QNAP TS-877 Truenas Journal

mooglestiltzkin · April 29, 2024, 7:12pm

So what does this all mean?

tested the following

nuke jailmaker and docker datasets, even the whole truenas boot pool to essentially start from scratch (backups of course). The only thing i recovered were importing the 2 dataset pools to recover my data (RAID IS NOT A BACKUP)

fyi even though this worked, i still had a backup just in case. So don’t do this if you don’t have backup. mistakes can happen.

Successfully restored pool via import. no data loss. even the encrypted dataset could be decrypted and accessed just fine
managed to recover the docker container dataset data from my ts-253D backup via RSYNC (i used qnap hybridbackupsync to recover)
managed to setup jailmaker correctly without deviating (no more crazy testing for me. that is what landed me in trouble in first place. i only did it to help you guys test what worked and what didn’t)
managed to install docker using the jailmaker docker template. I modified it to include my bindings
managed to setup working bridged networking. With static ip set for the docker. truenas is static to a different ip from that, meaning they won’t conflict for ports 80 and 443. Meaning nginx proxy manager will work without issue for my docker containers.
fixing incorrect permissions worked. i merely copy the data from one dataset to another (created for temporary storage), via shell cmdline. After done, delete the original dataset, recreate it using generic, then copy back the data same way, then delete the temp storage once i confirmed data was successfully copied.
deploy dockge using shell. browse to dockge folder where i store a compose file for it then docker compose up -d so with dockge i deploy the rest of the dockers. Most of the containers all correctly deployed, fixed previously not working dockers, and nginx proxy manager the crucial docker recovered perfectly to the point now my http://dashy.domain.duckdns.org works without me having to do anything further

hopefully this case study proves the concept for backup and recovery for truenas, how that would work (this included the recovery for docker containers running on jailmaker as well). It works in case something happens and you need to start from scratch. I did the test and proved my backup and recovery strategy works.

If you didn’t get the meme, it’s the ending scene of steins;gate the 2 characters thought they were doomed, but hyojin kyoma came to rescue them with the spanky new updated time machine from a hopeless situation

https://www.youtube.com/watch?v=eOuRw6DUTck

mooglestiltzkin · April 29, 2024, 7:31pm

short answer: yes

mooglestiltzkin · April 29, 2024, 7:41pm

going through my dockers in dockge looking at the cmdline shown, noticed sync things wasn’t working. so i did an edit, redeployed and it works with the previous setup so i didn’t have to start from scratch. it’s still syncing to smartphone just fine.

services:
  syncthing:
    image: lscr.io/linuxserver/syncthing:latest
    container_name: syncthing
    hostname: syncthing #optional
    environment:
      #      - PUID=1000
      #      - PGID=996
      - PUID=0
      - PGID=0
      - TZ=newyork
    volumes:
      - /mnt/docker/data/syncthing/appdata/config:/config
    #      - /mnt/tank/keepass/data1:/data1      
    #      - /mnt/tank//Syncthing/data2:/data2
    ports:
      - 8384:8384
      - 22000:22000/tcp
      - 22000:22000/udp
      - 21027:21027/udp
    restart: unless-stopped
networks: {}

note: don't deploy using root user if possible especially if you are doing remote access. i myself have to harden this when i have time to get around to it. i by no means am encouraging bad practise, hence the note

mooglestiltzkin · April 29, 2024, 8:29pm

still couldn’t get authentik to work x-x; no idea why. bit unfortunate but the fallback is native app basic auth. it’s local lan so not too big a deal. just dissapointing. but at least valid https letsncrypt works so i get a proper url rather than using lan ips all the time.

just no reason at this point to try traefik. i’ve used traefik for a while, and it requires doing more things to learn and setup compared the nginx proxy manager.

example, you can modify traefik config yaml for all your apps, or, you can opt instead to use traefik labels which was what i was doing before. It had a nice UI to help with troubleshoot to find where the issue was.

But for a small homelab, nginx proxy manager is more than sufficient and and far easier to setup and handle. even in regards to performance, nginx is still king. Traefik is almost comparable, you can’t go wrong with either really.

