diff --git a/manuscript/CHANGELOG.mde b/manuscript/CHANGELOG.mde new file mode 100644 index 0000000..9405c12 --- /dev/null +++ b/manuscript/CHANGELOG.mde @@ -0,0 +1,26 @@ +# CHANGELOG + +## Subscribe to updates + +* Email : Sign up [here](http://eepurl.com/dfx95n) (double-opt-in) to receive email updates on new and improve recipes! +* Mastodon: https://mastodon.social/@geekcookbook_changes +* RSS: https://mastodon.social/@geekcookbook_changes.rss +* The #changelog channel in our [Discord server](http://chat.funkypenguin.co.nz) + +## Recent additions to work-in-progress + +* Kubernetes recipes for UniFi controller, Miniflux, Kanboard and PrivateBin coming in March! (_19 Mar 2019_) + +## Recently added recipes +* Overhauled [Ceph (Shared Storage)](https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/shared-storage-ceph/) recipe for Ceph Octopus (v15) (_25 May 2020_) +* Added recipe for making your own [DIY Kubernetes Cluster](/kubernetes/diycluster/) (_14 December 2019_) +* Added recipe for [authenticating Traefik Forward Auth against KeyCloak](/ha-docker-swarm/traefik-forward-auth/keycloak/) (_16 May 2019_) +* Added [Bitwarden](/recipes/bitwarden/), an **awesome** open-source password manager, with great mobile sync support (_14 May 2019_) +* Added [Traefik Forward Auth](/ha-docker-swarm/traefik-forward-auth/), replacing function of multiple [oauth_proxies](/reference/oauth_proxy/) with a single, 7MB Go application, which can authenticate against Google, [KeyCloak](/recipes/keycloak/), and other OIDC providers (_10 May 2019_) + +## Recent improvements + +* Added recipe for [automated snapshots of Kubernetes Persistent Volumes](/kubernetes/snapshots/), instructions for using [Helm](/kubernetes/helm/), and recipe for deploying [Traefik](/kubernetes/traefik/), which completes the Kubernetes cluster design! (_9 Feb 2019_) +* Added detailed description (_and diagram_) of our [Kubernetes design](/kubernetes/design/), plus a [simple load-balancer design](kubernetes/loadbalancer/) to avoid the complexities/costs of permitting ingress access to a cluster (_7 Feb 2019_) +* Added an [introductory/explanatory page, including a children's story, on Kubernetes](/kubernetes/start/) (_29 Jan 2019_) +* [NextCloud](/recipes/nextcloud/) updated to fix CalDAV/CardDAV service discovery behind Traefik reverse proxy (_12 Dec 2018_) diff --git a/manuscript/README-UI.mde b/manuscript/README-UI.mde new file mode 100644 index 0000000..635418c --- /dev/null +++ b/manuscript/README-UI.mde @@ -0,0 +1,11 @@ +# How to read this book + +## Structure + +1. "Recipes" generally follow on from each other. I.e., if a particular recipe requires a mail server, that mail server would have been described in an earlier recipe. +2. Each recipe contains enough detail in a single page to take a project from start to completion. +3. When there are optional add-ons/integrations possible to a project (_i.e., the addition of "smart LED bulbs" to Home Assistant_), this will be reflected either as a brief "Chef's note" after the recipe, or if they're substantial enough, as a sub-page of the main project + +## Conventions + +1. When creating swarm networks, we always explicitly set the subnet in the overlay network, to avoid potential conflicts (_which docker won't prevent, but which will generate errors_) (https://github.com/moby/moby/issues/26912) diff --git a/manuscript/ha-docker-swarm/design.md b/manuscript/ha-docker-swarm/design.md index f358575..30b925e 100644 --- a/manuscript/ha-docker-swarm/design.md +++ b/manuscript/ha-docker-swarm/design.md @@ -92,4 +92,4 @@ In summary, although I suffered an **unplanned power outage to all of my infrast [^1]: Since there's no impact to availability, I can fix (or just reinstall) the failed node whenever convenient. -## Chef's Notes 📓 \ No newline at end of file +## Chef's Notes \ No newline at end of file diff --git a/manuscript/ha-docker-swarm/design.mde b/manuscript/ha-docker-swarm/design.mde new file mode 100644 index 0000000..b11e967 --- /dev/null +++ b/manuscript/ha-docker-swarm/design.mde @@ -0,0 +1,95 @@ +# Design + +In the design described below, our "private cloud" platform is: + +* **Highly-available** (_can tolerate the failure of a single component_) +* **Scalable** (_can add resource or capacity as required_) +* **Portable** (_run it on your garage server today, run it in AWS tomorrow_) +* **Secure** (_access protected with [LetsEncrypt certificates](/ha-docker-swarm/traefik/) and optional [OIDC with 2FA](/ha-docker-swarm/traefik-forward-auth/)_) +* **Automated** (_requires minimal care and feeding_) + +## Design Decisions + +**Where possible, services will be highly available.** + +This means that: + +* At least 3 docker swarm manager nodes are required, to provide fault-tolerance of a single failure. +* [Ceph](/ha-docker-swarm/shared-storage-ceph/) is employed for share storage, because it too can be made tolerant of a single failure. + +!!! note + An exception to the 3-nodes decision is running a single-node configuration. If you only **have** one node, then obviously your swarm is only as resilient as that node. It's still a perfectly valid swarm configuration, ideal for starting your self-hosting journey. In fact, under the single-node configuration, you don't need ceph either, and you can simply use the local volume on your host for storage. You'll be able to migrate to ceph/more nodes if/when you expand. + +**Where multiple solutions to a requirement exist, preference will be given to the most portable solution.** + +This means that: + +* Services are defined using docker-compose v3 YAML syntax +* Services are portable, meaning a particular stack could be shut down and moved to a new provider with minimal effort. + +## Security + +Under this design, the only inbound connections we're permitting to our docker swarm in a **minimal** configuration (*you may add custom services later, like UniFi Controller*) are: + +### Network Flows + +* **HTTP (TCP 80)** : Redirects to https +* **HTTPS (TCP 443)** : Serves individual docker containers via SSL-encrypted reverse proxy + +### Authentication + +* Where the hosted application provides a trusted level of authentication (*i.e., [NextCloud](/recipes/nextcloud/)*), or where the application requires public exposure (*i.e. [Privatebin](/recipes/privatebin/)*), no additional layer of authentication will be required. +* Where the hosted application provides inadequate (*i.e. [NZBGet](/recipes/autopirate/nzbget/)*) or no authentication (*i.e. [Gollum](/recipes/gollum/)*), a further authentication against an OAuth provider will be required. + + +## High availability + +### Normal function + +Assuming a 3-node configuration, under normal circumstances the following is illustrated: + +* All 3 nodes provide shared storage via Ceph, which is provided by a docker container on each node. +* All 3 nodes participate in the Docker Swarm as managers. +* The various containers belonging to the application "stacks" deployed within Docker Swarm are automatically distributed amongst the swarm nodes. +* Persistent storage for the containers is provide via cephfs mount. +* The **traefik** service (*in swarm mode*) receives incoming requests (*on HTTP and HTTPS*), and forwards them to individual containers. Traefik knows the containers names because it's able to read the docker socket. +* All 3 nodes run keepalived, at varying priorities. Since traefik is running as a swarm service and listening on TCP 80/443, requests made to the keepalived VIP and arriving at **any** of the swarm nodes will be forwarded to the traefik container (*no matter which node it's on*), and then onto the target backend. + +![HA function](../images/docker-swarm-ha-function.png) + +### Node failure + +In the case of a failure (or scheduled maintenance) of one of the nodes, the following is illustrated: + +* The failed node no longer participates in Ceph, but the remaining nodes provide enough fault-tolerance for the cluster to operate. +* The remaining two nodes in Docker Swarm achieve a quorum and agree that the failed node is to be removed. +* The (*possibly new*) leader manager node reschedules the containers known to be running on the failed node, onto other nodes. +* The **traefik** service is either restarted or unaffected, and as the backend containers stop/start and change IP, traefik is aware and updates accordingly. +* The keepalived VIP continues to function on the remaining nodes, and docker swarm continues to forward any traffic received on TCP 80/443 to the appropriate node. + +![HA function](../images/docker-swarm-node-failure.png) + +### Node restore + +When the failed (*or upgraded*) host is restored to service, the following is illustrated: + +* Ceph regains full redundancy +* Docker Swarm managers become aware of the recovered node, and will use it for scheduling **new** containers +* Existing containers which were migrated off the node are not migrated backend +* Keepalived VIP regains full redundancy + + +![HA function](../images/docker-swarm-node-restore.png) + +### Total cluster failure + +A day after writing this, my environment suffered a fault whereby all 3 VMs were unexpectedly and simultaneously powered off. + +Upon restore, docker failed to start on one of the VMs due to local disk space issue[^1]. However, the other two VMs started, established the swarm, mounted their shared storage, and started up all the containers (services) which were managed by the swarm. + +In summary, although I suffered an **unplanned power outage to all of my infrastructure**, followed by a **failure of a third of my hosts**... ==all my platforms are 100% available with **absolutely no manual intervention**==. + +[^1]: Since there's no impact to availability, I can fix (or just reinstall) the failed node whenever convenient. + + +## Chef's Notes 📓 \ No newline at end of file diff --git a/manuscript/ha-docker-swarm/docker-swarm-mode.md b/manuscript/ha-docker-swarm/docker-swarm-mode.md index 8cec755..169d6bf 100644 --- a/manuscript/ha-docker-swarm/docker-swarm-mode.md +++ b/manuscript/ha-docker-swarm/docker-swarm-mode.md @@ -172,4 +172,4 @@ After completing the above, you should have: * [X] [Docker swarm cluster](https://geek-cookbook.funkypenguin.co.nz/)ha-docker-swarm/design/) -## Chef's Notes 📓 \ No newline at end of file +## Chef's Notes \ No newline at end of file diff --git a/manuscript/ha-docker-swarm/docker-swarm-mode.mde b/manuscript/ha-docker-swarm/docker-swarm-mode.mde new file mode 100644 index 0000000..0e1c5ca --- /dev/null +++ b/manuscript/ha-docker-swarm/docker-swarm-mode.mde @@ -0,0 +1,175 @@ +# Docker Swarm Mode + +For truly highly-available services with Docker containers, we need an orchestration system. Docker Swarm (as defined at 1.13) is the simplest way to achieve redundancy, such that a single docker host could be turned