homeserver/docker_compose
Taqi Tahmid e5e8aa6b87 homeserver initial commit
- ansible
- docker-compose
- Kubernetes_deployments
2025-02-12 20:11:49 +02:00

Homeserver Notes

Future Plan

  • Add an authentication frontend such as Authentik to handle authentication for the services
  • Add Nextcloud
  • Add Gitea

List of Services Running on the Homeserver

- Adguard
- Plex
- Sonarr
- Radarr
- qbittorrent
- Portainer
- Jackett
- Jellyfin
- Wireguard

List of Basic CLI Tools Installed on the Server

- ca-certificates
- curl
- gnupg
- lsb-release
- ntp
- ncdu
- net-tools
- apache2-utils
- apt-transport-https
- htop

Firewall Rules (Currently Disabled)

I am using ufw to set the firewall rules and will update them as I go. Two things to keep in mind with this ruleset: `default allow incoming` means nothing inbound is blocked, so the allow rules below have no effect (the usual default is `deny incoming`), and on a Docker host any port published with `ports:` in compose is opened through Docker's own iptables chains and is reachable even when ufw has no matching allow rule.

```
sudo ufw default allow outgoing
sudo ufw default allow incoming   # with a default allow, the allow rules below never block anything; 'deny incoming' is the intended default
sudo ufw allow from 192.168.1.0/24
sudo ufw allow 443
sudo ufw allow 80
sudo ufw enable
```
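As an added example (not the repo's own script), here is the same ruleset with a deny-by-default inbound policy, plus a small lint that refuses to enable the firewall when the ruleset would either filter nothing or lock you out of SSH. The LAN range is the one from the notes; that SSH arrives from that LAN, and the `192.168.1.10` address in the Docker comment, are assumptions.

```shell
#!/bin/sh
# Added example (not the repo's ufw script): a hardened ruleset that denies inbound traffic by
# default and a lint that refuses to enable the firewall if it would be a no-op or lock you out.
# LAN_CIDR matches the notes; SSH access is assumed to come from that LAN.
LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"

# The ruleset, one ufw command per line. 'ufw enable' must come last.
ufw_rules() {
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow from $LAN_CIDR
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable
EOF
}

# Lint a ruleset read from stdin. Return 1 if the default inbound policy is allow (every later
# 'allow' rule would then be redundant and the firewall filters nothing), if no deny default is
# set, or if no LAN allow rule precedes 'ufw enable' (on a headless box that cuts off your own SSH).
check_rules() {
    rules=$(cat)
    if printf '%s\n' "$rules" | grep -q '^ufw default allow incoming'; then
        echo "refusing: 'default allow incoming' makes the allow rules meaningless" >&2
        return 1
    fi
    if ! printf '%s\n' "$rules" | grep -q '^ufw default deny incoming'; then
        echo "refusing: no 'default deny incoming'" >&2
        return 1
    fi
    if ! printf '%s\n' "$rules" | sed '/^ufw enable/,$d' | grep -qF "allow from $LAN_CIDR"; then
        echo "refusing: no LAN allow rule before 'ufw enable'" >&2
        return 1
    fi
}

# Apply with APPLY=1 (each line is run through sudo); otherwise print what would run.
apply_rules() {
    ufw_rules | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then sudo $cmd; else echo "dry-run: $cmd"; fi
    done
}

# Docker caveat: ports published with 'ports:' in compose are inserted into Docker's own iptables
# chains and are reachable even when ufw has no matching allow rule. Publish admin UIs on the LAN
# address only (e.g. "192.168.1.10:9000:9000", address is an example) rather than "9000:9000".

ufw_rules | check_rules && apply_rules
```

Run it once without `APPLY` to see the dry-run, then with `APPLY=1` from a session on the LAN so that the `allow from` rule covers your own connection before `ufw enable` runs.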

Hardware Transcoding for Jellyfin

Media streaming applications such as Jellyfin and Plex use transcoding to convert a video's format or resolution when the client device cannot play the original. If hardware transcoding is not enabled, Plex/Jellyfin fall back to software transcoding, which is CPU intensive.

Most recent CPUs/GPUs support hardware transcoding. The Ryzen 5 2500U used here has an integrated Radeon Vega GPU that is exposed through VA-API. Here is the process to enable it:

```
sudo apt-get update
sudo apt-get install vainfo mesa-va-drivers libva2 libva-utils

# Run the following command to make sure VA-API is working properly
# (it should list H.264/HEVC profiles with VLD and EncSlice entrypoints)
vainfo

# Check which group owns the render node; on Debian/Ubuntu it is usually 'render', not 'video',
# and the container needs that group (or its numeric GID) to open the device
ls -l /dev/dri/renderD128

# Add the following to the Jellyfin service in the compose file
devices:
  - /dev/dri/renderD128:/dev/dri/renderD128  # VA-API device for hardware acceleration
group_add:
  - video  # group that owns /dev/dri/renderD128 on the host; use the numeric GID if the image has no such group
```

Traefik Reverse proxy

  • Traefik is a modern HTTP reverse proxy and load balancer that routes traffic to different internal containers or ports based on the requested subdomain.

  • In addition, it can automatically handle TLS certificate issuance and renewal for HTTPS.

Configuration

In order to get wildcard certificates from Let's Encrypt, I will be using the DNS challenge (DNS-01). It is one of the methods Let's Encrypt provides to verify ownership of a domain: the ACME client proves control by creating a specific TXT record (`_acme-challenge.<domain>`), which is why the client needs API access to the DNS zone.

To do that with Cloudflare, I have created a new API token, saved it in a file named CF_DNS_API_TOKEN under ~/docker/secrets and passed it to the container as a Docker secret. The token only needs the Zone:DNS:Edit permission on the zone in question, and the file should be readable by the owner only, since anyone who can read it can alter the DNS records.

```
# To save the appdata for traefik3, created the following folders
mkdir -p ~/docker/appdata/traefik3/acme
mkdir -p ~/docker/appdata/traefik3/rules/udms

# To save the Let's Encrypt certificates, created the following file in the acme folder
touch acme.json
chmod 600 acme.json  # without 600, Traefik will not start

# To save logs, created the following files (in the directory mounted into the container for logs)
touch traefik.log
touch access.log
```
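The following added example (not part of the repo) scripts the layout above and adds the check a practitioner wants before starting Traefik: every file that holds a secret, `acme.json` and the Cloudflare token alike, must be owner-only. `DOCKERDIR` defaults to `~/docker` as in the notes; the `logs/traefik3` location and the `secrets` directory mode are assumptions.

```shell
#!/bin/sh
# Added example, not from the repo: create the Traefik appdata layout from the notes and enforce
# owner-only permissions on everything that holds secrets (acme.json, the Cloudflare API token).
# DOCKERDIR defaults to ~/docker as on the page; the log directory is an assumption.
DOCKERDIR="${DOCKERDIR:-$HOME/docker}"

# Print the octal permission bits of a file (GNU and BSD stat differ, so try both).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create the file if it does not exist and make it readable by the owner only; return 1 on failure.
secure_file() {
    [ -e "$1" ] || : > "$1"
    chmod 600 "$1"
    [ "$(mode_of "$1")" = "600" ]
}

# Return 1 (naming each offender) if any regular file in the directory is group- or world-readable.
check_secret_dir() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        m=$(mode_of "$f")
        case "$m" in
            600|400) ;;
            *) echo "too permissive ($m): $f" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Build the directory layout, lock down acme.json, create the log files and audit the secrets dir.
setup_layout() {
    mkdir -p "$DOCKERDIR/appdata/traefik3/acme" \
             "$DOCKERDIR/appdata/traefik3/rules/udms" \
             "$DOCKERDIR/secrets" \
             "$DOCKERDIR/logs/traefik3"
    chmod 700 "$DOCKERDIR/secrets"
    secure_file "$DOCKERDIR/appdata/traefik3/acme/acme.json" || return 1   # Traefik refuses to start otherwise
    : > "$DOCKERDIR/logs/traefik3/traefik.log"
    : > "$DOCKERDIR/logs/traefik3/access.log"
    check_secret_dir "$DOCKERDIR/secrets"
}

if [ "${1:-}" = "setup" ]; then
    setup_layout
fi
```

Run `sh setup.sh setup` once; it exits non-zero and names the file if anything under `~/docker/secrets` is readable by other users, which is worth re-running after you add a new secret.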

After creating the Docker Compose file, add the following TLS options as a dynamic configuration file in the rules directory (Traefik loads these through its file provider):

```
# Under DOCKERDIR/appdata/traefik3/rules/udms/tls-opts.yml
tls:
  options:
    tls-opts:
      minVersion: VersionTLS12  # refuse TLS 1.0 and 1.1 handshakes
      cipherSuites:
        # TLS 1.2 suites: forward-secret ECDHE key exchange with AEAD ciphers only
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        # TLS 1.3 suites are always enabled by Go and cannot be restricted; listed for documentation
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
        - TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
      curvePreferences:
        - CurveP521
        - CurveP384
      sniStrict: true  # reject handshakes whose server_name matches no configured certificate instead of serving a default one
```

Add the Basic Auth middleware. The `usersFile` is in htpasswd format; generate a bcrypt entry with `htpasswd -nB <user>` from apache2-utils (already in the tool list above) and store the file under ~/docker/secrets as a Docker secret. Only attach this middleware to HTTPS routers: Basic Auth credentials are merely base64-encoded in every request.

```
# Under DOCKERDIR/appdata/traefik3/rules/udms/middlewares-basic-auth.yml
http:
  middlewares:
    middlewares-basic-auth:
      basicAuth:
        # users:
        #   - "user:password"   # inline htpasswd entries; a usersFile keeps them out of the config
        usersFile: "/run/secrets/basic_auth_credentials"
        realm: "Traefik 3 Basic Auth"
```
Add a rate limit middleware to slow down brute-force attempts and abusive clients (it will not stop a volumetric DDoS, which has to be absorbed upstream). `average` is the sustained number of requests per second allowed per source and `burst` the number that may arrive at once above that rate. The source is the client IP by default; if requests reach Traefik through another proxy (for example Cloudflare), set `sourceCriterion.ipStrategy.depth` so clients are keyed by their real address rather than the proxy's.

```
# Under DOCKERDIR/appdata/traefik3/rules/udms/middlewares-rate-limit.yaml
http:
  middlewares:
    middlewares-rate-limit:
      rateLimit:
        average: 100  # requests per second per source
        burst: 50     # extra requests allowed in a short spike
```
Add the secure headers middleware:

```
# Under DOCKERDIR/appdata/traefik3/rules/udms/middlewares-secure-headers.yaml
http:
  middlewares:
    middlewares-secure-headers:
      headers:
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT
        accessControlMaxAge: 100
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        stsSeconds: 63072000        # HSTS for two years
        stsIncludeSubdomains: true
        stsPreload: true
        # forceSTSHeader: true # This is a good thing but it can be tricky. Enable after everything works.
        customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
        contentTypeNosniff: true
        browserXssFilter: true
        referrerPolicy: "same-origin"
        permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()"
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex," # disable search engines from indexing home server
          server: "" # hide server info from visitors
```
Networking

Create a default bridge network for Traefik.

Wireguard VPN setup

In order for the qbittorrent container to use the WireGuard VPN tunnel, the wireguard container has been added to the qbittorrent docker compose file and qbittorrent uses the wireguard container's network.

  • The qbittorrent container depends on the wireguard container. If the wireguard container is down, qbittorrent has no network.

  • Since qbittorrent shares the wireguard container's network, the WebUI port 9500 is published on the host from the wireguard container, not from qbittorrent.

  • Because qbittorrent sits behind the WireGuard interface, iptables rules had to be set up to reach the qbittorrent GUI. The rules below hard-code the container's bridge IP, which can change when the host or the container restarts (pin it with a static address in the compose network config or look it up with `docker inspect`), and rules added by hand with iptables are not persisted across reboots.

    # Forward traffic arriving on host port 9500 to port 9500 on the WireGuard container
    sudo iptables -t nat -A PREROUTING -p tcp --dport 9500 -j DNAT --to-destination 172.18.0.6:9500
    
    # Rewrite the source of that forwarded traffic to the host so the container's replies come back through the host
    sudo iptables -t nat -A POSTROUTING -p tcp -d 172.18.0.6 --dport 9500 -j MASQUERADE
    
  • We can check the public IP as seen from inside the qbittorrent container. If it is the VPN provider's address rather than the home connection's (compare with `curl ipinfo.io` run on the host itself), the tunnel is working.

    docker exec -it qbittorrent curl ipinfo.io
    
    {
      "ip": "1.2.3.4",
      "hostname": "1.2.3.4.in-addr.arpa",
      "city": "Amsterdam",
      "region": "North Holland",
      "country": "NL",
      "loc": "55.3740,41.8897",
      "org": "Some Company",
      "postal": "1234",
      "timezone": "Europe/Amsterdam",
      "readme": "https://ipinfo.io/missingauth"
    }
    
  • We can check the WireGuard VPN connection status with the following command. A recent `latest handshake` is what confirms the tunnel is up; `wg` lists the peer even when no handshake has completed.

    docker exec -it wireguard wg
    
    interface: wg0
      public key: <public key>
      private key: (hidden)
      listening port: 56791
      fwmark: 0xca6c
    
    peer: <public key>
      preshared key: (hidden)
      endpoint: <ip>:51820
      allowed ips: 0.0.0.0/0, ::/0
      latest handshake: 1 minute, 47 seconds ago
      transfer: 12.69 MiB received, 822.64 KiB sent
      persistent keepalive: every 15 seconds
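The two manual checks above can be turned into one script, given here as an added example rather than the repo's own code: it compares the container's egress IP with the host's (an identical address means torrent traffic is leaving outside the tunnel), checks the handshake age from `wg show wg0 latest-handshakes`, and re-points the WebUI DNAT rule at the container's current IP instead of the hard-coded one. Container names, interface and port follow the notes; the 180-second handshake threshold and the sample data in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the repo: check the qbittorrent/WireGuard setup instead of eyeballing
# 'curl ipinfo.io'. Container names 'wireguard' and 'qbittorrent', interface wg0 and the 9500
# WebUI port are taken from the notes; MAX_HANDSHAKE_AGE (seconds) is an assumed threshold.
MAX_HANDSHAKE_AGE=180
WEBUI_PORT=9500

# Pull the "ip" field out of an ipinfo.io JSON body on stdin (no jq dependency).
json_ip() {
    sed -n 's/.*"ip"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Read 'wg show wg0 latest-handshakes' lines (pubkey<TAB>epoch) from stdin and print how many
# seconds ago the newest handshake was, given the current epoch in $1; -1 if there never was one.
handshake_age() {
    now=$1
    latest=$(awk '{ if ($2 > m) m = $2 } END { print m + 0 }')
    if [ "$latest" -eq 0 ]; then printf '%s\n' -1; else printf '%s\n' $((now - latest)); fi
}

# The tunnel is usable only if the handshake is recent and the container's public IP differs
# from the host's: an identical IP means torrent traffic is leaving outside the VPN.
vpn_ok() {
    age=$1; host_ip=$2; container_ip=$3
    [ "$age" -ge 0 ] && [ "$age" -le "$MAX_HANDSHAKE_AGE" ] &&
        [ -n "$container_ip" ] && [ "$host_ip" != "$container_ip" ]
}

# Live check against the running containers (needs docker and outbound access).
live_check() {
    host_ip=$(curl -fsS https://ipinfo.io | json_ip)
    container_ip=$(docker exec qbittorrent curl -fsS https://ipinfo.io | json_ip)
    age=$(docker exec wireguard wg show wg0 latest-handshakes | handshake_age "$(date +%s)")
    if vpn_ok "$age" "$host_ip" "$container_ip"; then
        echo "OK: egress via $container_ip, last handshake ${age}s ago"
    else
        echo "FAIL: host=$host_ip container=$container_ip handshake_age=$age" >&2
        return 1
    fi
}

# Re-point the WebUI DNAT rule at the container's current address instead of a hard-coded one,
# so it survives the IP change the notes warn about after a restart. Existing rules for the port
# are deleted first so repeated runs do not stack duplicates. (Still not persisted across reboots.)
refresh_dnat() {
    ip=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' wireguard)
    [ -n "$ip" ] || { echo "wireguard container has no IP address" >&2; return 1; }
    sudo iptables -t nat -S PREROUTING | grep -- "--dport $WEBUI_PORT -j DNAT" |
        sed 's/^-A /-D /' | while IFS= read -r rule; do sudo iptables -t nat $rule; done
    sudo iptables -t nat -A PREROUTING -p tcp --dport "$WEBUI_PORT" -j DNAT --to-destination "$ip:$WEBUI_PORT"
}

case "${1:-}" in
    check) live_check ;;
    dnat)  refresh_dnat ;;
esac
```

`sh vpncheck.sh check` is the leak test worth running after every restart, and `sh vpncheck.sh dnat` replaces the hand-typed PREROUTING rule; the MASQUERADE rule from the notes is unaffected because it matches on the destination address, which the refresh does not change for a pinned container IP.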
    

FAQ

  1. How to get the Plex claim token? -> Go to the URL and log in: https://www.plex.tv/claim/