Djeex/docudjeex
1
1
Fork 0
Code Issues Pull Requests Projects Wiki Activity

Fully translated + good linking

Browse Source
This commit is contained in:
Djeex
2025-07-04 13:37:55 +00:00
parent e9ccda2e14
commit 5c207add10
32 changed files with 435 additions and 469 deletions
Download Patch File Download Diff File Expand all files Collapse all files

75
content/3.serveex/2.core/1.installation.md Normal file
View File

@ -0,0 +1,75 @@
---
navigation: true
title: Debian 12
main:
fluid: false
---
:ellipsis{left=0px width=40rem top=10rem blur=140px}
# Debian 12
::alert{type="info"}
🎯 __Goal:__ Install Debian 12 and the main dependencies to have a ready-to-use OS, accessible via SSH.
::
![picture](/img/serveex/server.svg)
## Installation
---
1. [BIOS Setup](https://www.debian.org/releases/stable/i386/ch03s06.fr.html#bios-setup)
2. [Download Debian Image](https://www.debian.org/download.fr.html)
3. [Create Bootable USB (Rufus)](https://dev.to/devops2808/how-to-create-bootable-usb-installer-for-debian-12-4f66)
4. [Install Debian and Set Up SSH](https://www.howtoforge.com/tutorial/debian-minimal-server/)
5. Install sudo and add a user to the sudo group for administrative privileges.
Log in as root:
```shell
su -
```
Enter your password, then type:
```shell
apt install sudo
```
Add the user to the sudo group:
```shell
adduser <username> sudo
```
Next time the user logs in, they will be able to use the `sudo` command to execute commands with administrative privileges.
6. [Everything About Remote Console Access (SSH)](https://www.digitalocean.com/community/tutorials/ssh-essentials-working-with-ssh-servers-clients-and-keys)
7. Optional - [UPS Client in Case of Power Outage](https://www.sindastra.de/p/2078/how-to-connect-linux-server-to-synology-ups-server) / [also here](https://www.reddit.com/r/synology/comments/gtkjam/use_synology_nas_as_ups_server_to_safely_power/)
8. Optional - Wake up after power outage → configure BIOS S0 state
9. Optional - [Wake Server Remotely (WoW - WoL)](https://dev.to/zakery1369/enable-wake-on-lan-on-debian-4ljd)
## Must-Have CLI Apps
---
Some essential apps youll likely need at some point, so might as well install them early:
```shell
sudo apt update
sudo apt upgrade
sudo apt install vim btop ranger git duf neofetch samba cifs-utils tree unzip ufw
```
Additionally:
- [gping](https://www.linode.com/docs/guides/how-to-use-gping-on-linux/) - Graphical ping tool
- [lazydocker](https://github.com/jesseduffield/lazydocker) - CLI Docker container manager
## Useful Features
---
### Firewall
- [ufw](https://www.zenarmor.com/docs/network-security-tutorials/how-to-set-up-a-firewall-with-ufw-on-debian)
- [Firewalld](https://linuxcapable.com/how-to-install-firewalld-on-debian-linux/)
### Samba Sharing (Access a Remote Network Disk)
- [Create and Access a Samba Share](/general/samba)
### File Transfer via rsync
```shell
sudo rsync -avhHSP /source /destination
```
::alert{type="info" icon="exclamation-circle"}
:::list{type="info"}
- Add ` --exclude @eaDir`{lang=shell} if the source is a Synology NAS
:::
::

174
content/3.serveex/2.core/2.docker.md Normal file
View File

@ -0,0 +1,174 @@
---
navigation: true
title: Docker
main:
fluid: false
---
:ellipsis{left=0px width=40rem top=10rem blur=140px}
# Docker
Docker, to install deployable services in seconds and manage them with just a few commands or clicks.