off, and none of our services will be interrupted. + +## Ingredients + +!!! summary + Existing + + * [X] 3 x nodes (*bare-metal or VMs*), each with: + * A mainstream Linux OS (*tested on either [CentOS](https://www.centos.org) 7+ or [Ubuntu](http://releases.ubuntu.com) 16.04+*) + * At least 2GB RAM + * At least 20GB disk space (_but it'll be tight_) + * [X] Connectivity to each other within the same subnet, and on a low-latency link (_i.e., no WAN links_) + +## Preparation + +### Bash auto-completion + +Add some handy bash auto-completion for docker. Without this, you'll get annoyed that you can't autocomplete ```docker stack deploy -c ``` commands. + +``` +cd /etc/bash_completion.d/ +curl -O https://raw.githubusercontent.com/docker/cli/b75596e1e4d5295ac69b9934d1bd8aff691a0de8/contrib/completion/bash/docker +``` + +Install some useful bash aliases on each host +``` +cd ~ +curl -O https://raw.githubusercontent.com/funkypenguin/geek-cookbook/master/examples/scripts/gcb-aliases.sh +echo 'source ~/gcb-aliases.sh' >> ~/.bash_profile +``` + +## Serving + +### Release the swarm! + +Now, to launch a swarm. Pick a target node, and run `docker swarm init` + +Yeah, that was it. Seriously. Now we have a 1-node swarm. + +``` +[root@ds1 ~]# docker swarm init +Swarm initialized: current node (b54vls3wf8xztwfz79nlkivt8) is now a manager. + +To add a worker to this swarm, run the following command: + + docker swarm join \ + --token SWMTKN-1-2orjbzjzjvm1bbo736xxmxzwaf4rffxwi0tu3zopal4xk4mja0-bsud7xnvhv4cicwi7l6c9s6l0 \ + 202.170.164.47:2377 + +To add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions. + +[root@ds1 ~]# +``` + +Run `docker node ls` to confirm that you have a 1-node swarm: + +``` +[root@ds1 ~]# docker node ls +ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS +b54vls3wf8xztwfz79nlkivt8 * ds1.funkypenguin.co.nz Ready Active Leader +[root@ds1 ~]# +``` + +Note that when you run `docker swarm init` above, the CLI output gives youe a command to run to join further nodes to my swarm. This command would join the nodes as __workers__ (*as opposed to __managers__*). Workers can easily be promoted to managers (*and demoted again*), but since we know that we want our other two nodes to be managers too, it's simpler just to add them to the swarm as managers immediately. + +On the first swarm node, generate the necessary token to join another manager by running ```docker swarm join-token manager```: + +``` +[root@ds1 ~]# docker swarm join-token manager +To add a manager to this swarm, run the following command: + + docker swarm join \ + --token SWMTKN-1-2orjbzjzjvm1bbo736xxmxzwaf4rffxwi0tu3zopal4xk4mja0-cfm24bq2zvfkcwujwlp5zqxta \ + 202.170.164.47:2377 + +[root@ds1 ~]# +``` + +Run the command provided on your other nodes to join them to the swarm as managers. After addition of a node, the output of ```docker node ls``` (on either host) should reflect all the nodes: + + +``` +[root@ds2 davidy]# docker node ls +ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS +b54vls3wf8xztwfz79nlkivt8 ds1.funkypenguin.co.nz Ready Active Leader +xmw49jt5a1j87a6ihul76gbgy * ds2.funkypenguin.co.nz Ready Active Reachable +[root@ds2 davidy]# +``` + +### Setup automated cleanup + +Docker swarm doesn't do any cleanup of old images, so as you experiment with various stacks, and as updated containers are released upstream, you'll soon find yourself loosing gigabytes of disk space to old, unused images. + +To address this, we'll run the "[meltwater/docker-cleanup](https://github.com/meltwater/docker-cleanup)" container on all of our nodes. The container will clean up unused images after 30 minutes. + +First, create docker-cleanup.env (_mine is under /var/data/config/docker-cleanup_), and exclude container images we **know** we want to keep: + +``` +KEEP_IMAGES=traefik,keepalived,docker-mailserver +DEBUG=1 +``` + +Then create a docker-compose.yml as follows: + +``` +version: "3" + +services: + docker-cleanup: + image: meltwater/docker-cleanup:latest + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - /var/lib/docker:/var/lib/docker + networks: + - internal + deploy: + mode: global + env_file: /var/data/config/docker-cleanup/docker-cleanup.env + +networks: + internal: + driver: overlay + ipam: + config: + - subnet: 172.16.0.0/24 +``` + +!!! note + Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](/reference/networks/) here. + +Launch the cleanup stack by running ```docker stack deploy docker-cleanup -c ``` + +### Setup automatic updates + +If your swarm runs for a long time, you might find yourself running older container images, after newer versions have been released. If you're the sort of geek who wants to live on the edge, configure [shepherd](https://github.com/djmaze/shepherd) to auto-update your container images regularly. + +Create /var/data/config/shepherd/shepherd.env as follows: + +``` +# Don't auto-update Plex or Emby, I might be watching a movie! (Customize this for the containers you _don't_ want to auto-update) +BLACKLIST_SERVICES="plex_plex emby_emby" +# Run every 24 hours. Note that SLEEP_TIME appears to be in seconds. +SLEEP_TIME=86400 +``` + +Then create /var/data/config/shepherd/shepherd.yml as follows: + +``` +version: "3" + +services: + shepherd-app: + image: mazzolino/shepherd + env_file : /var/data/config/shepherd/shepherd.env + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + labels: + - "traefik.enable=false" + deploy: + placement: + constraints: [node.role == manager] +``` + +Launch shepherd by running ```docker stack deploy shepherd -c /var/data/config/shepherd/shepherd.yml```, and then just forget about it, comfortable in the knowledge that every day, Shepherd will check that your images are the latest available, and if not, will destroy and recreate the container on the latest available image. + +### Summary + +After completing the above, you should have: + +* [X] [Docker swarm cluster](/ha-docker-swarm/design/) + + +## Chef's Notes 📓 \ No newline at end of file diff --git a/manuscript/ha-docker-swarm/index.mde b/manuscript/ha-docker-swarm/index.mde new file mode 100644 index 0000000..e69de29 diff --git a/manuscript/ha-docker-swarm/keepalived.md b/manuscript/ha-docker-swarm/keepalived.md index 84b9d77..244f5d8 100644 --- a/manuscript/ha-docker-swarm/keepalived.md +++ b/manuscript/ha-docker-swarm/keepalived.md @@ -65,7 +65,7 @@ docker run -d --name keepalived --restart=always \ That's it. Each node will talk to the other via unicast (no need to un-firewall multicast addresses), and the node with the highest priority gets to be the master. When ingress traffic arrives on the master node via the VIP, docker's routing mesh will deliver it to the appropriate docker node. -## Chef's notes 📓 +## Chef's notes 1. Some hosting platforms (*OpenStack, for one*) won't allow you to simply "claim" a virtual IP. Each node is only able to receive traffic targetted to its unique IP, unless certain security controls are disabled by the cloud administrator. In this case, keepalived is not the right solution, and a platform-specific load-balancing solution should be used. In OpenStack, this is Neutron's "Load Balancer As A Service" (LBAAS) component. AWS, GCP and Azure would likely include similar protections. 2. More than 2 nodes can participate in keepalived. Simply ensure that each node has the appropriate priority set, and the node with the highest priority will become the master. \ No newline at end of file diff --git a/manuscript/ha-docker-swarm/keepalived.mde b/manuscript/ha-docker-swarm/keepalived.mde new file mode 100644 index 0000000..84b9d77 --- /dev/null +++ b/manuscript/ha-docker-swarm/keepalived.mde @@ -0,0 +1,71 @@ +# Keepalived + +While having a self-healing, scalable docker swarm is great for availability and scalability, none of that is any good if nobody can connect to your cluster. + +In order to provide seamless external access to clustered resources, regardless of which node they're on and tolerant of node failure, you need to present a single IP to the world for external access. + +Normally this is done using a HA loadbalancer, but since Docker Swarm aready provides the load-balancing capabilities (*[routing mesh](https://docs.docker.com/engine/swarm/ingress/)*), all we need for seamless HA is a virtual IP which will be provided by more than one docker node. + +This is accomplished with the use of keepalived on at least two nodes. + +## Ingredients + +!!! summary "Ingredients" + Already deployed: + + * [X] At least 2 x swarm nodes + * [X] low-latency link (i.e., no WAN links) + + New: + + * [ ] At least 3 x IPv4 addresses (one for each node and one for the virtual IP) + +## Preparation + +### Enable IPVS module + +On all nodes which will participate in keepalived, we need the "ip_vs" kernel module, in order to permit serivces to bind to non-local interface addresses. + +Set this up once for both the primary and secondary nodes, by running: + +``` +echo "modprobe ip_vs" >> /etc/rc.local +modprobe ip_vs +``` + +### Setup nodes + +Assuming your IPs are as follows: + +* 192.168.4.1 : Primary +* 192.168.4.2 : Secondary +* 192.168.4.3 : Virtual + +Run the following on the primary +``` +docker run -d --name keepalived --restart=always \ + --cap-add=NET_ADMIN --net=host \ + -e KEEPALIVED_UNICAST_PEERS="#PYTHON2BASH:['192.168.4.1', '192.168.4.2']" \ + -e KEEPALIVED_VIRTUAL_IPS=192.168.4.3 \ + -e KEEPALIVED_PRIORITY=200 \ + osixia/keepalived:1.3.5 +``` + +And on the secondary: +``` +docker run -d --name keepalived --restart=always \ + --cap-add=NET_ADMIN --net=host \ + -e KEEPALIVED_UNICAST_PEERS="#PYTHON2BASH:['192.168.4.1', '192.168.4.2']" \ + -e KEEPALIVED_VIRTUAL_IPS=192.168.4.3 \ + -e KEEPALIVED_PRIORITY=100 \ + osixia/keepalived:1.3.5 +``` + +## Serving + +That's it. Each node will talk to the other via unicast (no need to un-firewall multicast addresses), and the node with the highest priority gets to be the master. When ingress traffic arrives on the master node via the VIP, docker's routing mesh will deliver it to the appropriate docker node. + +## Chef's notes 📓 + +1. Some hosting platforms (*OpenStack, for one*) won't allow you to simply "claim" a virtual IP. Each node is only able to receive traffic targetted to its unique IP, unless certain security controls are disabled by the cloud administrator. In this case, keepalived is not the right solution, and a platform-specific load-balancing solution should be used. In OpenStack, this is Neutron's "Load Balancer As A Service" (LBAAS) component. AWS, GCP and Azure would likely include similar protections. +2. More than 2 nodes can participate in keepalived. Simply ensure that each node has the appropriate priority set, and the node with the highest priority will become the master. \ No newline at end of file diff --git a/manuscript/ha-docker-swarm/maintenance.mde b/manuscript/ha-docker-swarm/maintenance.mde