packages.</p> <h3 id="using-the-gui">Using the GUi </h3><p>Click on the link below, and install the Free then the non-free repository matching your distribution.</p> <p><a class="link" href="https://rpmfusion.org/Configuration" target="_blank" rel="noopener" >https://rpmfusion.org/Configuration</a></p> <h3 id="using-the-terminal">using the terminal </h3><h4 id="workstation">Workstation </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo dnf install https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-<span class="k">$(</span>rpm -E %fedora<span class="k">)</span>.noarch.rpm https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-<span class="k">$(</span>rpm -E %fedora<span class="k">)</span>.noarch.rpm</span></span></code></pre></td></tr></table> </div> </div><h4 id="silverblue">Silverblue </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo rpm-ostree install https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-<span class="k">$(</span>rpm -E %fedora<span class="k">)</span>.noarch.rpm https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-<span class="k">$(</span>rpm -E %fedora<span class="k">)</span>.noarch.rpm</span></span></code></pre></td></tr></table> </div> </div><h4 id="rhel--centos">RHEL / CentOS </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo dnf install --nogpgcheck https://dl.fedoraproject.org/pub/epel/epel-release-latest-<span class="k">$(</span>rpm -E %rhel<span class="k">)</span>.noarch.rpm </span></span><span class="line"><span class="cl">sudo dnf install --nogpgcheck https://mirrors.rpmfusion.org/free/el/rpmfusion-free-release-<span class="k">$(</span>rpm -E %rhel<span class="k">)</span>.noarch.rpm https://mirrors.rpmfusion.org/nonfree/el/rpmfusion-nonfree-release-<span class="k">$(</span>rpm -E %rhel<span class="k">)</span>.noarch.rpm</span></span></code></pre></td></tr></table> </div> </div><p>CentOS Steam 8 requires an additional step</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo dnf config-manager --enable powertools</span></span></code></pre></td></tr></table> </div> </div><p>RHEL 8 also requires an additional step</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo subscription-manager repos --enable <span class="s2">&#34;codeready-builder-for-rhel-8-</span><span class="k">$(</span>uname -m<span class="k">)</span><span class="s2">-rpms&#34;</span></span></span></code></pre></td></tr></table> </div> </div><h2 id="install-drivers-with-closed-source-codecs-included">Install Drivers with closed source codecs included </h2><h3 id="amd">AMD </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo dnf swap mesa-va-drivers mesa-va-drivers-freeworld </span></span><span class="line"><span class="cl">sudo dnf swap mesa-vdpau-drivers mesa-vdpau-drivers-freeworld</span></span></code></pre></td></tr></table> </div> </div><p>If using i686 compat libraries (for steam or alike):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo dnf swap mesa-va-drivers.i686 mesa-va-drivers-freeworld.i686 </span></span><span class="line"><span class="cl">sudo dnf swap mesa-vdpau-drivers.i686 mesa-vdpau-drivers-freeworld.i686</span></span></code></pre></td></tr></table> </div> </div><h3 id="intel">Intel </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo dnf install intel-media-driver</span></span></code></pre></td></tr></table> </div> </div><h4 id="not-so-recent-hardware">not so recent hardware </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo dnf install libva-intel-driver</span></span></code></pre></td></tr></table> </div> </div><h3 id="nvidia">Nvidia </h3><p>Nvidia&rsquo;s driver doesn&rsquo;t support VAAPI, so we need to use a bridge to translate VAAPI calls into NVDEC/NVENC</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo dnf install nvidia-vaapi-driver</span></span></code></pre></td></tr></table> </div> </div><h2 id="credits">Credits </h2><p><a class="link" href="https://ask.fedoraproject.org/t/proprietary-video-codecs-are-no-longer-hardware-accelerated-by-default-on-amd-gpus-on-fedora-37/28965" target="_blank" rel="noopener" >https://ask.fedoraproject.org/t/proprietary-video-codecs-are-no-longer-hardware-accelerated-by-default-on-amd-gpus-on-fedora-37/28965</a></p> <p><a class="link" href="https://rpmfusion.org/Howto/Multimedia" target="_blank" rel="noopener" >https://rpmfusion.org/Howto/Multimedia</a></p> <p>Photo by <a class="link" href="https://unsplash.com/it/@thomasfos?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText" target="_blank" rel="noopener" >Thomas Foster</a><!