::alert{type="info"}
🎯 __Goals:__
- Install [Docker](https://www.docker.com/)
- Install [Dockge](https://github.com/louislam/dockge) to manage stacks
- Install [Watchtower](https://github.com/containrrr/watchtower) to update containers
::
![picture](/img/serveex/docker.svg)
## Install Docker
---
Add the Docker repositories and GPG key:
```shell
# Add Docker's official GPG key:
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
# Add the repository to Apt sources:
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
```
Install the packages:
```shell
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
```
That's it!
**More options:** [Install Docker for Debian 12](https://docs.docker.com/engine/install/debian/)
::alert{type="info" icon="exclamation-circle"}
:::list{type="info"}
- From here on, we assume the stacks are installed in the `/docker` folder, created using the command:
:::
```shell
sudo mkdir /docker
::
## Install [Dockge](https://github.com/louislam/dockge) to manage and deploy containers
---
[Dockge](https://github.com/louislam/dockge) is a web tool to create, configure, launch, and manage Docker containers. It's a simple, intuitive interface thats lighter and easier for beginners than using the CLI or Portainer.
![picture](/img/serveex/dockge.png)
### Configuration
File structure we will create:
```console
root
└── docker
└── dockge
└── compose.yml
```
Create the stack folder:
```shell
cd /docker
sudo mkdir dockge
```
Then create the `compose.yml` file in this folder using `vim`:
```shell
cd /docker/dockge
sudo vi compose.yml
```
Press `i` to enter insert mode and paste the following:
```yaml
---
services:
dockge:
image: louislam/dockge:1
restart: unless-stopped
container_name: dockge
ports:
- 3555:5001 # LAN-accessible port will be 3555
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /docker/dockge/data:/app/data
- /docker:/docker
environment:
- DOCKGE_STACKS_DIR=/docker
```
Press `Esc` and type `:x` to save and exit.
To launch the container:
```shell
cd /docker/dockge
sudo docker compose up -d
```
Then go to `http://yourserverip:3555` in your browser to access the login page.
More info on [Dockge and how to use it](https://github.com/louislam/dockge)
And there you go — Docker and a tool to easily manage your containers are ready!
## [Watchtower](https://github.com/containrrr/watchtower?tab=readme-ov-file), to auto-update containers
---
Watchtower is a container that checks for updates and pulls new images automatically, just by adding a label in your containers `compose.yml` files.
### Configuration
- Open Dockge in your browser
- Click `compose`
- Name the stack `watchtower`
- Paste the config below into the default config area in Dockge
```yaml
---
services:
watchtower:
container_name: watchtower
image: containrrr/watchtower:latest
restart: unless-stopped
env_file:
- .env
environment:
- TZ=Europe/Paris
- WATCHTOWER_SCHEDULE=${SCHEDULE}
- WATCHTOWER_LABEL_ENABLE=true
- WATCHTOWER_CLEANUP=true
- WATCHTOWER_REMOVE_VOLUMES=true
# Discord notifications - uncomment if used
#- WATCHTOWER_NOTIFICATIONS=slack
#- WATCHTOWER_NOTIFICATION_SLACK_IDENTIFIER=Watchtower
#- WATCHTOWER_NOTIFICATION_SLACK_HOOK_URL=${WH_URL}
volumes:
- /var/run/docker.sock:/var/run/docker.sock
```
Then fill in the `.env` section in Dockge with the following:
```properties
SCHEDULE=
WH_URL=
```
| Property | Value | Examples |
|----------------|--------------------------------------------------------------------|----------------------------------------------|
| `SCHEDULE` | Cron format | `0 0 6 * * *` (every day at 6 AM) |
| `WH_URL` | Your Discord webhook URL - append `/slack` at the end | `https://yourdiscordserver/webhook/slack` |
To have Watchtower monitor your other containers, add this to their `compose.yml`:
```yaml
labels:
- com.centurylinklabs.watchtower.enable=true
```
Then restart the modified stacks. And that's it — you now have a solid base to start deploying the services you want!