new file mode 100644 index 0000000..89d98ee --- /dev/null +++ b/manuscript/ha-docker-swarm/maintenance.mde @@ -0,0 +1,83 @@ +# Introduction + +## Adding a host + +## Adding storage + +gluster volume add-brick VOLNAME NEW_BRICK + +example + +# gluster volume add-brick test-volume server4:/exp4 +Add Brick successful + +# Replacing failed host + +Followed https://access.redhat.com/documentation/en-US/Red_Hat_Storage/3/html/Administration_Guide/sect-Replacing_Hosts.html + + +[root@glusterfs-server /]# gluster peer status +Number of Peers: 1 + +Hostname: ds1 +Uuid: db9c80da-11e4-461d-8ea5-66dd12ca897c +State: Peer in Cluster (Disconnected) +[root@glusterfs-server /]# + +Grab UUID above + +edit /var/lib/glusterd/glusterd.info +change: +UUID=aee45c2c-aa19-4d29-bc94-4833f2b22863 +to +UUID=db9c80da-11e4-461d-8ea5-66dd12ca897c + +My peer's id (ds2): +[root@glusterfs-server /]# gluster system:: uuid get +UUID: 38ca4e8b-8ef5-4165-9f41-5c8b3f0103cc +[root@glusterfs-server /]# + +vi /var/lib/glusterd/peers/38ca4e8b-8ef5-4165-9f41-5c8b3f0103cc + +UUID=38ca4e8b-8ef5-4165-9f41-5c8b3f0103cc +state=3 +hostname=ds3 + + + +Got volume info + + +[root@glusterfs-server /]# gluster volume info + +Volume Name: gv0 +Type: Replicate +Volume ID: 84e1169c-41dc-467a-9ae1-a474efaf789f +Status: Started +Snapshot Count: 0 +Number of Bricks: 1 x 2 = 2 +Transport-type: tcp +Bricks: +Brick1: ds1:/var/no-direct-write-here/brick1/gv0 +Brick2: ds3:/var/no-direct-write-here/brick1/gv0 +Options Reconfigured: +nfs.disable: on +transport.address-family: inet +[root@glusterfs-server /]# + + + +---- +[root@glusterfs-server /]# getfattr -d -m. -ehex /var/no-direct-write-here/brick1/gv0/ +getfattr: Removing leading '/' from absolute path names +# file: var/no-direct-write-here/brick1/gv0/ +security.selinux=0x73797374656d5f753a6f626a6563745f723a756e6c6162656c65645f743a733000 +trusted.gfid=0x00000000000000000000000000000001 +trusted.glusterfs.dht=0x000000010000000000000000ffffffff +trusted.glusterfs.volume-id=0x84e1169c41dc467a9ae1a474efaf789f + +[root@glusterfs-server /]# + + + +setfattr -n trusted.glusterfs.volume-id -v 0x84e1169c41dc467a9ae1a474efaf789f /var/no-direct-write-here/brick1/gv0 diff --git a/manuscript/ha-docker-swarm/nodes.md b/manuscript/ha-docker-swarm/nodes.md index c989ab9..5629165 100644 --- a/manuscript/ha-docker-swarm/nodes.md +++ b/manuscript/ha-docker-swarm/nodes.md @@ -76,4 +76,4 @@ After completing the above, you should have: * At least 20GB disk space (_but it'll be tight_) * [X] Connectivity to each other within the same subnet, and on a low-latency link (_i.e., no WAN links_) -## Chef's Notes 📓 \ No newline at end of file +## Chef's Notes \ No newline at end of file diff --git a/manuscript/ha-docker-swarm/nodes.mde b/manuscript/ha-docker-swarm/nodes.mde new file mode 100644 index 0000000..373045c --- /dev/null +++ b/manuscript/ha-docker-swarm/nodes.mde @@ -0,0 +1,79 @@ +# Nodes + +Let's start building our cluster. You can use either bare-metal machines or virtual machines - the configuration would be the same. To avoid confusion, I'll be referring to these as "nodes" from now on. + +!!! note + In 2017, I **initially** chose the "[Atomic](https://www.projectatomic.io/)" CentOS/Fedora image for the swarm hosts, but later found its outdated version of Docker to be problematic with advanced features like GPU transcoding (in [Plex](/recipes/plex/)), [Swarmprom](/recipes/swarmprom/), etc. In the end, I went mainstream and simply preferred a modern Ubuntu installation. + +## Ingredients + +!!! summary "Ingredients" + New in this recipe: + + * [ ] 3 x nodes (*bare-metal or VMs*), each with: + * A mainstream Linux OS (*tested on either [CentOS](https://www.centos.org) 7+ or [Ubuntu](http://releases.ubuntu.com) 16.04+*) + * At least 2GB RAM + * At least 20GB disk space (_but it'll be tight_) + * [ ] Connectivity to each other within the same subnet, and on a low-latency link (_i.e., no WAN links_) + + +## Preparation + +### Permit connectivity + +Most modern Linux distributions include firewall rules which only only permit minimal required incoming connections (like SSH). We'll want to allow all traffic between our nodes. The steps to achieve this in CentOS/Ubuntu are a little different... + +#### CentOS + +Add something like this to `/etc/sysconfig/iptables`: + +``` +# Allow all inter-node communication +-A INPUT -s 192.168.31.0/24 -j ACCEPT +``` + +And restart iptables with ```systemctl restart iptables``` + +#### Ubuntu + +Install the (*non-default*) persistent iptables tools, by running `apt-get install iptables-persistent`, establishing some default rules (*dkpg will prompt you to save current ruleset*), and then add something like this to `/etc/iptables/rules.v4`: + +``` +# Allow all inter-node communication +-A INPUT -s 192.168.31.0/24 -j ACCEPT +``` + +And refresh your running iptables rules with `iptables-restore < /etc/iptables/rules.v4` + +### Enable hostname resolution + +Depending on your hosting environment, you may have DNS automatically setup for your VMs. If not, it's useful to set up static entries in /etc/hosts for the nodes. For example, I setup the following: + +``` +192.168.31.11 ds1 ds1.funkypenguin.co.nz +192.168.31.12 ds2 ds2.funkypenguin.co.nz +192.168.31.13 ds3 ds3.funkypenguin.co.nz +``` + +### Set timezone + +Set your local timezone, by running: + +``` +ln -sf /usr/share/zoneinfo/ /etc/localtime +``` + +## Serving + +After completing the above, you should have: + +!!! summary "Summary" + Deployed in this recipe: + + * [X] 3 x nodes (*bare-metal or VMs*), each with: + * A mainstream Linux OS (*tested on either [CentOS](https://www.centos.org) 7+ or [Ubuntu](http://releases.ubuntu.com) 16.04+*) + * At least 2GB RAM + * At least 20GB disk space (_but it'll be tight_) + * [X] Connectivity to each other within the same subnet, and on a low-latency link (_i.e., no WAN links_) + +## Chef's Notes 📓 \ No newline at end of file diff --git a/manuscript/ha-docker-swarm/registry.md b/manuscript/ha-docker-swarm/registry.md index 3cb32e1..77a0ca9 100644 --- a/manuscript/ha-docker-swarm/registry.md +++ b/manuscript/ha-docker-swarm/registry.md @@ -110,4 +110,4 @@ systemctl restart docker-latest !!! tip "" Note the extra comma required after "false" above -## Chef's notes 📓 \ No newline at end of file +## Chef's notes \ No newline at end of file diff --git a/manuscript/ha-docker-swarm/registry.mde b/manuscript/ha-docker-swarm/registry.mde new file mode 100644 index 0000000..8b2944d --- /dev/null +++ b/manuscript/ha-docker-swarm/registry.mde @@ -0,0 +1,113 @@ +# Create registry mirror + +Although we now have shared storage for our persistent container data, our docker nodes don't share any other docker data, such as container images. This results in an inefficiency - every node which participates in the swarm will, at some point, need the docker image for every container deployed in the swarm. + +When dealing with large container (looking at you, GitLab!), this can result in several gigabytes of wasted bandwidth per-node, and long delays when restarting containers on an alternate node. (_It also wastes disk space on each node, but we'll get to that in the next section_) + +The solution is to run an official Docker registry container as a ["pull-through" cache, or "registry mirror"](https://docs.docker.com/registry/recipes/mirror/). By using our persistent storage for the registry cache, we can ensure we have a single copy of all the containers we've pulled at least once. After the first pull, any subsequent pulls from our nodes will use the cached version from our registry mirror. As a result, services are available more quickly when restarting container nodes, and we can be more aggressive about cleaning up unused containers on our nodes (more later) + +The registry mirror runs as a swarm stack, using a simple docker-compose.yml. Customize __your mirror FQDN__ below, so that Traefik will generate the appropriate LetsEncrypt certificates for it, and make it available via HTTPS. + +## Ingredients + +1. [Docker swarm cluster](/ha-docker-swarm/design/) with [persistent shared storage](/ha-docker-swarm/shared-storage-ceph.md) +2. [Traefik](/ha-docker-swarm/traefik) configured per design +3. DNS entry for the hostname you intend to use, pointed to your [keepalived](ha-docker-swarm/keepalived/) IP + + +## Preparation + +Create /var/data/config/registry/registry.yml as follows: + +``` +version: "3" + +services: + + registry-mirror: + image: registry:2 + networks: + - traefik_public + deploy: + labels: + - traefik.frontend.rule=Host: + - traefik.docker.network=traefik_public + - traefik.port=5000 + ports: + - 5000:5000 + volumes: + - /var/data/registry/registry-mirror-data:/var/lib/registry + - /var/data/registry/registry-mirror-config.yml:/etc/docker/registry/config.yml + +networks: + traefik_public: + external: true +``` + +!!! note "Unencrypted registry" + We create this registry without consideration for SSL, which will fail if we attempt to use the registry directly. However, we're going to use the HTTPS-proxied version via Traefik, leveraging Traefik to manage the LetsEncrypt certificates required. + + +Create /var/data/registry/registry-mirror-config.yml as follows: +``` +version: 0.1 +log: + fields: + service: registry +storage: + cache: + blobdescriptor: inmemory + filesystem: + rootdirectory: /var/lib/registry + delete: + enabled: true +http: + addr: :5000 + headers: + X-Content-Type-Options: [nosniff] +health: + storagedriver: + enabled: true + interval: 10s + threshold: 3 +proxy: + remoteurl: https://registry-1.docker.io +``` + +## Serving + +### Launch registry stack + +Launch the registry stack by running ```docker stack deploy registry -c ``` + +### Enable registry mirror and experimental features + +To tell docker to use the registry mirror, and (_while we're here_) in order to be able to watch the logs of any service from any manager node (_an experimental feature in the current Atomic docker build_), edit **/etc/docker-latest/daemon.json** on each node, and change from: + +``` +{ + "log-driver": "journald", + "signature-verification": false +} +``` + +To: + +``` +{ + "log-driver": "journald", + "signature-verification": false, + "experimental": true, + "registry-mirrors": ["https://"] +} +``` + +Then restart docker by running: +``` +systemctl restart docker-latest +``` + +!!! tip "" + Note the extra comma required after "false" above + +## Chef's notes 📓 \ No newline at end of file diff --git a/manuscript/ha-docker-swarm/shared-storage-ceph.md b/manuscript/ha-docker-swarm/shared-storage-ceph.md index 70fcecb..bd7f256 100644 --- a/manuscript/ha-docker-swarm/shared-storage-ceph.md +++ b/manuscript/ha-docker-swarm/shared-storage-ceph.md @@ -213,6 +213,6 @@ Here's a screencast of the playbook in action. I sped up the boring parts, it ac [patreon]: https://www.patreon.com/bePatron?u=6982506 [github_sponsor]: https://github.com/sponsors/funkypenguin -## Chef's Notes 📓 +## Chef's Notes [^1]: Minimum Viable Cluster acronym copyright, trademark, and whatever else, to Funky Penguin for 1,000,000 years. diff --git a/manuscript/ha-docker-swarm/shared-storage-ceph.mde b/manuscript/ha-docker-swarm/shared-storage-ceph.mde new file mode 100644 index 0000000..cf7485f --- /dev/null +++ b/manuscript/ha-docker-swarm/shared-storage-ceph.mde @@ -0,0 +1,218 @@ +# Shared Storage (Ceph) + +While Docker Swarm is great for keeping containers running (_and restarting those that fail_), it does nothing for persistent storage. This means if you actually want your containers to keep any data persistent across restarts (_hint: you do!