2·
23 days agoNo Problem!
If you want to fix the issue: That seems like the hostname for one of the databases is wrongly set in the environment file, the hostname of containers is the same as the container name which can be read using podman ps.
- 0 Posts
- 14 Comments
Joined 2 years ago
Cake day: June 30th, 2023
You are not logged in. If you use a Fediverse account that is able to follow users, you can follow this user.
Sure, I set it up in nixos though this is the short form of that:
spoiler
- Install Podman and passt + slirp4netns for networking
- Setup subuid and subgid
usermod --add-subuids 100000-165535 --add-subgids 100000-165535 johndoe - I’m using quadlet’s so we need to create those: $HOME/.config/containers/systemd/immich-database.container
[Unit] Description=Immich Database Requires=immich-redis.service immich-network.service [Container] AutoUpdate=registry EnvironmentFile=${immich-config} # add your environment variables file here Image=registry.hub.docker.com/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0 # hash from the official docker-compose, has to be updated from time to time Label=registry Pull=newer # update to newest image, though this image is specified by hash and will never update to another version unless the hash is changed Network=immich.network # attach to the podman network UserNS=keep-id:uid=999,gid=999 # This makes uid 999 and gid 999 map to the user running the service, this is so that you can access the files in the volume without any special handling otherwise root would map to your uid and the uid 999 would map to some very high uid that you can't access without podman - This modifies the image at runtime and may make the systemd service timeout, maybe increase the timeout on low-powered machines Volume=/srv/services/immich/database:/var/lib/postgresql/data # Database persistance Volume=/etc/localtime:/etc/localtime:ro # timezone info Exec=postgres -c shared_preload_libraries=vectors.so -c 'search_path="$user", public, vectors' -c logging_collector=on -c max_wal_size=2GB -c shared_buffers=512MB -c wal_compression=on # also part of official docker-compose.....last time i checked anyways [Service] Restart=always$HOME/.config/containers/systemd/immich-ml.container
[Unit] Description=Immich Machine Learning Requires=immich-redis.service immich-database.service immich-network.service [Container] AutoUpdate=registry EnvironmentFile=${immich-config} #same config as above Image=ghcr.io/immich-app/immich-machine-learning:release Label=registry Pull=newer # auto update on startup Network=immich.network Volume=/srv/services/immich/ml-cache:/cache # machine learning cache Volume=/etc/localtime:/etc/localtime:ro [Service] Restart=always$HOME/.config/containers/systemd/immich.network
[Unit] Description=Immich network [Network] DNS=8.8.8.8 Label=app=immich $HOME/.config/containers/systemd/immich-redis.container [Unit] Description=Immich Redis Requires=immich-network.service [Container] AutoUpdate=registry Image=registry.hub.docker.com/library/redis:6.2-alpine@sha256:eaba718fecd1196d88533de7ba49bf903ad33664a92debb24660a922ecd9cac8 # should probably change this to valkey.... Label=registry Pull=newer # auto update on startup Network=immich.network Timezone=Europe/Berlin [Service] Restart=always$HOME/.config/containers/systemd/immich-server.container
[Unit] Description=Immich Server Requires=immich-redis.service immich-database.service immich-network.service immich-ml.service [Container] AutoUpdate=registry EnvironmentFile=${immich-config} #same config as above Image=ghcr.io/immich-app/immich-server:release Label=registry Pull=newer # auto update on startup Network=immich.network PublishPort=127.0.0.1:2283:2283 Volume=/srv/services/immich/upload:/usr/src/app/upload # i think you can put images here to import, though i never used it Volume=/etc/localtime:/etc/localtime:ro # timezone info Volume=/srv/services/immich/library:/imageLibrary # here the images are stored once imported [Service] Restart=always [Install] WantedBy=multi-user.target default.target- systemctl --user daemon-reload
- systemctl --user enable --now immich-server.service
- enable linger so systemd user services run even if the user is logged of
loginctl enable-linger $USER - Setup a reverse proxy like caddy so you can make access to it simple like immich.mini-pc.localnet
Can confirm, works without problems in rootless podman.
1·1 month agoSomethign I haven’t seen mentioned yet is clevis and tang, basically if you have more than one server then they can unlock each other and if they’re spatially separated then it is very unlikely they get stolen at the same time.
Though you have to make sure it stops working when a server get stolen, using a mesh VPN works just as well after the server is stolen so either use public IPS and a VPN or use a hidden raspberry pi that is unlikely to be stolen or make the other server stop tang after the first one is stolen.
The emails are unencrypted, emails in transit are in transit between the e-mail servers and relays and use secure tls channels.
They are only encrypted from your phone/notebook/browser to the server, then when send they will be encrypted till the next server.Every server/relay first decrypts everything send to it, because it has to due to the TLS terminating at each server.
See also your source:
Transport Encryption: This form of encryption is used to secure your emails while they are transmitted over the internet. Most of today’s email services, including Gmail, employ transport layer security (TLS) to protect emails in transit. While it encrypts emails between servers, it doesn’t protect the content once it reaches the recipient’s inbox.1
In practical terms, Your e-mail server, your e-mail servers relay (if it has any) and your recipients relay server/server can all read your email unless
End-to-End Encryption (E2EE): E2EE takes encryption a step further. It ensures that only the sender and the recipient can decrypt and read the emails. Even the email service provider cannot access the contents of the email. E2EE is typically achieved through third-party encryption tools or services.1
Which takes active effort from both the sender and the recipient to make work - it’s almost only possible with people you know and little else.
