updated readme and restructure project

2025-02-28 20:04:52 +02:00
parent 8e8d1a65e2
commit efdaba6169
60 changed files with 109 additions and 120 deletions
--- a/docker/README.md
+++ b/docker/README.md
@ -0,0 +1,246 @@
+Homeserver Notes
+================
+
+# Future Plan
+
+  - Add authentication frontend like Authentik which will handle the authentication
+  - Add Nextcloud
+  - Add Gitea
+
+# List of Service Running on Homeserver
+
+    - Adguard
+    - Plex
+    - Sonarr
+    - Radarr
+    - qbittorrent
+    - Portainer
+    - Jackett
+    - Jellyfin
+    - Wireguard
+
+# List of Basic CLI tools installed on server
+
+    - ca-certificates
+    - curl
+    - gnupg
+    - lsb-release
+    - ntp
+    - ncdu
+    - net-tools
+    - apache2-utils
+    - apt-transport-https
+    - htop
+
+
+# Firewall Rules (Currently Disabled)
+
+I am using ufw to set different firewall rules. As I go I will update the rules
+
+    ```
+    sudo ufw default allow outgoing
+    sudo ufw default allow incoming
+    sudo ufw allow from 192.168.1.0/24
+    sudo ufw allow 443
+    sudo ufw allow 80
+    sudo ufw enable
+    ```
+
+# Hardware Transcoding for Jellyfin
+
+The media stream applications such as Jellyfin and Plex uses transcoding to
+convert video format which might be necessary if the end user device does not
+support some video formats or resolution. If hardware transcoding is not enabled
+Plex/Jellyfin uses software based transcoding which is resource intensive.
+
+Most of the new CPU/GPU support HW based transcoding. For our Ryzen 5 2500U
+processor, we have HW transcoding. Here is the process to enable it:
+
+    ```
+    sudo apt-get update
+    sudo apt-get install vainfo mesa-va-drivers libva2 libva-utils
+
+    # Run the following command to make sure VA API is working properly
+    vainfo
+
+    # Add the following to services to the Jellyfin container compose file
+    devices:
+      - /dev/dri/renderD128:/dev/dri/renderD128  # VA-API device for hardware acceleration
+    group_add:
+      - video  # Add the container to the 'video' group
+
+    ```
+
+
+# Traefik Reverse proxy
+
+   - Traefik is modern HTTP reverse proxy and load balancerthat can be used to route
+     traffic to different internal containers or ports based on subdomain name.
+
+   - In addition to that It can also automatically handle SSL certificate genertion
+     and renewal for HTTPS automatically handle SSL certificate genertion
+     and renewal for HTTPS.
+
+
+## Configuration
+
+In order to get wildcard certificates from LetsEncrypt, I will be using DNS challange
+method. DNS challange method is one of the methods provided by LetsEncrypt to verify
+the ownership of the domain by adding specific DNS records.