I have used all of the listed ones: would exclude synology one as just offers very few features good for learning the basis but as soon you learn the ropes you want to get something better. As far NPM is very simple to use and set up and has good number of feature the project is stuck at 3-4 years ago. Not a lot of improvements and the project v3 is in WIP since years, very often CVEs affects NPM and it takes ages to get those patched. Just to mention the few reasons why I’ve decided to drop it in favour of traefik. Traefik has a bit of steep learning curve but has a really wide community that can help to solve most of the issues you can face trying to set it up, especially if you go for the docker route. I use it in my kubernetes cluster and there are a bit less examples around but still a good number.

i guess security is one reason to go for traefik

the thing about traefik labels, looks complicated but once you have that figured out, you can more or less just copy paste to apply to the other docker container compose, and just edit the name to match the docker name.

mooglestiltzkin · April 29, 2024, 8:40pm

useful video for homelab networking planning and design. where you may consider where your truenas fits into that and how to keep it safe in the bigger picture when looking at your network as a whole and the various interactions with other devices connected to that network

Stux · April 29, 2024, 9:03pm

Generic is basically “Unix”, which is what you should be using for docker data datasets

Set permissions on the librespeed dataset

/mnt/docker/data/librespeed/appdata/config

Note: the generic datasets permissions don’t exclusively apply to children (in my video you see me set the jellyfin config and transcode permissions, per dataset, not on the jellyfin dataset.

I plan to report a bug on that.

Stux · April 29, 2024, 9:05pm

Make a different sandbox or vm for testing

TrueNAS can run TrueNAS in a Vm…

mooglestiltzkin · April 29, 2024, 9:13pm

thought so, since jailmaker also said to use generic for its dataset. using that logic i assumed it would be the same for the docker stuff as well.

at least i’m on the right track than before xd

i’m pretty much a newbie in regards to acls.

back qnap qts, all i needed to know was, create user and group then assign read/write for the share, and that was about it.

getting better at it

mooglestiltzkin · April 29, 2024, 9:15pm

was wondering why filebrowser docker container was unhealthy. apparently it wasn’t me. it was a bad release

github.com/filebrowser/filebrowser

Health check fails on v2.28.0

opened 08:10PM - 14 Apr 24 UTC

gowtham1337

**Description** The latest image (v2.28.0) of filebrowser from docker hub repor…ts an unhealthy status even though there are no errors and the container is working as expected. **Expected behaviour** Container should report healthy **What is happening instead?** Container is reporting unhealthy **Additional context** Because the container is reporting unhealthy, errors are thrown and several other things fail. For example, a reverse proxy might think this service is unavailable and failover. **How to reproduce?** Docker compose: ``` filebrowser: image: filebrowser/filebrowser:v2.27.0 #this version works #image: filebrowser/filebrowser:latest - throws unhealthy check container_name: filebrowser restart: unless-stopped ports: - "81:80" volumes: - $DOCKERDIR/filebrowser/filebrowser.db:/filebrowser.db - $DOCKERDIR/filebrowser/.filebrowser.json:/.filebrowser.json - /:/srv ``` See that the health check for the container is reported as unhealthy in portainer. There is no difference in logs and functionality. App is working perfectly as expected but still shows unhealthy.

sometimes when there is a problem, might not be your fault. check the github

Stux · April 29, 2024, 9:20pm

Nicely illustrates how to pin a version.

mooglestiltzkin · April 29, 2024, 9:21pm

also another case in point why auto update might not be the best option. if you encounter an issue like this just edit the docker compose set it to a working version, then only change back to latest or manually assign a newer version when the fix comes out.

some of these docker containers are abandoned. you have to watch out for that. if that is the case, time to move on.

trivy is a useful docker to discover vulnerabilities in the docker containers you use. this will be a red flag maybe you shouldn’t be using that container

i noticed that most often the alpine docker images tend to have little to no vulnerabilities, compared to full blown images that have a ton of them. probably why alpine is quite popular.

old video but it was the only one i saw that directly asked this question

Stux · April 29, 2024, 9:26pm

It’s a minimal distro, so less surface area for vulnerabilities AND smaller image size

