What is a self-hosted app/os/service/etc. that is widely "known" as being fully open source, but it actually relies significantly on closed source software?
  • Tailscale is using "being open source" as a marketing term and it's working. The coordination server is a centerpiece of the architecture, the client being open is meaningless

    Another example of this is Plex, many people don't actually know the fact that it went closed and that only the client is open source

    0
  • 📒Cosmos 0.13: QoL holiday update!🎄 All in one secure Reverse-proxy, container manager with app store, integrated VPN, Monitoring and authentication provider now support stacks and more!

    link: https://github.com/azukaar/Cosmos-Server/

    Hello everyone!

    December is upon us and it is time for me to hibernate. But before, let me introduce you to the last update of the year: the holiday QoL update!

    Before I do that, I have started a product hunt profile, if you have a second please take a moment to support the project: https://www.producthunt.com/posts/cosmos-7 :)

    As a reminder, and for newcomers, Cosmos is a:

    • App Store 📦📱 To easily install and manage your applications, with simple installers, automatic updates and security checks. This works alongside manual installation methods, such as importing docker-compose files, or the docker CLI
    • Customizable Homepage 🏠🖼 To access all your applications from a single place, with a beautiful and customizable UI
    • Reverse-Proxy 🔄🔗 Targeting containers, other servers, or serving static folders / SPA with automatic HTTPS, and a nice UI
    • Authentication Server 👦👩 With strong security, multi-factor authentication and multiple strategies (OpenId, forward headers, HTML)
    • Container manager 🐋🔧 To easily manage your containers and their settings, keep them up to date as well as audit their security. Includes docker-compose support!
    • VPN 🌐🔒 To securely access your applications from anywhere, without having to open ports on your router.
    • Monitoring 📈📊 Fully persisting and real-time monitoring with customizable alerts and notifications, so you can be notified of any issue.
    • Identity Provider 👦👩 To easily manage your users, invite your friends and family to your applications without awkwardly sharing credentials. Let them request a password change with an email rather than having you unlock their account manually!
    • SmartShield technology 🧠🛑 Automatically secure your applications without manual adjustments (see below for more details). Includes anti-bot and anti-DDOS strategies.

    ANYWAY! In this holiday update, I came back on the most demanded quality of life features on Cosmos, and finally got around to implementing them!

    First: Stacks. Cosmos now supports cosmos stacks AND docker-compose stacks, so it will pick up your existing docker-compose stacks, and display them together in the UI:

    2 stacks in my servapps

    Click on one of them and you will get the details of the containers. You can start, stop, restart and destroy the entire stack all at once as well!

    Which brings me to my second point, deletion. Isn't it annoying to delete a container, THEN delete the volumes, THEN delete the networks, then the routes? Well now you don't have to anymore, as deleting a container brings up the delete wizard:

    This is so satisfying!! Wait... Did I just nuke my Immich instance for this screenshot? You bet I did!

    Few other improvements went into this release but I cannot finish without mentioning, ICON EDITION! I cannot count how many times people asked me how to edit their icons... Well now you can actually do it!

    https://preview.redd.it/l3u8hfqych2c1.png?width=600&format=png&auto=webp&s=a7317b24fa271a17498ee4376c8b24cfd0fcbcc5

    OK! This wraps up the year nicely. Next year is full of exciting things and challenges, both for Cosmos and the selfhosting community, and I am very excited about it! I hope you are too!

    Next year is going to be a big year, first the next update is the one where I will finally solve some existential crisis about Cosmos, where a few things are not what they should be because of the form factor. I might even end up taking Cosmos out of Docker, in order to simplify many of the processes. Lots of work ahead.

    But for now, I wish you all great holidays, whichever ones you celebrate, enjoy some nice xmas movies on Jellyfin, music with navidrome, and keep your holiday memories safe on Immich, I will see you next year with some exciting stuff!

    complete changelog:

    • Display container stacks as a group in the UI
    • New Delete modal to delete services entirely
    • Upload custom icons to containers
    • improve backup file, by splitting cosmos out to a separate docker-compose.yml file
    • Cosmos-networks now have specific names instead of generic names
    • Fix issue where search bar reset when deleting volume/network
    • Fix breadcrumbs in subpaths
    • Remove graphs from non-admin UI to prevent errors
    • Rewrite the overwriting container logic to fix race conditions
    • Edit container user and devices from UI
    • Fix bug where Cosmos Constellation's UDP ports by a TCP one
    • Fix a bug with URL screen, where you can't delete a URL when there is a search
    • Fix issue where negative network rates are reported
    • Support array command and single device in docker-compose import
    • Add default alerts... by default (was missing from the default config)
    • disable few features like Constellation, Backup and Monitoring when in install mode to reduce logs and prevent issues with the DB
    12
    What is the point of Casaos ?
  • My point of view is CasaOS / Unraid / Umbrel / ... serve a good "first base" with selfhosting. Kind of like a gateway drug: gives you the candy to see how nice it could be but really under the hood, they are lacking a lot of substance.

    I would never advise someone to limit their experience to those tools though, as they lack so many things that are required for a proper long term selfhosting setup (monitoring, backups, encryptions, reverse-proxy, etc...). It's a decent start though.

    Finally one criticism I could make is, unlike what you often read, I think it's ok to abstract things. But the issue is, if you're going to abstract away Docker completely you better make sure to offer everything the user needs to deal with their apps, and as far as I can tell, not only is it not the case, but also those tools kind of tend to be opinionated in questionable ways. I have never used CasaOS though, so it's only 3rd party observation

    1
    Are there any concerns/risks to using Watchtower?
  • Using an outdated version of a container (including DBs!) that has known vulnerabilities that will be very easy to exploit, including by bots, is so much worse than the risk of a container breaking after an update. Just monitor your server properly and you'll be good

    0
    🆕 Cosmos 0.11.0 - All in one secure Reverse-proxy, container manager with app store and authentication provider, and integrated VPN now has a Docker backup system + Mac and Linux clients available
  • You need root access to manage docker containers, that's (almost) unavoidable. Also Cosmos does not support managing remote docker instances. On the other hand, a good (and secure) pattern is to use Constellation (the integrated VPN) on 2 servers with cosmos installed on each. You can connect them together. One of the servers (the seedbox) is the main server running services but it is not exposed on the internet and the only way to access it is to connect to the VPN on the other VPS

    1
    🆕 Cosmos 0.11.0 - All in one secure Reverse-proxy, container manager with app store and authentication provider, and integrated VPN now has a Docker backup system + Mac and Linux clients available
  • Don't get me wrong, I am fully aware that you need to reduce as much as possible the amount of access something has but as you said:

    you should never have permissions to things you don't need

    well Cosmos needs to see your files if you want Cosmos to manage your files. It's that simple. By default it's on because it is needed for Cosmos to function. You can remove it, but at the expense of some of the functionalities of the server.

    By the way Cosmos, as a Docker management software, has access to your docker socket. Which means, you can remove anything you want from the container, technically, it can add it back itself. Having access to the socket means being able to manage the containers, including itself. In other words, having this mount in the docker run command is just a comfort thing, but in terms of privilege, whether it's Cosmos or Portainer or any other docker manager, they have full root access to your system and that's unavoidable.

    why not have -v /CasaFolder:/mnt/host or something similar

    Because it would require users to always update their Cosmos containers to add additional folders all the time, giving a terrible and very error prone user experience.

    If there is a solution out there, that solves that problem (as in allows Cosmos to continue to work the same without that mount) then I will gladly implement it. But as far as I can see there isn't such a solution

    1
    🆕 Cosmos 0.11.0 - All in one secure Reverse-proxy, container manager with app store and authentication provider, and integrated VPN now has a Docker backup system + Mac and Linux clients available
  • Cosmos is a fully fledged server management platform, as such it requires that access to the host server in order to operate.

    "--privileged -v /:/mnt/host" is not as bad of a thing as you would think in that context, in fact it is equivalent to running a daemon like you would with any other alternative (CasaOS, Umbrel, etc..) those are just requirements for Cosmos to run with the same level of exposure as those alternatives who are not docker containers.

    My only alternative would have been to make Cosmos a daemon and not a container, but then it would make install and maintenance harder

    I understand your point, and yes ideally it would run as an isolated container, but it's just not possible to have a supervisor software managing your server running in an isolated container with no container, it is contradictory

    I propose as alternative to run Cosmos with lower privilege, in which case some features will not work but the default is to run cosmos with the privileges it requires for all features to work as expected.

    And the bottom line, the security benefits behind Cosmos for your average home-server outweigh by far this "--privileged -v /:/mnt/host". Slight reminder that a very large portion of people running alternatives like Casa, Umbrel, etc... also expose those root daemons without even HTTPS or anything!

    1
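Added example, not part of the comments above and not Cosmos code: a Python check over `docker inspect` output that flags the three grants discussed in these comments (`--privileged`, a bind mount of `/`, and the Docker socket). The container names and the sample JSON are constructed for illustration.

```python
import json

# Constructed sample shaped like `docker inspect` output; names are made up.
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/cosmos-server", "HostConfig": {"Privileged": true},
  "Mounts": [
   {"Type": "bind", "Source": "/", "Destination": "/mnt/host", "RW": true},
   {"Type": "bind", "Source": "/var/run/docker.sock",
    "Destination": "/var/run/docker.sock", "RW": true}]},
 {"Name": "/manager-ro", "HostConfig": {"Privileged": false},
  "Mounts": [
   {"Type": "bind", "Source": "/var/run/docker.sock",
    "Destination": "/var/run/docker.sock", "RW": false}]},
 {"Name": "/jellyfin", "HostConfig": {"Privileged": false},
  "Mounts": [
   {"Type": "volume", "Source": "/var/lib/docker/volumes/media/_data",
    "Destination": "/media", "RW": true}]}
]""")

SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}

def host_access_findings(container):
    """Return the reasons a container has broad access to the Docker host."""
    reasons = []
    if (container.get("HostConfig") or {}).get("Privileged"):
        reasons.append("privileged")
    for mount in container.get("Mounts") or []:
        if mount.get("Type") != "bind":
            continue
        source = mount.get("Source", "")
        if source in SOCKET_PATHS:
            # A read-only bind still allows API calls over the socket.
            reasons.append("docker-socket")
        elif source == "/":
            reasons.append("host-root-rw" if mount.get("RW") else "host-root-ro")
    return reasons

def audit(containers):
    """Map container name to findings, listing only flagged containers."""
    report = {}
    for c in containers:
        reasons = host_access_findings(c)
        if reasons:
            report[c.get("Name", "?").lstrip("/")] = reasons
    return report

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(reasons)}")
```

On a real host, pass `audit()` the parsed output of `docker inspect $(docker ps -q)` instead of the sample.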
  • 🆕 Cosmos 0.11.0 - All in one secure Reverse-proxy, container manager with app store and authentication provider, and integrated VPN now has a Docker backup system + Mac and Linux clients available

    Link: github.com/azukaar/cosmos-Server/

    Cosmos 0.11.0 is out with a new backup system to export all your docker containers! The Linux and Mac clients are also out for some early testing, please share your feedback!

    https://preview.redd.it/htjbg0ze5rvb1.jpg?width=1695&format=pjpg&auto=webp&s=944ae33ae00c67159eddecf4ff923a1a0141e106

    The new backup system works by reading the list of containers on your server and exporting a single compose file, with all the setup you need to recreate (in case of crash) or migrate your server.

    The backup system triggers on every docker change, including changes you've made outside of Cosmos (ex. Portainer, etc...).

    It outputs to a single file in your config folder, which you can backup with various strategies to keep a history of your docker containers state!

    As a reminder, this exists alongside the existing features:

    • App Store 📦📱 To easily install and manage your applications, with simple installers, automatic updates and security checks
    • Customizable Homepage 🏠🖼 To access all your applications from a single place, with a beautiful and customizable UI
    • Reverse-Proxy 🔄🔗 Targeting containers, other servers, or serving static folders / SPA with automatic HTTPS, and a nice UI
    • VPN 🌐🔒 To securely access your applications from anywhere, without having to open ports on your router.
    • Authentication Server 👦👩 With strong security, multi-factor authentication and multiple strategies (OpenId, forward headers, HTML)
    • Container manager 🐋🔧 To easily manage your containers and their settings, keep them up to date as well as audit their security. Includes docker-compose support!
    • Identity Provider 👦👩 To easily manage your users, invite your friends and family to your applications without awkwardly sharing credentials. Let them request a password change with an email rather than having you unlock their account manually!
    • SmartShield technology 🧠🛑 Automatically secure your applications without manual adjustments (see below for more details). Includes anti-bot and anti-DDOS strategies.

    As always, eager to get some feedback on this release, here's the rest of the changelog:

    • Docker export feature for backups on every docker event
    • Disable support for X-FORWARDED-FOR incoming header (needs further testing)
    • Compose Import feature now supports skipping creating existing resources
    • Compose Import now overwrite containers if they are different
    • Added support for cosmos-persistent-env, to persist password when overwriting containers (useful for encrypted or password protected volumes, like databases use)
    • Fixed bug where import compose would try to revert a previously created volume when errors occurs
    • Terminal for import now has colours
    • Fix a bug where ARM CPU would not be able to start Constellation

    happy hosting!

    44