-- raw HTML omitted --> on <a class="link" href="https://unsplash.com/photos/vWgoeEYdtIY?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText" target="_blank" rel="noopener" >Unsplash</a></p>setup a Samba share with network discovery using docker-composehttps://fariszr.com/docker-smb-network-discovery/Sat, 31 Dec 2022 00:00:00 +0000https://fariszr.com/docker-smb-network-discovery/<img src="https://fariszr.com/docker-smb-network-discovery/thumbnail.jpg" alt="Featured image of post setup a Samba share with network discovery using docker-compose" /><p>I am going to show you how to quickly set up a discoverable SMB share, it&rsquo;s much easier than you think! Massive thanks to <a class="link" href="https://crazymax.dev/" target="_blank" rel="noopener" >crazymax</a> for his awesome docker containers that make this possible.</p> <h2 id="set-up-the-smb-share">set up the SMB share </h2><p>we&rsquo;re going to use crazymax&rsquo;s smb container, pretty easy to setup and docker native. its recommended to use host networking for it.</p> <h3 id="docker-composeyml">docker-compose.yml </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c">## https://fariszr.com/en/docker-smb-network-discovery/</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;3.5&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">samba</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">crazymax/samba</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">container_name</span><span class="p">:</span><span class="w"> </span><span class="l">samba</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">network_mode</span><span class="p">:</span><span class="w"> </span><span class="l">host</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./smb:/data</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./downloads:/downloads</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;TZ=$TIMEZONE&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;SAMBA_LOG_LEVEL=0&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">restart</span><span class="p">:</span><span class="w"> </span><span class="l">always</span></span></span></code></pre></td></tr></table> </div> </div><p>don&rsquo;t forget to change $TIMEZONE to your local timezone, <a class="link" href="https://wikipedia.org/wiki/List_of_tz_database_time_zones" target="_blank" rel="noopener" >list of tz time zones</a></p> <h3 id="configuration">Configuration </h3><p>Unlike normal SMBd, the container uses YAML for configuration.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">auth</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">user</span><span class="p">:</span><span class="w"> </span><span class="l">root</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">group</span><span class="p">:</span><span class="w"> </span><span class="l">root</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uid</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">gid</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">password</span><span class="p">:</span><span class="w"> </span><span class="l">bar</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">global</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;force user = root&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;force group = root&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">share</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">downloads</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">/downloads</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">browsable</span><span class="p">:</span><span class="w"> </span><span class="kc">yes</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">readonly</span><span class="p">:</span><span class="w"> </span><span class="kc">no</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">guestok</span><span class="p">:</span><span class="w"> </span><span class="kc">yes</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">veto</span><span class="p">:</span><span class="w"> </span><span class="kc">no</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">recycle</span><span class="p">:</span><span class="w"> </span><span class="kc">yes</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Here is a basic config for an open local share. All my files are owned by root, that&rsquo;s why i need to force root as the default user.