379
content/3.serveex/2.core/3.swag.md Normal file
View File

@ -0,0 +1,379 @@
---
navigation: true
title: SWAG
main:
fluid: false
---
:ellipsis{left=0px width=40rem top=10rem blur=140px}
# SWAG
::alert{type="info"}
🎯 __Objectives:__
- Install Swag
- Enable SSL
- Access the dashboard
- Configure regional blocking
- Expose Dockge
::
[Swag](https://docs.linuxserver.io/general/swag/) is the core of this homelab. Its a powerful reverse proxy that allows you to expose services on the internet using domain names, handling SSL certificate issuance (for encrypted connections), request routing, and access security (via HTTP auth or SSO like Authelia or Authentik). All the necessary documentation is [available here](https://docs.linuxserver.io/general/swag).
::alert{type="warning"}
:::list{type="warning"}
- SWAG is only useful for exposing your services to the internet—i.e., accessing them via a public URL like `https://service.mydomain.com`. If you dont want to expose your services and prefer to always use a VPN to connect remotely, you can go [here instead](/serveex/securite/wireguard).
:::
::
Below is an example exposing Dockge. We will install SWAG along with the dbip mod for geolocation-based blocking, and the dashboard mod for managing swag, fail2ban, and geolocation.
**Reverse proxy principle and its application in our case:**
![Picture](/img/serveex/reverse-proxy.svg)
## Installation
---
::alert{type="info" icon="exclamation-circle"}
:::list{type="info"}
- This tutorial assumes you have a domain name pointing to your server, and that your router has a NAT rule forwarding port `443` to your server's IP and port `443`. The example domain will be `mydomain.com`.
:::
::
File structure to be modified:
```console
root
└── docker
└── swag
├── config
│ ├── dns-conf
│ │ └── ovh.ini
│ └── nginx
│ ├── dbip.conf
│ ├── nginx.conf
│ └── proxy-confs
│ └── dockge.subdomain.conf
├── compose.yml
└── .env
```
Open Dockge in your browser, click on `compose`, name the stack `swag`, and copy the following config:
```yaml
---
services:
swag:
image: lscr.io/linuxserver/swag:latest
container_name: swag
cap_add:
- NET_ADMIN
env_file:
- .env
environment:
- TZ=Europe/Paris
- URL=${DOMAIN}
- EXTRA_DOMAINS=${DOMAINS}
- SUBDOMAINS=wildcard
- VALIDATION=dns
- DNSPLUGIN=${PLUGIN}
- EMAIL=${EMAIL}
- DOCKER_MODS=linuxserver/mods:swag-dbip|linuxserver/mods:swag-dashboard|linuxserver/mods:swag-auto-reload
volumes:
- /docker/swag/config:/config
ports:
- 80:80
- 443:443
- 81:81
restart: unless-stopped
networks:
- swag
networks:
swag:
name: swag_default
```
::alert{type="success"}
__Tip:__
Add the watchtower label to each container to enable automatic updates
```yaml
services:
swag:
#...
labels:
- com.centurylinklabs.watchtower.enable=true
```
::
Then in the `.env` file:
```properties
DOMAIN=
DOMAINS=
EMAIL=
PLUGIN=
```
Fill out the variables as follows:
| Property | Value | Examples |
|-------------------------|---------------------------------------------------------------------------|-----------------------|
| `DOMAIN` | Your domain (covers all subdomains too) | `mydomain.com` |
| `DOMAINS` | Any additional domains | `myseconddomain.com` |
| `EMAIL` | Your email for generating the certificate | `your@email.com` |
| `PLUGIN` | Plugin for certificate generation—depends on your [DNS provider](https://docs.linuxserver.io/general/swag/) | `ovh`<br>`cloudflare` |
Assuming your DNS zone is managed by OVH, deploy the stack once. The logs will show a failure in creating the SSL certificate due to a missing `ovh.ini` configuration. Stop the stack.