_), you need to provide shared storage to every docker node. + +![Ceph Screenshot](../images/ceph.png) + +## Ingredients + +!!! summary "Ingredients" + 3 x Virtual Machines (configured earlier), each with: + + * [X] Support for "modern" versions of Python and LVM + * [X] At least 1GB RAM + * [X] At least 20GB disk space (_but it'll be tight_) + * [X] Connectivity to each other within the same subnet, and on a low-latency link (_i.e., no WAN links_) + * [X] A second disk dedicated to the Ceph OSD + * [X] Each node should have the IP of every other participating node hard-coded in /etc/hosts (*including its own IP*) + +## Preparation + +!!! tip "No more [foolish games](https://www.youtube.com/watch?v=UNoouLa7uxA)" + Earlier iterations of this recipe (*based on [Ceph Jewel](https://docs.ceph.com/docs/master/releases/jewel/)*) required significant manual effort to install Ceph in a Docker environment. In the 2+ years since Jewel was released, significant improvements have been made to the ceph "deploy-in-docker" process, including the [introduction of the cephadm tool](https://ceph.io/ceph-management/introducing-cephadm/). Cephadm is the tool which now does all the heavy lifting, below, for the current version of ceph, codenamed "[Octopus](https://www.youtube.com/watch?v=Gi58pN8W3hY)". + +### Pick a master node + +One of your nodes will become the cephadm "master" node. Although all nodes will participate in the Ceph cluster, the master node will be the node which we bootstrap ceph on. It's also the node which will run the Ceph dashboard, and on which future upgrades will be processed. It doesn't matter _which_ node you pick, and the cluster itself will operate in the event of a loss of the master node (although you won't see the dashboard) + +### Install cephadm on master node + +Run the following on the ==master== node: + +``` +MYIP=`ip route get 1.1.1.1 | grep -oP 'src \K\S+'` +curl --silent --remote-name --location https://github.com/ceph/ceph/raw/octopus/src/cephadm/cephadm +chmod +x cephadm +mkdir -p /etc/ceph +./cephadm bootstrap --mon-ip $MYIP +``` + +The process takes about 30 seconds, after which, you'll have a MVC (*Minimum Viable Cluster*)[^1], encompassing a single monitor and mgr instance on your chosen node. Here's the complete output from a fresh install: + +??? "Example output from a fresh cephadm bootstrap" + ``` + root@raphael:~# MYIP=`ip route get 1.1.1.1 | grep -oP 'src \K\S+'` + root@raphael:~# curl --silent --remote-name --location https://github.com/ceph/ceph/raw/octopus/src/cephadm/cephadm + + root@raphael:~# chmod +x cephadm + root@raphael:~# mkdir -p /etc/ceph + root@raphael:~# ./cephadm bootstrap --mon-ip $MYIP + INFO:cephadm:Verifying podman|docker is present... + INFO:cephadm:Verifying lvm2 is present... + INFO:cephadm:Verifying time synchronization is in place... + INFO:cephadm:Unit systemd-timesyncd.service is enabled and running + INFO:cephadm:Repeating the final host check... + INFO:cephadm:podman|docker (/usr/bin/docker) is present + INFO:cephadm:systemctl is present + INFO:cephadm:lvcreate is present + INFO:cephadm:Unit systemd-timesyncd.service is enabled and running + INFO:cephadm:Host looks OK + INFO:root:Cluster fsid: bf3eff78-9e27-11ea-b40a-525400380101 + INFO:cephadm:Verifying IP 192.168.38.101 port 3300 ... + INFO:cephadm:Verifying IP 192.168.38.101 port 6789 ... + INFO:cephadm:Mon IP 192.168.38.101 is in CIDR network 192.168.38.0/24 + INFO:cephadm:Pulling latest docker.io/ceph/ceph:v15 container... + INFO:cephadm:Extracting ceph user uid/gid from container image... + INFO:cephadm:Creating initial keys... + INFO:cephadm:Creating initial monmap... + INFO:cephadm:Creating mon... + INFO:cephadm:Waiting for mon to start... + INFO:cephadm:Waiting for mon... + INFO:cephadm:mon is available + INFO:cephadm:Assimilating anything we can from ceph.conf... + INFO:cephadm:Generating new minimal ceph.conf... + INFO:cephadm:Restarting the monitor... + INFO:cephadm:Setting mon public_network... + INFO:cephadm:Creating mgr... + INFO:cephadm:Wrote keyring to /etc/ceph/ceph.client.admin.keyring + INFO:cephadm:Wrote config to /etc/ceph/ceph.conf + INFO:cephadm:Waiting for mgr to start... + INFO:cephadm:Waiting for mgr... + INFO:cephadm:mgr not available, waiting (1/10)... + INFO:cephadm:mgr not available, waiting (2/10)... + INFO:cephadm:mgr not available, waiting (3/10)... + INFO:cephadm:mgr is available + INFO:cephadm:Enabling cephadm module... + INFO:cephadm:Waiting for the mgr to restart... + INFO:cephadm:Waiting for Mgr epoch 5... + INFO:cephadm:Mgr epoch 5 is available + INFO:cephadm:Setting orchestrator backend to cephadm... + INFO:cephadm:Generating ssh key... + INFO:cephadm:Wrote public SSH key to to /etc/ceph/ceph.pub + INFO:cephadm:Adding key to root@localhost's authorized_keys... + INFO:cephadm:Adding host raphael... + INFO:cephadm:Deploying mon service with default placement... + INFO:cephadm:Deploying mgr service with default placement... + INFO:cephadm:Deploying crash service with default placement... + INFO:cephadm:Enabling mgr prometheus module... + INFO:cephadm:Deploying prometheus service with default placement... + INFO:cephadm:Deploying grafana service with default placement... + INFO:cephadm:Deploying node-exporter service with default placement... + INFO:cephadm:Deploying alertmanager service with default placement... + INFO:cephadm:Enabling the dashboard module... + INFO:cephadm:Waiting for the mgr to restart... + INFO:cephadm:Waiting for Mgr epoch 13... + INFO:cephadm:Mgr epoch 13 is available + INFO:cephadm:Generating a dashboard self-signed certificate... + INFO:cephadm:Creating initial admin user... + INFO:cephadm:Fetching dashboard port number... + INFO:cephadm:Ceph Dashboard is now available at: + + URL: https://raphael:8443/ + User: admin + Password: mid28k0yg5 + + INFO:cephadm:You can access the Ceph CLI with: + + sudo ./cephadm shell --fsid bf3eff78-9e27-11ea-b40a-525400380101 -c /etc/ceph/ceph.conf -k /etc/ceph/ceph.client.admin.keyring + + INFO:cephadm:Please consider enabling telemetry to help improve Ceph: + + ceph telemetry on + + For more information see: + + https://docs.ceph.com/docs/master/mgr/telemetry/ + + INFO:cephadm:Bootstrap complete. + root@raphael:~# + ``` + + +### Prepare other nodes + +It's now necessary to tranfer the following files to your ==other== nodes, so that cephadm can add them to your cluster, and so that they'll be able to mount the cephfs when we're done: + +Path on master | Path on non-master +--------------- | ----- +`/etc/ceph/ceph.conf` | `/etc/ceph/ceph.conf` +`/etc/ceph/ceph.client.admin.keyring` | `/etc/ceph/ceph.client.admin.keyring` +`/etc/ceph/ceph.pub` | `/root/.ssh/authorized_keys` (append to anything existing) + + +Back on the ==master== node, run `ceph orch host add ` once for each other node you want to join to the cluster. You can validate the results by running `ceph orch host ls` + +!!! question "Should we be concerned about giving cephadm using root access over SSH?" + Not really. Docker is inherently insecure at the host-level anyway (*think what would happen if you launched a global-mode stack with a malicious container image which mounted `/root/.ssh`*), so worrying about cephadm seems a little barn-door-after-horses-bolted. If you take host-level security seriously, consider switching to [Kubernetes](/kubernetes/start/) :) + +### Add OSDs + +Now the best improvement since the days of ceph-deploy and manual disks.. on the ==master== node, run `ceph orch apply osd --all-available-devices`. This will identify any unloved (*unpartitioned, unmounted*) disks attached to each participating node, and configure these disks as OSDs. + +### Setup CephFS + +On the ==master== node, create a cephfs volume in your cluster, by running `ceph fs volume create data`. Ceph will handle the necessary orchestration itself, creating the necessary pool, mds daemon, etc. + +You can watch the progress by running `ceph fs ls` (to see the fs is configured), and `ceph -s` to wait for `HEALTH_OK` + +### Mount CephFS volume + +On ==every== node, create a mountpoint for the data, by running ```mkdir /var/data```, add an entry to fstab to ensure the volume is auto-mounted on boot, and ensure the volume is actually _mounted_ if there's a network / boot delay getting access to the gluster volume: + +``` +mkdir /var/data + +MYNODES=",," # Add your own nodes here, comma-delimited +MYHOST=`ip route get 1.1.1.1 | grep -oP 'src \K\S+'` +echo -e " +# Mount cephfs volume \n +raphael,donatello,leonardo:/ /var/data ceph name=admin,noatime,_netdev 0 0" >> /etc/fstab +mount -a +``` + +## Serving + +### Sprinkle with tools + +Although it's possible to use `cephadm shell` to exec into a container with the necessary ceph tools, it's more convenient to use the native CLI tools. To this end, on each node, run the following, which will install the appropriate apt repository, and install the latest ceph CLI tools: + +``` +curl -L https://download.ceph.com/keys/release.asc | sudo apt-key add - +cephadm add-repo --release octopus +cephadm install ceph-common +``` + +### Drool over dashboard + +Ceph now includes a comprehensive dashboard, provided by the mgr daemon. The dashboard will be accessible at https://[IP of your ceph master node]:8443, but you'll need to run `ceph dashboard ac-user-create administrator` first, to create an administrator account: + +``` +root@raphael:~# ceph dashboard ac-user-create batman supermansucks administrator +{"username": "batman", "password": "$2b$12$3HkjY85mav.dq3HHAZiWP.KkMiuoV2TURZFH.6WFfo/BPZCT/0gr.", "roles": ["administrator"], "name": null, "email": null, "lastUpdate": 1590372281, "enabled": true, "pwdExpirationDate": null, "pwdUpdateRequired": false} +root@raphael:~# +``` + +## Summary + +What have we achieved? + +!!! summary "Summary" + Created: + + * [X] Persistent storage available to every node + * [X] Resiliency in the event of the failure of a single node + * [X] Beautiful dashboard + +## The easy, 5-minute install + +I share (_with [sponsors][github_sponsor] and [patrons][patreon]_) a private "_premix_" GitHub repository, which includes an ansible playbook for deploying the entire Geek's Cookbook stack, automatically. This means that members can create the entire environment with just a ```git pull``` and an ```ansible-playbook deploy.yml``` 👍 + +Here's a screencast of the playbook in action. I sped up the boring parts, it actually takes ==5 min== (*you can tell by the timestamps on the prompt*): + +![Screencast of ceph install via ansible](https://static.funkypenguin.co.nz/ceph_install_via_ansible_playbook.gif) +[patreon]: https://www.patreon.com/bePatron?u=6982506 +[github_sponsor]: https://github.com/sponsors/funkypenguin + +## Chef's Notes 📓 + +[^1]: Minimum Viable Cluster acronym copyright, trademark, and whatever else, to Funky Penguin for 1,000,000 years. diff --git a/manuscript/ha-docker-swarm/shared-storage-gluster.md b/manuscript/ha-docker-swarm/shared-storage-gluster.md index da238e6..7c3febb 100644 --- a/manuscript/ha-docker-swarm/shared-storage-gluster.md +++ b/manuscript/ha-docker-swarm/shared-storage-gluster.md @@ -157,7 +157,7 @@ After completing the above, you should have: * [X] Persistent storage available to every node * [X] Resiliency in the event of the failure of a single (gluster) node -## Chef's Notes 📓 +## Chef's Notes Future enhancements to this recipe include: diff --git a/manuscript/ha-docker-swarm/shared-storage-gluster.mde b/manuscript/ha-docker-swarm/shared-storage-gluster.mde new file mode 100644 index 0000000..925243d --- /dev/null +++ b/manuscript/ha-docker-swarm/shared-storage-gluster.mde @@ -0,0 +1,165 @@ +# Shared Storage (GlusterFS) + +While Docker Swarm is great for keeping containers running (_and restarting those that fail_), it does nothing for persistent storage. This means if you actually want your containers to keep any data persistent across restarts (_hint: you do!_), you need to provide shared storage to every docker node. + +!!! warning + This recipe is deprecated. It didn't work well in 2017, and it's not likely to work any better now. It remains here as a reference. I now recommend the use of [Ceph for shared storage](/ha-docker-swarm/shared-storage-ceph/) instead. - 2019 Chef + +## Design + +### Why GlusterFS? + +This GlusterFS recipe was my original design for shared storage, but I [found it to be flawed](shared-storage-ceph/#why-not-glusterfs), and I replaced it with a [design which employs Ceph instead](shared-storage-ceph/#why-ceph). This recipe is an alternate to the Ceph design, if you happen to prefer GlusterFS. + +## Ingredients + +!!! summary "Ingredients" + 3 x Virtual Machines (configured earlier), each with: + + * [X] CentOS/Fedora Atomic + * [X] At least 1GB RAM + * [X] At least 20GB disk space (_but it'll be tight_) + * [X] Connectivity to each other within the same subnet, and on a low-latency link (_i.e., no WAN links_) + * [ ] A second disk, or adequate space on the primary disk for a dedicated data partition + +## Preparation + +### Create Gluster "bricks" + +To build our Gluster volume, we need 2 out of the 3 VMs to provide one "brick". The bricks will be used to create the replicated volume. Assuming a replica count of 2 (_i.e., 2 copies of the data are kept in gluster_), our total number of bricks must be divisible by our replica count. (_I.e., you can't have 3 bricks if you want 2 replicas. You can have 4 though - We have to have minimum 3 swarm manager nodes for fault-tolerance, but only 2 of those nodes need to run as gluster servers._) + +On each host, run a variation following to create your bricks, adjusted for the path to your disk. + +!!! note "The example below assumes /dev/vdb is dedicated to the gluster volume" +``` +( +echo o # Create a new empty DOS partition table +echo n # Add a new partition +echo p # Primary partition +echo 1 # Partition number +echo # First sector (Accept default: 1) +echo # Last sector (Accept default: varies) +echo w # Write changes +) | sudo fdisk /dev/vdb + +mkfs.xfs -i size=512 /dev/vdb1 +mkdir -p /var/no-direct-write-here/brick1 +echo '' >> /etc/fstab >> /etc/fstab +echo '# Mount /dev/vdb1 so that it can be used as a glusterfs volume' >> /etc/fstab +echo '/dev/vdb1 /var/no-direct-write-here/brick1 xfs defaults 1 2' >> /etc/fstab +mount -a && mount +``` + +!!! warning "Don't provision all your LVM space" + Atomic uses LVM to store docker data, and **automatically grows** Docker's volumes as requried. If you commit all your free LVM space to your brick, you'll quickly find (as I did) that docker will start to fail with error messages about insufficient space. If you're going to slice off a portion of your LVM space in /dev/atomicos, make sure you leave enough space for Docker storage, where "enough" depends on how much you plan to pull images, make volumes, etc. I ate through 20GB very quickly doing development, so I ended up provisioning 50GB for atomic alone, with a separate volume for the brick. + +### Create glusterfs container + +Atomic doesn't include the Gluster server components. This means we'll have to run glusterd from within a container, with privileged access to the host. Although convoluted, I've come to prefer this design since it once again makes the OS "disposable", moving all the config into containers and code. + +Run the following on each host: +``` +docker run \ + -h glusterfs-server \ + -v /etc/glusterfs:/etc/glusterfs:z \ + -v /var/lib/glusterd:/var/lib/glusterd:z \ + -v /var/log/glusterfs:/var/log/glusterfs:z \ + -v /sys/fs/cgroup:/sys/fs/cgroup:ro \ + -v /var/no-direct-write-here/brick1:/var/no-direct-write-here/brick1 \ + -d --privileged=true --net=host \ + --restart=always \ + --name="glusterfs-server" \ + gluster/gluster-centos +``` +### Create trusted pool + +On a single node (doesn't matter which), run ```docker exec -it glusterfs-server bash``` to launch a shell inside the container. + +From the node, run +```gluster peer probe ``` + +Example output: +``` +[root@glusterfs-server /]# gluster peer probe ds1 +peer probe: success. +[root@glusterfs-server /]# +``` + +Run ```gluster peer status``` on both nodes to confirm that they're properly connected to each other: + +Example output: +``` +[root@glusterfs-server /]# gluster peer status +Number of Peers: 1 + +Hostname: ds3 +Uuid: 3e115ba9-6a4f-48dd-87d7-e843170ff499 +State: Peer in Cluster (Connected) +[root@glusterfs-server /]# +``` + +### Create gluster volume + +Now we create a *replicated volume* out of our individual "bricks". + +Create the gluster volume by running +``` +gluster volume create gv0 replica 2 \ + server1:/var/no-direct-write-here/brick1 \ + server2:/var/no-direct-write-here/brick1 +``` + +Example output: +``` +[root@glusterfs-server /]# gluster volume create gv0 replica 2 ds1:/var/no-direct-write-here/brick1/gv0 ds3:/var/no-direct-write-here/brick1/gv0 +volume create: gv0: success: please start the volume to access data +[root@glusterfs-server /]# +``` + +Start the volume by running ```gluster volume start gv0``` + +``` +[root@glusterfs-server /]# gluster volume start gv0 +volume start: gv0: success +[root@glusterfs-server /]# +``` + +The volume is only present on the host you're shelled into though. To add the other hosts to the volume, run ```gluster peer probe ```. Don't probe host from itself. + +From one other host, run ```docker exec -it glusterfs-server bash``` to shell into the gluster-server container, and run ```gluster peer probe ``` to update the name of the host which started the volume. + +### Mount gluster volume + +On the host (i.e., outside of the container - type ```exit``` if you're still shelled in), create a mountpoint for the data, by running ```mkdir /var/data```, add an entry to fstab to ensure the volume is auto-mounted on boot, and ensure the volume is actually _mounted_ if there's a network / boot delay getting access to the gluster volume: + +``` +mkdir /var/data +MYHOST=`hostname -s` +echo '' >> /etc/fstab >> /etc/fstab +echo '# Mount glusterfs volume' >> /etc/fstab +echo "$MYHOST:/gv0 /var/data glusterfs defaults,_netdev,context="system_u:object_r:svirt_sandbox_file_t:s0" 0 0" >> /etc/fstab +mount -a +``` + +For some reason, my nodes won't auto-mount this volume on boot. I even tried the trickery below, but they stubbornly refuse to automount. +``` +echo -e "\n\n# Give GlusterFS 10s to start before \ +mounting\nsleep 10s && mount -a" >> /etc/rc.local +systemctl enable rc-local.service +``` + +For non-gluster nodes, you'll need to replace $MYHOST above with the name of one of the gluster hosts (I haven't worked out how to make this fully HA yet) + +## Serving + +After completing the above, you should have: + +* [X] Persistent storage available to every node +* [X] Resiliency in the event of the failure of a single (gluster) node + +## Chef's Notes 📓 + +Future enhancements to this recipe include: + +1. Migration of shared storage from GlusterFS to Ceph ()[#2](https://gitlab.funkypenguin.co.nz/funkypenguin/geeks-cookbook/issues/2)) +2. Correct the fact that volumes don't automount on boot ([#3](https://gitlab.funkypenguin.co.nz/funkypenguin/geeks-cookbook/issues/3)) \ No newline at end of file diff --git a/manuscript/ha-docker-swarm/traefik-forward-auth.md b/manuscript/ha-docker-swarm/traefik-forward-auth.md index 66803d4..d32017a 100644 --- a/manuscript/ha-docker-swarm/traefik-forward-auth.md +++ b/manuscript/ha-docker-swarm/traefik-forward-auth.md @@ -108,7 +108,7 @@ What have we achieved? By adding an additional three simple labels to any servic -## Chef's Notes 📓 +## Chef's Notes 1. Traefik forward auth replaces the use of [oauth_proxy containers](https://geek-cookbook.funkypenguin.co.nz/)reference/oauth_proxy/) found in some of the existing recipes 2. [@thomaseddon's original version](https://github.com/thomseddon/traefik-forward-auth) of traefik-forward-auth only works with Google currently, but I've created a [fork](https://www.github.com/funkypenguin/traefik-forward-auth) of a [fork](https://github.com/noelcatt/traefik-forward-auth), which implements generic OIDC providers. diff --git a/manuscript/ha-docker-swarm/traefik-forward-auth.mde b/manuscript/ha-docker-swarm/traefik-forward-auth.mde new file mode 100644 index 0000000..10f7ef6 --- /dev/null +++ b/manuscript/ha-docker-swarm/traefik-forward-auth.mde @@ -0,0 +1,116 @@ +# Traefik Forward Auth + +Now that we have Traefik deployed, automatically exposing SSL access to our Docker Swarm services using LetsEncrypt wildcard certificates, let's pause to consider that we may not _want_ some services exposed directly to the internet... + +..Wait, why not? Well, Traefik doesn't provide any form of authentication, it simply secures the **transmission** of the service between Docker Swarm and the end user. If you were to deploy a service with no native security (*[Radarr](/recipes/autopirate/radarr/) or [Sonarr](/recipes/autopirate/sonarr/) come to mind*), then anybody