251 lines
6.7 KiB
Markdown
251 lines
6.7 KiB
Markdown
---
|
||
navigation: true
|
||
title: Beszel
|
||
main:
|
||
fluid: false
|
||
---
|
||
:ellipsis{left=0px width=40rem top=10rem blur=140px}
|
||
# Beszel
|
||
|
||
::alert{type="info"}
|
||
🎯 __Objectives:__
|
||
- Install Beszel
|
||
- Monitor the local server
|
||
- Monitor a remote server
|
||
- Expose Beszel with Swag
|
||
::
|
||
|
||
[Beszel](https://beszel.dev/) is a container that gives you real-time access to hardware information from your servers and allows historical tracking. CPU activity, disk usage, temperatures, RAM—nothing escapes your monitoring. Beszel also lets you configure notifications and alerts when your predefined thresholds are exceeded.
|
||
|
||
Beszel includes a hub with a web UI and an agent that collects data from your server or a remote server.
|
||
|
||
|
||
|
||
## Installation
|
||
---
|
||
|
||
Folder structure
|
||
|
||
```console
|
||
root
|
||
└── docker
|
||
└── beszel
|
||
├── data
|
||
└── socket
|
||
```
|
||
|
||
Open Dockge, click `compose`, name the stack `beszel`, and paste the following:
|
||
|
||
```yaml
|
||
---
|
||
services:
|
||
beszel:
|
||
image: henrygd/beszel:latest
|
||
container_name: beszel
|
||
restart: unless-stopped
|
||
ports:
|
||
- ${PORT}:8090
|
||
volumes:
|
||
- ./data:/beszel_data
|
||
- ./socket:/beszel_socket
|
||
|
||
beszel-agent:
|
||
image: henrygd/beszel-agent:latest
|
||
container_name: beszel-agent
|
||
restart: unless-stopped
|
||
network_mode: host
|
||
volumes:
|
||
- ./socket:/beszel_socket
|
||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||
environment:
|
||
LISTEN: /beszel_socket/beszel.sock
|
||
# Do not remove quotes around the key
|
||
KEY: ${KEY}
|
||
```
|
||
|
||
::alert{type="success"}
|
||
✨ __Tip:__ Add the Watchtower label to each container to automate updates.
|
||
|
||
```yaml
|
||
services:
|
||
beszel:
|
||
#...
|
||
labels:
|
||
- com.centurylinklabs.watchtower.enable=true
|
||
```
|
||
::
|
||
|
||
Fill out the `.env` file, for example:
|
||
|
||
```properties
|
||
PORT=8090 # web UI port
|
||
KEY= # private key to retrieve from Beszel when adding a system
|
||
```
|
||
|
||
For the `KEY` value, you'll need to launch Beszel once to get it.
|
||
|
||
Deploy the container and go to `http://yourserverip:8090`. Your Beszel web UI is now accessible!
|
||
|
||
::alert{type="danger"}
|
||
:::list{type="danger"}
|
||
- __If it fails:__ check your firewall rules.
|
||
:::
|
||
::
|
||
|
||
### Add local server information
|
||
|
||
Now that the web UI is accessible, you need to push local server information into it. Just add a machine via the web UI and configure it like this:
|
||
|
||
|
||
|
||
Note the private key and confirm. Enter the key in your `.env` file in Dockge and redeploy the stack. Once done, your server will appear in the web UI:
|
||
|
||
|
||
|
||
### Add a remote server
|
||
|
||
You can also monitor a remote server. To do so, run the agent on the remote server. Add a new machine in Beszel and fill in:
|
||
|
||
- The name displayed for your remote server
|
||
- The IP address or domain name of the remote server
|
||
- The listening port (e.g., `45876`)
|
||
|
||
Beszel will suggest a `compose.yaml` to deploy on the remote server, or you can use:
|
||
|
||
```yaml
|
||
---
|
||
services:
|
||
beszel-agent:
|
||
image: henrygd/beszel-agent
|
||
container_name: beszel-agent
|
||
restart: unless-stopped
|
||
network_mode: host
|
||
volumes:
|
||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||
environment:
|
||
LISTEN: ${PORT}
|
||
KEY: ${KEY}
|
||
```
|
||
|
||
And in `.env`:
|
||
|
||
```properties
|
||
PORT=45876 # communication port between hub and remote agent
|
||
KEY= # private key from Beszel when adding the system
|
||
```
|
||
|
||
Deploy the stack on the remote server. Data will begin flowing into the web UI after a few seconds.
