Let’s start by talking about the project itself, in order to give some sort of more complete context:
I’m working up what I consider a “complete” home/family server for 10~20 users.
Goals:
- Replace any web-service where “you the customer are in fact the product” (gmail and other google services, etc.)
- Replace any web-service where one pays for “access” to content and thus one does not “own” content (netflix, iTunes, Audible, etc.)
- Access from anywhere
- Various work and automation services
- Maintain sufficient security while retaining decent reasonableness of maintaining and using the server as a whole
- Respect user privacy, as much as possible, even from Admin eyes
How I intend to achieve this:
- Docker
- More Docker, Compose is great
- Yet more Docker and also ZFS
- FOSS wherever possible
A partial list of Docker containers:
- Organizr for that fantastic front-end integration and organization
- Monitorr for at-a-glance awareness of whether things are running
- Jellyfin
- Ombi
- Ubooquity (probably to be replaced with something else for reasons below)
- Traefik
- Trilium Notes
- Airsonic
- Booksonic
- Komga
- bitwarden_RS
- Some sort of OpenLDAP/Keycloak solution
- Backup for user files, dropbox replacement
- Paperless document storage
- Contacts, calendars, etc
- A website or 3
- Image upload, pastebin, URL truncation
- Likely an IRC server or similar
- Game servers
- SIP is likely
- RSS server
- Financial tracking
- Some IoT/home-automation stuff
- Likely docker-mailserver, or at least some similar stack
- Etc, Etc
(General network privacy stuff like PiHole, OpenVPN, etc., is handled elsewhere, and so it’s not relevant here).
I mentioned LDAP but also Ubooquity - this is the reason I’m likely to replace Ubooquity. It doesn’t seem to support any sort of SSO implementation as far as I’ve seen, and that’s a problem - SSO makes life so much easier on the user side that it’s more or less essential for most services I intend the server to run.
A further problem I’ve been having is that Docker seems to like to semi-regularly corrupt or screw up the configs/userdbs from various containers. I can manually back these things up but that’s a lot of extra effort, so I’m looking to automate it. I’ve attempted to troubleshoot this for ages, and I’m not really making progress. I’m not currently looking for a solution to that, but I am certainly seeking to band-aid it at this point, at least for now.
As a result, I have three interrelated questions. The questions:
What’s my best way to implement SSO for the server as a whole, including each / nearly each service within it?
I can replace things here and there, and that’s fine for most things. For some services, such as Jellyfin for example, there are no open source alternatives. With privacy being a priority, closed-source is a terrible idea!
What can I do to go from individual dbs/configs to integrating that into a much smaller list (I’m thinking “normal” stuff and “security-sensitive” stuff as my groups here) and how can I easily automate a backup for that smaller list of files/dirs/dbs?
I’m not finding any sort of genericizable db management tutorials for Docker online, most of the stuff is specific to x or y service in a way I can’t parse through to use with anything, and I’m really not sure what my simplest and easiest backup solution for this is as well.
And lastly, what is the deal with internal vs. external volumes?
I’ve received conflicting advice here and would appreciate some sort of authoritative answer. Obviously some things need to be external (content library dirs come to mind) for automation and ease of maintenance. At the same time though, I keep being told that “docker is unreliable at handling [internal/external] volumes” as the likely cause of my config/db corruption issue.
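The backup and volume questions above come down to the same practical pattern, so here is an added example (not from the original post or any of the projects it names) of how a practitioner typically handles it: keep the large content libraries and the small, security-sensitive config/db directories on the host as bind mounts or named volumes, then archive that short list on a schedule into dated, checksummed tarballs. The paths, the `BACKUP_ROOT` value and the `alpine` helper image are assumptions for illustration. The one caveat that matters for the corruption symptom described is consistency: a SQLite file copied while its container is writing to it can come out inconsistent, so stop the service (or at least the container) before archiving its config directory.

```shell
#!/bin/sh
# Added example, not part of the original post. Archives a short list of
# bind-mounted config/db directories (and optionally Docker named volumes)
# into dated tarballs with a SHA-256 manifest so a restore can be verified.
set -eu

# Hypothetical placeholders: adjust to the real host layout.
BACKUP_ROOT=${BACKUP_ROOT:-/srv/backups}

# Archive one host directory into $2/<name>-<utc stamp>.tar.gz and append
# its SHA-256 to $2/SHA256SUMS. Prints the archive path on stdout.
backup_dir() {
    src=$1
    dest=$2
    name=$(basename "$src")
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    mkdir -p "$dest"
    archive="$dest/$name-$stamp.tar.gz"
    # -C keeps the archive relative to the parent, not the host's absolute layout
    tar -czf "$archive" -C "$(dirname "$src")" "$name"
    ( cd "$dest" && sha256sum "$(basename "$archive")" >> SHA256SUMS )
    printf '%s\n' "$archive"
}

# Archive a Docker *named* volume by mounting it read-only into a throwaway
# container and running tar there. Needs the docker CLI; the alpine image is
# an assumption, any image with tar works. Stop the owning container first
# (e.g. "docker compose stop <service>") so databases are quiescent.
backup_named_volume() {
    vol=$1
    dest=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    mkdir -p "$dest"
    docker run --rm -v "$vol:/src:ro" -v "$dest:/dst" alpine \
        tar -czf "/dst/$vol-$stamp.tar.gz" -C /src .
    ( cd "$dest" && sha256sum "$vol-$stamp.tar.gz" >> SHA256SUMS )
}

# Re-check every archive against the manifest; non-zero exit on any mismatch,
# which is the signal that a backup copy was itself corrupted or tampered with.
verify_backups() {
    ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null )
}

# Example wiring (hypothetical paths): two tiers, so the sensitive tier can
# get tighter permissions and a different retention policy than the rest.
run_all() {
    for d in /srv/appdata/bitwarden /srv/appdata/keycloak; do
        backup_dir "$d" "$BACKUP_ROOT/sensitive" >/dev/null
    done
    for d in /srv/appdata/jellyfin /srv/appdata/komga /srv/appdata/trilium; do
        backup_dir "$d" "$BACKUP_ROOT/normal" >/dev/null
    done
    chmod -R o-rwx "$BACKUP_ROOT/sensitive"
    verify_backups "$BACKUP_ROOT/sensitive" && verify_backups "$BACKUP_ROOT/normal"
}
```

Run `run_all` from cron (or a systemd timer) after a `docker compose stop` of the relevant services and a `docker compose start` afterwards; the manifest check is what tells you a restore will actually work before you need it.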