Not OP but I use headscale and have it configured using Authentik for SSO. Works flawlessly once its up and running. I also use headplane for the UI. It has SSO integration as well which makes everything a breeze.

Edit: Forgot to mention, all running in docker with traefik as the reverse proxy.

Its not as cut and dry as everyone here is making it out to be. This is an organization of people, rules are bent and broken CONSTANTLY.

Each branch has a form of peer-mentoring. In some form or another you’re graded on your ability to do your job and those grades get looked at for your promotion.

It starts off as a negative counseling. Sometimes written, most times just verbal. These are the “oh man I forgot to do this duty at the end of the day” type offenses. More than likely someone is just gonna tell you to pull you’re head out of your ass and fix it.

Get enough of these and eventually you will get whats called a “non-judical punishment”. These are punishments handed out by commanding officers. See “UCMJ Article 15”. These are offenses under the rest of the UCMJ. Some things like adultery are still chargeable offenses. If they cant find something to charge you with “UCMJ Article 134” is a general offense. Basically “hey we didnt like what you did, its not illegal, but were gonna charge you anyway”

Think of NJPs as a misdemeanor, smaller but still serious infraction. When you leave the military, nobody will know that you got charged with something. But these do come with punishments. You basically get “grounded” cant leave your barracks room / get put on restriction. Also loss of pay.

Decide to commit a serous crime defined in the UCMJ? Well thats what a court-martial is. That is equivalent to a felony and will show up on any criminal background check. These often include jail time and reductions in rank.

Its all incredibly suggestive and depends on all the parties involved.

Thank you for the laugh (⁀ᗢ⁀)

You can use Authentik to setup an LDAP outpost then use a jellyfin LDAP plug-in to sync everything up.

https://github.com/jellyfin/jellyfin-plugin-ldapauth?tab=readme-ov-file

Course, feel free to DM if you have questions.

This is a common setup. Have a firewall block all traffic. Use docker to punch a hole through the firewall and expose only 443 to the reverse proxy. Now any container can be routed through the reverse proxy as long as the container is on the same docker network.

If you define no network, the containers are put into a default bridge network, use docker inspect to see the container ips.

Here is an example of how to define a custom docker network called “proxy_net” and statically set each container ip.

networks:
  proxy_net:
    driver: bridge
    ipam:
      config:
        - subnet: 172.28.0.0/16

services:
  app1:
    image: nginx:latest
    container_name: app1
    networks:
      proxy_net:
        ipv4_address: 172.28.0.10
    ports:
      - "8080:80"

  whoami:
    image: containous/whoami:latest
    container_name: whoami
    networks:
      proxy_net:
        ipv4_address: 172.28.0.11

Notice how “who am I” is not exposed at all. The nginx container can now serve the whoami container with the proper config, pointing at 172.28.0.11.

Well if your reverse proxy is also inside of a container, you dont need to expose the port at all. As long as the containers are in the same docker network then they can communicate.

If your reverse proxy is not inside a docker container, then yes this method would work to prevent clients from connecting to a docker container.

Something like this. This is a compose.yml that only allows ips from the local host 8080 to connect to the container port 80.

services:
  webapp:
    image: nginx:latest
    container_name: local_nginx
    ports:
      - "127.0.0.1:8080:80"

Ooo I do love me some Nix modules. Any particular options to look out for in order to configure something like that?

Edit:

It’s programs.chromium.extraOpts isnt it? Lol

You can setup wild card certs with a DNS challenge using traefik. No plug-ins needed, works right out the box.

Personally, I quite prefer traefik. Its harder to use than Caddy but offers more features. Also, it uses yaml or docker labels for config. I’m not a fan of the nginx .conf format.

Did you watch ‘I am Legend’? This is exactly what starts the apocalypse lol

Side note, book was waaaayyyyy better

The routers or computers you are using for this have to support forwarding traffic. With Linux this is pretty straight forward for other OSes I’m not sure how easy it is.

You can get around this by having tailscale installed on the default gateway (router) of each network. It might be quite a pain for OP to change routers at each location. On the plus side, OpenWRT has some other cool features like PXE booting.

Here is an article about tailscale on an OpenWRT router.

Ahhh interesting video! I appreciate the post. I see the mTLS is more about authenticating who the client is outside the application.

Don’t worry, Im not just exposing thing willy nilly 🤣 For client-side authentication I use Authentik combined with 2FA, Duo, and fail2ban. Authentik provides identity management through LDAP to jellyfin and any sign in request goes to MFA and you get a Duo notification to approve. You can do other MFA, i just havent set it up.

Ive got a lot of family who use my server. Asking them to install a TSL cert on every machine would be impossible. My method also monitors all sign in requests. Setting up Authentik was a hugggeee game changer for me.

Well ya know this is a forum and I was trying to engage in a friendly conversation to learn about something you brought up.

But yeah I know how to fucking Google lol

Oooo ya know I actually don’t know about these. I’ve done both A and B for my homelab and C for work.

Any good resources / insight into mTLS? I appreciate the response btw!

Ya got three options.

Option A is to create your own certificate that is self-signed. You will then have to load the certificate into any client you want to use. Easier than people realize, just a couple terminal commands. Give this a go if you want to learn how they work.

Option B is to generate a certificate with Let’s Encrypt via an application like certbot. I suggest you use a DNS challenge to create a wildcard certificate.

Option C is to buy a certificate from your DNS provider aka something like cloudflare.

IMO the best is Option B. Takes a bit to figure it out but its free and rotates automatically which I like.

I like helping and fixing stuff, if you’d like to know anything just ask :D

I wish I had setup an identity management system sooner. Been self-hosting for years and about a year ago took the full plunge into setting up all my services behind Authentik. Its a game changer not having to deal with all the usernames and passwords.

In a similar vein, before Authentik, I used Vaultwarden to manage all my credentials. That was also a huge game changer with my significant other. Being able to have them setup their own account and then share credentials as an organization is super handy.

O.o I had no idea the specs had improved so much on these things. Range of over 80 miles? That’s insane.

Thank you for the sauce, I really appreciate it! (°▽°)/

Whhhaaattt?? 60mph?! What brand, I must know!

Thats just how IPv6 works. You get a delegate address from your ISP for your router and then any device within that gets it own unique address. Considering how large the pool is, all address are unique. No NAT means no port forwarding needed!