2
submitted 1 year ago by usrdef@alien.top to c/main@selfhosted.forum

I have a very simple setup running Gitea which I love. However, I enabled Elastic Search because it makes searching much faster than the default method.

I have a VPS running 16GB memory. The only things running on it are Nginx, PHP, Mysql, docker, and a few other things. Very rarely I ever hit over 6GB usage.

The issue comes when I enable Elastic Search. It seems to wipe me out at 15.7GB usage out of 16GB as soon as I start it up.

I searched online and found out about the /etc/elasticsearch/jvm.options.d/jvm.options and adding

-XmxXG
-XmsXG

The question is, what should this amount be. I read that by default, Elastic uses 50%, however, when I started it up, it was wiping me out of memory and making the system almost have a stroke.

But setting it to 2GB seems to make it not as responsive on the Gitea website, sometimes even timing the website out.

So I'm not sure what "range" I should be using here. Or if I'm going to have to upgrade my VPS to 32GB in order to run this properly.

you are viewing a single comment's thread
view the rest of the comments
[-] thekrautboy@alien.top 1 points 1 year ago

If you already have Caddy running on that same Docker host then its very simple to add another proxy target to that through the Caddyfile.

I have been using Traefik for years and i am mostly happy with it but recently spend a day on trying out Caddy together with Authelia for authentication. Here is what came out of it as a very basic example to use them together. Its using a custom Docker image for Caddy that contains a few extra modules but it can easily be replaced with the basic official one, depending on what modules you need (for example, Lets Encrypt with dns01-challenge requires modules for DNS providers). My example uses www.desec.io for that but Cloudflare, DuckDNS etc. are possible too.

docker-compose.yml

version: "3.3"

networks:
  caddy:
    external: true

services:

  caddy:
    container_name: caddy
    image: l33tlamer/caddy-desec:latest
    restart: unless-stopped
    networks:
      - caddy
    ports:
      - 0.0.0.0:80:80/tcp
      - 0.0.0.0:443:443/tcp
      - 0.0.0.0:443:443/udp
    environment:
      - TZ=Europe/Berlin
      - DESEC_TOKEN=CHANGEME
    volumes:
      - ./required/Caddyfile:/etc/caddy/Caddyfile
      - ./config:/config
      - ./data:/data

  authelia:
    container_name: authelia
    image: authelia/authelia:latest
    restart: unless-stopped
    networks:
      - caddy
    ports:
      - 9091:9091
    environment:
      - TZ=Europe/Berlin
    volumes:
      - ./required/configuration.yml:/config/configuration.yml:ro
      - ./required/users_database.yml:/config/users_database.yml:ro
      - ./required/db.sqlite3:/config/db.sqlite3

    ### use pre-defined external Docker network: docker network create caddy
    ### db.sqlite3 needs to exist before first container start, can be created with: touch ./required/db.sqlite3
    ### Caddy config can be quickly reloaded with: docker exec -w /etc/caddy caddy caddy reload
    ### changes to Authelia files require its container to be restarted

required/Caddyfile

{
        debug
        http_port 80
        https_port 443
        email mail@example.com
        # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
        acme_ca https://acme-v02.api.letsencrypt.org/directory
}

*.example.com {
        tls {
                dns desec {
                        token {env.DESEC_TOKEN}
                }
                propagation_timeout -1
        }

        @authelia host auth.example.com
        handle @authelia {
                forward_auth authelia:9091 {
                        uri /api/verify?rd=https://auth.example.com
                        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
                }
                reverse_proxy authelia:9091
        }

        ### example of a basic site entry
        @matomo host matomo.example.com
        handle @matomo {
                forward_auth authelia:9091 {
                        uri /api/verify?rd=https://auth.example.com
                        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
                }
                reverse_proxy matomo:8080
        }

        ### example of a site entry when target is HTTPS
        @proxmox host proxmox.example.com
        handle @proxmox {
                forward_auth authelia:9091 {
                        uri /api/verify?rd=https://auth.example.com
                        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
                }
                reverse_proxy 192.168.50.75:8006 {
                        transport http {
                                tls_insecure_skip_verify
                        }
                }
        }

        ### Fallback for otherwise unhandled domains
        handle {
                abort
        }

}

required/configuration.yml

# yamllint disable rule:comments-indentation

theme: grey

# generate with: openssl rand -hex 32
jwt_secret: CHANGEME

default_redirection_url: https://www.google.com/

default_2fa_method: ""

server:
  host: 0.0.0.0
  port: 9091
  path: ""
# asset_path: /config/assets/
  enable_pprof: false
  enable_expvars: false
  disable_healthcheck: false
  tls:
    key: ""
    certificate: ""
    client_certificates: []
  headers:
    csp_template: ""

log:
  level: debug

telemetry:
  metrics:
    enabled: false
    address: tcp://0.0.0.0:9959

totp:
  disable: false
  issuer: Authelia
  algorithm: sha1
  digits: 6
  period: 30
  skew: 1
  secret_size: 32

webauthn:
  disable: false
  timeout: 60s
  display_name: Authelia
  attestation_conveyance_preference: indirect
  user_verification: preferred

ntp:
  address: "time.cloudflare.com:123"
  version: 4
  max_desync: 3s
  disable_startup_check: false
  disable_failure: false

authentication_backend:
  password_reset:
    disable: false
    custom_url: ""
  refresh_interval: 1m

  file:
    path: /config/users_database.yml
    password:
      algorithm: argon2id
      iterations: 1
      key_length: 32
      salt_length: 16
      memory: 1024
      parallelism: 8

password_policy:
  standard:
    enabled: false
    min_length: 8
    max_length: 0
    require_uppercase: true
    require_lowercase: true
    require_number: true
    require_special: true
  zxcvbn:
    enabled: false
    min_score: 3

access_control:
  default_policy: deny
  rules:
    # authelia itself gets bypass
    - domain:
        - "auth.example.com"
      policy: bypass
    # list all your protected subdomains like this
    - domain: "matomo.example.com"
      policy: one_factor
    - domain: "proxmox.example.com"
      policy: one_factor

session:
  name: authelia_session
  domain: example.com
  same_site: lax
  # generate with: openssl rand -hex 32
  secret: CHANGEME
  expiration: 3h
  inactivity: 15m
  remember_me_duration: 1M

regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 12h

storage:
  local:
    path: /config/db.sqlite3
  # generate with: openssl rand -hex 32
  encryption_key: CHANGEME

notifier:
  disable_startup_check: false
  filesystem:
    filename: /config/notification.txt

required/users_database.yml

users:

  admin:
    displayname: "Admin"
    # generate encoded password with for example https://argon2.online/
    # settings: argon2id, random salt, parallelism=8, memorycost=1024, iterations=1, hashlength=32
    # this example password = admin
    password: "$argon2id$v=19$m=1024,t=1,p=8$WnZGOU03d1lnMFRuYzZVQw$V+pcZ9KqXmsSZGuhzrv75ZPy5VQi9rfrWZnFKlJxTcI"
    email: email@example.com
    groups:
      - admins
this post was submitted on 21 Oct 2023
2 points (100.0% liked)

Self-Hosted Main

504 readers
1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

For Example

We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.

Useful Lists

founded 1 year ago
MODERATORS