bingen
/
rpi_docker_home_server
Obserwuj 1
Polub 0
Forkuj 0
Kod Zgłoszenia 0 Oczekujące zmiany 0 Wydania 0 Wiki Aktywność
Nie możesz wybrać więcej, niż 25 tematów Tematy muszą się zaczynać od litery lub cyfry, mogą zawierać myślniki ('-') i mogą mieć do 35 znaków.
101 Commity
6 Gałęzie
Gałąź: master
Gałęzie Tagi
${ item.name }
Utwórz gałąź ${ searchTerm }
z 'master'
${ noResults }
Bingen Eguzkitza 32d533b6cc fixes from live installation 5 dni temu
images fixes from live installation 5 dni temu
.gitignore First commit 8 lat temu
LICENSE Initial commit 8 lat temu
README.md fixes from live installation 5 dni temu
add_dns_entries.sh fix: Update pihole command in add dns entries command 4 miesięcy temu
add_users.sh Remove swarm 6 lat temu
compose_parse.py fixes from live installation 5 dni temu
dependencies.dot fixes from live installation 5 dni temu
dependencies.png fixes from live installation 5 dni temu
deploy.sh Remove swarm 6 lat temu
dhs_start_on_boot.sh fixes from live installation 5 dni temu
docker-compose.yml fixes from live installation 5 dni temu
env.template nextcloud: Upgrade to version 25 5 dni temu
gitea.env.template Switch from Gogs to Gitea (with Sqlite) 6 lat temu
haproxy.env.template Add multiple domains 6 lat temu
hauk.env.template Add Hauk 6 lat temu
mail.env.template Add multiple domains 6 lat temu
mariadb.env.template Convert to multi-arch 7 lat temu
nextcloud.env.template Add multiple domains 6 lat temu
nextcloud_apps_after_update.sh passman to passwords 4 lat temu
openldap.env.template Switch from Gogs to Gitea (with Sqlite) 6 lat temu
paperless.env.template Split paperless and sftp 7 lat temu
pihole.env.template Add Pi-Hole container 7 lat temu
set_arch.sh fixes from live installation 5 dni temu
setup.sh Add Ghost blog container 5 lat temu
sftp.env.template Split paperless and sftp 7 lat temu

README.md

Docker Home Server for Raspberry Pi

Flash Hypriot

You can check last images here and use flash tool to flash your RaspberryPi SD:

flash --hostname your-hostname https://github.com/hypriot/image-builder-rpi/releases/download/v1.4.0/hypriotos-rpi-v1.4.0.img.zip

SSH into each RPI:

ssh pirate@you-rpi-ip

As of version 1.4, default credentials are pirate/hypriot. You can use arp-scan to guess the IP. You can also use:

function getip() { (traceroute $1 2>&1 | head -n 1 | cut -d\( -f 2 | cut -d\) -f 1) }

Change default password:

passwd

You can also set up paswordless access with:

ssh-copy-id -i ~/.ssh/your-key_rsa.pub pirate@your-rpi -o "IdentitiesOnly yes"

And also add an entry to you ~/.ssh/config file:

Host your-rpi-1 your-rpi-2 ...
    Hostname %h.local
    User pirate
    IdentityFile ~/.ssh/your-key_rsa
    IdentitiesOnly yes
    StrictHostKeyChecking no

If you want, you can also add this config snippet to all your nodes and add your private key to each ~/.ssh folder to be able to connect from one RPI to another.

(?) Add regular user to docker group

sudo usermod -aG docker pirate

(Optional) In case you see annoying warning messages about locales from perl:

sudo dpkg-reconfigure locales

(Optional) Install some useful packages

sudo aptitude update && sudo aptitude install rsync zsh

(Optional) Encrypt external hard disk

sudo aptitude install cryptsetup
#sudo fdisk /dev/sdX
sudo parted /dev/sdX
sudo cryptsetup --verify-passphrase luksFormat /dev/sdX1 -c aes -s 256 -h sha256
sudo cryptsetup luksOpen /dev/sdX1 volumes
sudo mkfs -t ext4 -m 1 -O dir_index,sparse_super /dev/mapper/volumes
sudo mkdir -p /media/volumes
#sudo mount -t auto /dev/mapper/volumes /media/volumes

sudo dd if=/dev/urandom of=/root/volumes_luks_pwd bs=1024 count=4
sudo chmod 0400 /root/volumes_luks_pwd
sudo cryptsetup luksAddKey /dev/sdX1 /root/volumes_luks_pwd

Add to /etc/crypttab:

volumes      /dev/disk/by-uuid/uuid-of-your-drive  /root/volumes_luks_pwd  luks

and add to /etc/fstab:

/dev/mapper/volumes  /media/volumes     ext4    defaults        0       2

NFS

Install server on main host:

sudo aptitude install nfs-kernel-server
sudo mkdir -p /export/volumes
sudo mount --bind /media/volumes /export/volumes

And add the following line to /etc/fstab to avoid repeating it on startup:

/media/volumes       /export/volumes    none    bind            0       0

And to /etc/exports:

/export         192.168.1.0/24(rw,fsid=0,insecure,no_subtree_check,async)
/export/volumes 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,async,no_root_squash)

(changing network/mask by your local values)