</p> <p>Put the config in the mounted data folder, so in the case of compose file above, its <code>./smb/config.yml</code></p> <p>You can add more shares or more users and far more in the config. More details about docker-smb&rsquo;s configuration options are in the project&rsquo;s <a class="link" href="https://github.com/crazy-max/docker-samba" target="_blank" rel="noopener" >GitHub repo</a></p> <p>After this you should be able to use the SMB share, though not discoverable.</p> <h2 id="wsdd-smb-network-discovery-for-windows">WSDD, SMB network discovery for Windows </h2><p>Add this to the <code>docker-compose.yml</code> file</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="w"> </span><span class="nt">wsdd</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">jonasped/wsdd</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">network_mode</span><span class="p">:</span><span class="w"> </span><span class="l">host</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s1">&#39;HOSTNAME=$HOSTNAME&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">restart</span><span class="p">:</span><span class="w"> </span><span class="l">always</span></span></span></code></pre></td></tr></table> </div> </div><p>just replace <code>$HOSTNAME</code> with your hostname and then start the container</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">docker compose up -d</span></span></code></pre></td></tr></table> </div> </div><p>Now you should see the share with the <code>$HOSTNAME</code> as its name in the network tab (if local device discovery is enabled) in Windows file explorer.</p> <h2 id="avahi-smb-network-discovery-for-macos-and-linux">Avahi, SMB network discovery for MacOS and Linux </h2><p>Add this to <code>docker-compose.yml</code>, make sure to change <code>$HOSTNAME</code> to whatever you want the share&rsquo;s name to be.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="w"> </span><span class="nt">avahi</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">ydkn/avahi</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">hostname</span><span class="p">:</span><span class="w"> </span><span class="l">$HOSTNAME</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">network_mode</span><span class="p">:</span><span class="w"> </span><span class="l">host</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./avahi-services:/etc/avahi/services:ro</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">restart</span><span class="p">:</span><span class="w"> </span><span class="l">always</span></span></span></code></pre></td></tr></table> </div> </div><h3 id="avahi-servicessmbservice">avahi-services/smb.service </h3><p>create the file <code>smb.service</code> with the following content:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-xml" data-lang="xml"><span class="line"><span class="cl"><span class="cp">&lt;?xml version=&#34;1.0&#34; standalone=&#39;no&#39;?&gt;</span> </span></span><span class="line"><span class="cl"><span class="cp">&lt;!DOCTYPE service-group SYSTEM &#34;avahi-service.dtd&#34;&gt;</span> </span></span><span class="line"><span class="cl"><span class="nt">&lt;service-group&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;name</span> <span class="na">replace-wildcards=</span><span class="s">&#34;yes&#34;</span><span class="nt">&gt;</span>%h<span class="nt">&lt;/name&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;service&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;type&gt;</span>_smb._tcp<span class="nt">&lt;/type&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;port&gt;</span>445<span class="nt">&lt;/port&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;/service&gt;</span> </span></span><span class="line"><span class="cl"><span class="nt">&lt;/service-group&gt;</span></span></span></code></pre></td></tr></table> </div> </div><p>save it and start the container</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">docker compose up -d</span></span></code></pre></td></tr></table> </div> </div><p>You should now have Network discovery working on almost every OS!</p> <h2 id="sources">Sources </h2><p><a class="link" href="https://github.com/crazy-max/docker-samba/issues/1" target="_blank" rel="noopener" >https://github.com/crazy-max/docker-samba/issues/1</a></p> <p><a class="link" href="https://github.com/crazy-max/docker-samba" target="_blank" rel="noopener" >https://github.com/crazy-max/docker-samba</a></p>Setup Cloudflared using Docker without the ZT dashboardhttps://fariszr.com/cloudflared-docker-setup/Fri, 28 Oct 2022 00:00:00 +0000https://fariszr.com/cloudflared-docker-setup/<img src="https://fariszr.com/cloudflared-docker-setup/thumbnail-en.jpg" alt="Featured image of post Setup Cloudflared using Docker without the ZT dashboard" /><p>I wanted to set up Cloudflared, but I couldn&rsquo;t find anything about setting it up in docker, especially without the Zero Trust dashboard (because it kept refusing my credit card for some reason). So here it is!