mooglestiltzkin · April 29, 2024, 10:02pm

discovered another flaw in immich design

github.com/immich-app/immich

faces missing / rescanning does not help

opened 12:06PM - 28 Jan 24 UTC

closed 03:47AM - 18 Apr 24 UTC

lakemike

### The bug I am suspecting that my database has accumulated problems since my …first docker installation some months ago: While some pictures were initially correctly scanned and faces were shown, these faces have disappeared over time, e.g. after updates and rescans. A complete redetection/rerecognition with latest version 1.93.3 does not fix the issue. This is actually weird: When I take an affected pictures (including faces), apply a crop to change checksum, I can reupload it and faces will then be recognized. I don't understand why the redetection/rerecognition fails on those other pictures in my database. ### The OS that Immich Server is running on QNAP i386 Linux / Docker ### Version of Immich Server v1.93.3 ### Version of Immich Mobile App v1.93.2 build 135 ### Platform with the issue - [X] Server - [ ] Web - [ ] Mobile ### Your docker-compose.yml content ```YAML version: "3.8" services: immich-server: container_name: immich_server image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release} command: ["start.sh", "immich"] volumes: - ${UPLOAD_LOCATION}:/usr/src/app/upload - ${EXTPATH_LOCATION}:/mnt/media:ro - /etc/localtime:/etc/localtime:ro env_file: - .env ports: - 2283:3001 depends_on: - redis - database labels: - traefik.enable=true - traefik.http.routers.immich.rule=Host(`myserver.domain.tld`) - traefik.http.services.immich.loadbalancer.server.port=3001 - traefik.http.routers.immich.tls.certresolver=leresolver - traefik.http.routers.immich.entrypoints=websecure networks: - immichnet restart: always immich-microservices: container_name: immich_microservices image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release} # extends: # file: hwaccel.yml # service: hwaccel command: ["start.sh", "microservices"] volumes: - ${UPLOAD_LOCATION}:/usr/src/app/upload - ${EXTPATH_LOCATION}:/mnt/media:ro - /etc/localtime:/etc/localtime:ro env_file: - .env depends_on: - redis - database networks: - immichnet restart: always immich-machine-learning: container_name: immich_machine_learning image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release} volumes: - /share/Container/immich-app/model-cache:/cache env_file: - .env networks: - immichnet restart: always redis: container_name: immich_redis image: redis:6.2-alpine@sha256:70a7a5b641117670beae0d80658430853896b5ef269ccf00d1827427e3263fa3 networks: - immichnet restart: always database: container_name: immich_postgres image: tensorchord/pgvecto-rs:pg14-v0.1.11 env_file: - .env environment: POSTGRES_PASSWORD: ${DB_PASSWORD} POSTGRES_USER: ${DB_USERNAME} POSTGRES_DB: ${DB_DATABASE_NAME} volumes: - /share/Container/immich-app/pgdata:/var/lib/postgresql/data networks: - immichnet restart: always networks: immichnet: driver: bridge ``` ### Your .env content ```Shell # You can find documentation for all the supported env variables at https://immich.app/docs/install/environment-variables # The location where your uploaded files are stored UPLOAD_LOCATION=/share/MyConfig/immich-app/upload # The location for so called external path EXTPATH_LOCATION=/share/MyConfig/immich-app/external_path # The Immich version to use. You can pin this to a specific version like "v1.71.0" #IMMICH_VERSION=release IMMICH_VERSION="v1.93.3" # Connection secrets for postgres and typesense. You should change these to random passwords TYPESENSE_API_KEY=hidden DB_PASSWORD=hidden # The values below this line do not need to be changed ################################################################################### DB_HOSTNAME=immich_postgres DB_USERNAME=postgres DB_DATABASE_NAME=immich REDIS_HOSTNAME=immich_redis LOG_LEVEL=log #LOG_LEVEL=verbose IMMICH_WEB_URL=http://immich-web:3000 IMMICH_SERVER_URL=http://immich-server:3001 ``` ### Reproduction steps ```bash 1. using docker/ iphone app since 4-5 months 2. both iphone as well as bulk uploads 3. latest version 1.93.3 installed 4. face detection ALL 5. facial recognition ALL ``` ### Additional information _No response_

apparently if you put images into say, albums, they won’t be detected for facials.

why?

immich is great but they keep making weird design choices that back themselves into a corner. hopefully they realize this oversight.

mooglestiltzkin · April 29, 2024, 10:06pm

that regardless whether they are in an album or not, or even archived, they should ALL be able to have the facial recognition to be shown under faces category.

If there is further filtering to be done, there already is the hide faces over there already.

but anyway i digress x-x; just thought i’d mention this since an app like immich would be an important part of your truenas usage especially if you are a picture hoarder like me

in case you use that app and wondered why so few faces are being shown even after running the facial scan for people.

mooglestiltzkin · April 29, 2024, 10:40pm

noticed 2 docker containers (dupeguru, qdirstat) which are similar in how they operate (both use some sort of vnc) where i had trouble accessing the datasets. Did not have this issue on qnap qts.

was reading the github manual it said this in regards to permissions. will keep investigating this

github.com

jlesage/docker-dupeguru/blob/master/README.md#usergroup-ids

# Docker container for dupeGuru
[![Release](https://img.shields.io/github/release/jlesage/docker-dupeguru.svg?logo=github&style=for-the-badge)](https://github.com/jlesage/docker-dupeguru/releases/latest)
[![Docker Image Size](https://img.shields.io/docker/image-size/jlesage/dupeguru/latest?logo=docker&style=for-the-badge)](https://hub.docker.com/r/jlesage/dupeguru/tags)
[![Docker Pulls](https://img.shields.io/docker/pulls/jlesage/dupeguru?label=Pulls&logo=docker&style=for-the-badge)](https://hub.docker.com/r/jlesage/dupeguru)
[![Docker Stars](https://img.shields.io/docker/stars/jlesage/dupeguru?label=Stars&logo=docker&style=for-the-badge)](https://hub.docker.com/r/jlesage/dupeguru)
[![Build Status](https://img.shields.io/github/actions/workflow/status/jlesage/docker-dupeguru/build-image.yml?logo=github&branch=master&style=for-the-badge)](https://github.com/jlesage/docker-dupeguru/actions/workflows/build-image.yml)
[![Donate](https://img.shields.io/badge/Donate-PayPal-green.svg?style=for-the-badge)](https://paypal.me/JocelynLeSage)

