I have a very simple setup running Gitea which I love. However, I enabled Elastic Search because it makes searching much faster than the default method.

I have a VPS running 16GB memory. The only things running on it are Nginx, PHP, Mysql, docker, and a few other things. Very rarely I ever hit over 6GB usage.

The issue comes when I enable Elastic Search. It seems to wipe me out at 15.7GB usage out of 16GB as soon as I start it up.

I searched online and found out about the /etc/elasticsearch/jvm.options.d/jvm.options and adding

-XmxXG
-XmsXG

The question is, what should this amount be. I read that by default, Elastic uses 50%, however, when I started it up, it was wiping me out of memory and making the system almost have a stroke.

But setting it to 2GB seems to make it not as responsive on the Gitea website, sometimes even timing the website out.

So I’m not sure what “range” I should be using here. Or if I’m going to have to upgrade my VPS to 32GB in order to run this properly.

  • thekrautboyB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    If you already have Caddy running on that same Docker host then its very simple to add another proxy target to that through the Caddyfile.

    I have been using Traefik for years and i am mostly happy with it but recently spend a day on trying out Caddy together with Authelia for authentication. Here is what came out of it as a very basic example to use them together. Its using a custom Docker image for Caddy that contains a few extra modules but it can easily be replaced with the basic official one, depending on what modules you need (for example, Lets Encrypt with dns01-challenge requires modules for DNS providers). My example uses www.desec.io for that but Cloudflare, DuckDNS etc. are possible too.

    docker-compose.yml

    version: "3.3"
    
    networks:
      caddy:
        external: true
    
    services:
    
      caddy:
        container_name: caddy
        image: l33tlamer/caddy-desec:latest
        restart: unless-stopped
        networks:
          - caddy
        ports:
          - 0.0.0.0:80:80/tcp
          - 0.0.0.0:443:443/tcp
          - 0.0.0.0:443:443/udp
        environment:
          - TZ=Europe/Berlin
          - DESEC_TOKEN=CHANGEME
        volumes:
          - ./required/Caddyfile:/etc/caddy/Caddyfile
          - ./config:/config
          - ./data:/data
    
      authelia:
        container_name: authelia
        image: authelia/authelia:latest
        restart: unless-stopped
        networks:
          - caddy
        ports:
          - 9091:9091
        environment:
          - TZ=Europe/Berlin
        volumes:
          - ./required/configuration.yml:/config/configuration.yml:ro
          - ./required/users_database.yml:/config/users_database.yml:ro
          - ./required/db.sqlite3:/config/db.sqlite3
    
        ### use pre-defined external Docker network: docker network create caddy
        ### db.sqlite3 needs to exist before first container start, can be created with: touch ./required/db.sqlite3
        ### Caddy config can be quickly reloaded with: docker exec -w /etc/caddy caddy caddy reload
        ### changes to Authelia files require its container to be restarted
    

    required/Caddyfile

    {
            debug
            http_port 80
            https_port 443
            email mail@example.com
            # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
            acme_ca https://acme-v02.api.letsencrypt.org/directory
    }
    
    *.example.com {
            tls {
                    dns desec {
                            token {env.DESEC_TOKEN}
                    }
                    propagation_timeout -1
            }
    
            @authelia host auth.example.com
            handle @authelia {
                    forward_auth authelia:9091 {
                            uri /api/verify?rd=https://auth.example.com
                            copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
                    }
                    reverse_proxy authelia:9091
            }
    
            ### example of a basic site entry
            @matomo host matomo.example.com
            handle @matomo {
                    forward_auth authelia:9091 {
                            uri /api/verify?rd=https://auth.example.com
                            copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
                    }
                    reverse_proxy matomo:8080
            }
    
            ### example of a site entry when target is HTTPS
            @proxmox host proxmox.example.com
            handle @proxmox {
                    forward_auth authelia:9091 {
                            uri /api/verify?rd=https://auth.example.com
                            copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
                    }
                    reverse_proxy 192.168.50.75:8006 {
                            transport http {
                                    tls_insecure_skip_verify
                            }
                    }
            }
    
            ### Fallback for otherwise unhandled domains
            handle {
                    abort
            }
    
    }
    

    required/configuration.yml

    # yamllint disable rule:comments-indentation
    ---
    theme: grey
    
    # generate with: openssl rand -hex 32
    jwt_secret: CHANGEME
    
    default_redirection_url: https://www.google.com/
    
    default_2fa_method: ""
    
    server:
      host: 0.0.0.0
      port: 9091
      path: ""
    # asset_path: /config/assets/
      enable_pprof: false
      enable_expvars: false
      disable_healthcheck: false
      tls:
        key: ""
        certificate: ""
        client_certificates: []
      headers:
        csp_template: ""
    
    log:
      level: debug
    
    telemetry:
      metrics:
        enabled: false
        address: tcp://0.0.0.0:9959
    
    totp:
      disable: false
      issuer: Authelia
      algorithm: sha1
      digits: 6
      period: 30
      skew: 1
      secret_size: 32
    
    webauthn:
      disable: false
      timeout: 60s
      display_name: Authelia
      attestation_conveyance_preference: indirect
      user_verification: preferred
    
    ntp:
      address: "time.cloudflare.com:123"
      version: 4
      max_desync: 3s
      disable_startup_check: false
      disable_failure: false
    
    authentication_backend:
      password_reset:
        disable: false
        custom_url: ""
      refresh_interval: 1m
    
      file:
        path: /config/users_database.yml
        password:
          algorithm: argon2id
          iterations: 1
          key_length: 32
          salt_length: 16
          memory: 1024
          parallelism: 8
    
    password_policy:
      standard:
        enabled: false
        min_length: 8
        max_length: 0
        require_uppercase: true
        require_lowercase: true
        require_number: true
        require_special: true
      zxcvbn:
        enabled: false
        min_score: 3
    
    access_control:
      default_policy: deny
      rules:
        # authelia itself gets bypass
        - domain:
            - "auth.example.com"
          policy: bypass
        # list all your protected subdomains like this
        - domain: "matomo.example.com"
          policy: one_factor
        - domain: "proxmox.example.com"
          policy: one_factor
    
    session:
      name: authelia_session
      domain: example.com
      same_site: lax
      # generate with: openssl rand -hex 32
      secret: CHANGEME
      expiration: 3h
      inactivity: 15m
      remember_me_duration: 1M
    
    regulation:
      max_retries: 3
      find_time: 2m
      ban_time: 12h
    
    storage:
      local:
        path: /config/db.sqlite3
      # generate with: openssl rand -hex 32
      encryption_key: CHANGEME
    
    notifier:
      disable_startup_check: false
      filesystem:
        filename: /config/notification.txt
    

    required/users_database.yml

    users:
    
      admin:
        displayname: "Admin"
        # generate encoded password with for example https://argon2.online/
        # settings: argon2id, random salt, parallelism=8, memorycost=1024, iterations=1, hashlength=32
        # this example password = admin
        password: "$argon2id$v=19$m=1024,t=1,p=8$WnZGOU03d1lnMFRuYzZVQw$V+pcZ9KqXmsSZGuhzrv75ZPy5VQi9rfrWZnFKlJxTcI"
        email: email@example.com
        groups:
          - admins