</p> <p>I am aiming to set up one tunnel per container, which I think is better and easier to manage than multiple tunnels in one Cloudflared instance.</p> <h2 id="docker-composeyaml">docker-compose.yaml </h2><pre><code>version: '3.1' services: cloudflared: image: cloudflare/cloudflared restart: always environment: - TUNNEL_ORIGIN_CERT=/etc/cloudflared/cert.pem - TUNNEL_EDGE_IP_VERSION=auto #use IPv4 and IPv6 volumes: - ./cloudflared:/etc/cloudflared command: tunnel run YOUR_TUNNEL_NAME</code></pre><h2 id="linking-cloudflared-with-your-domain">Linking Cloudflared with your domain </h2><h3 id="create-cloudflared-dir">Create <code>cloudflared</code> dir </h3><p>firstly you need to create the <code>./cloudflared</code> directory before running any docker commands, because on container start up It&rsquo;s going to create the directory as root, and Cloudflared runs as the distroless <code>nonroot</code>(id 65532) user, so you will just end up with permission problems.</p> <pre><code>mkdir ./cloudflared</code></pre><h4 id="rootful">Rootful </h4><pre><code>sudo chown -R 65532:65532 ./cloudflared</code></pre><h4 id="rootless">Rootless </h4><p>this is assuming your subid and subgid ranges are <code>100000:65536</code></p> <pre><code>sudo chown -R 165531:165531 ./cloudflared</code></pre><h4 id="user-name-spaces-remapping">User name spaces remapping </h4><p>for some reason, docker in UserNS mode uses different IDs, even though I am using the same subuid/subgid.</p> <pre><code>sudo chown -R 165532:165532 ./cloudflared</code></pre><h3 id="login">Login </h3><pre><code>docker run -v $PWD/cloudflared:/home/nonroot/.cloudflared cloudflare/cloudflared login</code></pre><p>Open the link in your browser and select which domain you would like to use, and then it will generate the origin certificate.</p> <h2 id="create-a-new-cloudflared-tunnel">Create a new cloudflared tunnel </h2><pre><code>docker run -v $PWD/cloudflared:/etc/cloudflared cloudflare/cloudflared tunnel create YOUR_TUNNEL_NAME</code></pre><p>We switched from <code>/home/nonroot/.cloudflared</code> to <code>/etc/cloudflared</code> because tunnel files are generated in the <code>/etc</code> directory. We overrode the default certificate location in the compose file using the <code>TUNNEL_ORIGIN_CERT</code> variable.</p> <p>Now you will find in <code>./cloudflared</code> a <code>cert.pem</code> file and a <code>.json</code> file, the name of the file is your Tunnel ID. Copy the tunnels ID and replace <code>YOUR_TUNNEL_ID</code> with it in the following steps.</p> <h2 id="configuring-the-tunnel">Configuring the tunnel </h2><p>create a <code>config.yml</code> file inside the <code>./cloudflared</code> directory</p> <p>This is a basic configuration for a WordPress site inside the same docker network as Cloudflared, running on port 80.</p> <pre><code>tunnel: YOUR_TUNNEL_ID credentials-file: /etc/cloudflared/YOUR_TUNNEL_ID.json ingress: - hostname: domain.tld service: http://wordpress:80 - hostname: www.domain.tld # otherwise its going to end up in a 404 service: http://wordpress:80 - service: http_status:404 # any other domain will result in a 404</code></pre><p>You could further customize the configuration to your liking.</p> <p><a class="link" href="https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/local/local-management/" target="_blank" rel="noopener" >here</a> are the details about it.</p> <p>But this would be enough for most setups.</p> <h2 id="start-it-up">Start it up! </h2><p>Make sure cloudflared is running in the same network as your other container if you are using DNS hostnames, and it should just work!</p> <pre><code>docker compose up -d</code></pre><h2 id="dns-records">DNS Records </h2><p>Add a <code>CNAME</code> record to your domains pointing to <code>YOUR_TUNNEL_ID.cfargotunnel.com</code>, and make sure to enable Cloudflares proxy (the cloud needs to be orange).