Bingen Eguzkitza bfba374152 nextcloud: fix: Memcache \OC\Memcache\APCu not available for local cache issue 5 days ago

README.md

Docker Home Server for Raspberry Pi

Flash Hypriot

You can check the latest images on the Hypriot releases page and use the flash tool to flash your Raspberry Pi SD card:

flash --hostname your-hostname https://github.com/hypriot/image-builder-rpi/releases/download/v1.4.0/hypriotos-rpi-v1.4.0.img.zip

SSH into each RPI:

ssh pirate@your-rpi-ip

As of version 1.4, the default credentials are pirate/hypriot. They are public, so change the password right after the first login (see below) and don't expose the Pi to the internet before that. You can use arp-scan to find the IP. You can also use:

getip() { traceroute "$1" 2>&1 | head -n 1 | cut -d'(' -f2 | cut -d')' -f1; }

Change default password:

passwd

You can also set up passwordless access with (ssh-copy-id options go before the host):

ssh-copy-id -i ~/.ssh/your-key_rsa.pub -o "IdentitiesOnly yes" pirate@your-rpi

And also add an entry to your ~/.ssh/config file:

Host your-rpi-1 your-rpi-2 ...
    Hostname %h.local
    User pirate
    IdentityFile ~/.ssh/your-key_rsa
    IdentitiesOnly yes
    StrictHostKeyChecking no

StrictHostKeyChecking no suppresses the host-key check, which is what protects you from a spoofed host on the LAN; remove it once you have connected to each node and its key is stored in ~/.ssh/known_hosts. If you want, you can also add this config snippet to all your nodes to be able to connect from one RPi to another. Rather than copying the same private key into each ~/.ssh folder (one compromised node then gives access to all of them), generate a separate key on each node and authorize those.

(Optional) Add your regular user to the docker group (membership is equivalent to root on the host, since the user can start privileged containers):

sudo usermod -aG docker pirate

(Optional) In case you see annoying warning messages about locales from perl:

sudo dpkg-reconfigure locales

(Optional) Install some useful packages

sudo aptitude update && sudo aptitude install rsync zsh

(Optional) Encrypt external hard disk

sudo aptitude install cryptsetup
#sudo fdisk /dev/sdX
sudo parted /dev/sdX
sudo cryptsetup --verify-passphrase luksFormat /dev/sdX1 -c aes -s 256 -h sha256
sudo cryptsetup luksOpen /dev/sdX1 volumes
sudo mkfs -t ext4 -m 1 -O dir_index,sparse_super /dev/mapper/volumes
#mount -t auto /dev/mapper/volumes /media/volumes

sudo dd if=/dev/urandom of=/root/volumes_luks_pwd bs=1024 count=4
sudo chmod 0400 /root/volumes_luks_pwd
sudo cryptsetup luksAddKey /dev/sdX1 /root/volumes_luks_pwd

Add to /etc/crypttab so the volume is unlocked at boot with the keyfile (note that the keyfile lives on the unencrypted SD card, so this only protects the disk when it is separated from the Pi; anyone holding both has the data):

volumes      /dev/disk/by-uuid/uuid-of-your-drive  /root/volumes_luks_pwd  luks

and add to /etc/fstab:

/dev/mapper/volumes  /media/volumes     ext4    defaults        0       2
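The steps above as one script, added here as an example (not part of the original README), with the checks you want before running destructive commands: it refuses mounted or already-LUKS targets, creates the keyfile with restrictive permissions, looks up the UUID with blkid instead of by hand, writes the crypttab and fstab entries idempotently, and confirms the keyfile actually unlocks the header. The device /dev/sdX1, mapper name volumes, keyfile /root/volumes_luks_pwd and mount point /media/volumes are placeholders as in the README; nofail in the fstab entry is an addition so the Pi still boots when the disk is unplugged.

```shell
#!/usr/bin/env bash
# Added example, not part of the original README: the "Encrypt external hard
# disk" steps as one script with safety checks. Placeholder values as in the
# README: partition /dev/sdX1, mapper name "volumes", keyfile
# /root/volumes_luks_pwd, mount point /media/volumes. "nofail" is an addition.
set -euo pipefail

# crypttab_line NAME UUID KEYFILE -> the /etc/crypttab entry
crypttab_line() {
    printf '%s  /dev/disk/by-uuid/%s  %s  luks\n' "$1" "$2" "$3"
}

# fstab_line NAME MOUNTPOINT -> the /etc/fstab entry for the opened volume
fstab_line() {
    printf '/dev/mapper/%s  %s  ext4  defaults,nofail  0  2\n' "$1" "$2"
}

# append_once FILE LINE -> append LINE unless an identical line is already present
append_once() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# assert_safe_target DEVICE -> fail unless DEVICE is an unmounted, non-LUKS block device
assert_safe_target() {
    local dev=$1
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    if findmnt -S "$dev" >/dev/null 2>&1; then
        echo "$dev is mounted; unmount it first" >&2; return 1
    fi
    if cryptsetup isLuks "$dev" 2>/dev/null; then
        echo "$dev is already a LUKS volume; refusing to reformat it" >&2; return 1
    fi
}

# setup_luks_disk DEVICE NAME KEYFILE MOUNTPOINT  (run as root; destructive)
setup_luks_disk() {
    local dev=$1 name=$2 keyfile=$3 mnt=$4 uuid slots
    assert_safe_target "$dev"
    # Key slot 0: an interactive passphrase, so the disk can still be opened by hand.
    cryptsetup --verify-passphrase luksFormat "$dev" -c aes -s 256 -h sha256
    # Key slot 1: a random 4 KiB keyfile for unattended unlocking at boot.
    ( umask 077; head -c 4096 /dev/urandom > "$keyfile" )
    chmod 0400 "$keyfile"
    cryptsetup luksAddKey "$dev" "$keyfile"
    cryptsetup luksOpen "$dev" "$name" --key-file "$keyfile"
    mkfs -t ext4 -m 1 -O dir_index,sparse_super "/dev/mapper/$name"
    # crypttab wants the UUID of the LUKS header (the partition), not of the ext4 inside it.
    uuid=$(blkid -s UUID -o value "$dev")
    append_once /etc/crypttab "$(crypttab_line "$name" "$uuid" "$keyfile")"
    mkdir -p "$mnt"
    append_once /etc/fstab "$(fstab_line "$name" "$mnt")"
    # Check: exactly two key slots in use (LUKS1 and LUKS2 dump formats), and the
    # keyfile really unlocks the header.
    slots=$(cryptsetup luksDump "$dev" | grep -cE 'Key Slot [0-7]: ENABLED|^ +[0-9]+: luks2' || true)
    [ "$slots" -eq 2 ] || { echo "expected 2 key slots, found $slots" >&2; return 1; }
    cryptsetup open --test-passphrase "$dev" --key-file "$keyfile"
    echo "$dev is set up as /dev/mapper/$name and will be mounted at $mnt on next boot"
}

# Usage (as root): setup_luks_disk /dev/sdX1 volumes /root/volumes_luks_pwd /media/volumes
```

Only the pure helpers (crypttab_line, fstab_line, append_once) can be exercised without a disk; the rest needs root and a real, empty partition.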

NFS

Install server on main host:

sudo aptitude install nfs-kernel-server
sudo mkdir -p /export/volumes
sudo mount --bind /media/volumes /export/volumes

And add the following line to /etc/fstab so the bind mount is recreated on boot:

/media/volumes       /export/volumes    none    bind            0       0

And to /etc/exports:

/export         192.168.1.0/24(rw,fsid=0,insecure,no_subtree_check,async)
/export/volumes 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,async,no_root_squash)

(change network/mask to your local values)

These export options trade safety for convenience: no_root_squash lets root on any client in the subnet act as root on the export, insecure accepts requests from unprivileged source ports (so any user on a LAN host can talk to the server, not only root), and async acknowledges writes before they reach disk, so a server crash loses data. On a trusted home LAN this may be acceptable; otherwise drop no_root_squash and insecure, use sync, and list the specific client IPs instead of the whole subnet.
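A small audit script for the exports file, added here as an example (not part of the original README): it flags the three options discussed above, returns non-zero when any is present so it can run from a cron job or a deploy check, and prints a hardened form of each line. The sample exports content is constructed from the two lines in this README.

```shell
#!/usr/bin/env bash
# Added example, not part of the original README: audit /etc/exports for
# options that widen the attack surface on the LAN, and print a tighter
# version of each line. The sample exports content is constructed from the
# two export lines in this README.
set -eo pipefail

# Why these three: no_root_squash makes root on any client root on the export;
# insecure accepts requests from unprivileged (>1024) source ports, so any user
# on a LAN host can talk to the server, not only root; async acknowledges
# writes before they reach disk, so a server crash loses data.
readonly RISKY='no_root_squash|insecure|async'

# audit_exports FILE -> one line per risky option found ("LINE_NO option path client(opts)");
# returns 1 if anything was flagged, 0 if the file is clean.
audit_exports() {
    local found=0 n=0 line path rest spec opts opt specs optarr
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        read -r path rest <<< "$line"        # read does no globbing, so "*" clients are safe
        read -ra specs <<< "$rest"
        for spec in "${specs[@]}"; do
            opts=${spec#*\(}; opts=${opts%\)}   # "client(a,b,c)" -> "a,b,c"
            IFS=, read -ra optarr <<< "$opts"
            for opt in "${optarr[@]}"; do
                if [[ $opt =~ ^($RISKY)$ ]]; then
                    printf '%d  %-15s %s %s\n' "$n" "$opt" "$path" "$spec"
                    found=1
                fi
            done
        done
    done < "$1"
    return "$found"
}

# harden_line LINE -> the same export with the risky options replaced by their safe forms
harden_line() {
    local line=$1
    line=${line//no_root_squash/root_squash}
    line=${line//insecure/secure}
    line=${line//async/sync}
    printf '%s\n' "$line"
}

# Constructed sample: the two export lines from this README.
sample_exports() {
    cat <<'EOF'
/export         192.168.1.0/24(rw,fsid=0,insecure,no_subtree_check,async)
/export/volumes 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,async,no_root_squash)
EOF
}

# Usage: audit_exports /etc/exports
# Hardened copy: while IFS= read -r l; do harden_line "$l"; done < /etc/exports
```

Run it against the two lines above and it reports five findings (insecure and async on both exports, no_root_squash on the second); after harden_line the audit comes back clean. Remember to run exportfs -ra after editing the file.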

On the other nodes:

sudo aptitude install nfs-common

And add to /etc/fstab:

your-main-host:/export/volumes /media/volumes nfs auto,user 0 0

Swap file

http://jermsmit.com/my-raspberry-pi-needs-a-swap/

sudo dd if=/dev/zero of=/media/volumes/swap bs=1M count=2048
sudo chmod 600 /media/volumes/swap
sudo mkswap /media/volumes/swap
sudo swapon /media/volumes/swap

Add to /etc/fstab:

/media/volumes/swap               swap                    swap    defaults        0 0

Repeat for worker nodes (changing name of swap file)

Avahi

When the containers are running, some service users inside them (e.g. dovecot or mysqld) can have UIDs that collide with avahi's on the host, making it fail. To avoid that, just give avahi a higher UID, e.g.:

sudo systemctl stop avahi-daemon
sudo usermod -u 205 avahi
sudo systemctl restart dbus
sudo systemctl start avahi-daemon

Install the libnss-mdns package if it is missing, so that .local hostnames resolve through Avahi:

sudo aptitude install libnss-mdns

Also make sure avahi-daemon is running (systemctl status avahi-daemon), and restart it if it isn't.

Data and volumes

If you have existing data, create the folders (otherwise the setup script will do it) and copy the data into them. The openldap folders are chowned to UID 999, the user the openldap container runs as:

sudo mkdir -p /media/volumes/mail/
sudo mkdir -p /media/volumes/nextcloud

sudo chown -R pirate:pirate /media/volumes/*

sudo mkdir -p /media/volumes/openldap/data
sudo mkdir -p /media/volumes/openldap/config
sudo mkdir -p /media/volumes/openldap/certs
sudo chown -R 999 /media/volumes/openldap*

From your current installation:

rsync -auv --delete -e "ssh -i ~/.ssh/your-key_rsa" /var/www/nextcloud/data your-main-host:/media/volumes/nextcloud/
mysqldump --lock-tables -u nextcloud -p -h localhost nextcloud > /var/www/nextcloud/nextcloud_db_backup.sql
scp -i ~/.ssh/your-key_rsa /var/www/nextcloud/nextcloud_db_backup.sql your-main-host:/media/volumes/nextcloud/data/
rsync -auv --delete -e "ssh -i ~/.ssh/your-key_rsa" /srv/vmail/ your-main-host:/media/volumes/mail

Configuration and deployment

If it's a restart, first remove the previous (exited) containers:

docker ps -a -q --filter status=exited --filter name=dhs | xargs -r docker rm

Optionally build:

docker-compose build

And then restart:

docker-compose --compatibility -p dhs up -d

Note: dhs is just a custom prefix to easily identify containers, you can use your own.

Add users:

./add_users.sh

Add DNS entries:

./add_dns_entries.sh

Add Nextcloud apps:

./nextcloud_apps_after_update.sh

If you add or modify a service, you can update it running:

docker-compose build && docker-compose -p dhs up -d <your-service>

If you want to re-create an image and restart the service you can run:

docker-compose --compatibility -p dhs up -d --no-deps --build <your-service>

Openldap

List the directory (use -W to be prompted rather than -w password, which would leave the admin password in your shell history and in ps output):

ldapsearch -x -W -D cn=admin,dc=your-domain,dc=com -b dc=your-domain,dc=com -LLL

To reset a user’s password: Copy this into a file, user_pwd.ldif:

dn: uniqueIdentifier=your-user,ou=people,dc=your-domain,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}Djpd2d+kbQm4ftHupSaS65wl8l8EbDot

And then run (ldapmodify, since the record is a changetype: modify):

ldapmodify -W -D "cn=admin,dc=your-domain,dc=com" -f user_pwd.ldif

You can generate the hash with slappasswd (omit -s to be prompted instead, which keeps the cleartext out of your shell history):

slappasswd -s your-password
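The same password reset done without ever putting the cleartext on a command line, added here as an example (not part of the original README): it builds the {SSHA} hash with openssl (the format slappasswd produces: base64 of SHA-1(password || salt) followed by the salt, 4 random salt bytes here), verifies a hash against a password so you can check what you are about to write, renders the LDIF above and applies it with ldapmodify. The user name and base DN are placeholders as in the README.

```shell
#!/usr/bin/env bash
# Added example, not part of the original README: generate and verify {SSHA}
# hashes without passing the cleartext as an argument, and apply the
# password-reset LDIF from the README. {SSHA} = base64(SHA-1(pw || salt) || salt).
# Placeholder names as in the README: ou=people,dc=your-domain,dc=com.
set -euo pipefail

# hex2bin HEX -> the raw bytes on stdout
hex2bin() {
    printf '%b' "$(printf '%s' "$1" | sed 's/../\\x&/g')"
}

# ssha_hash PASSWORD [SALT_HEX] -> {SSHA}... (random 4-byte salt unless SALT_HEX is given)
ssha_hash() {
    local pw=$1 salt_hex=${2:-$(openssl rand -hex 4)}
    printf '{SSHA}%s' "$(
        { { printf '%s' "$pw"; hex2bin "$salt_hex"; } | openssl dgst -sha1 -binary
          hex2bin "$salt_hex"; } | base64 | tr -d '\n')"
}

# ssha_verify HASH PASSWORD -> 0 if PASSWORD matches HASH
ssha_verify() {
    local hash=${1#\{SSHA\}} pw=$2 hex salt_hex
    hex=$(printf '%s' "$hash" | base64 -d | od -An -v -tx1 | tr -d ' \n')
    salt_hex=${hex:40}                      # SHA-1 digest is 20 bytes = 40 hex chars
    [ "$(ssha_hash "$pw" "$salt_hex")" = "{SSHA}$hash" ]
}

# password_ldif USER HASH -> the modify record for ou=people,dc=your-domain,dc=com
password_ldif() {
    cat <<EOF
dn: uniqueIdentifier=$1,ou=people,dc=your-domain,dc=com
changetype: modify
replace: userPassword
userPassword: $2
EOF
}

# reset_user_password USER -> prompt for the new password (no echo) and apply it
reset_user_password() {
    local pw hash
    read -rs -p "New password for $1: " pw; echo
    hash=$(ssha_hash "$pw")
    ssha_verify "$hash" "$pw" || { echo "self-check failed" >&2; return 1; }
    password_ldif "$1" "$hash" | ldapmodify -W -D "cn=admin,dc=your-domain,dc=com"
}

# Usage: reset_user_password your-user
```

A hash pasted from elsewhere can be checked before applying it with ssha_verify '{SSHA}...' 'the-password'; the functions only need openssl, base64 and od, so they also work on a host without slapd tools.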

You can use the following script to add users if you have previously created ldif files:

./add_users.sh <your-stack-name>

MariaDB

If you have existing data, make sure the root password matches and that access from other hosts is allowed. A user whose host part is '%' can connect from anywhere that reaches the MariaDB port, so keep the database port unpublished (reachable only on the compose network) or restrict the host part to the Docker network range instead.

Nextcloud

After the first run, set DATA_CHOWN=0. Otherwise every deployment recursively changes the ownership of the whole data folder, which takes a long time and is only needed the first time.

You need to log in as admin the first time and enable the apps manually.

Let’s Encrypt

If you want to add more domains after deployment, you can run this command manually from the HAProxy container:

sudo certbot certonly --standalone -d nextcloud.example.com -d git.example.com \
    --non-interactive --agree-tos --email admin@example.com \
    --http-01-port=8888

Notice that after renewing a certificate you need to restart the haproxy container, because HAProxy does not pick up new certificate files on its own.

You can do it with:

docker exec -ti dhs_haproxy_1 /etc/cron.daily/letsencrypt && docker stop dhs_haproxy_1  &&  docker-compose -p dhs up -d haproxy
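A renewal wrapper suitable for a host cron job, added here as an example (not part of the original README): it runs the container's renewal script as above but only restarts HAProxy when the certificate actually changed (certbot normally does nothing until the certificate is within 30 days of expiry), and fails loudly if the new certificate is not valid for at least 30 more days. The container name dhs_haproxy_1 and project name dhs come from the README; the PEM path /etc/haproxy/certs/nextcloud.example.com.pem inside the container is an assumption, set CERT_IN_CONTAINER to your layout.

```shell
#!/usr/bin/env bash
# Added example, not part of the original README: renew via the HAProxy
# container's cron job, restart HAProxy only if the certificate changed, and
# check the new certificate's validity. Container and project names are the
# README's; the PEM path inside the container is an assumed placeholder.
set -euo pipefail

CONTAINER=${CONTAINER:-dhs_haproxy_1}
CERT_IN_CONTAINER=${CERT_IN_CONTAINER:-/etc/haproxy/certs/nextcloud.example.com.pem}

# cert_fingerprint PEMFILE -> SHA-256 fingerprint of the (first) certificate in the file
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# cert_valid_for PEMFILE DAYS -> 0 if the certificate is still valid DAYS days from now
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# fetch_cert -> copy the container's PEM to a temp file and print its path
fetch_cert() {
    local tmp
    tmp=$(mktemp)
    docker cp "$CONTAINER:$CERT_IN_CONTAINER" "$tmp"
    printf '%s\n' "$tmp"
}

renew_and_restart() {
    local before after
    before=$(cert_fingerprint "$(fetch_cert)")
    # No -t/-i: this is meant to run from cron, where there is no TTY.
    docker exec "$CONTAINER" /etc/cron.daily/letsencrypt
    after=$(cert_fingerprint "$(fetch_cert)")
    if [ "$before" = "$after" ]; then
        echo "certificate unchanged ($after); haproxy left running"
        return 0
    fi
    echo "certificate renewed: $before -> $after; restarting haproxy"
    docker stop "$CONTAINER"
    docker-compose -p dhs up -d haproxy
    # Let's Encrypt issues 90-day certificates; anything shorter means the renewal went wrong.
    if ! cert_valid_for "$(fetch_cert)" 30; then
        echo "new certificate expires within 30 days; check the certbot output" >&2
        return 1
    fi
}

# Usage (on the host, e.g. from a weekly cron job): renew_and_restart
```

cert_fingerprint and cert_valid_for work on any PEM file, so you can also point them at the certificate on disk to confirm what HAProxy is serving.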

Own registry

Follow the Docker registry documentation to set up your own registry. The command below creates a swarm service; on a single Docker host without swarm mode, run the same registry:2 image with docker run instead:

docker service create --name registry --publish published=5000,target=5000 registry:2

Dynamic DNS

Check your domain registration provider

Fail2ban

Install fail2ban on your docker swarm master node if you want to allow ssh connections from outside. Once your key works, also set PasswordAuthentication no in sshd_config so that brute-force attempts cannot succeed at all and fail2ban only has to deal with the noise.

sudo aptitude install fail2ban

Have a look at the documentation for configuration.

Port mapping

Get into your router admin page and redirect ports:

  • 80, 443 for Web (Nextcloud and eventually other through HaProxy)
  • 25, 143, 587, 993 for mail server
  • 22 for ssh (only if you need shell access from outside; see Fail2ban above and use key-only authentication)

to your docker swarm master node IP.

TODO

  • Install and enable Nextcloud apps automatically
  • XMPP
  • Wordpress
  • VPN
  • Open social networks (GNU social, Diaspora)
  • Transmission
  • Sia storage
  • Alternative: run your own registry for images.