Docker Compose service definitions for the various apps I have running on my home network.

After setting up all of the necessary environment variables (remember to `cp .env.example .env` first), everything (besides some of the weirdness discussed below) should just kinda work, I think...?

```bash
docker compose up -d
```
๐ = Inbound access is handled by a Traefik container, proxied via a DigitalOcean VPS running Caddy for access from anywhere. This negates the need to open any ports on the router. (More on this soon.)
๐ = Protected by Authelia single sign-on.
๐ = Publicly accessible but OAuth (also via Authelia) is used for admin logins.
๐ = Outgoing WAN traffic is tunneled through a WireGuard client container to Mullvad VPN.
- ๐ ๐ Gitea
- ๐ ๐ MinIO
- ๐ ๐ ๐ Sonarr
- ๐ ๐ ๐ Radarr
- ๐ ๐ ๐ Prowlarr
- ๐ ๐ ๐ Bazarr
- ๐ ๐ ๐ qBittorrent
- ๐ ๐ Tautulli
- ๐ ๐ Homepage
- ๐ ๐ Portainer
- ๐ ๐ Munin
- ๐ ๐ Dozzle
- ๐ Flaresolverr
- Docker secrets are used to store/read the WireGuard private key and Plex Pass claim token. These are stored as files in the `secrets` subdirectory here and mounted to `/run/secrets/secret_name` in the containers.
- Getting the keys for Mullvad is pretty awkward: you need to generate configuration files (with a new private key if needed) from the Mullvad dashboard, extract the ZIP archive it spits out, and then open any one of the `.conf` files in a text editor to extract the `PrivateKey`. Read more: https://github.com/qdm12/gluetun/wiki/Mullvad#wireguard-only
- In the same `.conf` file(s), the hard-coded `PrivateKey` can now be removed. Replace it with the following `PostUp` command so that WireGuard knows to refer to the Docker secret for it instead:
  ```diff
  [Interface]
  - PrivateKey = xxxxxx
  + PostUp = wg set %i private-key <(cat /run/secrets/wg_private_key)
  ```
- Port forwarding is probably the biggest benefit of using Mullvad and can speed up BT downloads bigly. Mullvad can assign a random port (between 40000ish and 60000ish) pointed towards the WireGuard keypair used above. Setting `VPN_FORWARDED_PORT` to this number will tell both WireGuard and qBittorrent to open the port and use it for P2P connections.
- Filesystem permissions get super tricky and frustrating very quickly. Carefully override `UID` and `GID` if necessary (both default to `1000` for most containers, which usually belongs to the first non-root account created on the host) and, um... good luck.
- The conflicts between Docker and UFW are far more severe than I realized. Thankfully, nothing here is important enough to cause me to lose sleep at night, so poking these holes in the wall seemed to help solve/cover up most issues...

  ```bash
  ufw route allow from 172.17.0.0/12 to 172.17.0.0/12
  ```
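As an added example (not code from this repo), a small shell helper that automates the Mullvad key step described above: it copies `PrivateKey` out of an exported `.conf` into a secret file and rewrites the `.conf` with the `PostUp` hook. It assumes the secret is named `wg_private_key` and that the script file name is `mullvad-secret.sh`; both are assumptions, not repo conventions.

```shell
#!/bin/sh
# Added example, not part of this repo: automate the Mullvad key step.
# 1) copy PrivateKey out of an exported wg-quick .conf into a secret file
# 2) rewrite the .conf so WireGuard reads the key from /run/secrets at PostUp
set -eu

# extract_private_key CONF SECRET_FILE
# Writes the PrivateKey value from CONF to SECRET_FILE, created mode 0600
# so the key is readable only by the user running Compose.
extract_private_key() {
  conf=$1; secret=$2
  key=$(sed -n 's/^[[:space:]]*PrivateKey[[:space:]]*=[[:space:]]*//p' "$conf" \
        | head -n 1 | tr -d '[:space:]')
  [ -n "$key" ] || { echo "no PrivateKey found in $conf" >&2; return 1; }
  ( umask 077; printf '%s\n' "$key" > "$secret" )
}

# strip_private_key CONF SECRET_NAME
# Drops the PrivateKey line and inserts a PostUp hook right after [Interface]
# that loads the key from /run/secrets/SECRET_NAME (the Compose mount path).
strip_private_key() {
  conf=$1; name=$2
  awk -v hook="PostUp = wg set %i private-key <(cat /run/secrets/$name)" '
    /^[[:space:]]*PrivateKey[[:space:]]*=/ { next }   # never keep the key in the .conf
    { print }
    /^\[Interface\]/ { print hook }                    # hook goes under [Interface]
  ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Usage (assumed script name): ./mullvad-secret.sh mullvad.conf secrets/wg_private_key
# The secret name passed to strip_private_key is the file's basename, which is
# what Compose mounts under /run/secrets/.
if [ $# -eq 2 ]; then
  extract_private_key "$1" "$2"
  strip_private_key "$1" "$(basename "$2")"
fi
```

After running it, the `.conf` no longer contains the key, and the `secrets/` file is what the Compose `secrets:` entry points at.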
These notes are for my own reference and are probably band-aids for edge cases that may or may not apply to anyone else. In reality, they'll probably cause you more problems and introduce security holes if you're hosting anything other than completely legally obtained ~~TV shows~~ Linux ISOs...
Everything here assumes the host is running something Debian-based (because it is).
https://docs.docker.com/engine/install/debian/

```bash
# Add Docker's official GPG key:
sudo apt-get update
sudo apt-get install ca-certificates curl gnupg
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg

# Add the repository to Apt sources:
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

# Install the Docker packages
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
```
Create a PAT (classic) with the `read:packages` scope.

```bash
export CR_PAT=TOKEN_FROM_THERE
echo $CR_PAT | docker login ghcr.io -u jakejarvis --password-stdin
```