# Seedbox configuration

Almost the whole stack can be configured using the main configuration file, `config.yaml`.

Here is what it looks like:
```yaml
# List of all services
services:
  # Name of the service
  - name: traefik
    # Flag indicating if the service will be created
    enabled: true
    # Define traefik behavior for this service
    traefik:
      # Enable or disable Traefik routing. For example, if your service is a DB, disable Traefik.
      enabled: true
      # Routing rules, which will be processed and rendered as Traefik "dynamic configuration" via file provider
      rules:
        # Host to match request. Any environment variable is supported here, as long as there are braces around it.
        - host: traefik.${TRAEFIK_DOMAIN}
          # Traefik service to match (if it is a particular one). Here the "api@internal" service is internal to Traefik (dashboard access).
          service: api@internal
          # Enable http authentication
          httpAuth: true
  # Another service
  - name: deluge
    enabled: true
    # Enable VPN (defaults to false). Service "gluetun" must be configured and enabled (with proper variables set in .env) to be able to use vpn mode on any service.
    vpn: true
    traefik:
      enabled: true
      rules:
        - host: deluge.${TRAEFIK_DOMAIN}
          httpAuth: true
          # Internal container port on which we want to bind the Traefik routing
          internalPort: 8112
  # Another service
  - name: flaresolverr
    enabled: true
    # Do not use VPN (same as omitting the key, since false is the default)
    vpn: false
    traefik:
      # This service is not reachable directly (no UI). So Traefik is disabled and rules are an empty array.
      enabled: false
      # Optional, won't be evaluated as Traefik is disabled
      rules: []
  # Another service with 2 Traefik rules
  - name: sonarr
    enabled: true
    vpn: false
    traefik:
      enabled: true
      rules:
        # First "regular" routing rule
        - host: sonarr.${TRAEFIK_DOMAIN}
          httpAuth: true
          internalPort: 8989
        # Another rule which bypasses certificate generation using Let's Encrypt (ACME challenge).
        - host: sonarr-unsecure.${TRAEFIK_DOMAIN}
          httpAuth: true
          internalPort: 8989
          # Using this flag, sonarr-unsecure.domain.com (for example) will be accessible ONLY via http protocol
          httpOnly: true
  # Another service with backend using https
  - name: nextcloud
    enabled: false
    vpn: false
    traefik:
      enabled: true
      rules:
        - host: nextcloud.${TRAEFIK_DOMAIN}
          httpAuth: false
          internalPort: 443
          # Specify that the routing will be on https://nextcloud:443 (internally), while by default services expose only http.
          # Nextcloud is known to be an exception and exposes only port 443 with SSL
          internalScheme: https
```
The provided `config.sample.yaml` is good enough to get started and will be used if no `config.yaml` is found.

Some general rules:

- In order to enable VPN (`vpn: true`) on a service, you must configure and enable the gluetun service.
- By default, all services match `http://service_name:port` for routing.
- By default, when `httpOnly` is false or not set, the service will be accessible from both http and https, but a redirection will be created from http to https.
- When `httpOnly` is set to true, the service will be accessible ONLY via http, bypassing certificate generation. It is useful when you do not want Traefik to handle certificates for this service.
## Environment variables

Also, do not forget to edit your `.env` file, which is where all the data sent to containers (passwords, tokens, uid for disk permissions...) lives.
## Add your own service

Let's say you want to add an nginx container without interfering with or creating conflicts in this git repository. That's possible.

Start by creating a file named `nginx.yaml` in the `services/custom/` directory:

```yaml
services:
  nginx:
    image: nginx:latest
    container_name: nginx
    restart: always
    # ...
```

Then, enable it in your `config.yaml`:

```yaml
services:
  # ...
  - name: nginx
    enabled: true
    vpn: false
    # Specify the path to your custom docker-compose file, relative to the "services" directory
    customFile: custom/nginx.yaml
    traefik:
      enabled: true
      rules:
        - host: nginx.${TRAEFIK_DOMAIN}
          httpAuth: false
          # 80 because the official nginx image uses this port
          internalPort: 80
  # ...
```

...and you're set!

Please note that the `customFile` flag MUST be relative to the "services" directory, because in some cases alternative yaml files for bundled services are provided in the services directory. For example, this repository provides a custom "plex-hardware-transcoding.yaml" file, with all the necessary adaptations to make Plex run with hardware transcoding enabled. Just add the `customFile` field in the `plex` service and this file will be used instead of the default "plex.yaml".
## Integration with other services (custom Traefik config)

You can also add your own Traefik configuration to integrate with local services on your LAN.