In CLI, go to the dns-conf folder and edit the `ovh.ini` file:
::alert{type="success"}
__Tip for terminal-shy users:__
You can use [File Browser](/serveex/files/file-browser) to browse and edit files instead of using terminal commands.
::
```shell
sudo vi /docker/swag/config/dns-conf/ovh.ini
```
You should see:
```properties
# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-ovh/certbot_dns_ovh/__init__.py#L20
# Replace with your values
dns_ovh_endpoint = ovh-eu
dns_ovh_application_key =
dns_ovh_application_secret =
dns_ovh_consumer_key =
```
Authenticate and create [your token here](https://www.ovh.com/auth/?onsuccess=https%3A%2F%2Fwww.ovh.com%2Fauth%2Fapi%2FcreateToken).
Set the following permissions:
* `GET /domain/zone/*`
* `PUT /domain/zone/*`
* `POST /domain/zone/*`
* `DELETE /domain/zone/*`
Note the 3 keys temporarily and enter them in `ovh.ini`. (In vim, press `i` to edit, `Esc` when done, `:x` to save and exit)
Save and exit the file.
Now configure swag to access DBIP, the geolocation-based access control module. Open the `nginx.conf` file:
```shell
sudo vi /docker/swag/config/nginx/nginx.conf
```
Add the following line below the `http` section:
```nginx
include /config/nginx/dbip.conf;
```
Restart the stack in Dockge. This time, the SSL certificate should be successfully generated! Check the logs to confirm the server is ready.
## Dashboard
---
Access the dashboard locally by going to `http://yourserverip:81`
On the left, you'll see a list of currently "proxied" services (none yet). On the right, the list of banned IPs. Below, various indicators. For more details, [click here](https://www.linuxserver.io/blog/introducing-swag-dashboard).
![picture](https://www.linuxserver.io/user/pages/03.blog/introducing-swag-dashboard/example.png)
## DBIP
---
DBIP allows you to block connections based on countries. It relies on the configuration file named `dbip.conf` located in `/docker/swag/config/nginx`. [More info here](https://virtualize.link/secure/).
In this example, well configure it to block a list of countries known to be the source of most malicious traffic. Well also configure a variable to allow internal server traffic, your boxs local network, and a potential VPN in the 10.x.x.x range to access your services — but not the open internet.
This configuration can be enabled or disabled per service (see the Dockge example below).
Open `dbip.conf`:
```shell
sudo vi /docker/swag/config/nginx/dbip.conf
```
Make your changes ([see documentation](https://github.com/linuxserver/docker-mods/tree/swag-dbip)), or use the following example:
```nginx
geoip2 /config/geoip2db/dbip-country-lite.mmdb {
auto_reload 1w;
$geoip2_data_continent_code continent code;
$geoip2_data_country_iso_code country iso_code;
}
# Country Codes: https://en.wikipedia.org/wiki/ISO_3166-2
map $geoip2_data_country_iso_code $geo-whitelist {
default no;
FR yes;
}
map $geoip2_data_country_iso_code $geo-blacklist {
default yes;
CN no; #China
RU no; #Russia
HK no; #Hong Kong
IN no; #India
IR no; #Iran
VN no; #Vietnam
TR no; #Turkey
EG no; #Egypt
MX no; #Mexico
JP no; #Japan
KR no; #South Korea
KP no; #North Korea
PE no; #Peru
BR no; #Brazil
UA no; #Ukraine
ID no; #Indonesia
TH no; #Thailand
}
geo $lan-ip {
default no;
10.0.0.0/8 yes;
172.16.0.0/12 yes;
192.168.0.0/16 yes;
127.0.0.1 yes;
}
```
Save and close the file. Restart the stack.