would be able to use it! Even services which _may_ have a layer of authentication **might** not be safe to expose publically - often open source projects may be maintained by enthusiasts who happily add extra features, but just pay lip service to security, on the basis that "*it's the user's problem to secure it in their own network*". + +To give us confidence that **we** can access our services, but BadGuys(tm) cannot, we'll deploy a layer of authentication **in front** of Traefik, using [Forward Authentication](https://docs.traefik.io/configuration/entrypoints/#forward-authentication). You can use your own [KeyCloak](/recipes/keycloak/) instance for authentication, but to lower the barrier to entry, this recipe will assume you're authenticating against your own Google account. + +## Ingredients + +!!! summary "Ingredients" + Existing: + + * [X] [Docker swarm cluster](/ha-docker-swarm/design/) with [persistent shared storage](/ha-docker-swarm/shared-storage-ceph) + * [X] [Traefik](/ha-docker-swarm/traefik/) configured per design + + New: + + * [ ] Client ID and secret from an OpenID-Connect provider (Google, [KeyCloak](/recipes/keycloak/), Microsoft, etc..) + +## Preparation + +### Obtain OAuth credentials + +!!! note + This recipe will demonstrate using Google OAuth for traefik forward authentication, but it's also possible to use a self-hosted KeyCloak instance - see the [KeyCloak OIDC Provider](/recipes/keycloak/setup-oidc-provider/) recipe for more details! + +Log into https://console.developers.google.com/, create a new project then search for and select "Credentials" in the search bar. + +Fill out the "OAuth Consent Screen" tab, and then click, "**Create Credentials**" > "**OAuth client ID**". Select "**Web Application**", fill in the name of your app, skip "**Authorized JavaScript origins**" and fill "**Authorized redirect URIs**" with either all the domains you will allow authentication from, appended with the url-path (*e.g. https://radarr.example.com/_oauth, https://radarr.example.com/_oauth, etc*), or if you don't like frustration, use a "auth host" URL instead, like "*https://auth.example.com/_oauth*" (*see below for details*) + +Store your client ID and secret safely - you'll need them for the next step. + + +### Prepare environment + +Create `/var/data/config/traefik/traefik-forward-auth.env` as follows: + +``` +CLIENT_ID= +CLIENT_SECRET= +OIDC_ISSUER=https://accounts.google.com +SECRET= +# uncomment this to use a single auth host instead of individual redirect_uris (recommended but advanced) +#AUTH_HOST=auth.example.com +COOKIE_DOMAINS=example.com +``` + +### Prepare the docker service config + +This is a small container, you can simply add the following content to the existing `traefik-app.yml` deployed in the previous [Traefik](/recipes/traefik/) recipe: + +``` + traefik-forward-auth: + image: funkypenguin/traefik-forward-auth + env_file: /var/data/config/traefik/traefik-forward-auth.env + networks: + - traefik_public + # Uncomment these lines if you're using auth host mode + #deploy: + # labels: + # - traefik.port=4181 + # - traefik.frontend.rule=Host:auth.example.com + # - traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181 + # - traefik.frontend.auth.forward.trustForwardHeader=true +``` + +If you're not confident that forward authentication is working, add a simple "whoami" test container, to help debug traefik forward auth, before attempting to add it to a more complex container. + +``` + # This simply validates that traefik forward authentication is working + whoami: + image: containous/whoami + networks: + - traefik_public + deploy: + labels: + - traefik.frontend.rule=Host:whoami.example.com + - traefik.port=80 + - traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181 + - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User + - traefik.frontend.auth.forward.trustForwardHeader=true +``` + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + + + +## Serving + +### Launch + +Redeploy traefik with ```docker stack deploy traefik-app -c /var/data/traefik/traeifk-app.yml```, to launch the traefik-forward-auth container. + +### Test + +Browse to https://whoami.example.com (*obviously, customized for your domain and having created a DNS record*), and all going according to plan, you should be redirected to a Google login. Once successfully logged in, you'll be directed to the basic whoami page. + +## Summary + +What have we achieved? By adding an additional three simple labels to any service, we can secure any service behind our choice of OAuth provider, with minimal processing / handling overhead. + +!!! summary "Summary" + Created: + + * [X] Traefik-forward-auth configured to authenticate against an OIDC provider + + + +## Chef's Notes 📓 + +1. Traefik forward auth replaces the use of [oauth_proxy containers](/reference/oauth_proxy/) found in some of the existing recipes +2. [@thomaseddon's original version](https://github.com/thomseddon/traefik-forward-auth) of traefik-forward-auth only works with Google currently, but I've created a [fork](https://www.github.com/funkypenguin/traefik-forward-auth) of a [fork](https://github.com/noelcatt/traefik-forward-auth), which implements generic OIDC providers. +3. I reviewed several implementations of forward authenticators for Traefik, but found most to be rather heavy-handed, or specific to a single auth provider. @thomaseddon's go-based docker image is 7MB in size, and with the generic OIDC patch (above), it can be extended to work with any OIDC provider. +4. No, not github natively, but you can ferderate GitHub into KeyCloak, and then use KeyCloak as the OIDC provider. diff --git a/manuscript/ha-docker-swarm/traefik-forward-auth/keycloak.md b/manuscript/ha-docker-swarm/traefik-forward-auth/keycloak.md index 031b4cd..6ceec97 100644 --- a/manuscript/ha-docker-swarm/traefik-forward-auth/keycloak.md +++ b/manuscript/ha-docker-swarm/traefik-forward-auth/keycloak.md @@ -117,6 +117,6 @@ What have we achieved? By adding an additional three simple labels to any servic -## Chef's Notes 📓 +## Chef's Notes 1. KeyCloak is very powerful. You can add 2FA and all other clever things outside of the scope of this simple recipe ;) diff --git a/manuscript/ha-docker-swarm/traefik-forward-auth/keycloak.mde b/manuscript/ha-docker-swarm/traefik-forward-auth/keycloak.mde new file mode 100644 index 0000000..126eaf8 --- /dev/null +++ b/manuscript/ha-docker-swarm/traefik-forward-auth/keycloak.mde @@ -0,0 +1,122 @@ +# Using Traefik Forward Auth with KeyCloak + +While the [Traefik Forward Auth](/ha-docker-swarm/traefik-forward-auth/) recipe demonstrated a quick way to protect a set of explicitly-specified URLs using OIDC credentials from a Google account, this recipe will illustrate how to use your own KeyCloak instance to secure **any** URLs within your DNS domain. + +## Ingredients + +!!! Summary + Existing: + + * [X] [KeyCloak](/recipes/keycloak/) recipe deployed successfully, with a [local user](/recipes/keycloak/create-user/) and an [OIDC client](/recipes/keycloak/setup-oidc-provider/) + + New: + + * [ ] DNS entry for your auth host (*"auth.yourdomain.com" is a good choice*), pointed to your [keepalived](ha-docker-swarm/keepalived/) IP + +## Preparation + +### What is AuthHost mode + +Under normal OIDC auth, you have to tell your auth provider which URLs it may redirect an authenticated user back to, post-authentication. This is a security feture of the OIDC spec, preventing a malicious landing page from capturing your session and using it to impersonate you. When you're securing many URLs though, explicitly listing them can be a PITA. + +[@thomaseddon's traefik-forward-auth](https://github.com/thomseddon/traefik-forward-auth) includes an ingenious mechanism to simulate an "*auth host*" in your OIDC authentication, so that you can protect an unlimited amount of DNS names (*with a common domain suffix*), without having to manually maintain a list. + +#### How does it work? + +Say you're protecting **radarr.example.com**. When you first browse to **https://radarr.example.com**, Traefik forwards your session to traefik-forward-auth, to be authenticated. Traefik-forward-auth redirects you to your OIDC provider's login (*KeyCloak, in this case*), but instructs the OIDC provider to redirect a successfully authenticated session **back** to **https://auth.example.com/_oauth**, rather than to **https://radarr.example.com/_oauth**. + +When you successfully authenticate against the OIDC provider, you are redirected to the "*redirect_uri*" of https://auth.example.com. Again, your request hits Traefik, whichforwards the session to traefik-forward-auth, which **knows** that you've just been authenticated (*cookies have a role to play here*). Traefik-forward-auth also knows the URL of your **original** request (*thanks to the X-Forwarded-Whatever header*). Traefik-forward-auth redirects you to your original destination, and everybody is happy. + +This clever workaround only works under 2 conditions: + + +1. Your "auth host" has the same domain name as the hosts you're protecting (*i.e., auth.example.com protecting radarr.example.com*) +2. You explictly tell traefik-forward-auth to use a cookie authenticating your **whole** domain (*i.e. example.com*) + +### Setup environment + +Create `/var/data/config/traefik/traefik-forward-auth.env` as follows (*change "master" if you created a different realm*): + +``` +CLIENT_ID= +CLIENT_SECRET= +OIDC_ISSUER=https:///auth/realms/master +SECRET= +AUTH_HOST= +COOKIE_DOMAIN= +``` + +### Prepare the docker service config + +This is a small container, you can simply add the following content to the existing `traefik-app.yml` deployed in the previous [Traefik](/recipes/traefik/) recipe: + +``` + traefik-forward-auth: + image: funkypenguin/traefik-forward-auth + env_file: /var/data/config/traefik/traefik-forward-auth.env + networks: + - traefik_public + deploy: + labels: + - traefik.port=4181 + - traefik.frontend.rule=Host:auth.example.com + - traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181 + - traefik.frontend.auth.forward.trustForwardHeader=true +``` + +If you're not confident that forward authentication is working, add a simple "whoami" test container, to help debug traefik forward auth, before attempting to add it to a more complex container. + +``` + # This simply validates that traefik forward authentication is working + whoami: + image: containous/whoami + networks: + - traefik_public + deploy: + labels: + - traefik.frontend.rule=Host:whoami.example.com + - traefik.port=80 + - traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181 + - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User + - traefik.frontend.auth.forward.trustForwardHeader=true +``` + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + +## Serving + +### Launch + +Redeploy traefik with ```docker stack deploy traefik-app -c /var/data/traefik/traeifk-app.yml```, to launch the traefik-forward-auth container. + +### Test + +Browse to https://whoami.example.com (*obviously, customized for your domain and having created a DNS record*), and all going according to plan, you'll be redirected to a KeyCloak login. Once successfully logged in, you'll be directed to the basic whoami page. + +### Protect services + +To protect any other service, ensure the service itself is exposed by Traefik (*if you were previously using an oauth_proxy for this, you may have to migrate some labels from the oauth_proxy serivce to the service itself*). Add the following 3 labels: + +``` +- traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181 +- traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User +- traefik.frontend.auth.forward.trustForwardHeader=true +``` + +And re-deploy your services :) + +## Summary + +What have we achieved? By adding an additional three simple labels to any service, we can secure any service behind our KeyCloak OIDC provider, with minimal processing / handling overhead. + +!!! summary "Summary" + Created: + + * [X] Traefik-forward-auth configured to authenticate against KeyCloak + + + +## Chef's Notes 📓 + +1. KeyCloak is very powerful. You can add 2FA and all other clever things outside of the scope of this simple recipe ;) diff --git a/manuscript/ha-docker-swarm/traefik.md b/manuscript/ha-docker-swarm/traefik.md index ea28883..5835c06 100644 --- a/manuscript/ha-docker-swarm/traefik.md +++ b/manuscript/ha-docker-swarm/traefik.md @@ -234,6 +234,6 @@ You should now be able to access your traefik instance on http://:8080 * [X] Automatic SSL support for all proxied resources -## Chef's Notes 📓 +## Chef's Notes 1. Did you notice how no authentication was required to view the Traefik dashboard? Eek! We'll tackle that in the next section, regarding [Traefik Forward Authentication](https://geek-cookbook.funkypenguin.co.nz/)ha-docker-swarm/traefik-forward-auth/)! \ No newline at end of file diff --git a/manuscript/ha-docker-swarm/traefik.mde b/manuscript/ha-docker-swarm/traefik.mde new file mode 100644 index 0000000..dfcc6ce --- /dev/null +++ b/manuscript/ha-docker-swarm/traefik.mde @@ -0,0 +1,239 @@ +# Traefik + +The platforms we plan to run on our cloud are generally web-based, and each listening on their own unique TCP port. When a container in a swarm exposes a port, then connecting to **any** swarm member on that port will result in your request being forwarded to the appropriate host running the container. (_Docker calls this the swarm "[routing mesh](https://docs.docker.com/engine/swarm/ingress/)"_) + +So we get a rudimentary load balancer built into swarm. We could stop there, just exposing a series of ports on our hosts, and making them HA using keepalived. + +There are some gaps to this approach though: + +- No consideration is given to HTTPS. Implementation would have to be done manually, per-container. +- No mechanism is provided for authentication outside of that which the container providers. We may not **want** to expose every interface on every container to the world, especially if we are playing with tools or containers whose quality and origin are unknown. + +To deal with these gaps, we need a front-end load-balancer, and in this design, that role is provided by [Traefik](https://traefik.io/). + +![Traefik Screenshot](../images/traefik.png) + +## Ingredients + +!!! summary "You'll need" + Existing + + * [X] [Docker swarm cluster](/ha-docker-swarm/design/) with [persistent shared storage](/ha-docker-swarm/shared-storage-ceph) + + New + + * [ ] Access to update your DNS records for manual/automated [LetsEncrypt](https://letsencrypt.org/docs/challenge-types/) DNS-01 validation, or ingress HTTP/HTTPS for HTTP-01 validation + +## Preparation + +### Prepare the host + +The traefik container is aware of the __other__ docker containers in the swarm, because it has access to the docker socket at **/var/run/docker.sock**. This allows traefik to dynamically configure itself based on the labels found on containers in the swarm, which is hugely useful. To make this functionality work on a SELinux-enabled CentOS7 host, we need to add custom SELinux policy. + +!!! tip + The following is only necessary if you're using SELinux! + +Run the following to build and activate policy to permit containers to access docker.sock: + +``` +mkdir ~/dockersock +cd ~/dockersock +curl -O https://raw.githubusercontent.com/dpw/\ +selinux-dockersock/master/Makefile +curl -O https://raw.githubusercontent.com/dpw/\ +selinux-dockersock/master/dockersock.te +make && semodule -i dockersock.pp +``` + +### Prepare traefik.toml + +While it's possible to configure traefik via docker command arguments, I prefer to create a config file (`traefik.toml`). This allows me to change traefik's behaviour by simply changing the file, and keeps my docker config simple. + +Create `/var/data/traefik/traefik.toml` as follows: + +``` +checkNewVersion = true +defaultEntryPoints = ["http", "https"] + +# This section enable LetsEncrypt automatic certificate generation / renewal +[acme] +email = "" +storage = "acme.json" # or "traefik/acme/account" if using KV store +entryPoint = "https" +acmeLogging = true +onDemand = true +OnHostRule = true + +# Request wildcard certificates per https://docs.traefik.io/configuration/acme/#wildcard-domains +[[acme.domains]] + main = "*.example.com" + sans = ["example.com"] + +# Redirect all HTTP to HTTPS (why wouldn't you?) +[entryPoints] + [entryPoints.http] + address = ":80" + [entryPoints.http.redirect] + entryPoint = "https" + [entryPoints.https] + address = ":443" + [entryPoints.https.tls] + +[web] +address = ":8080" +watch = true + +[docker] +endpoint = "tcp://127.0.0.1:2375" +domain = "example.com" +watch = true +swarmmode = true +``` + +### Prepare the docker service config + +!!! tip + "We'll want an overlay network, independent of our traefik stack, so that we can attach/detach all our other stacks (including traefik) to the overlay network. This way, we can undeploy/redepoly the traefik stack without having to bring every other stack first!" - voice of experience + +Create `/var/data/config/traefik/traefik.yml` as follows: + +``` +version: "3.2" + +# What is this? +# +# This stack exists solely to deploy the traefik_public overlay network, so that +# other stacks (including traefik-app) can attach to it + +services: + scratch: + image: scratch + deploy: + replicas: 0 + networks: + - public + +networks: + public: + driver: overlay + attachable: true + ipam: + config: + - subnet: 172.16.200.0/24 +``` + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + + +Create `/var/data/config/traefik/traefik-app.yml` as follows: + +``` +version: "3" + +services: + traefik: + image: traefik + command: --web --docker --docker.swarmmode --docker.watch --docker.domain=example.com --logLevel=DEBUG + # Note below that we use host mode to avoid source nat being applied to our ingress HTTP/HTTPS sessions + # Without host mode, all inbound sessions would have the source IP of the swarm nodes, rather than the + # original source IP, which would impact logging. If you don't care about this, you can expose ports the + # "minimal" way instead + ports: + - target: 80 + published: 80 + protocol: tcp + mode: host + - target: 443 + published: 443 + protocol: tcp + mode: host + - target: 8080 + published: 8080 + protocol: tcp + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + - /var/data/config/traefik:/etc/traefik + - /var/data/traefik/traefik.log:/traefik.log + - /var/data/traefik/acme.json:/acme.json + networks: + - traefik_public + # Global mode makes an instance of traefik listen on _every_ node, so that regardless of which + # node the request arrives on, it'll be forwarded to the correct backend service. + deploy: + labels: + - "traefik.enable=false" + mode: global + placement: + constraints: [node.role == manager] + restart_policy: + condition: on-failure + +networks: + traefik_public: + external: true +``` + +Docker won't start a service with a bind-mount to a non-existent file, so prepare an empty acme.json (_with the appropriate permissions_) by running: + +``` +touch /var/data/traefik/acme.json +chmod 600 /var/data/traefik/acme.json +``` + +!!! warning + Pay attention above. You **must** set `acme.json`'s permissions to owner-readable-only, else the container will fail to start with an [ID-10T](https://en.wikipedia.org/wiki/User_error#ID-10-T_error) error! + +Traefik will populate acme.json itself when it runs, but it needs to exist before the container will start (_Chicken, meet egg._) + + + +## Serving + +### Launch + +First, launch the traefik stack, which will do nothing other than create an overlay network by running `docker stack deploy traefik -c /var/data/traefik/traefik.yml` + +``` +[root@kvm ~]# docker stack deploy traefik -c traefik.yml +Creating network traefik_public +Creating service traefik_scratch +[root@kvm ~]# +``` + +Now deploy the traefik appliation itself (*which will attach to the overlay network*) by running `docker stack deploy traefik-app -c /var/data/traefik/traefik-app.yml` + +``` +[root@kvm ~]# docker stack deploy traefik-app -c traefik-app.yml +Creating service traefik-app_app +[root@kvm ~]# +``` + +Confirm traefik is running with `docker stack ps traefik-app`: + +``` +[root@kvm ~]# docker stack ps traefik-app +ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS +74uipz4sgasm traefik-app_app.t4vcm8siwc9s1xj4c2o4orhtx traefik:alpine kvm.funkypenguin.co.nz Running Running 33 seconds ago *:443->443/tcp,*:80->80/tcp +[root@kvm ~]# +``` + +### Check Traefik Dashboard + +You should now be able to access your traefik instance on http://:8080 - It'll look a little lonely currently (*below*), but we'll populate it as we add recipes :) + +![Screenshot of Traefik, post-launch](/images/traefik-post-launch.png) + +### Summary + +!!! summary + We've achieved: + + * [X] An overlay network to permit traefik to access all future stacks we deploy + * [X] Frontend proxy which will dynamically configure itself for new backend containers + * [X] Automatic SSL support for all proxied resources + + +## Chef's Notes 📓 + +1. Did you notice how no authentication was required to view the Traefik dashboard? Eek! We'll tackle that in the next section, regarding [Traefik Forward Authentication](/ha-docker-swarm/traefik-forward-auth/)! \ No newline at end of file diff --git a/manuscript/index.md b/manuscript/index.md index a9771f3..ceb5826 100644 --- a/manuscript/index.md +++ b/manuscript/index.md @@ -59,7 +59,7 @@ The best way to support this work is to become a [GitHub Sponsor](https://github Impulsively **[click here (NOW quick do it!)][github_sponsor]** to [sponsor me][github_sponsor] via GitHub, or [patronize me via Patreon][patreon]! -### Work