Adding Wizarr to my Stack
Why Wizarr?
Wizarr is a user invitation / automatic user enrollment system for Jellyfin, Emby and Jellyseerr. In the long run I plan to open my home server to my family and friends, so anything that makes this administration easier is welcome.
So what did I need to do? The containers I run are managed by systemd. My server is generally off, and to have my services up and running when I turn it on, systemd provides the possibility to auto-start and auto-update rootless containers.
First let's create the needed container file in the user directory that Podman's Quadlet generator reads (we want rootless).
~/.config/containers/systemd/wizarr.container:
[Container]
Image=ghcr.io/wizarrrr/wizarr:4.0.0-beta.9
AutoUpdate=registry
PublishPort=5690:5690/tcp
Volume=/path/to/wizarr/database:/data/database:Z
[Service]
Restart=always
[Install]
WantedBy=default.target
Then we can add the firewall exception, and reload so that the permanent rule becomes active:
sudo firewall-cmd --permanent --add-port=5690/tcp
sudo firewall-cmd --reload
To start the container, run these commands:
systemctl --user daemon-reload
systemctl --user start wizarr
Then in the Podman containers view we should see the container up and running. We can also try reaching the Wizarr web server at our.own.ip.address:5690, but it will not be reachable (yet). Why? SELinux prevents user services from opening HTTP ports. We can work around this by:
- relaxing the restriction on the port
- using a reverse proxy running as root
I went with the second option. I created a simple HTTP server configuration (HTTPS to be added):
/path/to/the/volume/mounted/in/the/nginx/container/etc/nginx/conf.d/wizarr.conf:
server {
    listen 80;
    listen [::]:80;
    server_name subdomain.domain.tld;
    location / {
        proxy_pass http://server.ip.address.and:port;
    }
}
Or, if you already have your SSL certificates:
# Plain HTTP: redirect everything to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name subdomain.domain.tld;
    location / {
        add_header alt-svc 'h3=":443"; ma=86400';
        return 301 https://subdomain.domain.tld$request_uri;
    }
}
server {
    http3 on;
    # http3_hq enables HTTP/0.9 over QUIC, which nginx documents for QUIC interop tests
    http3_hq on;
    listen 443 ssl http2;
    listen 443 quic;
    include conf.d/http3.conf;
    server_name subdomain.domain.tld;
    # Specify SSL
    ssl_certificate /etc/ssl/subdomain.domain.tld/subdomain.domain.tld.crt;
    ssl_certificate_key /etc/ssl/subdomain.domain.tld/subdomain.domain.tld.key;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
    location / {
        # Add Alt-Svc headers to negotiate HTTP/3
        add_header Alt-Svc 'h3=":443"; ma=3600';
        proxy_set_header Upgrade $http_upgrade;
        # $connection_upgrade is not built in; it needs a map on $http_upgrade in the http context
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Ssl on;
        # proxy_pass needs a scheme, otherwise nginx rejects the configuration
        proxy_pass http://server.ip.address.and:port;
    }
}
After adding this, the SELinux context has to be updated so that nginx can read the file we have created, and the new context has to be applied before restarting the nginx service:
sudo semanage fcontext -a -t httpd_sys_content_t '/path/to/nginx/stuff/nginx/etc/nginx(/.*)?'
sudo restorecon -Rv /path/to/nginx/stuff/nginx/etc/nginx/
Then restart nginx:
sudo systemctl restart nginx
Once the container is up and running, it should be possible to reach it at subdomain.domain.tld (or whatever name we have chosen here).
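A follow-up check on the wizarr.container unit from this post, as an added example that is not part of the original setup or of Wizarr/Podman: a small Python audit that flags a port published on every host interface (which, together with the firewall exception, lets clients reach Wizarr on 5690 without going through the nginx TLS front end) and AutoUpdate=registry following a mutable tag. The function names and finding ids are hypothetical; whether the port can be bound to 127.0.0.1 instead depends on nginx being able to reach the backend over loopback, which is an assumption about this setup.

```python
# Added example: audit a Quadlet .container unit for exposure and update-trust issues.
# Constructed input: the unit from this post, unchanged.
SAMPLE_UNIT = """\
[Container]
Image=ghcr.io/wizarrrr/wizarr:4.0.0-beta.9
AutoUpdate=registry
PublishPort=5690:5690/tcp
Volume=/path/to/wizarr/database:/data/database:Z
[Service]
Restart=always
"""

def parse_unit(text):
    """Return {section: [(key, value), ...]}; Quadlet keys may repeat, so keep a list."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current.append((key.strip(), value.strip()))
    return sections

def bind_address(publish):
    """Host address of a PublishPort value ([ip:][hostPort:]containerPort[/proto]), or None."""
    spec = publish.split("/", 1)[0]
    if spec.startswith("["):                  # bracketed IPv6, e.g. [::1]:5690:5690
        return spec[1:spec.index("]")]
    parts = spec.split(":")
    return parts[0] if len(parts) == 3 else None

def audit(text):
    """Return a sorted list of finding ids for the [Container] section."""
    entries = parse_unit(text).get("Container", [])
    get = lambda name: [v for k, v in entries if k == name]
    findings = set()
    for publish in get("PublishPort"):
        if bind_address(publish) in (None, "", "0.0.0.0", "::"):
            findings.add("port-on-all-interfaces")      # backend reachable without the proxy
    if "registry" in get("AutoUpdate") and not any("@sha256:" in i for i in get("Image")):
        findings.add("autoupdate-follows-mutable-tag")  # new content for the tag is pulled and run
    for volume in get("Volume"):
        fields = volume.split(":")
        opts = fields[2].split(",") if len(fields) > 2 else []
        if fields[0].startswith("/") and not {"z", "Z"} & set(opts):
            findings.add("bind-mount-without-selinux-label")
    return sorted(findings)
```

Calling `audit(SAMPLE_UNIT)` reports both the exposed port and the tag-following auto-update; changing the line to `PublishPort=127.0.0.1:5690:5690/tcp` clears the first finding.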