AnonymousDeity

AnonymousDeity, 9 months ago

Hey they promised to cut the PST though! That 1% buys me uh… uhhhhh… a whole extra coffee every so often!

AnonymousDeity, 9 months ago

Yea let’s just give a vulnerable population a free trial of a gambling addiction lol

AnonymousDeity, 10 months ago

I’m from small town VT just across the river, and while that hasn’t been my personal experience I absolutely have known people who have had that experience. Small town USA is unbelievably messed up, but everyone likes to act like its only in the cities. Felt like half my town was Section 8, and an actual full 10th of the population was from the county jail on furlough. Since I’ve left, violent crime/murder rate has gone up a lot and heavy drug use is rampant.

I’m sorry dude.

AnonymousDeity, 10 months ago (edited 10 months ago)

But, the connection is unsecured over HTTP. I’d like to take it a step further in order to make the connections go over HTTPS.

Why? You’re already VPN’d into a machine you control via tailscale. Protecting the specific application TCP traffic with TLS is kind of redundant at that point. If you really care, just use nginx not Caddy because this will never work using Tailscale DNS, self sign a cert for your Tailscale domain and use nginx to serve traffic on the Tailscale network device.

Also, use docker compose. This will feed DNS records into the containers’ /etc/hosts file as well as put the containers on their own network so the main containers won’t be exposed directly, only caddy.

docker-compose.yml

<span style="color:#323232;">version: "3.4"
</span><span style="color:#323232;">services:
</span><span style="color:#323232;">  caddy:
</span><span style="color:#323232;">    container_name: caddy
</span><span style="color:#323232;">    image: ghcr.io/authp/authp:latest  # I use authp for OAuth authentication instead of VPN-only access
</span><span style="color:#323232;">    restart: unless-stopped
</span><span style="color:#323232;">    ports:
</span><span style="color:#323232;">      - 443:443
</span><span style="color:#323232;">      - 443:443/udp
</span><span style="color:#323232;">      - 80:80
</span><span style="color:#323232;">    volumes:
</span><span style="color:#323232;">      - ${ROOT}/config/caddy/Caddyfile:/etc/caddy/Caddyfile
</span><span style="color:#323232;">      - ${ROOT}/config/caddy/data:/data/
</span><span style="color:#323232;">    dns:
</span><span style="color:#323232;">      - 1.1.1.1  # set these to your local DNS if you have one, I run pihole
</span><span style="color:#323232;">      - 8.8.8.8
</span><span style="color:#323232;">      - 8.8.4.4
</span><span style="color:#323232;">  whoami:
</span><span style="color:#323232;">    container_name: whoami
</span><span style="color:#323232;">    depends_on:
</span><span style="color:#323232;">      - caddy
</span><span style="color:#323232;">    image: containous/whoami
</span><span style="color:#323232;">    restart: unless-stopped
</span>

Caddyfile

<span style="color:#323232;">{
</span><span style="color:#323232;">	http_port 80
</span><span style="color:#323232;">	https_port 443
</span><span style="color:#323232;">}
</span><span style="color:#323232;">
</span><span style="color:#323232;">whoami.example.com{
</span><span style="color:#323232;">    reverse_proxy whoami:80
</span><span style="color:#323232;">}
</span>

As you can see the Caddyfile directs the Caddy container to reverse proxy whoami.example.com to http://whoami:80, which uses the /etc/hosts entry that docker-compose inserts for whoami to the whoami container’s Docker IP address. In this scheme, only Caddy needs to have a port listening on the host machine. Assuming Caddy can access your tailscale network, this will work - for that. (although I worry that Tailscale mounts the network device as a unix socket, which may complicate matters - I ran into this when trying some bullshit with nginx/openresty)

The issue that you’re having in your logs is that you’re trying to get Caddy to get a TLS cert for machine.domain.ts.net, which will never work, because machine.domain.ts.net is not a globally recognized DNS record - it’s a split zone DNS for within the Tailscale network exclusively. LetsEncrypt needs to be able to prove you own machine.domain.ts.net in order to issue a cert for it, meaning it needs to be able to resolve the domain and chat with Caddy. Since LetsEncrypt isn’t on your Tailscale network, it cannot do this.

AnonymousDeity, 10 months ago (edited 10 months ago)

I read your comment in more detail, you’re going down the wrong path. What you’re looking for cannot function the way you want the way you want to achieve it, and may not even make sense to want. I am wrong, I didn’t realize Caddy could just serve their cert over the socket. What user is the caddy process on your VM being run as?

