TrueNAS-Compose | Your Docker Stacks for TrueNAS Scale

I think the issue is in the “stateless” mode of your router’s DHCPv6 server… :roll_eyes:

PS: You can set pihole’s IP address as your DNS server in your android phone and disable IPv6 on your Windows and Ubuntu systems… :roll_eyes:

Best regards,
PapaGigas

1 Like

Ehh, yeah. I don’t like this router.
I’ll see if I convince the rest of the flat to find a replacement at some point…

If I set the DNS of my phone to Pihole, won’t that be an issue if I’m in my mobile data or in another Wifi network?
I mean, in the future I’ll hopefully be able to solve that with Tailscale, but for now.

And I’m mostly asking in order to check my understanding.

IP settings on android are set per network (it will only affect the network that you’ve changed)…

Don’t worry! :wink:

Best regards,
PapaGigas

#install - DNS-DHCP

40 Open Portainer’s Web interface […]

Do you mean Dockge’s web interface or is Portainer correct? I ask, because so far I’ve been dealing with Dockerge, and I was surprised to now change to Portainer.

Yes, it’s correct! :slight_smile:

Dockge is used to manage the Docker stacks and Portainer to manage the Docker containers, etc… :wink:

Best regards,
PapaGigas

1 Like

I feel like day in day out I’m here occupying your time XD

Got a couple of questions/mentions.

.

Docker Stack: (6) Tailnet requires “Admin”, “DNS-DHCP”, “Rev-Proxy”. When going to “Rev-Proxy” it also needs “Net-Admin”. When you select a Docker Stack, I would appreciate knowing all the requires, including sub-requires (if that is easily implemented).

.

Replace ‘[email protected]’ with your Cloudflare’s email address

My first reaction was “ahhhhhhahhhhhhahhhhhhahhhhh” - I need what?!? how tf am I going to get that? Cloudflare? Making them give me an account?!? lol, in a week of Sundays.
Maybe a bit exaggerated, and I don’t know how others would react.
Maybe add a comment in the lines of: “if you don’t have an account, don’t worry, you can get one here: https://dash.cloudflare.com/sign-up”

.

echo $(htpasswd -nB admin) | sed -e s/$/$$/g

A couple of questions to this one:

  • Does it use the password of the Kali installation as a seed or the string “admin”? Because in the second case… ehm, idk. But in the first case, I’d like there to be a comment when setting up Kali that this really should be changed to something secure - because it will later be also used for something facing the internet, not only for some internal tool.
  • Why double up any “$”? If I understood it correctly htpasswd -B does basically a hash, but more fancy. Does the doubling of “$” work as a way to make reversing the hash impossible (as long as no one knows the doubling trick? - security through obscurity?)

Generally a comment would be nice, something like “This uses [the password of Kali] in order to create a secure password. This needs to be this long, because of X. The first part hashes [the password of Kali], the second part doubles the “$”.”

When it comes to being told to do password “generation” I always feel more secure when I’m told the “hows” and “whys”, because anything that sounds/looks like Voodoo could be done in order to make it easily breakable. - But maybe that’s just me.

.

Edit:
Ok, I’ve been wondering for a while now, what I do with the home.arpa “domain”, as I don’t want to set up that thing, as it’s not my domain. I understand now that it is non-unique in residential home networks and basically should be made to never leak out.

What I don’t understand is why I’m involving Cloudflare here.
1.1.1.1 is (afaik) “by” cloudflare, but the DNS lookup is… doesn’t need an account (afaik).
I wanted to set up the tailnet so I don’t ever have to think about having to deal with public facing IP addresses or similar things. What exactly do I need a tunnel to Cloudflare for?

I’ve been following the steps on creating the API token… because I’ve been reading things on acme, cloudflare, LetsEncrypt and such… And I didn’t understand much, but thought, “ok, maybe I need that to get SSL or something like that to work when I want to connect to my truenas instance from outside my network via tailscale or something.”

But for the tunnel token via the link in the documentation cloudflare wants my credit card information (and address and stuff) for the free plan. Meanwhile I’m being quite unsure if that is what I want/need at all.

This is probably not a question that can/needs to be answered in the guide, but something that I’m wondering and would like to understand.

Edit 2:
I have no idea what kind of API token I generated … I basically set everything to “ok, I guess” or “allow… all?” - which is kinda the same I’m doing rn trying again with the tunnel token.
Again, I assume what those are, do or how to set them up would probably exceed the scope of this guide. But maybe a link to where to best get that information, maybe a blog post you found helpful or sthg… might be useful.

1 Like

I’ll apply those changes to the guide ASAP… once again thanks for your feedback! :wink:

Best regards,
PapaGigas

1 Like

I think I just managed the cloudflare tunnel… without a credit card. \o/

Just hoping it does work. Had to run sudo docker run cloudflare/[...] tunnel --[...] bbuuuttt… I can hopefully now continue. It’s been a fun ride XD

.

Edit: (so I don’t have to spam replies)

I “learned” more about htpasswd -nB. It returns sthg. like username:$2y$<salt>$<hash>. So I guess the doubling of the $-signs is predominantly to make it easier to see which part is the hash. In your example though it also puts in the $$2y$$05$$. Shouldn’t only the bit after that be used, or am I misunderstanding something here?
Also, I understand that the |sed -e s/\$/\$\$/g ought to take any “$” in the output of the htpasswd and replace it with “$$” … but when I type that in… it seems to just add “$$” at the end of the output. The beginning only has single “$”.

If only the <hash> part of the output should be used as the TRAEFIK_PASSWORD, may I suggest changing the comment to

Copy and paste the generated secure password (the italic part starting at ‘$$’) into the .env file where it says:
TRAEFIK_PASSWORD=$$2y$$05$$6UmMkA88gn5ndU8m1iHwbebfFs7Huc9cY6iIQDuceRNOdSM.Ji3uG # The default password is: admin

1 Like

I’m sorry but I got the flu and I’m not in the mood to be looking at screens right now. :face_with_thermometer:

But I’ll try to solve everything over the weekend, ok? :wink:

Best regards,
PapaGigas

1 Like

Don’t worry and get better mate!

I’ll do my best to work through the steps further, and will post further questions and suggestions when they come up.

1 Like

:warning: WARNING: I’ve removed the “int” subdomain from the guide! :warning:

I’ve added Cloudflare’s tunnel configuration to REV-PROXY stack installation instructions. :wink:

PS: I’ll take care of Cloudflare’s API configuration ASAP! :roll_eyes:

Best regards,
PapaGigas

1 Like

I had written a couple of notes (so I wouldn’t forget my comments till when I’d message in here again), and one of the points was:

The way the Tailscale keygen guide is set up is wonderful. If that were possible for the cloudscale ones… that would be awesome!

Soo… haven’t checked yet, but I think I can tick that off the list :smiley:

For me the whole cloudflare tunnel thing isn’t working still… instead of “active” the “rev-proxy” only shows a “?” in Dockge.
I’ll try to re-do it with the new guide and let you know.

As I don’t really know what the int subdomain does… I’m not that worried about it.

.

(6) Tailnet 19, a comment that the code to be copied should be placed where it says “tagOwners”, but commented out would be helpful. I had put it in the "acls": [ part, and it of course complained. - Or maybe that’s just a weird me issue. XD
(6) Tailnet 22, key generation, “Preapproved: yes” does not seem to be an option.
(6) Tailnet 35, There does not seem to be a “save”
(6) Tailnet 38 f. “DNS > Records” does not seem to be an option. But I guess that’s more because they broke something in their dashboard, because when you try to navigate there over their page-search thing, the link that it sends you to is also a kind of “internal 404” page.

.

I hope you get well soon, mate!

  • J
1 Like

Now instead of https://service.int.home.arpa you access the Docker services via https://service.home.arpa ( or https://service.ts.home.arpa for tailscale). :roll_eyes:

PS: I’ve also finished the API configuration, I think REV-PROXY stack is now complete. :wink:

Best regards,
PapaGigas

1 Like

Can you please check and see if there’s any issues with REV-PROXY? :roll_eyes:

PS: I’ll take care of the rest ASAP! :wink:

Best regards,
PapaGigas

1 Like

My problem is that you still clearly say that one needs a “public” domain. And although I have been considering getting one, I am… not going to do that tonight. Choosing a registrar (the TLD I’d want isn’t available on Cloudflare), selecting all the “addons” I might want and actually use and so on.

Could you explain why that seems necessary for rev-proxy?

Oh, and 37&38 still say “work in progress”, even after a reload just now. Did you write and just not update it, or is that actually still work in progress?

1 Like

Use “CTRL + F5” to refresh the page… that’s probably using the Browser’s cache! :wink:

Best regards,
PapaGigas

1 Like

To get valid SSL certificates for your Docker services! :wink:

Best regards,
PapaGigas

1 Like

Please correct me when I’m wrong, because this is some half-remembered stuff I half-learned some time ago.

  • SSL certificates are something you can create yourself whenever wherever.
  • Most browsers/devices/applications will not accept these certificates, because they can be used to encrypt something, but they cannot be used to prove that Alice is Alice or Bob is Bob, because anyone could just “make” a certificate claiming they are whoever they want.
  • in order for these certificates to be widely accepted there needs to be a trusted 3rd party (like cloudflare/letsencrypt), to whom Alice and Bob independently prove they are Alice and Bob, so they then get the private key. Anyone who then wants to check if someone claiming to be Alice is Alice can go to cloudflare, ask them for the public key that is associated with Alice, use that to encrypt something, send that to “claimed-Alice” and know it really is her, if she can send the decrypted “something” back.

.

  • But as long as only I and people I know personally (and can communicate with securely) use this infrastructure, I could generate an SSL certificate myself, give the private key to some instance in Docker and install the public key on any device I want to use with my TrueNAS instance.

Or is there a logic error somewhere in there?

PS: yes, ctrl+F5 worked… I didn’t think about that.
PPS: I did manage to set up a cloudflare 0 trust tunnel without choosing a plan and without giving them a credit card. Don’t ask me exactly how I did it… but I did :wink:


It was also up… for a very short time last night… again, don’t ask me how^^

Edit:
(5) rev-proxy, 34 the htpasswd thing doesn’t have further explanations still. If I changed the username to something else, should I replace “admin” in the command? If I have set another password than “admin”, should I put that in? Which part does it actually use for the output? (- so I know which parts are important to keep consistent and/or change. Because if it just gives “admin” but in hashed out… that still isn’t a really good password.)
Which part needs to actually be copied into the .env? Are the $$2y$$05$$ important to keep there to tell traefik the hash and XXX that were used?

.

Also, I know the sed -e s/\$/\$\$/g code is good. I tested it with echoing strings and all that jazz, but when I run the whole thing, even when I first output the echoed htpasswd and then | sed that, it doesn’t give me the password in the form you have as an example. Not sure why, but I assume the $-signs are considered […] and not “strings”. But some playing around with \ didn’t really do anything.
I don’t know what to say. I mean, if the $$2y$$05$$ form is important I can just manually change that, but if it is… I don’t think that’s good advice to give others. Also, could you try to recreate that issue? - Also also… that is why I was asking about the parts and reasons for that. If I know these kinds of things, I can try to circumvent the cursed-ness of my stuff.

1 Like
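The “$$” question comes up three times above (the original htpasswd line, the “it only appends $$ at the end” observation, and the “which part goes into the .env” question). Here is an added example, not code from the guide or from either poster, that shows what the doubling is for and why the unquoted sed form misbehaves: Docker Compose interpolates `$VAR` in `.env` and compose files, so a literal dollar sign has to be written as `$$`; it has nothing to do with hash strength. It assumes, as the thread’s example `.env` line suggests, that only the hash (without the `admin:` prefix) is stored in `TRAEFIK_PASSWORD`, and it uses that example hash as constructed input so it runs without htpasswd installed.

```shell
#!/bin/sh
# Added example: escaping a bcrypt hash from `htpasswd -nB` for a Compose .env.
# Compose treats "$2y" in a value as a variable reference, so every literal
# '$' must become '$$'. The "$2y$05$" prefix is the bcrypt algorithm id and
# cost, followed by a 22-char salt and a 31-char hash; all of it must be kept,
# because the verifier needs the cost and salt to re-hash a login attempt.

# Constructed sample: the hash part of the thread's example .env line
# (assumed here to be what "htpasswd -nB admin" printed after "admin:").
SAMPLE_HASH='$2y$05$6UmMkA88gn5ndU8m1iHwbebfFs7Huc9cY6iIQDuceRNOdSM.Ji3uG'

# Correct form: single quotes keep "\$" away from the shell, so sed receives
# s/\$/\$\$/g and replaces every literal '$' with '$$'.
escape_for_compose() {
    printf '%s\n' "$1" | sed 's/\$/\$\$/g'
}

# The unquoted form from the thread: the shell strips the backslashes, sed
# receives s/$/$$/g, and a bare '$' in a regex is the end-of-line anchor, so
# the only effect is two dollar signs appended to the end of the line.
escape_unquoted_broken() {
    printf '%s\n' "$1" | sed -e s/\$/\$\$/g
}

# Drop the "user:" prefix that htpasswd -n prints, keeping only the hash,
# for a compose file that supplies the user name itself (assumption).
hash_only() {
    printf '%s\n' "$1" | sed 's/^[^:]*://'
}

# Build the .env line from a full "user:hash" line as htpasswd -nB prints it.
env_line_for() {
    printf 'TRAEFIK_PASSWORD=%s\n' "$(hash_only "$1" | sed 's/\$/\$\$/g')"
}

# Demo when run directly (mimics the htpasswd output without needing htpasswd).
env_line_for "admin:$SAMPLE_HASH"
```

With htpasswd available the same pipeline is `htpasswd -nB admin | sed 's/^[^:]*://' | sed 's/\$/\$\$/g'`; the password typed at the prompt is what the hash protects, so it, not the "admin" user name, is what should be chosen carefully.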

Yes, you can generate self-signed SSL certificates and add them to your trusted root authorities… but you need to do that for every certificate in every device/application. :roll_eyes:

It’s much easier to register a domain name and generate valid SSL certificates for everything all at once! :wink:

Best regards,
PapaGigas

1 Like

I mean… how many certificates do I really need? If I were to use Tailscale and tell everything else to only be available over the local network, that would be one? - or is there a big logical flaw in there?

How many certificates are created automagically in your approach? one for every stack in Portainer? More?

1 Like