
@jerkovicl
Last active April 7, 2020 17:04

DOCKER HOME SERVER SETUP

Initial setup

  • Docker preparations
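# docker-compose was dropped into /usr/local/bin; make it executable.
sudo chmod +x /usr/local/bin/docker-compose

# NOTE: membership of the docker group is root-equivalent (any member can
# start a container that bind-mounts / and runs as root). Only add accounts
# you would also give sudo.
sudo usermod -aG docker "${USER}"

# refresh group membership without logging out: start a new login shell
# (alternatively `newgrp docker` in the current shell)
su - "${USER}"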

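# sudoedit runs your editor unprivileged and only the final write happens
# as root; prefer it over `sudo nano` for editing system files.
sudoedit /etc/environment
# edit variables (file contents follow)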
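# /etc/environment is read by pam_env at login; it is NOT a shell script:
# no $VAR expansion, and "//" is not a comment marker (only lines starting
# with "#" are skipped; anything after the value on the same line ends up
# as part of the value). It is also typically world-readable (0644), so
# every local account and process can read the secrets below. Prefer a
# mode-600 .env file in the docker-compose project directory for the
# passwords/keys and keep only PUID/PGID/TZ/USERDIR here.
PUID=1000
PGID=140
TZ="Europe/Zagreb"
USERDIR="/home/USER"
MYSQL_ROOT_PASSWORD="passsword"
HTTP_USERNAME=username
HTTP_PASSWORD=mystrongpassword
DOMAINNAME=example.com
CLOUDFLARE_EMAIL=email@example.com
# Global API key - this grants full access to the whole Cloudflare account.
# A scoped API token (DNS edit on this zone only) limits the blast radius
# if the home server is compromised.
CLOUDFLARE_API_KEY=XXXXXXXXXXXX
# get from plex.tv/claim (short-lived, single-use token)
PLEX_CLAIM=claim-YYYYYYYYY
# google client id
AUTH_CLIENT_ID=sdadsad
# google client secret
AUTH_CLIENT_SECRET=sdasd
KEYCLOAK_USER=username
KEYCLOAK_PASSWORD=password
SLACK_WEBHOOK_URL=dada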
  • PUID and PGID – the user ID of the Linux user the home-server apps should run as, and the group ID of the docker group.
  • Both of these can be obtained using the id command as shown below.

pic1

  • TZ – the timezone to set for your containers, as a tz database name such as Europe/Zagreb (see the list of tz database time zones).
  • USERDIR – the path to the home folder of the current user.
  • You can also get it with: echo "$HOME" (or cd ~ ; pwd)
  • MYSQL_ROOT_PASSWORD – MySQL administrator password for MariaDB and phpMyAdmin.
# Create the docker workspace and grant the docker group read/write on it,
# with a default ACL so newly created entries inherit the grant. Note that
# anything placed here (.htpasswd, acme.json, compose files with secrets)
# becomes readable by every docker-group member; a later chmod 600 on a
# file narrows the ACL mask again, which is why acme.json stays private.
mkdir "$HOME/docker"
sudo setfacl -R -d -m g:docker:rwx "$HOME/docker"
sudo chmod -R 775 "$HOME/docker"
  • Use an htpasswd generator (or `htpasswd -nB username` from apache2-utils) to create a username and hashed password, and add the generated line to the ${USERDIR}/docker/shared/.htpasswd file. The line must be in htpasswd format (username:<hash>) – never the plaintext password – and the file should be readable only by you (chmod 600).

  • Prepare Traefik Folders and Files

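# Prepare Traefik folders and files
mkdir -p "${USERDIR}/docker/traefik/acme"
# acme.json stores the ACME account private key and the private key of
# every issued certificate; it must be owner-only (Traefik 1.x refuses
# to use it with looser permissions).
touch "${USERDIR}/docker/traefik/acme/acme.json"
chmod 600 "${USERDIR}/docker/traefik/acme/acme.json"
touch "${USERDIR}/docker/traefik/traefik.toml"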
// traefik.toml file contents
# traefik.toml - Traefik 1.x static configuration for the home server.
#debug = true

logLevel = "ERROR" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC
# SECURITY: disables certificate verification for connections from Traefik
# to HTTPS backends, globally. Anyone on the LAN who can spoof a backend
# address can impersonate it. Prefer an internal CA (rootCAs) and keep this
# off; if a self-signed backend is unavoidable, scope the exception to it.
InsecureSkipVerify = true 
defaultEntryPoints = ["https", "http"]

# WEB interface of Traefik - shows an overview of frontend and backend configurations.
# SECURITY: with usersFile commented out the dashboard has NO authentication
# and it can reveal internal hostnames, backend IPs and routing rules. Do not
# publish 8080 beyond the host/LAN. NOTE(review): in the 1.x schema the
# dashboard port comes from the "traefik" entry point (default :8080) and
# basic auth is configured on that entry point ([entryPoints.traefik.auth.basic]);
# `address` and `usersFile` under [api] may simply be ignored - verify.
[api]
  entryPoint = "traefik"
  dashboard = true
  address = ":8080"
  # usersFile = "/shared/.htpasswd"

# Force HTTPS
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
    minVersion = "VersionTLS12"
    # The last two suites are CBC (non-AEAD); they are kept for older
    # clients only. Drop them for a GCM-only list if every client supports it.
    cipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"]
  # Nothing in this file routes to this entry point; remove it if unused
  # so it is not another open port.
  [entryPoints.monitor]
  address = ":8081"

# Dynamic configuration (see rules.toml below). Container-side path: the
# compose file is expected to mount ${USERDIR}/docker/traefik at /etc/traefik.
[file]
  watch = true
  filename = "/etc/traefik/rules.toml"

# Let's encrypt configuration
[acme]
# Let's Encrypt sends expiry and incident notices to this address - use a
# mailbox you actually read, not a placeholder.
email = "email@domain.com" #any email id will work
storage="/etc/traefik/acme/acme.json"
entryPoint = "https"
acmeLogging=true 
# Keep onDemand off: it would request a certificate during the first TLS
# handshake for any not-yet-seen hostname, which lets arbitrary clients
# trigger issuance (and burn rate limits). The wildcard below covers everything.
onDemand = false #create certificate when container is created
# DNS-01 challenge via Cloudflare; the credentials come from the environment
# (CLOUDFLARE_EMAIL / CLOUDFLARE_API_KEY). A scoped API token is preferable
# to the global API key. delayBeforeCheck is presumably the seconds to wait
# for DNS propagation before the record is verified.
[acme.dnsChallenge]
  provider = "cloudflare"
  delayBeforeCheck = 300
[[acme.domains]]
   main = "EXAMPLE.COM"
[[acme.domains]]
   main = "*.EXAMPLE.COM"
   
# Connection to docker host system (docker.sock)
# SECURITY: access to docker.sock is root-equivalent on the host. A compromise
# of Traefik is a compromise of the machine; consider a socket proxy that
# exposes only the read-only endpoints Traefik needs.
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "EXAMPLE.COM"
watch = true
# Hide every container that does not explicitly opt in with the
# traefik.enable label - the safe default, keep it.
exposedbydefault = false
  • Extra config file for docker-gc image
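    # Fetches the docker-gc exclusion list from an unpinned master branch over
    # HTTPS; it is only a list of image patterns, but glance at it after
    # download before relying on it.
    wget -P "${USERDIR}/docker/shared/" https://raw.githubusercontent.com/clockworksoul/docker-gc-cron/master/compose/docker-gc-exclude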

  • Create the Traefik docker network
    # Shared network that proxied containers join; the compose file (not
    # shown here) is expected to reference it as an external network.
    docker network create traefik_proxy

  • Start from docker-compose file
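    # Bring the whole stack up in the background.
    docker-compose -f "${USERDIR}/docker/docker-compose.yml" up -d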

  • Proxying Non-Docker Host System Apps
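    # Dynamic config for the [file] provider (mounted as /etc/traefik/rules.toml
    # per traefik.toml); Traefik reloads it on change because watch = true.
    touch "${USERDIR}/docker/traefik/rules.toml"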

// file contents
# Putting non-docker apps behind traefik proxy.  This example shows pihole.
# Traefik 1.x dynamic configuration loaded by the [file] provider.
[backends]
  [backends.backend-pihole]
    [backends.backend-pihole.servers]
      [backends.backend-pihole.servers.server-pihole-ext]
        # Plain HTTP to the Pi-hole host: TLS terminates at Traefik, so this
        # hop is cleartext on the LAN - acceptable only on a trusted network.
        url = "http://192.168.100.26"
        weight = 0

[frontends]
  [frontends.frontend-pihole]
    backend = "backend-pihole"
    # forward the original Host header to Pi-hole
    passHostHeader = true
# SECURITY: with basicAuth commented out, anyone who can reach port 443 and
# resolve pi.example.com gets the Pi-hole admin UI without logging in; if
# the name resolves publicly to this host that means the whole internet.
# Entries are htpasswd-style "user:hash", not user:plaintext.
#    basicAuth = [
#      HTTP Authentication
#      "xxx:yyyyyyyyyyyy",
#    ]
    [frontends.frontend-pihole.routes]
          [frontends.frontend-pihole.routes.route-pihole-ext]
        rule = "Host:pi.example.com"

Some useful Docker and system commands

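# Check logs for status (follow, with timestamps)
docker-compose logs -tf --tail="50" traefik
# Dump a container's log to a file. Logs can contain tokens, URLs and
# internal addresses - treat the file as sensitive before sharing it.
docker-compose logs --no-color --tail=1000 CONTAINER_NAME > logs.txt

# check container stats
docker stats traefik

# starting containers
docker-compose -f "$HOME/docker/docker-compose.yml" up -d

# see running containers (-a includes stopped ones)
docker ps -a

# check container logs
docker-compose logs

# stop any running docker container
docker-compose stop CONTAINER-NAME

# go back to how it was before running docker compose file
# (removes containers and networks; named volumes survive without -v)
docker-compose -f "$HOME/docker/docker-compose.yml" down

# docker cleanup
docker system prune
docker image prune
docker volume prune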

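# WARNING! This will remove:
#        - all stopped containers
#        - all networks not used by at least one container
#        - all volumes not used by at least one container
#        - all images without at least one container associated to them
#        - all build cache
# Volume removal is irreversible - make sure your databases live in
# bind mounts or in volumes that are still attached before running this.
docker system prune -a --volumes

# validate docker compose file. The rendered output has every ${VAR}
# substituted, i.e. it contains the passwords and API keys from the
# environment - do not paste it into issues or chat.
docker-compose -f docker-compose.yml config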

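# check all listening ports. netstat is deprecated and often not installed
# on newer distros; the iproute2 equivalent is: sudo ss -tulpn
sudo netstat -tulpn | grep LISTEN

# add non root user to sudo group. Needs root itself (hence sudo), and
# members of the sudo group are effectively root - add sparingly.
sudo usermod -aG sudo username

# make script executable, add #!/bin/bash at top of script
chmod +x script.sh

# set folder ownership
sudo chown username:usergroup path-to-folder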

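# fix home directory folder permissions
# - ~/.ssh is pruned, so nothing beneath it is touched either (the original
#   -not -path only skipped the directory itself).
# - -mindepth 1 leaves the home directory itself alone: sshd with the default
#   StrictModes refuses public-key auth when ~ is group- or world-writable,
#   and 0775 would make it exactly that.
# - 0664 on files strips the execute bit from any scripts in the tree.
DIR=/home/user
find "$DIR" -mindepth 1 -path "$DIR/.ssh" -prune -o -type d -print0 | xargs -0 chmod 0775
find "$DIR" -mindepth 1 -path "$DIR/.ssh" -prune -o -type f -print0 | xargs -0 chmod 0664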

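# fully update packages including dependencies
sudo apt full-upgrade

# Bootstrap script for this setup. The raw URL appears pinned to a gist
# revision, which is good, but piping a remote script straight into
# `sudo bash` executes unreviewed code as root. Download it, read it,
# then run it.
curl -fsSL -o home_server_docker_setup.sh https://gist.githubusercontent.com/jerkovicl/b5c6fb29ccc016cf0c43991405aa4f59/raw/923f58fe82d5f9a01e781ee6d9f8909da8fc6b17/home_server_docker_setup.sh
less home_server_docker_setup.sh
sudo bash home_server_docker_setup.sh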
  • useful shell functions (put them in your shell rc file)
dup() {
  docker-compose -f /home/$USER/docker/$1.yml -p $1 up -d
}

ddown() {
  docker-compose -f /home/$USER/docker/$1.yml -p $1 down
}
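# fsize PATH - human-readable disk usage of PATH.
# Quoted and guarded with -- so paths containing spaces or starting
# with '-' are handled.
fsize() {
  du -h -- "$1"
}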