If you want to use Tailscale DNS, you can use their TLS cert (assuming it gives a valid cert for machine.domain.ts.net) and just reverse proxy HTTP traffic with nginx on the VPS/VM (assuming nginx can listen on their network device. I’ve fought with that with openresty before, but that may be because I was trying to host it in another docker container lol).

AnonymousDeity, 10 months ago

{“level”:“error”,“ts”:1691499478.2793655,“logger”:“tls.handshake”,“msg”:“getting certificate from external certificate manager”,“remote_ip”:“100

.125.48.40”,“remote_port”:“60140”,“sni”:“machine.domain.ts.net”,“cert_manager”:0,“error”:“Get "local-tailscaled.sock/localapi/v0/…/vaulty.tail

a5148.ts.net?type=pair": dial unix /var/run/tailscale/tailscaled.sock: connect: no such file or directory”}

This is your main issue - looks like Caddy can’t access the tailscale socket in order to serve their TLS cert. check you’re running caddy>2.5, check the socket exists and check the user running the caddy process has access to it. docs

Are you running Caddy with docker?

AnonymousDeity, 10 months ago

nginx just has a lower barrier to entry (imo) if you’re not looking to sign your own certs. Caddy is great for that.

That said, I didn’t know Caddy had a beta feature for serving Tailscale certs automatically. So I incorrectly thought you were barking up the completely wrong tree, which you apparently are not. I’ll look at your tech details more.

AnonymousDeity, 10 months ago

ah, yeah, that’s why. You need to mount the unix socket into Caddy’s container as a volume. Docker uses overlayfs by default to create a layered filesystem, and then launches a distinct user, process, network, etc. namespace for the container’s process, which is why everything is isolated inside the container. You’ll need to make sure the unix socket is available to Caddy’s process inside the container, so you’ll have to mount it using -v or the volume key in the yaml.

sudo is actually entirely unnecessary with Docker, because most containers will run as the container’s root. Part of containers having their own user and process namespace means their root user is not your root user (technically we can have a debate about semantics for overlayfs and mounted files), and almost all images will ship with the default user as their root. Therefore, almost all processes will be “run as root” from within their container by default, meaning sudo does nothing except elevate the perms for the user calling docker. It would really only get around an issue with your user account not having access to docker or the docker daemon (also via socket btw). That said, because of the user namespace thing, running sudo docker run or sudo docker compose up doesn’t actually guarantee the process in the container is run as root… just that the container was created as root with perms over the host’s system.

The important part is that Caddy inside the container will be run by a user that has permissions over the mounted socket.

AnonymousDeity, 11 months ago

I mean I’m sure Lemmy’s server process is stateless, I’m sure it could use CloudRun/ECS pretty efficiently and that wouldn’t really require a rewrite.

AnonymousDeity, 11 months ago

… you’re the one that invented the “chaser” angle though, speculation you “felt” was true with no real basis for that. The commentor was genuinely not being transphobic, nor did they “group” post op and pre op as “the same”. Those two groups of people made it onto their list of “people I could be attracted to” when they were directly asked if those two groups were physically attractive to them. Please stop inventing drama, that commentor doesn’t deserve to be witch hunted across unrelated threads.

Fuck transphobes tho. Trans rights are human rights.

AnonymousDeity, 11 months ago

they’ll what now?

AnonymousDeity, 11 months ago

Every day we stray further from gods light

AnonymousDeity, 11 months ago

it’s a meme you dip

AnonymousDeity, 11 months ago

bruh

you don’t need to evangelize your lack of a religion to me. Evangelicals are so annoying.

AnonymousDeity, 11 months ago

Oh I’m quite aware, all Abrahamic religions have the same base of messed up morality. I’m not religious. I just find the sort of militant atheist that would make a point of “fiction” annoying.

AnonymousDeity, 11 months ago

Yes, the old testament has some ethically bad things in it, all Abrahamic religions share that. I’m also atheist. I just don’t make a point of commenting “fictional character” on a meme that happens to use the word “god”, not even capitalized lmao. Perhaps you aren’t aware of how much of a militant atheist you come off as. Out of curiosity, have you ever put the bible in the fiction section?

I would never read an innocuous meme comment condemning slavery and think “ah yes, time to make a point about religion being fake and bad”.