On the other nodes:

sudo aptitude install nfs-common

And add to /etc/fstab:

your-main-host:/export/volumes /media/volumes nfs auto,user 0 0

Swap file

http://jermsmit.com/my-raspberry-pi-needs-a-swap/

dd if=/dev/zero of=/media/volumes/swap bs=1M count=2048
chmod 600 /media/volumes/swap
mkswap /media/volumes/swap
swapon /media/volumes/swap

Add to /etc/fstab:

/media/volumes/swap               swap                    swap    defaults        0 0

Repeat for worker nodes (changing name of swap file)

Avahi

When the dockers are running, some service users (e.g. dovecot or mysqld) can have conflicting ids with the one of avahi, making it fail. To avoid that, we can just increase its uid, e.g.:

sudo systemctl stop avahi-daemon
sudo usermod -u 205 avahi
sudo systemctl restart dbus
sudo systemctl start avahi-daemon

Install missing libnss-mdns package (see explanation here):

sudo aptitude install libnss-mdns

Also make sure avahi-daemon works, and otherwise restart it. See this issue.

Data and volumes

If you have existing data, create folders (otherwise setup script will do it) and copy it data:

sudo mkdir -p /media/volumes/mail/
sudo mkdir -p /media/volumes/nextcloud

sudo chown -R pirate:pirate /media/volumes/*

sudo mkdir -p /media/volumes/openldap/data
sudo mkdir -p /media/volumes/openldap/config
sudo mkdir -p /media/volumes/openldap/certs
sudo chown -R 999 /media/volumes/openldap*

From your current installation:

rsync -auv --delete -e "ssh -i ~/.ssh/your-key_rsa" /var/www/nextcloud/data your-main-host:/media/volumes/nextcloud/
mysqldump --lock-tables -u nextcloud -p -h localhost nextcloud > /var/www/nextcloud/nextcloud_db_backup.sql
scp -i ~/.ssh/your-key_rsa /var/www/nextcloud/nextcloud_db_backup.sql your-main-host:/media/volumes/nextcloud/data/
rsync -auv --delete -e "ssh -i ~/.ssh/your-key_rsa" /srv/vmail/ your-main-host:/media/volumes/mail

Configuration and deployment

If it’s a restart, clean first previous containers:

for i in $(docker ps -a | grep Exited | grep dhs | cut -f 1 -d ' '); do docker rm $i; done;

Optionally build:

docker-compose build

And then restart:

docker-compose --compatibility -p dhs up -d

Note: dhs is just a custom prefix to easily identify containers, you can use your own.

Add users:

./add_users.sh

Add DNS entries:

./add_dns_entries.sh

Add Nextcloud apps:

./nextcloud_apps_after_update.sh

If you add or modify a service, you can update it running:

docker-compose build && docker-compose -p dhs up -d <your-service>

If you want to re-create an image and restart the service you can run:

docker-compose --compatibility -p dhs up -d --no-deps --build <your-service>

Openldap

ldapsearch -x -w your-admin-ldap-password -D cn=admin,dc=your-domain,dc=com -b dc=your-domain,dc=com -LLL

To reset a user’s password: Copy this into a file, user_pwd.ldif:

dn: uniqueIdentifier=your-user,ou=people,dc=your-domain,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}Djpd2d+kbQm4ftHupSaS65wl8l8EbDot

And the run:

ldapadd -W -D "cn=admin,dc=your-domain,dc=com" -f user_pwd.ldif

You can generate the password with:

slappasswd -s your-password

You can use the following script to add users if you have previously created ldif files:

./add_users.sh <your-stack-name>

MariaDB

If you have existing data, make sure root password matches and access from outside (‘%’) is allowed.

Nextcloud

After first run, set DATA_CHOWN=0. Otherwise every time you deploy the whole folder with all your data will be recursed to change ownership, and it can take long when it’s only needed for the first time.

Need to log in as admin for the first time and enable Apps manually.

Let’s Encrypt

If you want to add more domains after deployment, you can run this command manually from HAProxy docker instance (see this):

sudo certbot certonly --standalone -d nextcloud.example.com -d git.example.com \
    --non-interactive --agree-tos --email admin@example.com \
    --http-01-port=8888

Notice that when updating your certificate, you will need to restart haproxy container, due to this issue

You can do it with:

docker exec -ti dhs_haproxy_1 /etc/cron.daily/letsencrypt && docker stop dhs_haproxy_1  &&  docker-compose -p dhs up -d haproxy

Own registry

Follow the instructions here to set up your own registry:

docker service create --name registry --publish published=5000,target=5000 registry:2

Dynamic DNS

Check your domain registration provider

Fail2ban

Install fail2ban in you docker swarm master node if you want to allow ssh connections from outside.

sudo aptitude install fail2ban

Have a look at the documentation for configuration.

Port mapping

Get into your router admin page and redirect ports:

  • 80, 443 for Web (Nextcloud and eventually other through HaProxy)
  • 25, 143, 587, 993 for mail server
  • 22 for ssh

to your docker swarm master node IP.

TODO

  • Install and enable Nextcloud apps automatically
  • XMPP
  • Wordpress
  • VPN
  • Open social networks (GNU social, Diaspora)
  • Transmission
  • Sia storage
  • Alternative: run your own registry for images.