I have a very simple setup running Gitea which I love. However, I enabled Elastic Search because it makes searching much faster than the default method.

I have a VPS running 16GB memory. The only things running on it are Nginx, PHP, Mysql, docker, and a few other things. Very rarely I ever hit over 6GB usage.

The issue comes when I enable Elastic Search. It seems to wipe me out at 15.7GB usage out of 16GB as soon as I start it up.

I searched online and found out about the /etc/elasticsearch/jvm.options.d/jvm.options and adding

-XmxXG
-XmsXG

The question is, what should this amount be. I read that by default, Elastic uses 50%, however, when I started it up, it was wiping me out of memory and making the system almost have a stroke.

But setting it to 2GB seems to make it not as responsive on the Gitea website, sometimes even timing the website out.

So I’m not sure what “range” I should be using here. Or if I’m going to have to upgrade my VPS to 32GB in order to run this properly.

  • usrdefOPB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Oh damn, thanks. I’ll throw this in Obsidian.

    Reverse proxy is exactly why I don’t have more things setup in docker. I haven’t quite figured out how it, nginx, and the app work together yet.

    I had to setup caddy when I installed vaultwarden, and while that was easy because I had a very good guide to assist me, I would have been completely and totally lost if I had to setup caddy2 on my own.

    So I definitely need to sit down one day and just do a full day’s read on reverse proxy, how it works with Docker and its function, and what I can do with it. Because the vaultwarden setup made it no easier to understand.

    I wanted to actually move nginx and mysql over to docker, but reverse proxy is also the reason that’s holding me back.

    • thekrautboyB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      If you already have Caddy running on that same Docker host then its very simple to add another proxy target to that through the Caddyfile.

      I have been using Traefik for years and i am mostly happy with it but recently spend a day on trying out Caddy together with Authelia for authentication. Here is what came out of it as a very basic example to use them together. Its using a custom Docker image for Caddy that contains a few extra modules but it can easily be replaced with the basic official one, depending on what modules you need (for example, Lets Encrypt with dns01-challenge requires modules for DNS providers). My example uses www.desec.io for that but Cloudflare, DuckDNS etc. are possible too.

      docker-compose.yml

      version: "3.3"
      
      networks:
        caddy:
          external: true
      
      services:
      
        caddy:
          container_name: caddy
          image: l33tlamer/caddy-desec:latest
          restart: unless-stopped
          networks:
            - caddy
          ports:
            - 0.0.0.0:80:80/tcp
            - 0.0.0.0:443:443/tcp
            - 0.0.0.0:443:443/udp
          environment:
            - TZ=Europe/Berlin
            - DESEC_TOKEN=CHANGEME
          volumes:
            - ./required/Caddyfile:/etc/caddy/Caddyfile
            - ./config:/config
            - ./data:/data
      
        authelia:
          container_name: authelia
          image: authelia/authelia:latest
          restart: unless-stopped
          networks:
            - caddy
          ports:
            - 9091:9091
          environment:
            - TZ=Europe/Berlin
          volumes:
            - ./required/configuration.yml:/config/configuration.yml:ro
            - ./required/users_database.yml:/config/users_database.yml:ro
            - ./required/db.sqlite3:/config/db.sqlite3
      
          ### use pre-defined external Docker network: docker network create caddy
          ### db.sqlite3 needs to exist before first container start, can be created with: touch ./required/db.sqlite3
          ### Caddy config can be quickly reloaded with: docker exec -w /etc/caddy caddy caddy reload
          ### changes to Authelia files require its container to be restarted
      

      required/Caddyfile

      {
              debug
              http_port 80
              https_port 443
              email mail@example.com
              # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
              acme_ca https://acme-v02.api.letsencrypt.org/directory
      }
      
      *.example.com {
              tls {
                      dns desec {
                              token {env.DESEC_TOKEN}
                      }
                      propagation_timeout -1
              }
      
