Modernize your home infrastructure, like a pro!
MIT License
Please read through the entire documentation before starting.
## Prerequisites

- DietPi, 64-bit ArmV8-Buster image, without any additional software installed
- The Pi configured to use a static IP (say, 192.168.0.10)
- `nano` or `vi`
- `docker`: you can use `dietpi-software` to install Docker.
- `git`: you can use `dietpi-software` to install git too.

If the above checklist is complete, we can now go on with the next steps:
## Setup

Fork this repo; this will be needed if you plan to save your own configs.

Clone the repo you just forked:

```sh
git clone https://github.com/<user_name>/home-infrastructure.git && cd home-infrastructure
```

We need `docker-compose` and all the related dependencies, which can be installed with:

```sh
./setup.sh
```

Populate the `.env` file (this stores all your secrets, hence it is never committed):

```sh
nano .env
```

Fill out all the details:
```sh
# Global
LOG_LEVEL=ERROR # Could be DEBUG, INFO, ERROR, NONE
TZ='America/Edmonton' # Timezone
PGID=1000 # You don't need to touch this
PUID=1000 # You don't need to touch this

# Cloudflare
CF_KEY= # Cloudflare token with zone edit permissions for the domain you own.
CF_EMAIL= # Cloudflare email id
CF_ZONE= # Cloudflare zone id for the domain

# Domains
BASE_URL= # domain.tld
SUBDOMAIN= # home [or could be anything where your services should show up]
HOME_URL= # home.domain.tld [or whatever you used in the previous step]

# Github PAT for docker package registry.
GH_PAT= # Github personal access token with `read:packages` permission.

# Auth/TFA
SECRET_SALT= # Random string, make it 64 bytes long.
GOOGLE_CLIENT_ID= # Register your project on Google console and get this.
GOOGLE_CLIENT_SECRET= # Ditto
WHITELISTED='user1@example.com,user2@example.com' # Comma-separated Google accounts allowed to log in (placeholders)
AUTH_LOGIN_TOKEN_EXPIRY=2592000
```
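Before starting the stack it is worth checking that nothing in `.env` was left empty or too short, because the whole setup's login security rests on `SECRET_SALT` and `WHITELISTED`. The script below is an added example, not code from the home-infrastructure repo: it generates a salt of the required length and sanity-checks a populated `.env`. The key names and the allowed `LOG_LEVEL` values come from the template above; the required-key list, the email check and the rule that `HOME_URL` equals `SUBDOMAIN.BASE_URL` are this script's own assumptions, and the sample file is constructed.

```python
# Added example (not part of the home-infrastructure repo): generate a
# SECRET_SALT of the required length and sanity-check a populated .env
# before starting the stack. Key names and LOG_LEVEL values follow the
# .env template; the checks themselves are this script's assumptions.
import re
import secrets

REQUIRED = (
    "CF_KEY", "CF_EMAIL", "CF_ZONE", "BASE_URL", "SUBDOMAIN", "HOME_URL",
    "GH_PAT", "SECRET_SALT", "GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET",
    "WHITELISTED",
)
LOG_LEVELS = {"DEBUG", "INFO", "ERROR", "NONE"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def new_secret_salt():
    """48 random bytes encoded as exactly 64 URL-safe characters (no padding)."""
    return secrets.token_urlsafe(48)


def parse_env(text):
    """Minimal KEY=value parser: quoted values are kept verbatim, otherwise the
    value ends at a '#' that starts the value or follows whitespace."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if value[:1] in ("'", '"'):
            end = value.find(value[0], 1)
            value = value[1:end] if end > 0 else value[1:]
        else:
            value = re.split(r"(?:^|\s)#", value, maxsplit=1)[0].strip()
        env[key.strip()] = value
    return env


def check_env(env):
    """Return a list of problems; an empty list means the file looks usable."""
    problems = []
    for key in REQUIRED:
        if not env.get(key):
            problems.append(f"{key} is empty")
    if env.get("LOG_LEVEL", "ERROR") not in LOG_LEVELS:
        problems.append("LOG_LEVEL must be one of " + ", ".join(sorted(LOG_LEVELS)))
    if len(env.get("SECRET_SALT", "")) < 64:
        problems.append("SECRET_SALT is shorter than 64 characters")
    for addr in env.get("WHITELISTED", "").split(","):
        if addr.strip() and not EMAIL_RE.match(addr.strip()):
            problems.append(f"WHITELISTED entry is not an email address: {addr.strip()!r}")
    if not env.get("AUTH_LOGIN_TOKEN_EXPIRY", "0").isdigit():
        problems.append("AUTH_LOGIN_TOKEN_EXPIRY must be a whole number")
    home, base, sub = env.get("HOME_URL"), env.get("BASE_URL"), env.get("SUBDOMAIN")
    if home and base and sub and home != f"{sub}.{base}":
        problems.append(f"HOME_URL should be {sub}.{base} to match SUBDOMAIN and BASE_URL")
    return problems


# Constructed sample with two deliberate mistakes: empty CF_KEY, short SECRET_SALT.
SAMPLE_ENV = """
# Global
LOG_LEVEL=ERROR # Could be DEBUG, INFO, ERROR, NONE
TZ='America/Edmonton' # Timezone
PGID=1000
PUID=1000
# Cloudflare
CF_KEY= # forgot to paste the token
CF_EMAIL=admin@example.com
CF_ZONE=0123456789abcdef
# Domains
BASE_URL=example.com
SUBDOMAIN=home
HOME_URL=home.example.com
GH_PAT=ghp_PLACEHOLDER
# Auth/TFA
SECRET_SALT=tooshort
GOOGLE_CLIENT_ID=placeholder.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=placeholder-secret
WHITELISTED='alice@example.com,bob@example.com'
AUTH_LOGIN_TOKEN_EXPIRY=2592000
"""

if __name__ == "__main__":
    for problem in check_env(parse_env(SAMPLE_ENV)):
        print("problem:", problem)
    print("a fresh SECRET_SALT:", new_secret_salt())
```

Run it against the real file with `check_env(parse_env(open(".env").read()))`; the salt it prints can be pasted straight into `SECRET_SALT`.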
Once everything is filled in, just start:

```sh
./run.sh -v
```

If something does not look right, kill all containers and force rebuild:

```sh
./run.sh -kv
```
## Services

All services are now behind a reverse proxy; this script would set up six services for you:

- `home.domain.tld`: this is your dashboard, behind Google Auth; you can go in and add links to your services.
- `pihole.home.domain.tld`: this is the pihole web interface to manage your adblocker.
- `hass.home.domain.tld`: this is your home automation hub.
- `portainer.home.domain.tld`: you can manage your containers here.
- `traefik.home.domain.tld`: status of your reverse proxy.
- `kibana.home.domain.tld`: all your container logs in one place, searchable.

Go to your router settings page and add a NAT route:

- Service Type: HTTPS
- External Port: 443
- Internal IP: 192.168.0.10 (RPi IP address)
- Internal Port: 443
- Protocol: TCP

In your Cloudflare settings panel, change the SSL config to Full SSL.
Once the server is up and running, all of the services will boot up and create their own configs. I would recommend reading through each service's documentation to understand its capabilities.

In Kibana, the container logs appear under the `logstash-*` index pattern.
## Saving configs

Most of the services will be storing data in their own docker volumes. But if you decide you need to save configurations manually, you can create:

```sh
mkdir -p <app_name-config>
```

and then edit `docker-compose.yaml`: in the `volumes:` section for the app, replace `app_name-data` with `./app_name-config`, and delete the entry from the docker volumes section at the top.

Note: Make sure you are not committing secrets in your public repo.
## Removing inbuilt authentication

Since your reverse proxy is protecting all your endpoints, you might want to remove additional inbuilt authentication settings:

PiHole: You need to send a command to the container to change the password. Assuming pihole is already up and running:

```sh
docker exec -it pihole pihole -a -p
```

Do not enter any value, just press the return key; this will remove the login screen for pihole.

HASS: Once hass is up and running, it will populate files in your `hassio` folder. Edit the `hassio/configuration.yaml` file and add the following lines at the top:

```yaml
homeassistant:
  auth_providers:
    - type: trusted_networks
      trusted_networks:
        - 172.18.0.0/24
      allow_bypass_login: true
```

This bypasses auth for all requests coming via the internal docker network. Since requests will be coming in via Traefik, this should not need additional authentication.
Portainer: Portainer does not support forward auth at this point.
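The HASS `trusted_networks` entry above only does what you expect if `172.18.0.0/24` is really the compose network Traefik is attached to (Docker picks the subnet, and it can change on a rebuild) and if it is no wider than that network, because every host inside a trusted range skips the HASS login. The following is an added check, not code from the repository or from Home Assistant: it reads the JSON that `docker network inspect <network>` prints and compares it with the trusted list. The network name `home-infrastructure_default`, the container IPs and the assumption that the proxy container is called `traefik` are all constructed for the sample.

```python
# Added example (not from the repository): verify that the trusted_networks
# list in hassio/configuration.yaml matches the compose network Traefik
# sits on, and reaches no further. Input is `docker network inspect` JSON;
# the samples below are constructed.
import ipaddress
import json


def compose_network(inspect_json):
    """Return (subnet, {container_name: ip}) from `docker network inspect` output."""
    net = json.loads(inspect_json)[0]
    subnet = ipaddress.ip_network(net["IPAM"]["Config"][0]["Subnet"])
    members = {c["Name"]: ipaddress.ip_interface(c["IPv4Address"]).ip
               for c in net["Containers"].values()}
    return subnet, members


def audit_trusted_networks(trusted, inspect_json, proxy="traefik"):
    """Problems found with the HASS trusted_networks list; an empty list is good."""
    subnet, members = compose_network(inspect_json)
    nets = [ipaddress.ip_network(t) for t in trusted]
    problems = []
    proxy_ip = members.get(proxy)
    if proxy_ip is None:
        problems.append(f"{proxy} is not attached to {subnet}")
    elif not any(proxy_ip in n for n in nets):
        problems.append(f"{proxy} ({proxy_ip}) is not trusted, so HASS will still ask for a login")
    for n in nets:
        # A range that is not inside the docker network would let other hosts
        # (for example the whole LAN) skip the HASS login as well.
        if n.version != subnet.version or not n.subnet_of(subnet):
            problems.append(f"{n} reaches beyond the docker network {subnet}")
    return problems


# Constructed sample of `docker network inspect home-infrastructure_default`.
INSPECT_OK = json.dumps([{
    "Name": "home-infrastructure_default",
    "IPAM": {"Config": [{"Subnet": "172.18.0.0/16", "Gateway": "172.18.0.1"}]},
    "Containers": {
        "aaa": {"Name": "traefik", "IPv4Address": "172.18.0.2/16"},
        "bbb": {"Name": "hass", "IPv4Address": "172.18.0.5/16"},
    },
}])
# The same stack after Docker assigned a different subnet on a rebuild.
INSPECT_MOVED = INSPECT_OK.replace("172.18.", "172.19.")

if __name__ == "__main__":
    for label, data in (("current", INSPECT_OK), ("after rebuild", INSPECT_MOVED)):
        print(label, audit_trusted_networks(["172.18.0.0/24"], data) or "ok")
```

On the real box, feed it `subprocess.run(["docker", "network", "inspect", "<network>"], capture_output=True, text=True).stdout` instead of the constructed JSON and re-run it whenever you rebuild with `./run.sh -kv`.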
## Adding or replacing services

You can add more services in the `docker-compose.yaml`, or replace existing services with something different, e.g. replacing `pihole` with `adguard`:

Remove the `pihole` entry from `docker-compose.yaml`:

```yaml
pihole:
  container_name: pihole
  ... more config
  ... everything.
```

Add the `adguard` config:

```yaml
adguard:
  container_name: adguard
  image: adguard/adguardhome:latest
  depends_on:
    - traefik
  restart: unless-stopped
  volumes:
    - adguard_data:/opt/adguardhome/work
    - ./build/adguard:/opt/adguardhome/conf
  network_mode: host
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.adguard.rule=Host(`adguard.${HOME_URL}`)"
    - "traefik.http.routers.adguard.entrypoints=websecure"
    - "traefik.http.services.adguard.loadbalancer.server.port=3333"
    - "traefik.http.routers.adguard.service=adguard"
    - "traefik.http.routers.adguard.tls.certresolver=homeinfra"
    - "traefik.http.routers.adguard.middlewares=tfa"
  logging:
    driver: gelf
    options:
      gelf-address: udp://localhost:12201
      tag: "adguard"
```

and register the named volume in the top-level `volumes:` section:

```yaml
volumes:
  ...
  adguard_data:
    name: "adguard_data"
  ...
```
Then kill all containers and force a rebuild:

```sh
./run.sh -kv
```
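When you add or replace a service, the thing most easily forgotten is the `middlewares=tfa` label: without it the router still gets a certificate and a hostname, but the forward-auth step is skipped and the service is published without the Google login. The audit below is an added example and not part of the repository: it groups every `traefik.http.routers.<name>.<key>=<value>` label by router and reports routers that are not on the `websecure` entrypoint, have no `tls.certresolver`, or lack `tfa`. The `adguard` labels are the ones from the compose snippet above; the `portainer` and `logstash` label sets are constructed, and `exempt` exists for services that cannot sit behind forward auth (the page notes Portainer is one).

```python
# Added example (not part of the repo): audit Traefik labels so that every
# HTTPS router carries the tfa forward-auth middleware and a TLS certresolver.
# Label names follow the adguard entry above; portainer/logstash samples are constructed.
import re

ROUTER_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+?)=(.*)$")


def routers_from_labels(labels):
    """Group `traefik.http.routers.<name>.<key>=<value>` labels by router name."""
    routers = {}
    for label in labels:
        m = ROUTER_RE.match(label)
        if m:
            name, key, value = m.groups()
            routers.setdefault(name, {})[key] = value
    return routers


def audit_routers(services, exempt=()):
    """Return (service, router, problem) triples; routers in `exempt` may skip tfa."""
    findings = []
    for service, labels in services.items():
        if "traefik.enable=true" not in labels:
            continue  # not published through the proxy at all
        for name, cfg in routers_from_labels(labels).items():
            middlewares = [m.strip() for m in cfg.get("middlewares", "").split(",") if m.strip()]
            if cfg.get("entrypoints") != "websecure":
                findings.append((service, name, "router is not limited to the websecure entrypoint"))
            if "tls.certresolver" not in cfg:
                findings.append((service, name, "router has no tls.certresolver"))
            if "tfa" not in middlewares and name not in exempt:
                findings.append((service, name, "router is missing the tfa forward-auth middleware"))
    return findings


SAMPLE_SERVICES = {
    "adguard": [  # labels as in the compose snippet above
        "traefik.enable=true",
        "traefik.http.routers.adguard.rule=Host(`adguard.${HOME_URL}`)",
        "traefik.http.routers.adguard.entrypoints=websecure",
        "traefik.http.services.adguard.loadbalancer.server.port=3333",
        "traefik.http.routers.adguard.service=adguard",
        "traefik.http.routers.adguard.tls.certresolver=homeinfra",
        "traefik.http.routers.adguard.middlewares=tfa",
    ],
    "portainer": [  # constructed: keeps its own login, so no tfa label
        "traefik.enable=true",
        "traefik.http.routers.portainer.rule=Host(`portainer.${HOME_URL}`)",
        "traefik.http.routers.portainer.entrypoints=websecure",
        "traefik.http.services.portainer.loadbalancer.server.port=9000",
        "traefik.http.routers.portainer.tls.certresolver=homeinfra",
    ],
    "logstash": [  # constructed: internal only, never published by Traefik
        "traefik.enable=false",
    ],
}

if __name__ == "__main__":
    for service, router, problem in audit_routers(SAMPLE_SERVICES):
        print(f"{service}/{router}: {problem}")
    print("with portainer exempted:", audit_routers(SAMPLE_SERVICES, exempt=("portainer",)))
```

To run it over the real file, load `docker-compose.yaml` with PyYAML and pass `{name: svc.get("labels", []) for name, svc in doc["services"].items()}`; services that write labels as a mapping rather than a list need to be joined into `key=value` strings first.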
## Credits

All the services installed using this script are the result of hard work by their respective owners. These carry their own licenses, rights and terms. The images used here are the last stable builds for the AARCH64 architecture. You can change the versions as you wish!

## License

MIT