</p> <h2 id="rootlessuserns-note">Rootless/UserNs note </h2><p>if you see this error</p> <pre><code>WRN The user running cloudflared process has a GID (group ID) that is not within ping_group_range. You might need to add that user to a group within that range, or instead update the range to encompass a group the user is already in by modifying /proc/sys/net/ipv4/ping_group_range. Otherwise cloudflared will not be able to ping this network error="Group ID 65532 is not between ping group 65534 to 65534" WRN ICMP proxy feature is disabled error="cannot create ICMPv4 proxy: Group ID 65532 is not between ping group 65534 to 65534 nor ICMPv6 proxy: socket: permission denied"</code></pre><p>Currently, This has no effect, as Cloudflared <a class="link" href="https://github.com/cloudflare/cloudflared/issues/726" target="_blank" rel="noopener" >still doesn&rsquo;t support</a> ICMP over QUIC anyway. I tried fixing it by setting <code>net.ipv4.ping_group_range = 0 2147483647</code>, but it still didn&rsquo;t work, so just ignore it for now.</p> <p>If you have a solution, write it in the comments!</p>How to set "Cache-Control" Header for static files in Caddyhttps://fariszr.com/set-cache-header-caddy-files/Fri, 30 Sep 2022 00:00:00 +0000https://fariszr.com/set-cache-header-caddy-files/<img src="https://fariszr.com/set-cache-header-caddy-files/thumbnail.jpg" alt="Featured image of post How to set "Cache-Control" Header for static files in Caddy" /><p>If you are seeing the &ldquo;Serve static assets with an efficient cache policy&rdquo; notice in PageSpeed, you need to add the <code>Cache-Control</code> header to your website.</p> <p><img src="https://fariszr.com/set-cache-header-caddy-files/pagespeed.webp" width="970" height="179" srcset="https://fariszr.com/set-cache-header-caddy-files/pagespeed_hu7928366471381843467.webp 480w, https://fariszr.com/set-cache-header-caddy-files/pagespeed_hu6402851554976940738.webp 1024w" loading="lazy" class="gallery-image" data-flex-grow="541" data-flex-basis="1300px" ></p> <p>Here is how to do it if you are using Caddy.</p> <h2 id="cache-control">Cache-Control </h2><p>To set a <code>Cache-Control</code> header only for your static files like, .js, .jpg, and others, just add this to the relevant part of your Caddyfile(under the site block if the Caddyfile includes multiple websites)</p> <pre><code>@static { file path *.ico *.css *.js *.gif *.webp *.avif *.jpg *.jpeg *.png *.svg *.woff *.woff2 } header @static Cache-Control max-age=5184000</code></pre><p>The files are going to be cached for <code>5184000</code> seconds, so 60 days, you can change it if you want.</p> <h2 id="source">Source </h2><p><a class="link" href="https://caddy.community/t/correct-way-to-set-expires-on-caddy-2/7914/13" target="_blank" rel="noopener" >https://caddy.community/t/correct-way-to-set-expires-on-caddy-2/7914/13</a></p>How to compress static site to Brotli and Gziphttps://fariszr.com/compress-static-site-brotli-gzip/Wed, 14 Sep 2022 00:00:00 +0000https://fariszr.com/compress-static-site-brotli-gzip/<img src="https://fariszr.com/compress-static-site-brotli-gzip/thumbnail.jpg" alt="Featured image of post How to compress static site to Brotli and Gzip" /><p>If you deploy your static site to a Web server like <a class="link" href="https://caddyserver.com" target="_blank" rel="noopener" >Caddy</a>, you might need to pre-compress it, especially if you want to use Brotli with Caddy as it&rsquo;s only supported for pre-compressed assets.</p> <h2 id="brotli">Brotli </h2><pre><code>find www.new -type f \( -name '*.html' -o -name '*.js' -o -name '*.css' -o -name '*.xml' -o -name '*.svg' \) \ -exec /bin/sh -c 'brotli -q 11 -o "$1.br" "$1"' /bin/sh {} \;</code></pre><h2 id="gzip">Gzip </h2><pre><code>find www.new -type f \( -name '*.html' -o -name '*.js' -o -name '*.css' -o -name '*.xml' -o -name '*.svg' \) \ -exec /bin/sh -c 'gzip -v -f -9 -c "$1" > "$1.gz"' /bin/sh {} \;</code></pre><h2 id="source">Source </h2><p><a class="link" href="https://github.com/maruel/hugo-tidy/blob/main/docker-entrypoint.sh#L49" target="_blank" rel="noopener" >https://github.com/maruel/hugo-tidy/blob/main/docker-entrypoint.sh#L49</a></p>how to fix screen sharing in Chromium browsers on Waylandhttps://fariszr.com/fix-screensharing-wayland-chromium/Fri, 02 Sep 2022 00:00:00 +0000https://fariszr.com/fix-screensharing-wayland-chromium/<img src="https://fariszr.com/fix-screensharing-wayland-chromium/image.jpg" alt="Featured image of post how to fix screen sharing in Chromium browsers on Wayland" /><p>If you use a distro with Wayland, you might have noticed, that screen sharing might not work, it will probably show a black screen, instead of your display</p> <h2 id="why">Why </h2><p>This is because Wayland doesn&rsquo;t give the permission for a program to capture the screen the same way X.ORG does.