Issue with Haven

I might be the only person doing this, running a Haven docker image in Portainer on Umbrel OS connecting via Tailscale.

Haven is running, I can connect remotely from devices with a web browser, Nostr client shows relay connected, but…

notes are not sent to it.

I created a GitHub issue (hopefully the right thing to do), more details there.

#asknostr

ask nostr:npub1utx00neqgqln72j22kej3ux7803c2k986henvvha4thuwfkper4s7r50e8 nostr:npub1a6we08n7zsv2na689whc9hykpq4q6sj3kaauk9c2dm8vj0adlajq7w0tyc

#haven

Discussion

Hey Galaxy. I replied to you on GitHub. Cheers.

What's the reason you went with Tailscale to connect to it? Only using it as a private relay to back up your notes, or only for those within your Tailnet to be able to read your notes?

Haven is intended to be accessible by others in these scenarios:

1. Public Outbox - Only you can write to it, but everyone should be able to read from it.

2. Public Inbox - Only you can read from it, but anyone can write to it. This is where others are supposed to be able to send their replies to your notes.

3. Private Inbox - Anyone sending you encrypted DMs should be able to write to it.

4. Blossom Server - Only you can upload to it, but everyone should be able to read from it.

If the only way to access your HAVEN relay is through Tailscale, then none of the above will work for anyone who is not within your Tailnet.

Admittedly I don’t really know what I’m doing when it comes to relays just thought it would be cool to set up. My Umbrel is a BTC and lightning node, Alby Hub, mining pool for Bitaxe and some other things. So Tailscale is how I access all that from my other devices remotely. I don’t want to have to open ports through my router.

So maybe not possible?

Not possible on your Umbrel if you don't want any open ports. You'll need to run it on a VPS.

If you just want to have a relay for backing up your notes that is not accessible to anyone else for read or write access, you can just run the Nostr RS Relay that is in the Umbrel app store.

Haven can still be useful behind a VPN if you intend to use it as a backup relay and media server (think Citrine on steroids), as mentioned above. One thing to note: client relay connectivity status can be a bit misleading in this case. For example, a client may perform a mix of local requests from your browser or native application, but it might also implement its own backend or use a proxy to connect to the relay. Meaning that some clients will try to connect to your relay over the Internet.

This means that, depending on the client and the operation, it may happily report that it can connect to your relay (based on client-side logic), but still fail to function properly.

Before Haven, I tried Citrine with a few clients, and while most of them would happily "connect" over HTTP to a Citrine running on localhost, in practice, quite a few clients would only write to an HTTPS-enabled relay accessible over the internet.

Your zapper down, sir?

Good information! That explains issues I have had with Citrine being used for local NIP-46 signing at times. 😂

If using Haven behind a VPN like Tailscale as a media server, wouldn't it be the case that only those who have access through his tailnet would be able to view the media? That is, unless he is keeping copies on other Blossom servers, too.

I dunno I wasn’t considering others accessing my relay. I wanted notes I post from clients in my devices (that are in my Tailnet) to hit the relay, then Haven should blast those notes to relays on the import list.

My zaps should be working.

Ah, yes. That blastr functionality could definitely still be useful to you, even if you aren't using anything else Haven has to offer.

Hey, not sure. It's Coinos under the hood—I'm just doing some well-known/lnurlp trickery to redirect to it. I managed to zap you from the same wallet though (try again, and if it still doesn’t work, feel free to zap anthony.accioly@coinos.io or anthony.accioly@walletofsatoshi.com).

As for your second question: out of the box, yes, you're absolutely correct. There are some very clever folks doing things like syncing Haven's backup folder to a public S3 bucket and redirecting or proxying Blossom's GET /{SHA256}. So, in theory, you can expose Blossom blobs to the internet without exposing Haven itself. Having said that, we don't officially support this yet (hopefully coming soon).

Very clever indeed. The draw of Haven for me is that it's an all-in-one solution for outbox model, so I probably wouldn't use it for blossom without making the relay itself accessible. I'd just run a separate blossom server in that case. Cool that it is possible, though.

Oh I totally missed this reply. So using Tailscale is not ideal. Even if https is enabled, clients that use anything in between (i.e. not on my Tailnet) will fail.

Yes. There are well-behaved clients though. E.g., Amethyst. Also, if you are doing this for fun / learning experience, you can even run a Nostr client yourself. E.g., I'm running a private instance of nosotros.app.

Yeah, and they might be using one method to connect to your relay for the purpose of displaying that it is "online" and a completely different method for actually sending it notes, such as via a proxy, etc as nostr:npub1a6we08n7zsv2na689whc9hykpq4q6sj3kaauk9c2dm8vj0adlajq7w0tyc mentioned above. So even if your client is able to connect to your Tailnet, the notes still won't publish.

I am guessing the same issue could happen with a Tor-only relay for the same reasons. Even if your client itself is connected through Orbot, if it is using a proxy to write notes to your specified relays, it will fail unless that Proxy is also connected to Tor.

Makes sense. And I don’t trust my security skills to protect my home network with holes punched through my router, unless there is some other way.

Assuming a relay from my client could reach my relay over Tailscale, the blaster feature would work, right?

Yes.

Gonna try noStrudel.

I mean. If your node has outbound Internet connectivity. Haven has to be able to connect to the other relays.

That is my understanding, yes.

For troubleshooting purposes, perhaps nostr:nprofile1qy2hwumn8ghj7un9d3shjtnyv9kh2uewd9hj7qgwwaehxw309ahx7uewd3hkctcpr9mhxue69uhkscnj9e3k7unpvdkx2tnnda3kjctv9uq3wamnwvaz7tmjv4kxz7fwwpexjmtpdshxuet59uq32amnwvaz7tmjv4kxz7fwv3sk6atn9e5k7tcqyztuwzjyxe4x2dwpgken87tna2rdlhpd02va5cvvgrrywpddnr3jyz0umng could provide some insight.

tl;dr

- Haven running in Portainer

- Can connect to Haven from device over Tailscale via web browser ok

- Coracle > Relays shows connected to Haven

- Post a note, it is not sent to Haven (timeout or no connection)

Is the mechanism or route from Coracle on device to relay different from browser connection? How so?

Before going any further, since you said it's not working on noStrudel either, I’d suggest checking your setup. noStrudel should definitely be showing notes from your relay if everything was set up correctly on your end.

Here's what I see when I navigate to:

https://nostrudel.ninja/#/r/ws%3A%2F%2Flocalhost:4869 and click on Notes on my mobile:

Haven should also be able to import notes from other relays (which you haven’t confirmed as working yet), regardless of the client. So this could be a misconfiguration in Haven, Docker, your VPN, your network, as well as the clients trying to connect to the relay from outside your network. There are a lot of moving parts here, and it’s tough to pin down the issue without checking each one individually from within your network.

Since you’re doing something a bit non-standard, I think you’ll need to take a more technical approach and really dig into it. Unfortunately, it’s very hard to troubleshoot these kinds of issues without logs or direct access to your setup. Would the nostriche who helped you set up Haven’s container be willing to jump on a call with you? They could check your settings, confirm whether Haven can import notes, whether noStrudel can write to it, and whether it displays notes when you connect directly to the relay’s Outbox URL (as well as notes you’re tagged in via the Inbox URL).

Once you've confirmed all of that is working, then I would start looking at other clients that may potentially introduce their own issues (i.e., by proxying requests through a backend, as I wrote in another note).

Yes something is definitely not configured correctly. Per your screenshot when I look at my relay, Notes tab in noStrudel there is nothing.

I’ll have to look into importing notes, not sure how to do it.

nostr:npub1qdsjkr46urkg6vqrr3zqhgy8l7dazc5k9hlm5jmwqg0vft7hzgtqamgfw3 helped me get the docker image going in Portainer, though he hasn’t used Portainer himself, so I definitely have an oddball set up with a lot of layers. I’ll keep digging.

Regarding logs, there isn’t anything in Portainer since the connection isn’t made. I think one needs the paid version to get network traffic logs.

In noStrudel just says connection timed out.

It should for sure. Unlike Citrine, Haven splits things, your own notes are sent to Outbox (root) and notes that you are tagged in are written to /inbox (I've posted a link to my own relay on GitHub, but mine is exposed to the internet unlike Citrine). I would say that step zero is to check if you can post a note to your relay at all, e.g., use nak (https://github.com/fiatjaf/nak) or some other local client to post a note to your relay. Then check if you can query it back and that the note shows up on noStrudel.
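The "step zero" check above (publish, then query back) comes down to reading the relay's NIP-01 reply frames rather than trusting a "connected" indicator. The following is an added example, not part of the thread and not Haven's or nak's code: it computes the NIP-01 event id and classifies constructed sample frames; the pubkey, subscription id and rejection text are made-up values, and it does not sign events or open a socket.

```python
import hashlib
import json

def event_id(pubkey, created_at, kind, tags, content):
    """NIP-01 event id: SHA-256 over the canonical JSON array, hex encoded."""
    payload = json.dumps([0, pubkey, created_at, kind, tags, content],
                         separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

def publish_outcome(eid, frames):
    """Classify the relay's answer to one ["EVENT", {...}] publish.

    frames: raw text frames received until the caller stopped waiting.
    An open socket with no matching OK frame is "no-ack": connected,
    yet the note was never acknowledged as stored.
    """
    for raw in frames:
        try:
            msg = json.loads(raw)
        except ValueError:
            continue  # ignore anything that is not JSON
        if isinstance(msg, list) and len(msg) >= 3 and msg[0] == "OK" and msg[1] == eid:
            reason = msg[3] if len(msg) > 3 else ""
            return ("accepted" if msg[2] is True else "rejected", reason)
    return ("no-ack", "")

def read_back(sub_id, eid, frames):
    """True if the event is returned for our REQ before the relay sends EOSE."""
    for raw in frames:
        msg = json.loads(raw)
        if len(msg) >= 3 and msg[0] == "EVENT" and msg[1] == sub_id:
            if msg[2].get("id") == eid:
                return True
        elif len(msg) >= 2 and msg[0] == "EOSE" and msg[1] == sub_id:
            return False
    return False

# Constructed sample data (not captured from a real relay).
PUBKEY = "ab" * 32
EID = event_id(PUBKEY, 1700000000, 1, [], "relay write test")
ACCEPTED = [json.dumps(["OK", EID, True, ""])]
REJECTED = [json.dumps(["OK", EID, False, "restricted: constructed sample message"])]
SILENT = [json.dumps(["NOTICE", "constructed sample notice"])]
STORED = [json.dumps(["EVENT", "check", {"id": EID}]), json.dumps(["EOSE", "check"])]
EMPTY = [json.dumps(["EOSE", "check"])]

if __name__ == "__main__":
    for name, frames in (("accepted", ACCEPTED), ("rejected", REJECTED), ("silent", SILENT)):
        print(name, publish_outcome(EID, frames))
    print("read back:", read_back("check", EID, STORED), read_back("check", EID, EMPTY))
```
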

Ok local client makes sense, I’ll see what I can do. Also that file structure, makes me wonder about permissions on that.

I installed noStrudel on Umbrel, and when connected to it (via Tailscale) it indeed sends notes to my Haven relay. I can see entries in the Portainer log, and the notes in noStrudel relay window (like your screenshot above).

So, clients outside of my Tailnet I guess can’t reach the relay…like the note isn’t sent directly from my device (on the Tailnet) to the relay, routes somewhere else?

Well, at least this solves the problem! 🤣 Seriously now, hosting your own Nostr client isn't a bad idea. I honestly don't know the specifics of how noStrudel writes events to relays (this is a good question for nostr:nprofile1qqszv6q4uryjzr06xfxxew34wwc5hmjfmfpqn229d72gfegsdn2q3fgpzfmhxue69uhkummnw3e82efwvdhk6tcpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhszythwden5te0dehhxarj9emkjmn99urf278z). Assuming it's just opening a WebSocket directly from the browser, it should work fine. If it's doing anything more complex (i.e. some sort of backend, proxy, etc.), then the nostrudel.ninja/ version won't have access to your relay, while your local client will as it's on the same network. I know for sure that nostrudel.ninja can read from local relays, as shown in my screenshot above. I had a strong impression that the hosted version would also be able to write to local relays, but given your observation, I might be wrong.

In my mind, all clients should send data directly from device to relays without anything in between, but hey, I’m not a dev. And not convinced perhaps there isn’t some setting in Portainer blocking the connection. Yeah it is kinda cool though to use my own hosted client and relay in my (relatively) secure Tailnet. However noStrudel is not my preferred day to day client (that and Snort, which I may try, are the only prepackaged ones on Umbrel).

Yeah, in theory, Nostr is simple enough. But once you're running a client, there are plenty of valid reasons to have a backend handling WebSocket connections, proxying, caching resources, and so on.

I'm not bad-mouthing Umbrel by any means, but you might as well deploy all of this somewhere else so you don't have to worry about your BTC / lightning stuff. Docker (or better yet, Podman), Portainer (if you really need it), and open source VPNs will run pretty much anywhere. Find one of your old PCs or laptops, rent a cheap VPS, or buy some low-cost hardware, whatever works for you. Install your favourite Linux distro and off to the races you go.

I don't use Snort, but its repo has a pretty straightforward Dockerfile, so you're likely just a couple of docker or podman commands away from running Snort locally anyway.

https://git.v0l.io/Kieran/snort

Yeah Umbrel is not very flexible or customizable, but it's simple, plug and play (I appreciate simplicity more and more the older I get). Portainer is by far the most complex thing I've done on Umbrel. My Linux days were long ago and I'm revisiting them (other than Umbrel I'm running Linux on an old iMac) but I don't want something that needs constant maintenance and troubleshooting. Umbrel has been running solid for me with little to do keeping it going. I do appreciate all your help, this has been educational for me, thank you.

This is interesting. Umbrel has their own pre-packaged relay in their store. In the description:

"Step 1. Connect your Nostr client (e.g., Damus, Amethyst) to your private relay for seamless backup of all Nostr activity. In Damus, add your Relay URL via Menu > Relays.

Tip: Install Tailscale on your Umbrel and your devices for an uninterrupted connection between your clients and your relay, even when you're away from your home network. Enable Tailscale's MagicDNS and use ws://umbrel:4848 as your Relay URL."

This makes me think at least Damus and Amethyst should work, if not others. Which also makes me think perhaps an issue with Portainer, not Tailscale.

Confirmed I can connect to my instance of Haven with Damus over Tailscale.

Short of using someone else's front end, can this be done directly?

"You can upload images and videos to this relay and get a link to share them."

I can't seem to figure out how to connect to the blossom directory or find links.

It could be a lot of things, likely the algorithm for relay selections deciding not to select your haven relay. How many relays do you have and what's your relay limit (app settings > Max relays per request)?

Damus iOS app works with my relay over Tailscale (sending notes to it at least). I’m guessing it connects directly to relays, whereas webapps may have something in between (i.e. not on my Tailnet).