## DOCKER HOME SERVER SETUP

### Initial setup

* Docker preparations

```
sudo chmod +x /usr/local/bin/docker-compose
sudo usermod -aG docker ${USER}
# refresh group membership without logging out
su - ${USER}
# edit the variables
sudo nano /etc/environment
```

```
# /etc/environment - keep comments on their own lines; pam_env stores a
# trailing "// ..." or "# ..." as part of the value
PUID=1000
PGID=140
TZ="Europe/Zagreb"
USERDIR="/home/USER"
MYSQL_ROOT_PASSWORD="password"
HTTP_USERNAME=username
HTTP_PASSWORD=mystrongpassword
DOMAINNAME=example.com
CLOUDFLARE_EMAIL=email@example.com
# Global API key
CLOUDFLARE_API_KEY=XXXXXXXXXXXX
# get from plex.tv/claim
PLEX_CLAIM=claim-YYYYYYYYY
```

* PUID and PGID – the user ID of the Linux user the home server apps should run as, and the group ID of the `docker` group.
* Both can be read from the output of the `id` command, as shown below.

[![pic1](https://www.smarthomebeginner.com/images/2018/04/environmental-variables-for-docker.png)](https://www.smarthomebeginner.com/images/2018/04/environmental-variables-for-docker.png)

* TZ – the timezone you want to set for your containers. Get your TZ from [here](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones).
* USERDIR – the path to the home folder of the current user.
* You can also get this using the following command: `cd ~ ; pwd`
* MYSQL_ROOT_PASSWORD – MySQL administrator password for MariaDB and phpMyAdmin.
* Two things to be aware of before going further. Adding a user to the `docker` group makes that user root-equivalent on the host (any group member can start a container that bind-mounts `/`), so only do this for the account that administers the server. `/etc/environment` is world-readable (mode 644), so every local account can read the passwords and the Cloudflare key stored in it; a docker-compose `.env` file with mode 600 next to `docker-compose.yml` holds the same variables without that exposure. The Cloudflare Global API Key gives full control of the whole Cloudflare account, so treat it as a root credential and prefer a scoped DNS-only API token if your Traefik version supports one.
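The following script is an added example, not part of the original page: it derives PUID, PGID, TZ and USERDIR from the system (instead of reading them off a screenshot) and writes them, together with the secrets listed above, to a docker-compose `.env` file that only the owner can read, rather than into the world-readable `/etc/environment`. The `.env` file name, the `REQUIRED_SECRETS` list and all function names are this example's own assumptions; secrets are read from the caller's environment so they never appear on a command line.

```sh
#!/bin/sh
# Added example (not from the original page): write a 0600 docker-compose
# .env file with the variables used by the home server setup.
# Assumptions: the compose file lives in the same directory as the .env file
# and uses ${PUID}, ${PGID}, ... substitution; the variable list below is the
# one from the page.

REQUIRED_SECRETS="MYSQL_ROOT_PASSWORD HTTP_USERNAME HTTP_PASSWORD DOMAINNAME CLOUDFLARE_EMAIL CLOUDFLARE_API_KEY PLEX_CLAIM"

docker_gid() {
    # GID of the docker group (the page's PGID); empty if the group is absent
    getent group docker 2>/dev/null | cut -d: -f3
}

host_tz() {
    # Olson name of the host timezone, for the TZ variable
    if [ -r /etc/timezone ]; then
        cat /etc/timezone
    elif [ -L /etc/localtime ]; then
        readlink /etc/localtime | sed 's#.*/zoneinfo/##'
    else
        echo Etc/UTC
    fi
}

missing_secrets() {
    # Print each required variable that is unset or empty; status 1 if any
    rc=0
    for name in $REQUIRED_SECRETS; do
        eval "value=\${$name}"
        if [ -z "$value" ]; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

render_env() {
    # Emit KEY=VALUE lines. Deliberately no inline comments: pam_env, and
    # some .env parsers, would keep a trailing "# ..." as part of the value.
    printf 'PUID=%s\n'    "${PUID:-$(id -u)}"
    printf 'PGID=%s\n'    "${PGID:-$(docker_gid)}"
    printf 'TZ=%s\n'      "${TZ:-$(host_tz)}"
    printf 'USERDIR=%s\n' "${USERDIR:-$HOME}"
    for name in $REQUIRED_SECRETS; do
        eval "value=\${$name}"
        printf '%s=%s\n' "$name" "$value"
    done
}

write_env_file() {
    # Write $1 (default ./.env) with mode 600; refuse if any secret is missing
    target=${1:-.env}
    missing=$(missing_secrets) || {
        echo "refusing to write $target, unset: $(echo $missing)" >&2
        return 1
    }
    # umask 077 in a subshell: the file is created 0600 without a race window
    ( umask 077; render_env > "$target" )
    chmod 600 "$target"             # also tightens a pre-existing file
    return 0
}

# Usage: MYSQL_ROOT_PASSWORD=... HTTP_PASSWORD=... sh make-env.sh ~/docker/.env
if [ -n "${1:-}" ]; then
    write_env_file "$1"
fi
```

Run it once with the secrets exported in the current shell, then point `docker-compose -f ~/docker/docker-compose.yml` at the directory as before; compose picks up `.env` from the compose file's directory automatically and the host's `/etc/environment` no longer needs to hold anything sensitive.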
```
mkdir ~/docker
sudo setfacl -Rdm g:docker:rwx ~/docker
sudo chmod -R 775 ~/docker
```

* Create the basic-auth credentials file `${USERDIR}/docker/shared/.htpasswd`. The original suggests the web-based [HTPASSWD Generator](http://www.htaccesstools.com/htpasswd-generator); generating the entry locally with `htpasswd -nB username` (apache2-utils) gives a bcrypt hash without sending the password to a third-party site. The file holds one `username:hash` entry per line (the hash the generator outputs, never the clear-text password), for example: `username:$apr1$...`
* Prepare Traefik folders and files

```
mkdir ${USERDIR}/docker/traefik
mkdir ${USERDIR}/docker/traefik/acme
touch ${USERDIR}/docker/traefik/acme/acme.json
chmod 600 ${USERDIR}/docker/traefik/acme/acme.json
touch ${USERDIR}/docker/traefik/traefik.toml
```

```
# traefik.toml file contents
#debug = true
logLevel = "ERROR" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC
InsecureSkipVerify = true
defaultEntryPoints = ["https", "http"]

# WEB interface of Traefik - it will show web page with overview of frontend and backend configurations
[api]
  entryPoint = "traefik"
  dashboard = true
  address = ":8080"
  # usersFile = "/shared/.htpasswd"

# Force HTTPS
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[file]
  watch = true
  filename = "/etc/traefik/rules.toml"

# Let's encrypt configuration
[acme]
email = "email@domain.com" # use a mailbox you read: Let's Encrypt sends expiry notices here
storage="/etc/traefik/acme/acme.json"
entryPoint = "https"
acmeLogging=true
onDemand = false #create certificate when container is created
  [acme.dnsChallenge]
  provider = "cloudflare"
  delayBeforeCheck = 300

[[acme.domains]]
  main = "EXAMPLE.COM"
[[acme.domains]]
  main = "*.EXAMPLE.COM"

# Connection to docker host system (docker.sock)
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "EXAMPLE.COM"
watch = true
# This will hide all docker containers that don't have explicitly
# set label to "enable"
exposedbydefault = false
```

* Things to check in this file before exposing it to the internet:
  * `InsecureSkipVerify = true` makes Traefik accept any certificate from HTTPS backends, so traffic between the proxy and a backend can be intercepted. Leave it at the default `false` unless a backend really uses a self-signed certificate, and then prefer trusting that CA via `rootCAs` instead of disabling verification globally.
  * With `usersFile` commented out the dashboard on the `traefik` entrypoint (`:8080`) is unauthenticated and lists every frontend and backend to anyone who can reach the port. Uncomment `usersFile` (the path is the one the `.htpasswd` is mounted at inside the container) or do not publish `8080` beyond localhost.
  * Mounting `/var/run/docker.sock` into the Traefik container gives that container full control of the Docker daemon, which is root on the host; `exposedbydefault = false` limits what gets routed, but not what a compromised Traefik could do. Keep the Traefik image updated.
  * `acme.json` contains the Let's Encrypt account key and the certificate private keys, which is why it must be `600`; Traefik refuses wider permissions on that file.
* Extra config file for the docker-gc image: `wget -P ${USERDIR}/docker/shared/ https://raw.githubusercontent.com/clockworksoul/docker-gc-cron/master/compose/docker-gc-exclude`
* Create the Traefik Docker network: `docker network create traefik_proxy`
* Start from the docker-compose file: `docker-compose -f ${USERDIR}/docker/docker-compose.yml up -d`
* Proxying non-Docker host system apps: `touch ${USERDIR}/docker/traefik/rules.toml`

```
# rules.toml file contents
# Putting non-docker apps behind traefik proxy. This example shows pihole.
[backends]
  [backends.backend-pihole]
    [backends.backend-pihole.servers]
      [backends.backend-pihole.servers.server-pihole-ext]
      url = "http://192.168.100.26"
      weight = 0

[frontends]
  [frontends.frontend-pihole]
  backend = "backend-pihole"
  passHostHeader = true
  # basicAuth = [ # HTTP Authentication, entries are username:hash as in .htpasswd
  #   "xxx:yyyyyyyyyyyy",
  # ]
    [frontends.frontend-pihole.routes]
      [frontends.frontend-pihole.routes.route-pihole-ext]
      rule = "Host:pi.example.com"
```

### Some useful Docker and other commands

```
# check logs for status
docker-compose logs -tf --tail="50" traefik

# start containers
docker-compose -f ~/docker/docker-compose.yml up -d

# see running (and stopped) containers
docker ps -a

# check container logs
docker-compose logs

# stop a running container
docker-compose stop CONTAINER-NAME

# go back to how it was before running the docker-compose file
docker-compose -f ~/docker/docker-compose.yml down

# docker cleanup
docker system prune
docker image prune
docker volume prune

# check all listening ports (ss -tulpn on systems without netstat)
sudo netstat -tulpn | grep LISTEN

# add a non-root user to the sudo group
sudo usermod -aG sudo username

# make a script executable; add #!/bin/bash at the top of the script
chmod +x script.sh
```

* Docker Bench for Security: https://github.com/docker/docker-bench-security
* install script to use: ``
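The following preflight audit is an added example, not part of the original page or of Traefik: run against a `${USERDIR}/docker` tree laid out as above, it flags the weak settings in the sample `traefik.toml` (`InsecureSkipVerify = true`, a dashboard with `usersFile` commented out, `exposedbydefault` not `false`) and file modes that would expose `acme.json` or `.htpasswd` to other local users. The finding texts, the function names and the file paths it assumes (`traefik/traefik.toml`, `traefik/acme/acme.json`, `shared/.htpasswd`) are this example's own.

```sh
#!/bin/sh
# Added example (not from the original page): preflight audit of the Traefik
# home server layout. Assumes the directory structure used above; the finding
# texts are this script's own wording. Traefik v1 toml syntax is assumed.

# Octal permission bits of a file (GNU stat, BSD stat fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Key material and password hashes: owner access only (600 or 400).
audit_private_file() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    mode=$(file_mode "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$f: mode $mode, expected 600"; return 1 ;;
    esac
}

# Traefik v1 traefik.toml: one finding per line, non-zero status if any.
audit_traefik_toml() {
    toml=$1
    rc=0
    [ -f "$toml" ] || { echo "$toml: missing"; return 1; }
    # InsecureSkipVerify = true: Traefik accepts any certificate from HTTPS
    # backends, so proxy-to-backend TLS can be intercepted.
    if grep -Eq '^[[:space:]]*InsecureSkipVerify[[:space:]]*=[[:space:]]*true' "$toml"; then
        echo "InsecureSkipVerify = true: backend certificates are not verified"; rc=1
    fi
    # dashboard = true with no active usersFile line: the API on :8080 lists
    # every route and backend to anyone who can reach the port.
    if grep -Eq '^[[:space:]]*dashboard[[:space:]]*=[[:space:]]*true' "$toml" &&
       ! grep -Eq '^[[:space:]]*usersFile[[:space:]]*=' "$toml"; then
        echo "api.dashboard without usersFile: dashboard is unauthenticated"; rc=1
    fi
    # exposedbydefault must be false so only containers labelled
    # traefik.enable=true get a route (toml keys are case-insensitive here).
    if ! grep -Eiq '^[[:space:]]*exposedbydefault[[:space:]]*=[[:space:]]*false' "$toml"; then
        echo "docker.exposedbydefault is not false: every container gets a route"; rc=1
    fi
    return $rc
}

# Run every check against a ${USERDIR}/docker tree; status 0 only if all pass.
audit_setup() {
    dir=$1
    rc=0
    audit_traefik_toml "$dir/traefik/traefik.toml" || rc=1
    audit_private_file "$dir/traefik/acme/acme.json" || rc=1
    audit_private_file "$dir/shared/.htpasswd" || rc=1
    # Informational: docker group membership is root-equivalent on the host.
    if id -nG 2>/dev/null | tr ' ' '\n' | grep -qx docker; then
        echo "note: $(id -un) is in the docker group (root-equivalent on this host)"
    fi
    return $rc
}

# Usage: sh audit.sh "${USERDIR}/docker"
if [ -n "${1:-}" ]; then
    audit_setup "$1"
fi
```

The `exposedbydefault` check is deliberately strict: the default in Traefik v1 is `true`, so a missing line is as bad as an explicit `true`. Run the audit after every edit to `traefik.toml` and after restoring `acme.json` from a backup, which is when its mode most often drifts.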