Just put your Traefik configuration file in the `samples/custom-traefik/` directory. All files will be copied into the Traefik configuration directory on each `run-seedbox` execution.

Example:

```yaml
http:
  routers:
    synology-admin:
      rule: 'Host(`synology-admin.{{ env "TRAEFIK_DOMAIN" }}`)'
      middlewares:
        - common-auth@file
      service: admin
  services:
    synology-admin:
      loadBalancer:
        servers:
          - url: "https://your-nas-hostname-on-your-local-network:5001"
```
## Disable HTTPS completely

If you want to handle your certificates on a firewall or another reverse proxy somewhere else on your network, it is now possible.

You just have to set `httpOnly: true` on all your services in `config.yaml`.

Then, make the machine which acts as reverse proxy (and handles certificates) point to every Traefik URL with the corresponding certificate, or set up a wildcard redirection, depending on your reverse proxy.
## How does it work?

Behind the scenes, the `run-seedbox.sh` script will parse your `config.yaml` file and will generate a Traefik dynamic configuration file, which looks like this:

```yaml
http:
  routers:
    deluge-1:
      rule: 'Host(`deluge.{{ env "TRAEFIK_DOMAIN" }}`)'
      middlewares:
        - common-auth@file
        - redirect-to-https
      service: deluge-1
    sonarr-1:
      rule: 'Host(`sonarr.{{ env "TRAEFIK_DOMAIN" }}`)'
      middlewares:
        - common-auth@file
        - redirect-to-https
      service: sonarr-1
    sonarr-2:
      rule: 'Host(`sonarr-unsecure.{{ env "TRAEFIK_DOMAIN" }}`)'
      middlewares:
        - common-auth@file
      service: sonarr-2
      entryPoints:
        - insecure
    nextcloud:
      rule: 'Host(`nextcloud.{{ env "TRAEFIK_DOMAIN" }}`)'
      middlewares:
        - redirect-to-https
      service: nextcloud-1
  services:
    deluge-1:
      loadBalancer:
        servers:
          # Gluetun is automatically set by run-seedbox.sh (instead of "deluge") because vpn was enabled on this service
          - url: "http://gluetun:8112"
    sonarr-1:
      loadBalancer:
        servers:
          - url: "http://sonarr:8989"
    sonarr-2:
      loadBalancer:
        servers:
          - url: "http://sonarr:8989"
    nextcloud-1:
      loadBalancer:
        servers:
          - url: "https://nextcloud:443"
```

This file will be automatically placed in the `traefik/custom/` directory (mounted by the Traefik container) so the config will apply dynamically. This file is updated on each `run-seedbox.sh` execution.
## VPN

In order to hide a service behind a VPN, just enable the `gluetun` service.

By default, the file used is `gluetun.yaml`, which is in "Wireguard custom" mode, meaning you must have a Wireguard server running somewhere and access to its client configuration. But you can add your own config to match your requirements. See the sections below.

### Default mode - Wireguard custom

- Edit the `.env` and replace the Wireguard variables with your own (take them from `.env.sample`).
- Enable the `gluetun` service.
- Enable VPN (`vpn: true`) on any service.
- Run `./run-seedbox.sh`.
- The service now uses Wireguard. If gluetun is down or if the VPN link is broken, your service won't have any access to the Internet.
### Your own mode (VPN provider supported by gluetun)

- Create a `gluetun-custom.yaml` in the `services/custom/` directory. You can duplicate the bundled `gluetun.yaml` to avoid starting from scratch.
- Adapt it to your needs (variables, mode...) according to your provider.
- Add all variables you may need (used in your custom yaml file) to your `.env` file (replacing the Wireguard ones).
- Edit your `config.yaml` and add `customFile: custom/gluetun-custom.yaml` in the `gluetun` section.
- Enable VPN (`vpn: true`) on any service.
- Run `./run-seedbox.sh`.
- The service now uses your VPN by tunneling via the gluetun container. If gluetun is down or if the VPN link is broken, your service won't have any access to the Internet.
### How is VPN handled?

Behind the scenes, the `run-seedbox.sh` script will mainly add 2 overrides when enabling VPN on a service:

- Adds a file in `services/generated/` which adds a `network_mode: gluetun` for your service.
- Specifies in the Traefik rule that the backend host is gluetun instead of the service directly.