docker selfhosted services

with docker-compose and traefik

This repo contains my production docker services accessible from anywhere over HTTPS using traefik. These services (and others) run on a single server. It used to be rootless-mode but slirp4net was too slow and too much of the docker advanced configuration (permissions flags, mostly) were missing.

• Jellyfin
• Sonarr, Radarr, Prowlarr
• Calibre Web
• Kobo book downloader (kobodl)
• Transmission torrent server
• AdGuard Home DNS
• Drone CI and runner
• Duplicati
• Watchtower
• Cloudflare DNS Automation
• Portainer

Documentation

I've also written some intermediate to advanced generic usage docs for traefik, docker, pihole, and home networking. These articles are generally applicable, but some may be more useful than others.

• Configuring Wildcard Certs for Traefik
• LAN-only Traefik Routing with ACME SSL
• Configuring PiHole with dnsmasq
• EdgeRouter Backups over SSH (SCP)
• Expand LVM to fill remaining disk

More great documentation.

• https://www.smarthomebeginner.com/traefik-2-docker-tutorial/
• isaacrlevin/HomeNetworkSetup
• htpcBeginner/docker-traefik

Prerequisites

• A recent version of ubuntu server with Docker CE installed (see below)
• A router or firewall capable of dnsmasq. I use a Ubiquiti EdgeRouter X.
• A domain name.
• A cloudflare account.

Home network prep

• You need to make sure that ports 80 and 443 are port-forwarded through your router to whatever host this will be on.
• Your server should be assigned a static private IP by DNS. ifconfig will list your interfaces.
• Refer to the docker-pi-hole docs and my docs for further network setup related to that service. Even though I use AdGuard Home, those docs are relevant.

DNS Configuration

UPDATE: This is now done automatically with Docker Traefik Cloudflare Companion. Instructions below are left as an explanation of how this works.

In this setup, each container's service will serve from a different subdomain of your Cloudflare hosted zone dyndns subdomain.

• Create an A record for core.mydomain.com to point to your public IP.
• For each service, you'll need to create CNAME records for each service.mydomain.com to point to core.mydomain.com because all of your services are running on the same host but the host needs to be able to do virtual host routing based on domain name.
• Your services will be publically available on https://servicename.mydomain.com.

Dynamic DNS (recommended)

Resolving the IP address of your home network is annoying because most DNS providers change your IP every now and again. Services like No-IP combat this, but they aren't the most reliable. However, setting DNS programatically is pretty easy with Cloudflare API.

• Follow the instructions in Configuring Wildcard Certs for Traefik to get this part set up.
• You'll need to modify .env with your domain info, ACME email, and cloudflare API tokens.

Installation

1. start with ubuntu lts
2. Enable Unattended Upgrades
3. clone this repo
4. Sign into any private docker registries
5. install docker a Understanding UID remapping a. ignore the env exports it says to set, see below
6. make sure UsePAM yes is set in /etc/ssh/sshd_config read more

cd selfhosted
cp .env.example .env # edit this

# make mount points
mkdir /media/local /media/primary /media/secondary

# install mounts
systemctl link media-primary.mount
systemctl link media-secondary.mount

# install logrotate
systenctl --user link $HOME/selfhosted/logrotate.timer
systenctl --user link $HOME/selfhosted/logrotate.service
systemctl --user enable logrotate.timer --now

# enable traefik logrotate
cp etc/traefik-logrotate.conf /etc/logrotate.d/traefik

# Add to .profile
# export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock
nano .profile

Set up docker daemon.json. Otherwise, you may end up with subnet ranges inside your containers that overlap with the real LAN and make hosts unreachable.

{
    "default-address-pools": [
        {"base":"172.16.0.0/16","size":24},
        {"base":"172.20.0.0/16","size":24}
    ]
}

Edit /lib/systemd/system/[email protected] to include dependencies on mounts

[Unit]
[email protected]%i.service media-primary.mount media-secondary.mount

Automatic deployments and drone

• Create a github api app. Follow drone setup instructions.
• Make sure the user filtering config is set correctly so other users can't log in
• Add secrets ssh_key, ssh_host, ssh_user for your deploy user.
• Open drone.yourdomain.com and finish configuring your repo.

Adguard DNS

You may need to disable ubuntu's default dns service and remove resolf.conf read more.

After disabling systemd-resolved.service, I ususally set a different DNS server in /etc/resolv.conf so that DNS doesn't break when I screw up the stack.

systemd-resolve --help is your friend.

WireGurad and subnet overlap

• use wg-quick for simplicity

• May need to install or symlink resolvconf

• Need to avoid overlapping subnets.

• Set MTU down to 1280 for issues with cellular networks, on BOTH sides of the connection.

  • Update: As of September 19, had to drop to 1250 for TMobile LTE to work....

• My subnet is 192.168.48.0/20

• The mask is 255.255.240.0

• The default LAN will be 192.168.52.0

• The gateway is 192.168.52.1

Gateway: 11000000.10101000.0011 | 0100.00000001
Mask:    11111111.11111111.1111 | 0000.00000000

• The upper 4 bits will be used for VLANs (16).
• The lower 8 shoud belong to a single VLAN.

Using wireguard:

sudo systemctl enable [email protected] --now

I have aliases wgup and wgdown for this in my .bashrc.

IPv6

Some references I encountered while rolling out ipv6.

My full edgerouter config

• Docker IPV6
• Kernel modules lazy-load ip6tables
  • SYS_MODULE capability doesn't seemt to do it. issuing an ip6tables dummy rule worked
• IPv6 Firewall Rules
• Must Block LAN to WLAN Multicast and Broadcast Data for ipv6 over wifi
• You might have to disable some firewall stuff on the upstream ISP gateway
• Disable ISP IPv6 DNS
  • no-dns in interface config for rdnss
• I have not been able to get wireguard to route ipv6 traffic under slirp4netns (rootlesss). As a result, it is not possible to connect to wireguard via an ipv6 endpoint. Wireguard for ios prefers ipv4, but the desktop client prefers ipv6. Recommend creating an ipv4-only DNS record such as wireguard4.domain.com to force ipv4.

Other useful nonsense

# set own IP, delete set
ifconfig eth0 192.168.1.5 netmask 255.255.255.0 up
ifconfig en1 delete 192.168.1.5