+
+To do that with cloudflare, I have created a new API token with name _CF_DNS_API_TOKEN_
+and saved it as docker secret under ~/docker/secrets directory
+```
+# To save the appdata for traefik3, created the following folders
+mkdir -p ~/docker/appdata/traefik3/acme
+mkdir -p ~/docker/appdata/traefik3/rules/udms
+
+# To save teh LetsEncrypt certificate, created the following file
+touch acme.json
+chmod 600 acme.json  # without 600, Traefik will not start
+
+# To save logs, created following files
+touch traefik.log
+touch access.log
+```
+After creating the Docker Compose file, add these TLS options like this:
+```
+# Under DOCKERDIR/appdata/traefik3/rules/udms/tls-opts.yml
+tls:
+  options:
+    tls-opts:
+      minVersion: VersionTLS12
+      cipherSuites:
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+        - TLS_AES_128_GCM_SHA256
+        - TLS_AES_256_GCM_SHA384
+        - TLS_CHACHA20_POLY1305_SHA256
+        - TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
+      curvePreferences:
+        - CurveP521
+        - CurveP384
+      sniStrict: true
+```
+Add the middleware Basic Auth:
+```
+# Under DOCKERDIR/appdata/traefik3/rules/udms/middlewares-basic-auth.yml
+http:
+  middlewares:
+    middlewares-basic-auth:
+      basicAuth:
+        # users:
+        #   - "user:password"
+        usersFile: "/run/secrets/basic_auth_credentials"
+        realm: "Traefik 3 Basic Auth"
+
+```
+Add middleware rate limited to prevent DDoS attack
+```
+# Under DOCKERDIR/appdata/traefik3/rules/udms/middlewares-rate-limit.yaml
+http:
+  middlewares:
+    middlewares-rate-limit:
+      rateLimit:
+        average: 100
+        burst: 50
+```
+Add secure headers middleware
+```
+# Under DOCKERDIR/appdata/traefik3/rules/udms/middlewares-secure-headers.yaml
+http:
+  middlewares:
+    middlewares-secure-headers:
+      headers:
+        accessControlAllowMethods:
+          - GET
+          - OPTIONS
+          - PUT
+        accessControlMaxAge: 100
+        hostsProxyHeaders:
+          - "X-Forwarded-Host"
+        stsSeconds: 63072000
+        stsIncludeSubdomains: true
+        stsPreload: true
+        # forceSTSHeader: true # This is a good thing but it can be tricky. Enable after everything works.
+        customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+        contentTypeNosniff: true
+        browserXssFilter: true
+        referrerPolicy: "same-origin"
+        permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()"
+        customResponseHeaders:
+          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex," # disable search engines from indexing home server
+          server: "" # hide server info from visitors
+```
+
+## Networking
+
+Create a default Bridge network for the Traefik
+
+# Wireguard VPN setup
+
+In order for qbittorrent container to use the wireguard VPN tunnel
+wireguard container has been added to the qbittorrent docker compose
+file.
+  - qbittorrent container depends on the wireguard container. If
+    wireguard container is down, qbittorrent network will not work.
+
+  - Since, qbittorrent is using the wireguard container, port 9500
+    has been forwared to the host 9500 port from the wireguard container
+
+  -  qbittorrent is using wireguard network interface. So, to access
+     the qbittorrent GUI, iptables rules had to be setup. Also, when the pc restarts
+     the wireguard container IP might change.
+
+      ```
+      # Forward traffic coming to port 9500 on the host to port 9500 on the WireGuard container
+      sudo iptables -t nat -A PREROUTING -p tcp --dport 9500 -j DNAT --to-destination 172.18.0.6:9500
+
+      # Forward traffic from the WireGuard container back to the host's port 9500
+      sudo iptables -t nat -A POSTROUTING -p tcp -d 172.18.0.6 --dport 9500 -j MASQUERADE
+      ```
+  - We can check the host ip geolocation by the following command. In that way
+    we can verify VPN is working.
+    ```
+    docker exec -it qbittorrent curl ipinfo.io
+
+    {
+      "ip": "1.2.3.4",
+      "hostname": "1.2.3.4.in-addr.arpa",
+      "city": "Amsterdam",
+      "region": "North Holland",
+      "country": "NL",
+      "loc": "55.3740,41.8897",
+      "org": "Some Company",
+      "postal": "1234",
+      "timezone": "Europe/Amsterdam",
+      "readme": "https://ipinfo.io/missingauth"
+    }
+    ```
+  - We can check the wireguard VPN connection status with the following command
+    ```
+    docker exec -it wireguard wg
+
+    interface: wg0
+      public key: <public key>
+      private key: (hidden)
+      listening port: 56791
+      fwmark: 0xca6c
+
+    peer: <public key>
+      preshared key: (hidden)
+      endpoint: <ip>:51820
+      allowed ips: 0.0.0.0/0, ::/0
+      latest handshake: 1 minute, 47 seconds ago
+      transfer: 12.69 MiB received, 822.64 KiB sent
+      persistent keepalive: every 15 seconds
+    ```
+
+# FAQ
+
+1. How to get the plex claim?
+-> Go the the url and login: https://www.plex.tv/claim/