19 December 2024
The Homelab Chronicles continue1! Last time I discovered the magic of the Docker Compose file. In this chapter, using the Docker Compose files accelerated the process of adding new things into my portfolio of homelab applications. In this chapter, I’ll go through adding Paperless-ngx, handling backups of my homelab files, and enhancing the reverse proxy endpoint security.
Dealing with paperwork is a pain. Enrolling in eStatements has been helpful as many of my documents are now emailed directly to me. However, searching through them is a pain because not everything is digital. Periodically, I would go through initiatives to digitize and organize my files. I’ve used the file system. After a period of extreme effort, things would get out of date as I grew undisciplined over time. One application I was intrigued by, was Paperless-ngx.
Paperless-ngx has a feature set that sounds amazing. You upload documents, tag them, and then are searchable with all text from the documents. Essentially, the documents are stored on the file system like normal but it adds an entire metadata layer. I was turned off the solution in the past because I was overwhelmed by the installation.
Understanding Docker and Docker Compose was all I needed. The installation was incredibly simple. I did the following:
All that was left was to run the docker-compose up -d.
The mount points were the hardest part for me to understand at first. It maps the folders to a local file on the file server. If I go to the media folder pointed in the docker-compose.yml on my machine, I can see the PDFs stored there.
Backups are important for me. Before I added the Mac mini to my hardware setup, my MacBook Pro had Time Machine set up with the Synology NAS for a local backup. I also have Backblaze to back up the data offsite.
Time Machine is easy to setup so when I plugged in the Mac mini and got it configured, I turned that on. At least I had a local backup. However, as more applications are being added that are storing data I needed to get an offsite backup solution in place. The easiest solution would be to sign up for Backblaze on the Mac mini. It’s reasonably priced, but when I look at the cashflow, I dropped thousands of dollars on the network and the homelab. So far I have only saved the $90/year on the Monica payment. Adding another $99 wouldn’t bankrupt me but I wanted to avoid it if at all possible.
I found a convuluted path, but one I’m ultimately happy with. The MacBook Pro has a 2 TB internal SSD that is at about 50% capacity. The Mac mini only has a 256 GB SSD. I could do a copy of the entire drive and save it internally on the MacBook Pro that would be backed up to Backblaze. I really didn’t need to have the entire drive backed up. I just need the data, primarily from my homelab folder in my local user. I thought about setting up an rsync job but wanted something with less overhead. In Chapter 1, I mentioned that I had Syncthing configured for the data on the Synology NAS. It’s been working so well, so I explored using that between the Mac mini and the MacBook Pro. Aha! It was exactly what I wanted.
Viola! It’s been working like a charm. This directory is now backed up on 2 computers, 2 Time Machine backups, and the Backblaze cloud.
Now that my data was being backed up in more places and I have Paperless-ngx involved, it was time to address the basic authentication that I had set up in Caddy in Chapter 2. Paperless-ngx would be a family application so I needed to have the authentication easier for my wife.
When I set up the basic authentication, I knew that Caddy would work with Authelia. Authelia adds a front-end UI for the login/password prompt and the ability to have a separate handling of users and groups. Setting up Authelia was pretty simple when I pulled a Docker Compose template file. I setup the configuration.yml file. I also setup a users.yml file with an account for me and my wife. Adding new users would mean I need to update the users.yml file, but once I configure Caddy it would mean I no longer have to add a record to each endpoint with the basic authentication already in there.
With Authelia running on the Homelab, I only needed to configure Caddy to work with it.
The first step is to create the endpoint that routes to Authelia and the creation of a function that each endpoint that should be protected would need to include.
auth.mysecretdomain.com {
reverse_proxy 192.168.1.2:9091
}
(secure_site) {
forward_auth {args[0]} 192.168.1.2:9091 {
uri /api/verify?rd=https://auth.mysecretdomain.com
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
}
On each endpoint, I changed the definition. The BEFORE is what I had with basic authentication, and the AFTER is with the Authelia endpoint protection:
BEFORE:
service.mysecretdomain.com {
reverse_proxy 192.168.1.2
basicauth / username $2a$14$0nnEzLEjSf7TAWJqntj2Tec/SWrb.u/6N1y/Eu9LyVgSiKCmhURQi
}
AFTER:
service.mysecretdomain.com {
import secure_site *
reverse_proxy 192.168.1.2
}
I’ve been quite happy with the setup. Since Authelia has a UI, it works perfectly with 1Password. It does mean that I need to sign in twice, but once I’m signed in to Authelia the rest of the endpoints recall due to the cooking/session sharing.
We’re getting closer to real-time. As of publishing this, there are still two adventures that I tackled that will get us to the present day: configuring Jellyfin for media consumption and Fail2Ban to futher protect the setup. Jellyfin was quite the ordeal. Fail2Ban was also quite a challenge. I haven’t decided on if they’ll be combined in one chapter, or I’ll split them into two.