This project implements a Docker container for [dupeGuru](https://dupeguru.voltaicideas.net).

The GUI of the application is accessed through a modern web browser (no
installation or configuration needed on the client side) or via any VNC client.

---

[![dupeGuru logo](https://images.weserv.nl/?url=raw.githubusercontent.com/jlesage/docker-templates/master/jlesage/images/dupeguru-icon.png&w=110)](https://dupeguru.voltaicideas.net)[![dupeGuru](https://images.placeholders.dev/?width=256&height=110&fontFamily=monospace&fontWeight=400&fontSize=52&text=dupeGuru&bgColor=rgba(0,0,0,0.0)&textColor=rgba(121,121,121,1))](https://dupeguru.voltaicideas.net)

dupeGuru is a tool to find duplicate files on your computer. It can scan either
filenames or contents. The filename scan features a fuzzy matching algorithm
that can find duplicate filenames even when they are not exactly the same.

This file has been truncated. show original

mooglestiltzkin · April 29, 2024, 11:01pm

another docker dev issue i found. authentik passwordless broke with authentik update

github.com/goauthentik/authentik

Passwordless not working on 2024.4.1

opened 02:58PM - 29 Apr 24 UTC

it-global-architect

bug

**Describe the bug** Passwordless function is returning Failed to authenticate …message. The same passkey works when used in the login > password > WebAuthn flow Passkey from both 1Password and Windows Hello fails on passwordless flow **To Reproduce** go to auth.mydomaind click on use a security key Click on sign in 1password popup or choose windows hello (both works for user > pass > WebAuth but fails for passwordless) receive the Failed to authenticate message **Expected behavior** Login success **Screenshots** ![image](https://github.com/goauthentik/authentik/assets/84394825/10ed7526-93d5-42b6-a35e-fb0b40f108cb) ![image](https://github.com/goauthentik/authentik/assets/84394825/dbc6291b-2eba-492d-b924-a3dc6eb67609) ![image](https://github.com/goauthentik/authentik/assets/84394825/0db29f82-147e-41be-ae8e-d2f107747fc7) ![image](https://github.com/goauthentik/authentik/assets/84394825/887f6a42-2968-43db-8a95-52267bcc931f) ![image](https://github.com/goauthentik/authentik/assets/84394825/0f3774e3-2582-4464-833e-56f9a45d9b67) ![image](https://github.com/goauthentik/authentik/assets/84394825/3b6a8567-4697-41d1-a80b-111ee9a157e8) ![image](https://github.com/goauthentik/authentik/assets/84394825/54a9f409-a889-4c46-a772-2c50d231a046) ![image](https://github.com/goauthentik/authentik/assets/84394825/c94ddace-e7dc-4f5d-a640-d508b2c66a7a) ![image](https://github.com/goauthentik/authentik/assets/84394825/0ae7a712-0377-4533-a55a-3cf24f6f6fec) ![image](https://github.com/goauthentik/authentik/assets/84394825/db40711a-e033-4341-93d6-1d23f19dc729) ![image](https://github.com/goauthentik/authentik/assets/84394825/270af0b5-39a7-4b44-b2b9-69e0612298bc) **Logs** ```authentik-server-1 | {"auth_via": "unauthenticated", "domain_url": "auth.my-domain.com", "event": "Task published", "host": "auth.my-domain.com", "level": "info", "logger": "authentik.root.celery", "pid": 45, "request_id": "97a5951066a541a6a42fc5e8d50a2d2c", "schema_name": "public", "task_id": "cbb6c13860d446cab4dafd5266f38253", "task_name": "authentik.events.tasks.event_notification_handler", "timestamp": "2024-04-29T14:39:21.964816"} authentik-server-1 | {"auth_via": "unauthenticated", "domain_url": "auth.my-domain.com", "event": "Task published", "host": "auth.my-domain.com", "level": "info", "logger": "authentik.root.celery", "pid": 45, "request_id": "97a5951066a541a6a42fc5e8d50a2d2c", "schema_name": "public", "task_id": "2dbc009246144425a89610eb2255cb24", "task_name": "authentik.policies.reputation.tasks.save_reputation", "timestamp": "2024-04-29T14:39:21.965867"} authentik-server-1 | {"auth_via": "unauthenticated", "domain_url": "auth.my-domain.com", "event": "/api/v3/flows/executor/webauthn-passwordless-custom-flow/?query=next%3D%252F", "host": "auth.my-domain.com", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 45, "remote": "192.168.50.159", "request_id": "97a5951066a541a6a42fc5e8d50a2d2c", "runtime": 31, "schema_name": "public", "scheme": "https", "status": 302, "timestamp": "2024-04-29T14:39:21.971079", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0"} authentik-server-1 | {"auth_via": "unauthenticated", "domain_url": "auth.my-domain.com", "event": "/api/v3/flows/executor/webauthn-passwordless-custom-flow/?query=next%3D%252F", "host": "auth.my-domain.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 45, "remote": "192.168.50.159", "request_id": "cbd6ab3060b34224bc81ae78c3069bf0", "runtime": 21, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-04-29T14:39:22.011008", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0"} authentik-server-1 | {"auth_via": "unauthenticated", "domain_url": "auth.my-domain.com", "event": "/api/v3/flows/executor/webauthn-passwordless-custom-flow/?query=next%3D%252F", "host": "auth.my-domain.com", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 45, "remote": "192.168.50.159", "request_id": "3658aade2d1c43ee8909fc5e6b53cb06", "runtime": 17, "schema_name": "public", "scheme": "https", "status": 302, "timestamp": "2024-04-29T14:39:22.054367", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0"} authentik-worker-1 | {"domain_url": null, "event": "Task started", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "task_id": "cbb6c138-60d4-46ca-b4da-fd5266f38253", "task_name": "event_notification_handler", "timestamp": "2024-04-29T14:39:22.088575"} authentik-server-1 | {"auth_via": "unauthenticated", "domain_url": "auth.my-domain.com", "event": "/api/v3/flows/executor/webauthn-passwordless-custom-flow/?query=next%3D%252F", "host": "auth.my-domain.