-
-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added Pi-hole service #2628
base: next
Are you sure you want to change the base?
Added Pi-hole service #2628
Conversation
87bdf18
to
f05ba14
Compare
I would suggest to let Traefik handle the reverse proxy. You can then make a service "publicly available" within Coolify to expose the public port. I can agree on port 53 though. |
ports: | ||
- '53:53/tcp' | ||
- '53:53/udp' | ||
- '8080:80' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should be removed, and instead, let reverse proxy handle it.
add the key SERVICE_FQDN_PIHOLE_80
in environment, and coolify will automatically handle it.
example:
environment:
- SERVICE_FQDN_PIHOLE_80
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree. Line 7 should be removed.
It is also safer to not expose the application port directly. Traefik can put some security in front of it if someone needs it.
@@ -0,0 +1,15 @@ | |||
services: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You forgot to add the metadata that is mentioned here: https://coolify.io/docs/knowledge-base/add-a-service#metadata
The port part will tell Coolify which port to use when configuring the proxy.
Now you can skip the postfix_80
when using SERVICE_FQDN_PIHOLE
If you want to test your service you can do it in the dev mode mentioned here: https://github.com/coollabsio/coolify/blob/main/CONTRIBUTION.md#1-setup-your-development-environment
When the Coolify container is running you can generate a new service-templates.json. More info here: #2375 (comment)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just tested this locally. And the traefik proxy is still using port 53 when trying to reach the WEB UI.
This is because traefik defaults to automatically proxy to exposed ports and Coolify doesn't override this.
I even tried using the postfix _80
but it did not help.
I also tried to remove the ports:
part from the docker-compose file. But traefik still sees the exposed ports that are hard coded into the original docker image. I.e. traefik will proxy to port 53.
I have to add labels manually to configure traefik. But that requires me to use the generated UID.
labels:
- traefik.http.routers.http-0-t4wgc4w-pihole.service=pi-hole
- traefik.http.services.pi-hole.loadbalancer.server.port=80
I thought I knew how Coolify did its magic. But it seems that I was wrong :(
Since you managed to get pi-hole working, could a similar template for adguard be a possibility? |
|
GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
---|---|---|---|---|---|
- | - | GitHub App Keys | ccbbfd8 | database/seeders/GithubAppSeeder.php | View secret |
- | - | Generic Password | e1bcae7 | templates/compose/resend.yaml | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secrets safely. Learn here the best practices.
- Revoke and rotate these secrets.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
@cjnewbs This template does not really work in its current state, could you please update it with a domain and the Coolify magic https://coolify.io/docs/contribute/service ? Thank you so much. |
Summary
Questions:
ip:53
from the links section as it's not something directly accessed by users,ip:8080
link from the public-facing IP of coolify to the LAN IP as this should only really need to be accessed locally,