In the domain config files (see next section), you can enable or disable the whitelist or blacklist ([see documentation here](https://www.forum-nas.fr/threads/tuto-installer-swag-en-docker-reverse-proxy.15057/)). In our case, the whitelist allows only French requests. The blacklist blocks only the listed countries. We'll use the blacklist, like so:
```nginx
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name some-app.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
if ($geo-blacklist = no) { return 404; }
location / {
```
## Exposing Dockge
---
::alert{type="info"}
📋 __Prerequisite:__ <br/><br/>
We assume that you have created a subdomain like `dockge.mydomain.com` in your [DNS zone](/general/dns), with a `CNAME` pointing to `mydomain.com` and — unless you're using [Cloudflare Zero Trust](/serveex/securite/cloudflare) — that you've forwarded port `443` from your router to the server's `443` in [your NAT rules](/general/nat).
::
Now it's time to expose Dockge on the internet so you can access and manage your containers remotely. We assume you've set up the subdomain `dockge.mydomain.com` with a `CNAME` pointing to `mydomain.com`.
::alert{type="warning"}
:::list{type="warning"}
- Dockge does not support multi-factor authentication. Exposing it online could compromise all connected machines. Only do this if you're using an MFA solution like [Authentik](/serveex/securite/authentik/). Otherwise, dont expose it with SWAG — use a VPN like [Wireguard](/serveex/securite/wireguard) instead.
:::
::
Open the `dockge.subdomain.conf` file:
```shell
sudo vi /docker/swag/config/nginx/proxy-confs/dockge.subdomain.conf
```
Configure it like this:
```nginx
## Version 2023/12/19
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name dockge.*; # define the subdomain to redirect
include /config/nginx/ssl.conf;
client_max_body_size 0;
#if ($lan-ip = yes) { set $geo-whitelist yes; }
#if ($geo-whitelist = no) { return 404; }
if ($geo-blacklist = no) { return 404; } # all countries un blacklist are forbidden
#include /config/nginx/ldap-server.conf;
#include /config/nginx/authelia-server.conf;
#include /config/nginx/authentik-server.conf;
location / {
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
#include /config/nginx/ldap-location.conf;
#include /config/nginx/authelia-location.conf;
#include /config/nginx/authentik-location.conf;
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app dockge; # container name
set $upstream_port 5001; # internal container port (not exposed port)
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}
```
Save and exit. The configuration will update within a few seconds.
::alert{type="info"}
:::list{type="info"}
- By default, SWAG doesnt recognize the name "dockge". Youll need to add Dockges network to SWAGs `compose.yml`.
:::
::
Go to the SWAG stack, click `edit`, and modify the config file like this (note the `networks` section):
```yaml
services:
swag:
container_name: #...
# ...
networks: # Link the container to the custom network
- dockge # Network name as defined in the stack
networks: # Define the custom network
# ...
dockge: # Network name as defined in the stack
name: dockge_default # True external network name
external: true
```
::alert{type="info"}
:::list{type="info"}
- We assume the Dockge network is named `dockge_default`. You can verify the setup works by checking the SWAG dashboard at `http://yourserverip:81`.
:::
::
Redeploy the SWAG stack.
Wait a moment, then visit `https://dockge.mydomain.com` in your browser — you should be redirected to Dockge. You can also check the service status from the dashboard (`http://yourserverip:81` on your local network).
## Exposing Another Service with SWAG
---
SWAG includes templates for most known services, named `servicename.subdomain.conf.sample`. Just create the subdomain in your registrar's DNS zone (like OVH), point it to your main domain via a CNAME, then copy and rename the sample file:
```shell
cd /docker/swag/config/proxy-confs
sudo cp servicename.subdomain.conf.sample servicename.subdomain.conf
```
::alert{type="danger"}
:::list{type="danger"}
- __If the subdomain is not redirected properly__
:::
- Open the file and verify the container name in `set $upstream_app containername;`{lang=nginx}
- Make sure you added the container's network in SWAGs `compose.yml`
::
You can also customize the subdomain by editing `server_name yoursubdomain.*;`{lang=nginx} and renaming the file to `yoursubdomain.subdomain.conf`.

1
content/3.serveex/2.core/_dir.yml Normal file
View File

@ -0,0 +1 @@
navigation.title: Server core