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 45, "remote": "192.168.50.159", "request_id": "d9781374e7ff4a6299707aeda21342ea", "runtime": 20, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-04-29T14:39:22.094649", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0"} authentik-worker-1 | {"domain_url": null, "event": "Task published", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "task_id": "e4fd3c4f07c942d6bb5442b407131710", "task_name": "authentik.events.tasks.event_trigger_handler", "timestamp": "2024-04-29T14:39:22.097114"} authentik-worker-1 | {"domain_url": null, "event": "Task published", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "task_id": "fc5764d30aaf4032af7dc3a4c2060825", "task_name": "authentik.events.tasks.event_trigger_handler", "timestamp": "2024-04-29T14:39:22.097806"} authentik-worker-1 | {"domain_url": null, "event": "Task published", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "task_id": "fa151826cd5147c3818c41880d458a0c", "task_name": "authentik.events.tasks.event_trigger_handler", "timestamp": "2024-04-29T14:39:22.098369"} authentik-worker-1 | {"domain_url": null, "event": "Task finished", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "state": "SUCCESS", "task_id": "cbb6c13860d446cab4dafd5266f38253", "task_name": "event_notification_handler", "timestamp": "2024-04-29T14:39:22.099331"} authentik-worker-1 | {"domain_url": null, "event": "Task started", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "task_id": "2dbc0092-4614-4425-a896-10eb2255cb24", "task_name": "save_reputation", "timestamp": "2024-04-29T14:39:22.101521"} authentik-worker-1 | {"domain_url": null, "event": "Task finished", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "state": "SUCCESS", "task_id": "2dbc009246144425a89610eb2255cb24", "task_name": "save_reputation", "timestamp": "2024-04-29T14:39:22.116309"} authentik-worker-1 | {"domain_url": null, "event": "Task started", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "task_id": "e4fd3c4f-07c9-42d6-bb54-42b407131710", "task_name": "event_trigger_handler", "timestamp": "2024-04-29T14:39:22.117588"} authentik-worker-1 | {"checker": "passes_action", "domain_url": null, "event": "Event matcher check result", "level": "info", "logger": "authentik.policies.event_matcher.models", "pid": 354, "result": "<PolicyResult passing=False messages=('Action matched.',)>", "schema_name": "public", "task_id": "task-e4fd3c4f07c942d6bb5442b407131710", "timestamp": "2024-04-29T14:39:22.129071"} authentik-worker-1 | {"domain_url": null, "event": "Task finished", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "state": "SUCCESS", "task_id": "e4fd3c4f07c942d6bb5442b407131710", "task_name": "event_trigger_handler", "timestamp": "2024-04-29T14:39:22.130409"} authentik-worker-1 | {"domain_url": null, "event": "Task started", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "task_id": "fc5764d3-0aaf-4032-af7d-c3a4c2060825", "task_name": "event_trigger_handler", "timestamp": "2024-04-29T14:39:22.131437"} authentik-worker-1 | {"checker": "passes_action", "domain_url": null, "event": "Event matcher check result", "level": "info", "logger": "authentik.policies.event_matcher.models", "pid": 354, "result": "<PolicyResult passing=False messages=('Action matched.',)>", "schema_name": "public", "task_id": "task-fc5764d30aaf4032af7dc3a4c2060825", "timestamp": "2024-04-29T14:39:22.140819"} authentik-worker-1 | {"domain_url": null, "event": "Task finished", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "state": "SUCCESS", "task_id": "fc5764d30aaf4032af7dc3a4c2060825", "task_name": "event_trigger_handler", "timestamp": "2024-04-29T14:39:22.142013"} authentik-worker-1 | {"domain_url": null, "event": "Task started", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "task_id": "fa151826-cd51-47c3-818c-41880d458a0c", "task_name": "event_trigger_handler", "timestamp": "2024-04-29T14:39:22.143073"} authentik-worker-1 | {"checker": "passes_action", "domain_url": null, "event": "Event matcher check result", "level": "info", "logger": "authentik.policies.event_matcher.models", "pid": 354, "result": "<PolicyResult passing=False messages=('Action matched.',)>", "schema_name": "public", "task_id": "task-fa151826cd5147c3818c41880d458a0c", "timestamp": "2024-04-29T14:39:22.152936"} authentik-worker-1 | {"checker": "passes_action", "domain_url": null, "event": "Event matcher check result", "level": "info", "logger": "authentik.policies.event_matcher.models", "pid": 354, "result": "<PolicyResult passing=False messages=('Action matched.',)>", "schema_name": "public", "task_id": "task-fa151826cd5147c3818c41880d458a0c", "timestamp": "2024-04-29T14:39:22.155335"} authentik-worker-1 | {"domain_url": null, "event": "Task finished", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "state": "SUCCESS", "task_id": "fa151826cd5147c3818c41880d458a0c", "task_name": "event_trigger_handler", "timestamp": "2024-04-29T14:39:22.156483"} ``` **Version and Deployment (please complete the following information):** - authentik version: 2024.4.1 - Deployment: docker-compose **Additional context** ``` { "user": { "pk": 1, "email": "", "username": "AnonymousUser", "is_anonymous": true }, "action": "login_failed", "app": "authentik.events.signals", "context": { "stage": { "pk": "1e3f ... 2", "app": "authentik_stages_authenticator_validate", "name": "WebAuthn passwordless (custom stage)", "model_name": "authenticatorvalidatestage" }, "device": { "pk": 11, "app": "authentik_stages_authenticator_webauthn", "name": "1Password", "model_name": "webauthndevice" }, "username": "", "device_type": { "pk": "b ... d", "app": "authentik_stages_authenticator_webauthn", "name": "WebAuthn device type 1Password (b ... 0d)", "model_name": "webauthndevicetype" }, "device_class": "webauthn", "http_request": { "args": { "next": "/" }, "path": "/api/v3/flows/executor/webauthn-passwordless-custom-flow/", "method": "POST", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" } }, "client_ip": "192. ....159", "expires": "2025-04-29T14:23:25.006Z", "brand": { "pk": "f0 ... 5e", "app": "authentik_brands", "name": "Default brand", "model_name": "brand" } } ```

