<sub>(2025/01/12)</sub> #docker #pocket-id #sqlite #synology

## Intro

For a while now I have been trying to deploy and configure a proper identity provider solution for my homelab. My current solution is to use LDAP (via Synology C2 Identity), but I find LDAP in general to be obtuse and frustrating to configure as each individual application has a different LDAP configuration. I could use Active Directory (or Synology Directory Server), but not all applications have native Active Directory integration, which means I am still utilizing and configuring LDAP.

However, I found an [excellent article discussing a new application called Pocket ID](https://selfh.st/2024-favorite-new-apps/) that caught my eye. I always wanted to try replacing LDAP with OIDC in my homelab, but I found many of the self-hosted solutions (Authentik and Keycloak, for example) to be both overly complicated and overkill for my use. Luckily for me, Pocket ID fits my requirements as it was designed to be a KISS solution and, even better, [[I Love SQLite|uses SQLite]].

## How To

My environment consists of my Synology utilizing Portainer to manage my containers.

First of all, before proceeding: due to security limitations with running Docker on a Synology, one will need to run Pocket ID as root. Essentially, the problem is that Pocket ID utilizes Caddy, which does not play nice with a Synology device. Even if an account has administrator permissions [or the ability to run Docker commands](https://drfrankenstein.co.uk/step-2-setting-up-a-restricted-docker-user-and-obtaining-ids/), Caddy will not launch properly. My homelab is locked down and I have nothing externally facing, so I am comfortable running Pocket ID as root, but if you are not, then please do not proceed.

* I will update this guide if I figure out a way to run Pocket ID without using root permissions. If you know, please let me know!
If you do try running Pocket ID as a non-root account, you will get an error message similar to this within your container:

```
Error: loading initial config: loading new config: http app module: start: listening on :80: listen tcp :80: bind: permission denied
Error: caddy process exited with error: exit status 1
```

### Deploy Portainer

I highly recommend using Portainer to manage and deploy your containers on your Synology (instead of Container Manager), but you can skip this step if you are comfortable with the command line (we will be using a Docker Compose file). [Here is a quick guide on how to install Portainer on your Synology.](https://www.portainer.io/blog/how-to-install-portainer-on-a-synology-nas)

### Create New Folders (on your Synology)

Secondly, make a new folder in your `docker` shared folder called `pocket-id` and then create a subfolder called `data`:

* My path, for example, is `/volume1/docker/storage/pocket-id` because I like having an additional sub-folder to store all of my container data instead of putting it in the root of `docker`.

![[Pocket-ID-1.png]]

### Deploy Pocket ID

Finally, here is the Docker Compose file we will use in Portainer.
Create a new stack, label it Pocket ID, and then paste the following into the text editor (change the `volumes` value below to the path of the `data` folder you created in the previous step):

```
services:
  pocket-id:
    image: stonith404/pocket-id # or ghcr.io/stonith404/pocket-id
    restart: unless-stopped
    env_file:
      - stack.env
    ports:
      - 3002:80
    volumes:
      - "[PATH TO YOUR POCKET ID DATA FOLDER]:/app/backend/data"
    # Optional healthcheck
    healthcheck:
      test: "curl -f http://localhost/health"
      interval: 1m30s
      timeout: 5s
      retries: 2
      start_period: 10s
```

![[Pocket-ID-2.png]]

Before deploying the Portainer stack, the last thing we need to do is add the following environment variables used by the Pocket ID container:

![[Pocket-ID-3 .png]]

To explain what each variable does:

* `PUBLIC_APP_URL` = the URL you will be using to access Pocket ID
* `TRUST_PROXY` = set to `true` if you are going to be using Pocket ID behind a reverse proxy (I did), otherwise change to `false`
* `MAXMIND_LICENSE_KEY` = as per the official documentation:
  > License Key for the GeoLite2 Database. The license key is required to retrieve the geographical location of IP addresses in the audit log. If the key is not provided, IP locations will be marked as "unknown." You can obtain a license key for free [here](https://www.maxmind.com/en/geolite2/signup).
* `PUID` and `PGID` = you will have to use `0` for both values (these are the values of the `root` Synology account)
* `PORT` = frontend port, which I changed from the default web console port `3000` to `3002` as port `3000` was already in use on my system

[Please click here for the complete list of Pocket ID environment variables.](https://github.com/stonith404/pocket-id?tab=readme-ov-file#environment-variables)

Deploy the compose file above as a stack in Portainer (with the matching environment variables) and, if successful, you will have a login page!
* The default login page for your Pocket ID container would be `http://[SYNOLOGYIP]:3002`

![[Pocket-ID-3.png]]
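As an added example that is not part of the original post or the Pocket ID project, the following POSIX shell script checks a `stack.env` against the variable rules listed above before the stack is deployed, flagging the `PUID`/`PGID` of `0` (root) that the Synology workaround requires. The helper names, the two sample files and the hostname `id.example.lan` are constructed for this example.

```shell
# Added example, not from the original post: sanity-check a Pocket ID stack.env
# before deploying the stack. Variable names are the ones the post lists; the
# helper names and the two sample files below are constructed for this example.
# Print the last value assigned to KEY in FILE (KEY=VALUE lines, leading space ok).
env_get() { sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1; }

# Return 0 if FILE is deployable, 1 on any hard error; warnings go to stdout.
check_pocket_id_env() {
    f="$1"; rc=0
    [ -r "$f" ] || { echo "ERROR: cannot read $f"; return 1; }

    case "$(env_get PUBLIC_APP_URL "$f")" in
        https://*) ;;
        http://*)  echo "WARN: PUBLIC_APP_URL is plain http; logins cross the network unencrypted" ;;
        *)         echo "ERROR: PUBLIC_APP_URL must be a full URL"; rc=1 ;;
    esac

    case "$(env_get TRUST_PROXY "$f")" in
        true|false) ;;
        *) echo "ERROR: TRUST_PROXY must be exactly true or false"; rc=1 ;;
    esac

    # PUID/PGID must be integers; 0 means the container processes run as root.
    for k in PUID PGID; do
        case "$(env_get "$k" "$f")" in
            0) echo "WARN: $k=0, container runs as root (the Synology workaround)" ;;
            ''|*[!0-9]*) echo "ERROR: $k must be a non-negative integer"; rc=1 ;;
        esac
    done

    p=$(env_get PORT "$f")
    case "$p" in
        ''|*[!0-9]*) echo "ERROR: PORT must be numeric"; rc=1 ;;
        *) [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "ERROR: PORT out of range"; rc=1; } ;;
    esac

    [ -n "$(env_get MAXMIND_LICENSE_KEY "$f")" ] ||
        echo "NOTE: MAXMIND_LICENSE_KEY empty; audit-log IP locations will show as unknown"
    return $rc
}
# Constructed samples: one matching the post's settings, one with typical mistakes.
PID_TMP=$(mktemp -d)
PID_GOOD_ENV="$PID_TMP/good.env"; PID_BAD_ENV="$PID_TMP/bad.env"
printf '%s\n' 'PUBLIC_APP_URL=https://id.example.lan' 'TRUST_PROXY=true' \
    'MAXMIND_LICENSE_KEY=' 'PUID=0' 'PGID=0' 'PORT=3002' > "$PID_GOOD_ENV"
printf '%s\n' 'PUBLIC_APP_URL=id.example.lan' 'TRUST_PROXY=yes' \
    'PUID=abc' 'PGID=0' 'PORT=80000' > "$PID_BAD_ENV"
check_pocket_id_env "$PID_GOOD_ENV" && echo "good.env accepted"
check_pocket_id_env "$PID_BAD_ENV" || echo "bad.env rejected"
```

Point `check_pocket_id_env` at your real `stack.env` before pasting its values into Portainer; the `WARN` line for `PUID=0` is expected on a Synology and documents that the container runs as root.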