A summary of the services I host.
- All services are hosted as Docker containers, with routing handled via Traefik.
- Public website codeslikeaduck.com sits behind the Cloudflare proxy.
- Private services sit behind a GeoIP filter and Authelia 2FA.
- The only config files in this repo are the docker-compose YAML files.
- The files for codeslikeaduck are in their own repo.
- Traefik
- Authelia
- Traefik-Geoip-Filter
- Docker-Socket-Proxy
- Jitsi
- Photoview
- Wishlist (Christmas-Community)
- DogCam (Go2rtc)
- Heimdall
- Dev Blog
- Traefik (v2) is a reverse proxy and is the backbone of the setup.
- Traefik sits between the services and the outside world (specifically the HTTP and HTTPS ports, 80 and 443).
- Each service has a corresponding subdomain registered in DNS, and Traefik routes each subdomain's requests to the correct service.
- This allows traffic to service.example.com to reach the service without exposing the service's port on the network.
- As well as convenience, Traefik handles security: all traffic is routed through middlewares, where requests can be filtered and modified before they reach the service.
- The main middlewares in this setup are an HTTP-to-HTTPS redirect, a request rate limiter, a middleware applying a range of HTTP security headers, and a middleware routing requests through Authelia for two-factor authentication.
- A different HTTP security header middleware is defined for each service to allow future customisation.
- Authelia is an authentication server providing two-factor authentication for all the services.
- Allows users to be created and an access level (no auth, single factor, two factor, no access) set on a per-service basis.
- Supports U2F and one-time passwords via Google Authenticator, but currently 2FA is set up via mobile push notifications using Duo.
- Traefik-geoip-filter acts as a geography-based block/allowlist middleware for Traefik.
- It sets up a local Nginx webserver that acts as an auth server for the forwardAuth middleware.
- You define the countries, counties and cities you want to allow/block traffic from; it grabs the IP addresses that match those locations from a database and makes an "IPchecklist".
- When this middleware is assigned to a service's router, Traefik routes all requests to the auth server first and only passes them on to the service if the auth server confirms the origin IP is/isn't in the allow/block list. Otherwise the request is returned with a 404 code.
- Useful for the services which can't be proxied through Cloudflare due to their no-video/large-files policy (e.g. Jitsi or CCTV).
- I think it's great, but I also made it.
- Docker-Socket-Proxy is a proxy layer between Traefik and the Docker socket.
- Traefik requires access to the Docker socket to work, and Traefik is exposed to the internet. This means an attack on Traefik could grant the attacker root access on the underlying host.
- Recommended by the Traefik devs, docker-socket-proxy only allows access to the sections of the Docker API that Traefik needs to function.
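As an added example (not the repo's own compose file), here is a minimal docker-compose.yml showing how the Traefik, Authelia and docker-socket-proxy pieces described above fit together: Traefik reads the Docker API through the socket proxy instead of the raw socket, and one service sits behind the HTTP-to-HTTPS redirect, rate limiter, per-service security headers and Authelia forwardAuth middlewares. Hostnames (home.example.com, auth.example.com), middleware names and the Authelia service (assumed reachable at authelia:9091 on the proxy network) are placeholders.

```yaml
services:
  docker-socket-proxy:
    image: tecnativa/docker-socket-proxy
    # Traefik only needs to list containers and networks; POST=0 blocks
    # start/stop/exec/create, so a compromised Traefik cannot spawn containers.
    environment: { CONTAINERS: 1, NETWORKS: 1, POST: 0 }
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks: [socket]

  traefik:
    image: traefik:v2.10
    command:
      - --providers.docker=true
      - --providers.docker.endpoint=tcp://docker-socket-proxy:2375  # never the raw socket
      - --providers.docker.exposedbydefault=false                   # opt-in per container
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
    ports: ["80:80", "443:443"]
    networks: [socket, proxy]

  heimdall:  # example protected service; any private service gets the same labels
    image: linuxserver/heimdall
    networks: [proxy]
    labels:
      - traefik.enable=true
      # Plain-HTTP router does nothing but redirect to HTTPS
      - traefik.http.routers.heimdall-http.rule=Host(`home.example.com`)
      - traefik.http.routers.heimdall-http.entrypoints=web
      - traefik.http.routers.heimdall-http.middlewares=to-https@docker
      - traefik.http.middlewares.to-https.redirectscheme.scheme=https
      # HTTPS router carries the real middleware chain
      - traefik.http.routers.heimdall.rule=Host(`home.example.com`)
      - traefik.http.routers.heimdall.entrypoints=websecure
      - traefik.http.routers.heimdall.tls=true
      - traefik.http.middlewares.ratelimit.ratelimit.average=100
      - traefik.http.middlewares.ratelimit.ratelimit.burst=50
      # Per-service header middleware, so each service can be tuned independently
      - traefik.http.middlewares.heimdall-headers.headers.stsSeconds=31536000
      - traefik.http.middlewares.heimdall-headers.headers.frameDeny=true
      - traefik.http.middlewares.heimdall-headers.headers.contentTypeNosniff=true
      # forwardAuth: Traefik asks Authelia before forwarding; unauthenticated
      # requests are redirected to the portal given in rd=
      - traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.example.com
      - traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups
      # Order matters: rate limit first, then headers, then the 2FA gate
      - traefik.http.routers.heimdall.middlewares=ratelimit@docker,heimdall-headers@docker,authelia@docker

networks:
  socket: { internal: true }  # the socket proxy is never reachable from outside
  proxy: {}
```

The `socket` network is marked internal so only Traefik can talk to the proxy, and the proxy itself mounts the Docker socket read-only; TLS certificates and the Cloudflare/GeoIP layers are left out for brevity.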
- Jitsi is a full-featured video conferencing platform. Essentially, host your own Zoom, but with HD video streaming, no time limits, increased security and end-to-end encryption support.
- Setting this up during the pandemic has been a huge quality-of-life upgrade over Zoom; I highly recommend it.
- Jitsi consists of four services working together.
- Jitsi Meet (Jitsi_web): The frontend interface for Jitsi.
- Jitsi Videobridge (JVB): The traffic controller, a server that routes video streams between participants.
- Jitsi Conference Focus (Jicofo): Conference manager, it opens and manages the sessions between participants and JVB.
- Prosody: An XMPP server that all the other components connect to so they can communicate; it is the only component not made by the Jitsi team.
- Christmas-community is a private Amazon wishlist alternative.
- Supports separate user accounts with basic username & password auth, with all wishlists visible to all users.
- Users can add items to their wishlist via the product URL, and for supported websites (30 or so) the service grabs the product image, name and price.
- Otherwise image, name and price can be input manually.
- Photoview is an actively developed photo & video gallery UI that maintains your directory structure.
- Features local facial recognition for photo sorting, tiered user account access, and supports RAW files and EXIF parsing.
- This is another service I highly recommend to anyone with years of family photos languishing on a hard drive.
- Consists of two services, as it requires a SQL database for caching thumbnails, parsed photo data and smaller file versions for download.
- I have a MariaDB container for this (phdb in the docker-compose yml).
- Go2rtc is a minimalist video feed streaming app.
- Supports a huge range of protocols and sources, even ffmpeg, and all with minimal configuration.
- I use it to capture the feed from an IP camera to act as a self hosted pet cam.
- For this use case, I highly recommend go2rtc over other popular CCTV services that are bloated with features you don't need.
- To make it as simple to use as possible, I added a redirectregex middleware to redirect homepage traffic directly to the video feed.
- Heimdall is an application dashboard, used here as a simple homepage.
- A copy of codeslikeaduck.com, separately hosted to act as a dev environment.
- Allows me to tinker with the site without risking downtime.
Icons made by Freepik from www.flaticon.com
Road Icon made by Smashicons from www.flaticon.com
Duck Icon made by me.