mooglestiltzkin · April 30, 2024, 12:29am

taking a look at jellyfin graphics card

this is the instruction for nvidia.

but it’s already asking to add the repo before u can apt the files needed. which one? and how?

then it wants to mess with user groups and stuff. this is not really critical for me, so hard to proceed.

and bunch of other stuff.

i just use jellyfin without triggering live transcoding, usually when i am unable to use my favourite mpv player with anime4k upscaling.

so i’ll have to pass on this for now

mooglestiltzkin · April 30, 2024, 12:48am

tim posted his network homelab setup, and raid owl is sharing his. he too uses truenas

@11:56 even owl doesnt need graphics to accelerate his mediaplayer same like me xd. i’m sure there is a good use case for it, but not really for me since i won’t be using it for that often

Stux · April 30, 2024, 1:52am

Did you try the linuxserver jellyfin image?

mooglestiltzkin · April 30, 2024, 2:28am

i nuked immich docker container and did it from scratch.

from time to time they update their docker compose and .env file so this is probably the case.

i sus it wasn’t fully working though it was functional.

setup was quick as long as i had my docker compose and .env which were updated to the latest

github.com

immich-app/immich/blob/main/docker/docker-compose.yml

#
# WARNING: Make sure to use the docker-compose.yml of the current release:
#
# https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml
#
# The compose file on main may not be compatible with the latest release.
#

name: immich

services:
  immich-server:
    container_name: immich_server
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    command: ['start.sh', 'immich']
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - .env

This file has been truncated. show original

github.com

immich-app/immich/blob/main/docker/example.env

# You can find documentation for all the supported env variables at https://immich.app/docs/install/environment-variables

# The location where your uploaded files are stored
UPLOAD_LOCATION=./library
# The location where your database files are stored
DB_DATA_LOCATION=./postgres

# The Immich version to use. You can pin this to a specific version like "v1.71.0"
IMMICH_VERSION=release

# Connection secret for postgres. You should change it to a random password
DB_PASSWORD=postgres

# The values below this line do not need to be changed
###################################################################################
DB_USERNAME=postgres
DB_DATABASE_NAME=immich

*update

as i suspected, doing a clean install for immich and making sure the compose and .env were correctly up to date. seems a bit more stable now

A very odd issue someone pointed out with people weren’t being generated for a zfs

