The first time I built this I knew nothing about Docker. Plus, Portainer stacks and docker-compose relationships are not the same thing. Portainer is very convenient for individual containers and shows the compose relationships as unmanageable stacks, but that's enough. You can still see and restart things in the stack, and that plus light monitoring is all I use Portainer for, so I will continue to use it.
This time, I'll make sure everything has properly persistent mounts or even bind mounts so things don't get deleted on a container update, and everything will be created with a compose file instead of through the Portainer UI. The last change won't matter very much in my case, because I have this directory on the same physical disk as root, but I'll move all the compose files and volumes into /mnt/dietpi_userdata/containers/ so they can be organized instead of sitting in home directories.
Basic steps to get the Pi online:
Watchtower
Keep all the other containers up to date automatically.
Dozzle
Watch logs for all running containers.
Audiobookshelf
audiobookshelf.org/guides/docker-install
I chose this because it doesn't play nice with Authentik redirects, so it's a good test.
code-server
docs.linuxserver.io/images/docker-code-server
I chose this one second because it definitely needs to be behind Authentik. Plus, having the Foam notes online was my original reason to have an exposed service on the homelab.
Nginx Proxy Manager & Authentik
github.com/NginxProxyManager/nginx-proxy-ma..
docs.goauthentik.io/docs/installation/docke..
I chose these as reverse proxy and authentication just because they were recommended on self hosting forums. They worked well last time and I don't have infinite energy to relearn this setup. Plus I have some notes in the foam vscode repository from last time!
DuckDNS
docs.linuxserver.io/images/docker-duckdns
DNS registration for free on a subdomain. I used to have a script for this running on the host, but why not containerize it.
Making UFW play nice with Docker.
github.com/chaifeng/ufw-docker
Now that I'm logging what UFW blocks, I immediately saw a lot of ICMP and multicast traffic. The multicasting is a problem with my home router, but the ICMPv6 is across the virtual devices for Docker. Luckily someone else noticed and wrote a script that automatically adds some 'after' rules for UFW to make it get along with Docker.
sudo wget -O /usr/local/bin/ufw-docker \
  https://github.com/chaifeng/ufw-docker/raw/master/ufw-docker
sudo chmod +x /usr/local/bin/ufw-docker
sudo ufw-docker install
It is vitally important after that to add your Docker container for Nginx Proxy Manager to the rules! I got stuck on this when I was trying to set up NPM, especially the SSL certs.
sudo ufw-docker allow npm-app-1 80
sudo ufw-docker allow npm-app-1 443
sudo ufw-docker allow audiobookshelf-audiobookshelf-1 80
sudo ufw-docker allow code-server 8443
sudo ufw-docker allow authentik-server-1 9000
Now, previously when I set up NPM I was able to use the container names as the host when setting up proxy hosts. Something about this UFW setup broke that and I have no idea why it insists on IP addresses now. So I have added a few lines to each compose file to set up static IPs.
version: "3.7"
services:
  audiobookshelf:
    image: ghcr.io/advplyr/audiobookshelf:latest
    ports:
      - 13378:80
    volumes:
      - ./audiobook:/audiobooks
      - ./podcasts:/podcasts
      - ./config:/config
      - ./metadata:/metadata
    environment:
      - TZ=America/New_York
    networks:
      nginx:
        ipv4_address: 172.20.0.3
networks:
  nginx:
    name: npm_default
    external: true
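As an added example (not from the post or from the ufw-docker project), here is a small Python check that reconciles the ports each compose file publishes with the ufw-docker allow rules, since a published port that was never allowed is exactly what got NPM's certificate setup stuck above; it also flags two stacks claiming the same static address on npm_default. It assumes compose's default <project>-<service>-1 container naming, and the compose data, the NPM and authentik port numbers, and the deliberate address collision are constructed sample input, not the post's files.

```python
from collections import defaultdict

# Constructed sample: the parsed form of each stack's compose file, keyed by
# project (directory) name; yaml.safe_load() on the real files gives this shape.
# code-server is deliberately given the same address as audiobookshelf so the
# collision check has something to report.
STACKS = {
    "npm": {"services": {"app": {
        "ports": ["80:80", "443:443", "81:81"],
        "networks": {"nginx": {"ipv4_address": "172.20.0.2"}}}}},
    "audiobookshelf": {"services": {"audiobookshelf": {
        "ports": ["13378:80"],
        "networks": {"nginx": {"ipv4_address": "172.20.0.3"}}}}},
    "code-server": {"services": {"code-server": {
        "container_name": "code-server", "ports": ["8443:8443"],
        "networks": {"nginx": {"ipv4_address": "172.20.0.3"}}}}},
    "authentik": {"services": {"server": {
        "ports": ["9000:9000"],
        "networks": {"nginx": {"ipv4_address": "172.20.0.4"}}}}},
}
# The (container, container-port) pairs from the `ufw-docker allow` lines above.
ALLOWED = {("npm-app-1", 80), ("npm-app-1", 443), ("audiobookshelf-audiobookshelf-1", 80),
           ("code-server", 8443), ("authentik-server-1", 9000)}

def container_name(project, service, spec):
    # compose names containers <project>-<service>-1 unless container_name is set
    return spec.get("container_name", f"{project}-{service}-1")

def container_port(mapping):
    # ufw-docker allow takes the container side of "host:container[/proto]",
    # e.g. 80 for "13378:80"; the long (dict) form keeps it under "target"
    if isinstance(mapping, dict):
        return int(mapping["target"])
    return int(str(mapping).rsplit(":", 1)[-1].split("/")[0])

def audit(stacks, allowed):
    published, ip_owners = set(), defaultdict(list)
    for project, compose in stacks.items():
        for service, spec in compose.get("services", {}).items():
            name = container_name(project, service, spec)
            for mapping in spec.get("ports", []):
                published.add((name, container_port(mapping)))
            nets = spec.get("networks", {})
            for net in (nets.values() if isinstance(nets, dict) else []):
                if isinstance(net, dict) and "ipv4_address" in net:
                    ip_owners[net["ipv4_address"]].append(name)
    return {
        "not_allowed": sorted(published - allowed),  # published, but UFW denies it from outside
        "stale": sorted(allowed - published),        # allowed, but nothing publishes it
        "ip_conflicts": {ip: o for ip, o in ip_owners.items() if len(o) > 1},
    }

if __name__ == "__main__":
    for key, value in audit(STACKS, ALLOWED).items():
        print(f"{key}: {value}")
```

A port listed under not_allowed is not necessarily a mistake (the sample's NPM port 81 is its admin UI, which you may want to keep LAN-only); the point is that every published port gets a deliberate decision rather than a surprise when a proxy host or certificate request fails.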
After that, Authentik needs to be configured.
Finally, I can check that code-server is behind authentication and clone in my Foam repository. Foam notes is why I made the original homelab accessible outside LAN. I use it for documentation, mostly the notes are about building the homelab and other personal programming projects.