              @authelia host auth.example.com
              handle @authelia {
                      forward_auth authelia:9091 {
                              uri /api/verify?rd=https://auth.example.com
                              copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
                      }
                      reverse_proxy authelia:9091
              }
      
              ### example of a basic site entry
              @matomo host matomo.example.com
              handle @matomo {
                      forward_auth authelia:9091 {
                              uri /api/verify?rd=https://auth.example.com
                              copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
                      }
                      reverse_proxy matomo:8080
              }
      
              ### example of a site entry when target is HTTPS
              @proxmox host proxmox.example.com
              handle @proxmox {
                      forward_auth authelia:9091 {
                              uri /api/verify?rd=https://auth.example.com
                              copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
                      }
                      reverse_proxy 192.168.50.75:8006 {
                              transport http {
                                      tls_insecure_skip_verify
                              }
                      }
              }
      
              ### Fallback for otherwise unhandled domains
              handle {
                      abort
              }
      
      }
      

      required/configuration.yml

      # yamllint disable rule:comments-indentation
      ---
      theme: grey
      
      # generate with: openssl rand -hex 32
      jwt_secret: CHANGEME
      
      default_redirection_url: https://www.google.com/
      
      default_2fa_method: ""
      
      server:
        host: 0.0.0.0
        port: 9091
        path: ""
      # asset_path: /config/assets/
        enable_pprof: false
        enable_expvars: false
        disable_healthcheck: false
        tls:
          key: ""
          certificate: ""
          client_certificates: []
        headers:
          csp_template: ""
      
      log:
        level: debug
      
      telemetry:
        metrics:
          enabled: false
          address: tcp://0.0.0.0:9959
      
      totp:
        disable: false
        issuer: Authelia
        algorithm: sha1
        digits: 6
        period: 30
        skew: 1
        secret_size: 32
      
      webauthn:
        disable: false
        timeout: 60s
        display_name: Authelia
        attestation_conveyance_preference: indirect
        user_verification: preferred
      
      ntp:
        address: "time.cloudflare.com:123"
        version: 4
        max_desync: 3s
        disable_startup_check: false
        disable_failure: false
      
      authentication_backend:
        password_reset:
          disable: false
          custom_url: ""
        refresh_interval: 1m
      
        file:
          path: /config/users_database.yml
          password:
            algorithm: argon2id
            iterations: 1
            key_length: 32
            salt_length: 16
            memory: 1024
            parallelism: 8
      
      password_policy:
        standard:
          enabled: false
          min_length: 8
          max_length: 0
          require_uppercase: true
          require_lowercase: true
          require_number: true
          require_special: true
        zxcvbn:
          enabled: false
          min_score: 3
      
      access_control:
        default_policy: deny
        rules:
          # authelia itself gets bypass
          - domain:
              - "auth.example.com"
            policy: bypass
          # list all your protected subdomains like this
          - domain: "matomo.example.com"
            policy: one_factor
          - domain: "proxmox.example.com"
            policy: one_factor
      
      session:
        name: authelia_session
        domain: example.com
        same_site: lax
        # generate with: openssl rand -hex 32
        secret: CHANGEME
        expiration: 3h
        inactivity: 15m
        remember_me_duration: 1M
      
      regulation:
        max_retries: 3
        find_time: 2m
        ban_time: 12h
      
      storage:
        local:
          path: /config/db.sqlite3
        # generate with: openssl rand -hex 32
        encryption_key: CHANGEME
      
      notifier:
        disable_startup_check: false
        filesystem:
          filename: /config/notification.txt
      

      required/users_database.yml

      users:
      
        admin:
          displayname: "Admin"
          # generate encoded password with for example https://argon2.online/
          # settings: argon2id, random salt, parallelism=8, memorycost=1024, iterations=1, hashlength=32
          # this example password = admin
          password: "$argon2id$v=19$m=1024,t=1,p=8$WnZGOU03d1lnMFRuYzZVQw$V+pcZ9KqXmsSZGuhzrv75ZPy5VQi9rfrWZnFKlJxTcI"
          email: email@example.com
          groups:
            - admins