|
||
|
||
::alert{type="danger"}
|
||
:::list{type="danger"}
|
||
- __If it fails:__ check your firewall rules.
|
||
:::
|
||
::
|
||
|
||
## Expose Beszel with Swag
|
||
---
|
||
|
||
::alert{type="warning"}
|
||
:::list{type="warning"}
|
||
- Beszel does not support multi-factor authentication. Exposing it on the internet could compromise connected machines. Only do this if you're using a system like [Authentik](/serveex/security/authentik/). Otherwise, do not expose with SWAG—use a VPN like [Wireguard](/serveex/security/wireguard) instead.
|
||
:::
|
||
::
|
||
|
||
If you want to access Beszel remotely from all your devices, expose it using Swag.
|
||
|
||
::alert{type="info"}
|
||
📋 __Prerequisite:__
|
||
<br/><br/>
|
||
You must have created a DNS subdomain like `beszel.mydomain.com` with a `CNAME` pointing to `mydomain.com`, and—unless you're using Cloudflare Zero Trust—you must have forwarded port `443` on your router to your server’s `443` port via [NAT rules](/general/networking/nat).
|
||
::
|
||
|
||
In Dockge, edit Swag's compose file and add Beszel’s network:
|
||
|
||
```yaml
|
||
services:
|
||
swag:
|
||
container_name: # ...
|
||
# ...
|
||
networks:
|
||
# ...
|
||
- beszel # network declared in the stack
|
||
|
||
networks:
|
||
# ...
|
||
beszel:
|
||
name: beszel_default # actual external network name
|
||
external: true
|
||
```
|
||
|
||
Redeploy the stack and wait for Swag to become fully operational.
|
||
|
||
::alert{type="info"}
|
||
:::list{type="info"}
|
||
- We assume the network name is `beszel_default`. You can check connectivity by visiting Swag's dashboard at `http://yourserverip:81`.
|
||
:::
|
||
::
|
||
|
||
In Swag’s config folders, create `beszel.subdomain.conf`.
|
||
|
||
::alert{type="success"}
|
||
✨ __Tip:__ Use [File Browser](/serveex/files/file-browser) to browse and edit files instead of terminal commands.
|
||
::
|
||
|
||
```shell
|
||
sudo vi /docker/swag/config/nginx/proxy-confs/beszel.subdomain.conf
|
||
```
|
||
|
||
Press `i` to enter insert mode and paste:
|
||
|
||
```nginx
|
||
## Version 2023/12/19
|
||
|
||
server {
|
||
listen 443 ssl;
|
||
listen [::]:443 ssl;
|
||
|
||
server_name beszel.*;
|
||
|
||
include /config/nginx/ssl.conf;
|
||
|
||
client_max_body_size 0;
|
||
|
||
#if ($lan-ip = yes) { set $geo-whitelist yes; }
|
||
#if ($geo-whitelist = no) { return 404; }
|
||
if ($geo-blacklist = no) { return 404; }
|
||
|
||
# enable for ldap auth
|
||
#include /config/nginx/ldap-server.conf;
|
||
|
||
# enable for Authelia
|
||
#include /config/nginx/authelia-server.conf;
|
||
|
||
# enable for Authentik
|
||
#include /config/nginx/authentik-server.conf;
|
||
|
||
location / {
|
||
#auth_basic "Restricted";
|
||
#auth_basic_user_file /config/nginx/.htpasswd;
|
||
|
||
#include /config/nginx/ldap-location.conf;
|
||
#include /config/nginx/authelia-location.conf;
|
||
#include /config/nginx/authentik-location.conf;
|
||
|
||
include /config/nginx/proxy.conf;
|
||
include /config/nginx/resolver.conf;
|
||
set $upstream_app beszel;
|
||
set $upstream_port 8090;
|
||
set $upstream_proto http;
|
||
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
|
||
}
|
||
}
|
||
```
|
||
|
||
Press `Esc`, type `:x`, and hit `Enter` to save and exit.
|
||
|
||
That’s it—Beszel is now exposed!
|
||
|
||
::alert{type="success"}
|
||
✨ You can protect this app with Authentik by opening `beszel.subdomain.conf` and removing the `#` in front of `include /config/nginx/authentik-server.conf;` and `include /config/nginx/authentik-location.conf;`. Don’t forget to [create an application and provider in Authentik](/serveex/security/authentik#protecting-an-app-via-reverse-proxy).
|
||
::
|