</p> <p>Since your distro/Desktop environment uses Wayland, it probably uses Pipwire too, we will use it to share our screen.</p> <h2 id="make-chromium-use-pipewire">Make Chromium use Pipewire </h2><p>open your chromium browser and open this link <code>chrome://flags/#enable-webrtc-pipewire-capturer</code></p> <p><img src="https://fariszr.com/fix-screensharing-wayland-chromium/screenshot.png" width="729" height="127" srcset="https://fariszr.com/fix-screensharing-wayland-chromium/screenshot_hu8326686255490983097.png 480w, https://fariszr.com/fix-screensharing-wayland-chromium/screenshot_hu17094801134711137821.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="574" data-flex-basis="1377px" ></p> <p>And Then just restart your browser from the restart option, and you should be OK.</p> <h2 id="notes">Notes </h2><p>It&rsquo;s still not seamless though, when you share your screen, there will be two pop-ups instead of only one. One from the browser and then one from Pipewire.</p> <p>And when you select your screen, It&rsquo;s going to prompt you to select it again when its actually going to share it to the application, and not just preview it.</p> <p>As for Electron apps, this Option should be enabled by default on new version, however on old ones, you might need to find a way to enable it manually.</p> <p>But most electron apps have a web version anyway, so just use it instead of the app!</p>Archiveshttps://fariszr.com/archives/Sun, 24 Apr 2022 00:00:00 +0000https://fariszr.com/archives/<link>https://fariszr.com/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://fariszr.com/</guid><description/></item><item><title>Abouthttps://fariszr.com/about/Mon, 01 Jan 0001 00:00:00 +0000https://fariszr.com/about/<p>Hi, I am Faris, passionate about Free and Open source software, and Cloud computing. I work on <a class="link" href="https://fariszr.com/projects/" >the Aosus Community</a>, the biggest Arabic community for FOSS, and I created <a class="link" href="https://fariszr.com/projects/" >ARhackintosh</a>, a place where you found anything hackintosh related in Arabic.</p> <p>I spend my time experimenting with FOSS and cloud computing as I like to learn by doing.</p>My Projectshttps://fariszr.com/projects/Mon, 01 Jan 0001 00:00:00 +0000https://fariszr.com/projects/<h2 id="the-aosus-community">The Aosus Community </h2><p><a class="link" href="https://aosus.org" target="_blank" rel="noopener" >Aosus</a> is the biggest Arabic community for FOSS, we want to spread Free and open source software in the Arab world, and spread the culture around contributing to FOSS.</p> <p><a class="link" href="https://aosus.org" target="_blank" rel="noopener" ><img src="https://aosus.org/wp-content/uploads/2022/07/aosus-preview.jpg" loading="lazy" ></a></p> <p>I Joined Aosus in 2021 to work on a new re-launch for the project, first by merging it with another Linux telegram chat group that had more than 3000 members.</p> <p>Then I worked on redesigned the community page, and launching the new official website and blog, of course all of this came with a complete overhaul of Aosus&rsquo;s Technical infrastructure, now fully dockerized.</p> <p>I also launched <a class="link" href="https://aosus.org/services" target="_blank" rel="noopener" >Aosus services</a>, where aosus hosts Privacy focused interfaces/proxies for popular websites, like YouTube, Twitter, Reddit etc. without tracking or Ads.</p> <p>I also managed <a class="link" href="https://aosus.org/writing-contest" target="_blank" rel="noopener" >The Aosus Writing Contest</a> <a class="link" href="https://opencollective.com/aosus/projects/aosus-writing-contest" target="_blank" rel="noopener" >summary in English</a>, the first Contest of its kind in the Arabic world to support writers that write about FOSS in Arabic. You can find ways to support Aosus <a class="link" href="https://aosus.org/en/support-us" target="_blank" rel="noopener" >here</a>, you can also contribute to Aosus&rsquo;s <a class="link" href="https://github.com/aosus" target="_blank" rel="noopener" >projects</a></p> <h3 id="my-achievements-in-aosus">my Achievements in Aosus </h3><p>(unfortunately most links are only in Arabic, it&rsquo;s an Arabic focused project after all)</p> <ul> <li><a class="link" href="https://aosus.org/en" target="_blank" rel="noopener" >Create a page about the Community ant its projects</a> (partially translated)</li> <li><a class="link" href="https://aosus.org/931" target="_blank" rel="noopener" >Creating a Matrix server for aosus</a></li> <li>Redesign the Discourse forum, you can see the old designs on <a class="link" href="https://web.archive.org/web/*/aosus.org" target="_blank" rel="noopener" >the Internet Archive</a></li> <li>launching the <a class="link" href="https://aosus.org/924" target="_blank" rel="noopener" >Aosus writing contest</a>, the first Contest of its kind in the Arabic world.