In my adventure to add centralized authentication to a portion of my infrastructure, I decided to add Grafana to my list of apps using LDAP. I have had a Grafana/Influx/Telegraf stack up in my infrastructure for a long time and have no intention of removing it, so its a perfect candidate for this treatment.
While Grafana includes some enterprise features for purchase, we will just be using the free features available. These can be used to setup basic authentication for login, and roles based on LDAP groups. This can provide admin, viewer, and editor capabilities. For my instance, I’ll be focusing on a basic admin user, with all other LDAP logins from my server going to the viewer role.
Continue reading “Grafana LDAP Authentication”
When I initially built the main part of my lab, I wanted to have a Domain Controller for centralized authentication. I decided upon using Univention Corporate Server as my domain controller. I never ended up using it for centralized authentication, though it has been very easy to maintain for a local DNS server to avoid DNS loopback problems with my ISP.
After working with separate accounts on all my services long enough, I decided it would be a good time to move at least some of my core services to use centralized authentication. I spin up and experiment with services often enough that I’ll never have 100% of it centralized, but the frequently used ones can at least be easier to login to without memorizing multiple passwords.
Continue reading “Univention memberOf Attribute Saga”
The Issue: The docker swarm manager node becomes useless after the tasks.db file explodes in size. This can be seen by worker nodes not being able to connect to the swarm, or manager nodes not seeing the other manager.
The Fix: Stop the docker service (service docker stop), delete or move the tasks.db file, start the docker service (service docker start). This seems too simple to be true, but it isn’t, the tasks.db file can be safely removed and regenerated by the docker swarm manager.
I have been looking around for a good VPN solution to use while traveling recently. I have a few services running at home, that I really don’t want on the internet (OctoPrint, general ssh access etc), but I want to use remotely. I also want a way to secure my connection when I don’t trust the network I’m connecting through.
I had previously set up a L2TP Remote user VPN in the UniFi controller, but it had a few issues.
- Instability on android (the VPN wouldn’t even show as ‘disconnected’, it would simply stop)
- Issues when connecting to it from ipv6 cell carriers
I had heard of Wireguard a while ago and have been keeping track of development and their status on integrating with the Linux kernel. It turns out some kind soul has created a deb package to install WireGuard on Vyatta (which is what the USG is based on).
Continue reading “WireGuard on Unifi USG”
One of the first application stacks I went to install and setup on my new Raspberry Pi docker cluster was Inspircd/qwebirc/anope. This stack was running originally on a raspberry pi 1b (256MB RAM version). I wanted to move this off the pi1 since it was out of date and would need a complete reinstall to be back to full patch status. However shortly after getting it running in my swarm, I ran into issues.
The IRC server would restart every few hours, sometimes it would restart every 10 minutes or so. I deemed that as unacceptable on my basic setup even for just using it in development of IRC bots.
Continue reading “Disabling the Aggressive Inspircd Health Check”
I wanted a simple but useful project as my first bit of home automation after getting some CloudFree smart plugs. We have fairy (christmas) lights on our banisters going upstairs that we plug in whenever we want to use them, so why not set them up on the smart plugs and setup an automation to turn them on at night, and turn them off around when we should be going to bed. This seemed like a simple enough project for a first shot at it, and something that we would use.
Continue reading “Automated Stairway Night Lights”
- Stairway lights turn on before sundown
- Stairway lights turn off around bedtime on weekdays
- Stairway lights turn off slightly later on weekends
I’ve wanted to mess about with the whole home automation craze that seems to be going on, but on a fully self-hosted installation (no alexa, no google assistant, my data staying all on my network). After the SelfHosted Podcast mentioned the CloudFree smart plugs, I knew they were the right gear to try out. The smart plugs come from CloudFree which has the plugs pre-flashed with Tasmota.
The quick start guide worked perfectly for the initial setup and getting the smart plugs on my WiFi network. I’ll have that guide below (in case its lost) and continue on with my own instructions for connecting to Home Assistant via MQTT afterwards.
Continue reading “CloudFree Tasmota Smart Plug Setup”
Adding an account to use in authenticating against the LDAP directory is a simple enough. The process is done all within the LDAP directory GUI from the Domain menu option in UCS. Navigate to the “user” container, and select the add button. Select the type of the account to be a “Simple Authentication Account”, pick a username and password and click add.
- Domain -> LDAP Directory
- User Container, Add
- Type: Simple Authentication Account
- Username: my-new-auth-account
- Click Add
This user account can now be used in a service to authenticate against the LDAP server.
Continue reading “Adding UCS Authentication Account”
I encountered some issues when connecting Anope and Inspircd on the docker swarm. When running them on a single node using docker-compose, the services were able to connect just fine to Inspircd, however running in a docker swarm, there were issues in how Inspircd was filtering IPs in the default services XML block.
In order for Inspircd and Anope to talk I had to comment out some of the link block for the services. The allowmask and expected IP address didn’t quite work as intended inside the docker swarm cluster. Since the containers use a local network available to only them, I’m not worried about a rogue services server getting in. This IRC server is also primarily used for developing and testing the IRC bots I have written over the years, so its not a core part of my infrastructure. Below shows the link block that I modified from the default included in the inspircd docker container setup.
Continue reading “Connecting Inspircd and Anope on Docker-Swarm”
Back when I setup my webserver to run wordpress and dokuwiki, all the guides that I found and the guides that I followed had apache get setup with mod_php. However, after seeing this ArsTechnica WordPress Writeup, I realized that this might not have been the best way to get things going. I decided that this would be a good time to upgrade some of my webserver, so I started working on it, while my server was already setup, and the guide was on setting up a new server, the process is nearly identical, the only differences is that I had to disable/enable modules in a certain order for everything to work.
Continue reading “Apache/PHP Update”