github.com/immich-app/immich

People "No people" despite images having People assigned

opened 04:04AM - 20 Jan 24 UTC

closed 07:53PM - 20 Jan 24 UTC

othyn

### The bug So this is a really weird one. I've just imported around ~13k …photos using the CLI tool within the Docker container, just mounting the old Nextcloud path and importing via localhost, not really important but just fyi. I noticed that the Face Detection/Grouping cut off around 2018, not relevant to this, but may as well be said. The main problem was; - I was going through People and adding names/birthdays, all seemed to be going well. - I wanted to change the featured photo of each person to something else, so I went through and did so. There was a success toast confirming the change on each user. Despite that, none of the images changed after a cache refresh. - Searching for information about this problem online, [this thread](https://github.com/immich-app/immich/discussions/3357) came up under this repo's discussions board. They suggested to re-run the 'all' face detection. - I was a bit annoyed as it will reset all the names/birthday's I'd added, but followed the instructions anyway and started an 'All' job via the Admin Jobs GUI for Face Detection, then Facial Recognition. - It went through all the images/videos in the library and finished, then did all the grouping and it finished. Both successfully. However, heading over to the People tab, it just says 'No people', despite the container logs for the ML container saying that its detected and created loads of People. - Going into an individual image with a face in it however, it shows People attached but with broken image URL's (the little browser icon for a broken image is shown): <img width="343" alt="Screenshot 2024-01-20 at 04 07 34" src="https://github.com/immich-app/immich/assets/7256684/1b94845f-23ba-4e58-bed4-a587462be424"> ... and clicking on those broken People goes through to the asset page for that Person, with a broken image URL and no name: <img width="407" alt="Screenshot 2024-01-20 at 03 45 44" src="https://github.com/immich-app/immich/assets/7256684/b304cbf5-ed19-4029-9828-cb57d361e265"> - Setting a name does not fix the issue, they still don't appear under the 'People' tab. There are also no people or anything under the 'hidden' option, as I double checked. - However, setting a new featured image for the Person makes them appear under the 'People' tab, and appears to be the only way I can make them appear under the Person tab I've tried rebooting the container instances, didn't make any difference. Is there a way I can reset all this and start again for the Facial Recognition/Grouping / People in general? It seems something has got borked somewhere. This is my first foray into Immich debugging, so please point me in the right direction for providing the relevant logs. Stupidly, as above, I rebooted the instance so have lost the logs from that session. ### The OS that Immich Server is running on Alpine (Official Docker Container) ### Version of Immich Server 1.93.2 ### Version of Immich Mobile App 1.93.0 build.134 ### Platform with the issue - [X] Server - [ ] Web - [ ] Mobile ### Your docker-compose.yml content ```YAML version: "3.8" networks: oxnet: external: true volumes: model-cache: services: photos: container_name: photos image: ghcr.io/immich-app/immich-server:v1.93.2 command: ["start.sh", "immich"] restart: unless-stopped depends_on: - photos-redis volumes: - /mnt/user/photos:/usr/src/app/upload - /etc/localtime:/etc/localtime:ro networks: oxnet: ipv4_address: 172.18.111.1 dns: - 172.18.3.141 env_file: - /mnt/user/appdata/_env/all.env - /mnt/user/appdata/_env/photos.env labels: traefik.enable: true traefik.docker.network: oxnet traefik.http.routers.photos.service: photos traefik.http.routers.photos.entrypoints: https traefik.http.services.photos.loadbalancer.server.port: 3001 photos-microservices: container_name: photos-microservices image: ghcr.io/immich-app/immich-server:v1.93.2 command: ["start.sh", "microservices"] restart: unless-stopped depends_on: - photos-redis volumes: - /mnt/user/photos:/usr/src/app/upload - /etc/localtime:/etc/localtime:ro networks: oxnet: ipv4_address: 172.18.111.2 dns: - 172.18.3.141 env_file: - /mnt/user/appdata/_env/all.env - /mnt/user/appdata/_env/photos.env photos-machine-learning: container_name: photos-machine-learning image: ghcr.io/immich-app/immich-machine-learning:release restart: unless-stopped volumes: - model-cache:/cache networks: oxnet: ipv4_address: 172.18.111.3 dns: - 172.18.3.141 env_file: - /mnt/user/appdata/_env/all.env - /mnt/user/appdata/_env/photos.env photos-redis: container_name: photos-redis image: redis:6.2-alpine@sha256:c5a607fb6e1bb15d32bbcf14db22787d19e428d59e31a5da67511b49bb0f1ccc restart: unless-stopped networks: oxnet: ipv4_address: 172.18.111.4 dns: - 172.18.3.141 photos-postgresdb: container_name: photos-postgresdb image: tensorchord/pgvecto-rs:pg14-v0.1.11@sha256:0335a1a22f8c5dd1b697f14f079934f5152eaaa216c09b61e293be285491f8ee restart: unless-stopped volumes: - /mnt/user/appdata/photos-postgresdb:/var/lib/postgresql/data:rw networks: oxnet: ipv4_address: 172.18.111.5 dns: - 172.18.3.141 ports: - "5433:5432" env_file: - /mnt/user/appdata/_env/all.env - /mnt/user/appdata/_env/photos.env ``` ### Your .env content ```Shell HOST_CONTAINERNAME=photos REDIS_HOSTNAME=photos-redis DB_HOSTNAME=photos-postgresdb DB_DATABASE_NAME=immich DB_USERNAME=<user> DB_PASSWORD=<pass> POSTGRES_DB=immich POSTGRES_USER=<user> POSTGRES_PASSWORD=<pass> ``` ### Reproduction steps ```bash 1. I was going through People and adding names/birthdays, all seemed to be going well. 2. I wanted to change the featured photo of each person to something else, so I went through and did so. There was a success toast confirming the change on each user. Despite that, none of the images changed, even after a cache refresh. 3. Searching for information about this problem online, [this thread](https://github.com/immich-app/immich/discussions/3357) came up under this repo's discussions board. They suggested to re-run the 'all' face detection. 4. I was a bit annoyed as it will reset all the names/birthday's I'd added, but followed the instructions anyway and started an 'All' job via the Admin Jobs GUI for Face Detection, then Facial Recognition. 5. It went through all the images/videos in the library and finished successfully on both jobs. However, heading over to the People tab, it just says 'No people', despite the container logs for the ML container saying that its detected and created loads of People successfully. 6. Tried cache refreshes and redeployed the containers just as sometimes things can get stuck, no dice. 7. Going into QA mode and thinking of other entrypoints, going into an individual image with a face in it however, it shows the relevant and correct People attached - but all with broken image icons in place of the Person's face/name, and clicking on those broken People icons goes through to the asset page for that Person, with a broken image URL (the browsers little broken image URL icon) and no name. 8. Continuing with the debugging mentality, setting a name does not fix the issue, they still don't appear under the 'People' tab. There are also no people or anything under the 'hidden' option, as I double checked. 9. However, continuing along that path, setting a new featured image for the Person makes them appear under the 'People' tab with that new featured image (instantly), and appears to be the only way I can make them appear under the Person tab. No other method will get them to appear on the Person tab. ``` ### Additional information The machine learning URL is configured correctly: ```json { "machineLearning": { "url": "http://photos-machine-learning:3003", } } ``` All other features work flawlessly, this is the only one. And it was working perfectly fine, until I did the second 'All' run.

solution: more ram

*update

figured it out. under machine learning - facial recognition

MIN RECOGNIZED FACES
3

set that to 1. then go to jobs > facial recognition > missing

then go back to people, show all. NOW it shows all the persons you asked it to create but it didn’t. this was why.

If that person is not recognized in multiple counts as specified, they get ignored.

This is why on immich they simply just say add more pics for that person. Alternatively set it to value 1.

So my earlier criticism on immich in regards to the adding persons was simply my lack of understand that you needed to change that setting.

But the gallery creation based on existing folders still remains a valid criticism. For that there is a temporary solution

I don’t know how safe that script is, i’m not a coder, so do your own diligence. I assume it’s ok but you never know.