</li> <li><a class="link" href="https://aosus.org/1359" target="_blank" rel="noopener" >Aosus joining Open Collective</a>, Aosus was one of the first Arabic to join the platform, to have financial transparency and independence.</li> <li>Launch <a class="link" href="https://aosus.org/services" target="_blank" rel="noopener" >Aosus services</a>, to protect user&rsquo;s digital privacy</li> <li>create a plan for the upcoming project, <a class="link" href="https://github.com/aosus/torjoman" target="_blank" rel="noopener" >Torjoman</a>, a new way to crowdsource translations directly from the users favorite apps. (English description available)</li> <li>Add Aosus <a class="link" href="https://twitter.com/Aosusorg/status/1556269856546250753" target="_blank" rel="noopener" >to new social media platforms</a></li> <li>Join <a class="link" href="https://aosus.org/1847" target="_blank" rel="noopener" >Discord</a> using matrix bridges</li> <li><a class="link" href="https://aosus.org/en/1901" target="_blank" rel="noopener" >Getting non-profit 501(c)(3) status in the U.S.</a> with Aosus&rsquo;s new fiscal sponsor, HCB from Hack club.</li> </ul> <h2 id="arhackintosh">ARhackintosh </h2><p><a class="link" href="https://%d9%87%d8%a7%d9%83%d9%86%d8%aa%d9%88%d8%b4.com" target="_blank" rel="noopener" >ARhackintosh</a>, is the first complete Arabic community for Hackintosh, with an Open source guide, based on dortania, and a Kext archive.</p> <p><strong>If you know Arabic, ARhackintosh needs new maintainers, if you&rsquo;re interested more details <a class="link" href="https://%d9%87%d8%a7%d9%83%d9%86%d8%aa%d9%88%d8%b4.com/%d9%87%d8%a7%d9%83%d9%86%d8%aa%d9%88%d8%b4-%d8%a8%d8%a7%d9%84%d8%b9%d8%b1%d8%a8%d9%8a-%d9%8a%d8%a8%d8%ad%d8%ab-%d8%b9%d9%86-%d9%85%d8%b3%d8%a7%d9%87%d9%85%d9%8a%d9%86-%d8%ac%d8%af%d8%af/" target="_blank" rel="noopener" >here</a></strong></p> <p><a class="link" href="https://%d9%87%d8%a7%d9%83%d9%86%d8%aa%d9%88%d8%b4.com" target="_blank" rel="noopener" ><img src="https://xn--mgbg4a8cpdl.com/wp-content/uploads/2022/09/link-preview.jpeg" loading="lazy" ></a> (Yes that&rsquo;s an actual word mark, people can read it)</p> <p>I started ARhackintosh in 2020, to create a dedicated place for All things Hackintosh in Arabic.</p> <p>It helped massively in discovering my passion and love for Linux and technical infrastructure, and got me into the world of git and FOSS.</p> <h3 id="artutorial">ARtutorial </h3><p>the biggest part of the project, and the one where I spent most of the dev time is <a class="link" href="https://tutorial.%d9%87%d8%a7%d9%83%d9%86%d8%aa%d9%88%d8%b4.com" target="_blank" rel="noopener" >ARtutorial</a>. More than 4000 words, and 1250+ commits, the biggest Arabic guide for how to install Hackintosh. Its completely <a class="link" href="https://github.com/ARhackintosh/ARtutorial" target="_blank" rel="noopener" >open source</a></p> <p>I tried to keep the guide simple, but also not hide any real complexities of installing a Hackintosh. Because its actually Complex, hiding it from the user always ends up in lost data, or lost time.</p> <h3 id="kext-archive">Kext Archive </h3><p>Kext archive aims to collect all crucial Kexts(Kernel extensions/basically macOS Drivers), with direct links to developers repo and downloads, with handwritten descriptions in Arabic, and clear categories for kexts.</p> <p><a class="link" href="https://xn--mgbg4a8cpdl.com/kextarchive/" target="_blank" rel="noopener" ><img src="https://xn--mgbg4a8cpdl.com/wp-content/uploads/2021/08/image-1536x870.jpg.webp" loading="lazy" ></a></p> <p>to my knowledge, It&rsquo;s still somewhat unique, as I haven&rsquo;t seen anything similar in English.</p> <p>The archive aims to fix the hassle of finding drivers, and finding an up-to-date version of it. Most Hackintosh guides in Arabic are outdated video guides, with no updates or any kind of edits from the creator. Kext archive aims to create a simple place where users can find advanced driver/kexts for their devices. It now has more than 50 drivers listed.</p>Searchhttps://fariszr.com/search/Mon, 01 Jan 0001 00:00:00 +0000https://fariszr.com/search/