Background

I have not yet gotten around to writing a proper description of what I am running at home these days, but now I am having a brief unscheduled interlude to rant about how modern software is configured and deployed, and how it applies to hobbyist or not so enterprise setups.

Example software of note in my home

This list isn’t comprehensive, but I am trying to get to a point by picking a few examples from my home setup, roughly in the order of their appearance in the environment.

Software 1: Home Assistant

I have been running Home Assistant for years ever since I gave up on my own home automation platform.

Software 2: Jellyfin

I also like having my media library available - for the last couple of years, with Jellyfin: The Free Software Media System.

Software 3: Grafana

I am also running Grafana to handle visualisation of my observability needs - more about that later too if I get around to writing about it.

Software 4: Frigate

I started using Frigate NVR to monitor my cameras a while ago.

The installation experience is great.. until it is not

All four of the containers run fine as podman containers (after the Moby madness, I don’t particularly want to run Docker unless I must). Notably:

  • Jellyfin wants to be a rootful container
    • Without it, hardware acceleration ( --device /dev/dri/renderD128 ) and service discovery for DLNA ( --network=host ) do not work
  • Frigate also requires root
    • Again for hardware acceleration
  • Grafana has some funky uid in its default Docker image which requires overriding: --userns=keep-id:uid=472
  • Home Assistant just worked

User handling

All of the software except Frigate has its own user database. Unfortunately Home Assistant and Jellyfin do not support SSO out of the box (as of 202404, there seem to be some relatively hacky solutions for both, but nothing bundled in).

Frigate is even sadder; it has no concept of users (and this is by design, c.f. [FR] Authentication! · Issue #1074 · blakeblackshear/frigate ), or even of trusted IP ranges. Its web UI exposes (among other things) even the configuration file, which contains the secrets used to access the cameras, in addition to everything else you would like to keep private (e.g. video recordings for however long you choose to store them, or the live view from the cameras).

Configuring user authentication to Frigate

As I am running Frigate in a container, by default anything can reach its UI (on the exposed port 5000). While I need the port exposed so that I can access it from ‘somewhere’, I definitely do not want the plaintext HTTP to be available. So the first step was figuring out how to block it in my setup.

The actual implementation of exposed ports in podman 4 is quite lovely: the port mappings are inserted into the nat/PREROUTING chain, and because of that the normal host firewalling is bypassed (the DNATed packets are forwarded to the container instead of hitting the host’s INPUT chain). To prevent access to the raw UI, I had to insert a blocking rule into the mangle/PREROUTING chain (to avoid potential ordering issues in the future), as the order of the Linux netfilter chains on input is mangle -> nat -> filter :

/sbin/iptables -t mangle -A PREROUTING \
               -p tcp --dport 5000 \
               --src <subnet>/24 \
               --dst <myip> \
               -j DROP

As the REJECT target is not available in PREROUTING, we just silently drop the packets that go from the local subnet to the local IP on TCP port 5000.

Having blocked that gaping hole, I needed to come up with some way to authenticate access to it from outside the host running the container. I am using Caddy ( https://caddyserver.com/ ) as a reverse proxy which provides automatically enrolled HTTPS certificates (and much more), so configuring Frigate to be accessed through that was trivial.

Unfortunately configuring basic auth in Caddy was a miserable user experience failure: the browsers’ ‘remember me’ button sometimes worked only very briefly, so it was back to the drawing board with that.

So one more container to the rescue: Authelia. I integrated that to have a user database, and pointed Caddy to use it to handle authz for accessing Frigate.
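The Caddy side of that arrangement, written out as an added example (this is not the post’s own configuration): a Caddyfile that sends every request for Frigate through Authelia’s forward-auth endpoint before proxying to the container. The hostnames, the authelia and frigate container names, Authelia’s port 9091 and the /api/authz/forward-auth path are assumptions (that path is the one introduced in Authelia 4.38; older releases used /api/verify?rd=...).

```caddyfile
# Added example, not from the post: gate Frigate's web UI behind Authelia using Caddy's forward_auth.
# Assumed names: auth.example.com, frigate.example.com, containers reachable as 'authelia' and
# 'frigate', Authelia listening on 9091. Caddy obtains the TLS certificates itself.

# The login portal must be reachable so that unauthenticated browsers can be redirected to it.
auth.example.com {
	reverse_proxy authelia:9091
}

frigate.example.com {
	# Every request is first sent to Authelia. A 200 response lets the request continue;
	# any other status (typically a redirect to the login portal) is returned to the client.
	forward_auth authelia:9091 {
		# Authelia 4.38+ endpoint (assumption); older releases used /api/verify?rd=https://auth.example.com/
		uri /api/authz/forward-auth
		# Forward the identity Authelia established so it shows up in upstream access logs.
		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
	}

	# Only reached after Authelia answered 200.
	reverse_proxy frigate:5000
}
```

Two things worth knowing when combining this with the DROP rule above: connections Caddy makes from the host itself to port 5000 are locally generated and therefore never traverse PREROUTING, so the rule does not get in Caddy’s way; and because forward_auth applies to every path, Frigate’s API and the exposed configuration file are covered as well, not just the UI pages. Which users may reach frigate.example.com at all is then decided in Authelia’s access_control rules rather than in Caddy.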

.. and there was much rejoicing. And hours of wasted time getting all this done.

So what do I have now, after spending a couple of hours?

  • Grafana with its own user database: ok, I could configure SSO to Authelia if I wanted to (c.f. the Authelia+Grafana integration information in the Authelia documentation), but then I would probably need separate access tokens for the scripts which back up and update its contents, and it does not feel worth it
  • Jellyfin with its own user database: no built-in way to get SSO, and the third-party plugin (allegedly ‘alpha quality’: 9p4/jellyfin-plugin-sso) works only for the web UI + clients with quick connect, but probably not with the apps or devices we have
  • Home Assistant with its own user database: no built-in SSO either, and third-party steps (e.g. Example SSO with Authelia and Home Assistant | X-Ryl669 personal blog) are unlikely to work with the native clients
  • Frigate using Authelia SSO

Overall I feel quite sad about the lack of built-in SSO support (and in general the pain of starting to use SSO) in the various things. Using random third-party ‘alpha quality’ plugins would probably let me get all of these working via SSO, but then the odds of them breaking in some scary way in some future upgrade would also go up.

Moral of the story?

  • please don’t make unauthenticated web UIs without any access controls (Frigate)
  • please add some sort of SSO by default to whatever you have IF you want to have a user database