1 https://umatechnology.org/gmails-new-encryption-can-make-email-safer-heres-why-you-should-use-it/
You can use caddy-l4 to redirect some traffic before (or after) tls and to different ports and hosts depending on FQDN.
Though that is still experimental.
Only thing I can comment on is that 99% of all E-Mails you will get are unencrypted and can be read by your relay. (There are few e2e encrypted emails being send.)
So either trust them or don’t use a relay.
Step 1: Get write access to the project you dislike.
From the mailing list I’m reading that kernel maintainers have heard a few companies looking for something like this, so yes?
Edit:
However, to be clear, the Hornet LSM proposed here seems very reasonable to me and I would have no conceptual objections to merging it upstream. Based on off-list discussions I believe there is a lot of demand for something like this, and I believe many people will be happy to have BPF signature verification in-tree.
Preventing kernel modifications to expand upon the work done for kernel lockdown. Add additional layers to system security.
Kernel_lockdown:
prevent both direct and indirect access to a running kernel image, attempting to protect against unauthorized modification of the kernel image and to prevent access to security and cryptographic data located in kernel memory, […]
I recommend switching to NixOS only after you have a basic but broad understanding of Linux, many things in NixOS are more complicated than in “normal” Linux, which is needed to archive what it does, but is overwhelming for someone who doesn’t know the what and why and where that using Linux brings.
Yeah it works great and is very secure but every time I create a new service it’s a lot of copy paste boilerplate, maybe I’ll put most of that into a nix function at some point but until then here’s an example n8n config, as loaded from the main nixos file.
I wrote this last night for testing purposes and just added comments, the config works but n8n uses sqlite and probably needs some other stuff that I hadn’t had a chance to use yet so keep that in mind.
Podman support in home-manager is also really new and doesn’t support pods (multiple containers, one loopback) and some other stuff yet, most of it can be compensated with the extraarguments but before this existed I used pure file definitions to write quadlet/systemd configs which was even more boilerplate but also mostly copypasta.Gaze into the boilerplate
{ config, pkgs, lib, ... }: { users.users.n8n = { # calculate sub{u,g}id using uid subUidRanges = [{ startUid = 100000+65536*( config.users.users.n8n.uid - 999); count = 65536; }]; subGidRanges = [{ startGid = 100000+65536*( config.users.users.n8n.uid - 999); count = 65536; }]; isNormalUser = true; linger = true; # start user services on system start, fist time start after `nixos-switch` still has to be done manually for some reason though openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys; # allows the ssh keys that can login as root to login as this user too }; home-manager.users.n8n = { pkgs, ... }: let dir = config.users.users.n8n.home; data-dir = "${dir}/${config.users.users.n8n.name}-data"; # defines the path "/home/n8n/n8n-data" using evaluated home paths, could probably remove a lot of redundant n8n definitions.... in { home.stateVersion = "24.11"; systemd.user.tmpfiles.rules = let folders = [ "${data-dir}" #"${data-dir}/data-volume-name-one" ]; formated_folders = map (folder: "d ${folder} - - - -") folders; # a function that takes a path string and formats it for systemd tmpfiles such that they get created as folders in formated_folders; services.podman = { enable = true; containers = { n8n-app = { # define a container, service name is "podman-n8n-app.service" in case you need to make multiple containers depend and run after each other image = "docker.n8n.io/n8nio/n8n"; ports = [ "${config.local.users.users.n8n.listenIp}:${toString config.local.users.users.n8n.listenPort}:5678" # I'm using a self defined option to keep track of all ports and uids in a seperate file, these values just map to "127.0.0.1:30023:5678", a caddy does a reverse proxy there with the same option as the port. ]; volumes = [ "${data-dir}:/home/node/.n8n" # the folder we created above ]; userNS = "keep-id:uid=1000,gid=1000"; # n8n stores files as non-root inside the container so they end up as some high uid outside and the user which runs these containers can't read it because of that. This maps the user 1000 inside the container to the uid of the user that's running podman. Takes a lot of time to generate the podman image for a first run though so make sure systemd doesn't time out environment = { # MYHORSE = "amazing"; }; # there's also an environmentfile option for secret management, which works with sops if you set the owner of the secret/secret template extraPodmanArgs = [ "--pull=newer" # always pull newer images when starting, I could make this declaritive but I haven't found a good way to automagically update the container hashes in my nix config at the push of a button. ]; # few more options exist that I didn't need here }; }; }; }; }
I use podman using home-manager configs, I could run the services natively but currently I have a user for each service that runs the podman containers. This way each service is securely isolated from each other and the rest of the system. Maybe if/when NixOS supports good selinux rules I’ll switch back to running it native.
Tldr:
Rootful podman with
podman run --userns=autois more secure than one rootless host user running many pods, because those pods could (theoretically) attack each other.though you still have the possibility of an exploit in the image pull
Rootless podman running one pod (as in service including database and so on) per host user with different subuid Ranges is the most secure, but you have to actually set that up which can be a lot of work depending on distribution.