with me 🤝 +### Work with me Need some Cloud / Microservices / DevOps / Infrastructure design work done? I'm a full-time [AWS-certified][aws_cert] consultant, this stuff is my bread and butter! :bread: :fork_and_knife: [Get in touch][contact], and let's talk business! diff --git a/manuscript/index.mde b/manuscript/index.mde new file mode 100644 index 0000000..1d52ade --- /dev/null +++ b/manuscript/index.mde @@ -0,0 +1,93 @@ +# What is this? + +Funky Penguin's "**[Geek Cookbook](https://geek-cookbook.funkypenguin.co.nz)**" is a collection of how-to guides for establishing your own container-based self-hosting platform, using either [Docker Swarm](/ha-docker-swarm/design/) or [Kubernetes](/kubernetes/start/). + +Running such a platform enables you to run self-hosted tools such as [AutoPirate](/recipes/autopirate/) (*Radarr, Sonarr, NZBGet and friends*), [Plex][plex], [NextCloud][nextcloud], and includes elements such as: + +* [Automatic SSL-secured access](/ha-docker-swarm/traefik/) to all services (*with LetsEncrypt*) +* [SSO / authentication layer](/ha-docker-swarm/traefik-forward-auth/) to protect unsecured / vulnerable services +* [Automated backup](/recipes/elkarbackup/) of configuration and data +* [Monitoring and metrics](/recipes/swarmprom/) collection, graphing and alerting + +Recent updates and additions are posted on the [CHANGELOG](/CHANGELOG/), and there's a friendly community of like-minded geeks in the [Discord server](http://chat.funkypenguin.co.nz). + +## Who is this for? + +You already have a familiarity with concepts such as virtual machines, [Docker](https://www.docker.com/) containers, [LetsEncrypt SSL certificates](https://letsencrypt.org/), databases, and command-line interfaces. + +You've probably played with self-hosting some mainstream apps yourself, like [Plex][plex], [NextCloud][nextcloud], [Wordpress][wordpress] or [Ghost][ghost]. + +## Why should I read this? + +So if you're familiar enough with the concepts above, and you've done self-hosting before, why would you read any further? + +1. You want to upskill. You want to work with container orchestration, Prometheus and Grafana, Kubernetes +2. You want to play. You want a safe sandbox to test new tools, keeping the ones you want and tossing the ones you don't. +3. You want reliability. Once you go from __playing__ with a tool to actually __using__ it, you want it to be available when you need it. Having to "*quickly ssh into the basement server and restart plex*" doesn't cut it when you finally convince your wife to sit down with you to watch sci-fi. + +!!! quote "...how useful the recipes are for people just getting started with containers..." + + + + +## What have you done for me lately? (CHANGELOG) + +Check out recent change at [CHANGELOG](/CHANGELOG/) + +## What do you want from me? + +I want your [support][github_sponsor], either in the [financial][github_sponsor] sense, or as a member of our [friendly geek community][discord] (*or both!*) + +### Get in touch 👋 + +* Come and say hi to me and the friendly geeks in the [Discord][discord] chat or the [Discourse][discourse] forums - say hi, ask a question, or suggest a new recipe! +* Tweet me up, I'm [@funkypenguin][twitter]! 🐦 +* [Contact me][contact] by a variety of channels + + +### [Sponsor][github_sponsor] / [Patronize][patreon] me ❤️ + +The best way to support this work is to become a [GitHub Sponsor](https://github.com/sponsors/funkypenguin) / [Patreon patron][patreon]. You get: + +* warm fuzzies, +* access to the pre-mix repo, +* an anonymous plug you can pull at any time, +* and a bunch more loot based on tier + +.. and I get some pocket money every month to buy wine, cheese, and cryptocurrency! 🍷 💰 + +Impulsively **[click here (NOW quick do it!)][github_sponsor]** to [sponsor me][github_sponsor] via GitHub, or [patronize me via Patreon][patreon]! + + +### Work with me 🤝 + +Need some Cloud / Microservices / DevOps / Infrastructure design work done? I'm a full-time [AWS-certified][aws_cert] consultant, this stuff is my bread and butter! :bread: :fork_and_knife: [Get in touch][contact], and let's talk business! + +[plex]: https://www.plex.tv/ +[nextcloud]: https://nextcloud.com/ +[wordpress]: https://wordpress.org/ +[ghost]: https://ghost.io/ +[discord]: http://chat.funkypenguin.co.nz +[patreon]: https://www.patreon.com/bePatron?u=6982506 +[github_sponsor]: https://github.com/sponsors/funkypenguin +[github]: https://github.com/sponsors/funkypenguin +[discourse]: https://discourse.geek-kitchen.funkypenguin.co.nz/ +[twitter]: https://twitter.com/funkypenguin +[contact]: https://www.funkypenguin.co.nz +[aws_cert]: https://www.certmetrics.com/amazon/public/badge.aspx?i=4&t=c&d=2019-02-22&ci=AWS00794574 + +!!! quote "He unblocked me on all the technical hurdles to launching my SaaS in GKE!" + + By the time I had enlisted Funky Penguin's help, I'd architected myself into a bit of a nightmare with Kubernetes. I knew what I wanted to achieve, but I'd made a mess of it. Funky Penguin (David) was able to jump right in and offer a vital second-think on everything I'd done, pointing out where things could be simplified and streamlined, and better alternatives. + + He unblocked me on all the technical hurdles to launching my SaaS in GKE! + + With him delivering the container/Kubernetes architecture and helm CI/CD workflow, I was freed up to focus on coding and design, which fast-tracked me to launching on time. And now I have a simple deployment process that is easy for me to execute and maintain as a solo founder. + + I have no hesitation in recommending him for your project, and I'll certainly be calling on him again in the future. + + -- John McDowall, Founder, [kiso.io](https://kiso.io) + +### Buy my book 📖 + +I'm publishing the Geek Cookbook as a formal eBook (*PDF, mobi, epub*), on Leanpub (https://leanpub.com/geek-cookbook). Check it out! \ No newline at end of file diff --git a/manuscript/kubernetes/cluster.md b/manuscript/kubernetes/cluster.md index 7da75bb..c151c55 100644 --- a/manuscript/kubernetes/cluster.md +++ b/manuscript/kubernetes/cluster.md @@ -7,7 +7,7 @@ IMO, the easiest Kubernetes cloud provider to experiment with is [DigitalOcean]( ## Ingredients 1. [DigitalOcean](https://www.digitalocean.com/?refcode=e33b78ad621b) account, either linked to a credit card or (_my preference for a trial_) topped up with $5 credit from PayPal. (_yes, this is a referral link, making me some to buy _) -2. Geek-Fu required : 🐱 (easy - even has screenshots!) +2. Geek-Fu required : (easy - even has screenshots!) ## Preparation diff --git a/manuscript/kubernetes/cluster.mde b/manuscript/kubernetes/cluster.mde new file mode 100644 index 0000000..1b1d0c2 --- /dev/null +++ b/manuscript/kubernetes/cluster.mde @@ -0,0 +1,86 @@ +# Kubernetes on DigitalOcean + +IMO, the easiest Kubernetes cloud provider to experiment with is [DigitalOcean](https://m.do.co/c/e33b78ad621b) (_this is a referral link_). I've included instructions below to start a basic cluster. + +![Kubernetes on Digital Ocean](/images/kubernetes-on-digitalocean.jpg) + +## Ingredients + +1. [DigitalOcean](https://www.digitalocean.com/?refcode=e33b78ad621b) account, either linked to a credit card or (_my preference for a trial_) topped up with $5 credit from PayPal. (_yes, this is a referral link, making me some 💰 to buy 🍷_) +2. Geek-Fu required : 🐱 (easy - even has screenshots!) + +## Preparation + +### Create DigitalOcean Account + +Create a project, and then from your project page, click **Manage** -> **Kubernetes (LTD)** in the left-hand panel: + +![Kubernetes on Digital Ocean Screenshot #1](/images/kubernetes-on-digitalocean-screenshot-1.png) + +Until DigitalOcean considers their Kubernetes offering to be "production ready", you'll need the additional step of clicking on **Enable Limited Access**: + +![Kubernetes on Digital Ocean Screenshot #2](/images/kubernetes-on-digitalocean-screenshot-2.png) + +The _Enable Limited Access_ button changes to read _Create a Kubernetes Cluster_ . Cleeeek it: + +![Kubernetes on Digital Ocean Screenshot #3](/images/kubernetes-on-digitalocean-screenshot-3.png) + +When prompted, choose some defaults for your first node pool (_your pool of "compute" resources for your cluster_), and give it a name. In more complex deployments, you can use this concept of "node pools" to run certain applications (_like an inconsequential nightly batch job_) on a particular class of compute instance (_such as cheap, preemptible instances_) + +![Kubernetes on Digital Ocean Screenshot #4](/images/kubernetes-on-digitalocean-screenshot-4.png) + +That's it! Have a sip of your 🍷, a bite of your :cheese:, and wait for your cluster to build. While you wait, follow the instructions to setup kubectl (if you don't already have it) + +![Kubernetes on Digital Ocean Screenshot #5](/images/kubernetes-on-digitalocean-screenshot-5.png) + +DigitalOcean will provide you with a "kubeconfig" file to use to access your cluster. It's at the bottom of the page (_illustrated below_), and easy to miss (_in my experience_). + +![Kubernetes on Digital Ocean Screenshot #6](/images/kubernetes-on-digitalocean-screenshot-6.png) + +## Release the kubectl! + +Save your kubeconfig file somewhere, and test it our by running ```kubectl --kubeconfig= get nodes``` + +Example output: +``` +[davidy:~/Downloads] 130 % kubectl --kubeconfig=penguins-are-the-sexiest-geeks-kubeconfig.yaml get nodes +NAME STATUS ROLES AGE VERSION +festive-merkle-8n9e Ready 20s v1.13.1 +[davidy:~/Downloads] % +``` + +In the example above, my nodes were being deployed. Repeat the command to see your nodes spring into existence: + +``` +[davidy:~/Downloads] % kubectl --kubeconfig=penguins-are-the-sexiest-geeks-kubeconfig.yaml get nodes +NAME STATUS ROLES AGE VERSION +festive-merkle-8n96 Ready 6s v1.13.1 +festive-merkle-8n9e Ready 34s v1.13.1 +[davidy:~/Downloads] % + +[davidy:~/Downloads] % kubectl --kubeconfig=penguins-are-the-sexiest-geeks-kubeconfig.yaml get nodes +NAME STATUS ROLES AGE VERSION +festive-merkle-8n96 Ready 30s v1.13.1 +festive-merkle-8n9a Ready 17s v1.13.1 +festive-merkle-8n9e Ready 58s v1.13.1 +[davidy:~/Downloads] % +``` + +That's it. You have a beautiful new kubernetes cluster ready for some action! + +## Move on.. + +Still with me? Good. Move on to creating your own external load balancer.. + +* [Start](/kubernetes/start/) - Why Kubernetes? +* [Design](/kubernetes/design/) - How does it fit together? +* Cluster (this page) - Setup a basic cluster +* [Load Balancer](/kubernetes/loadbalancer/) - Setup inbound access +* [Snapshots](/kubernetes/snapshots/) - Automatically backup your persistent data +* [Helm](/kubernetes/helm/) - Uber-recipes from fellow geeks +* [Traefik](/kubernetes/traefik/) - Traefik Ingress via Helm + + +## Chef's Notes + +1. Ok, yes, there's not much you can do with your cluster _yet_. But stay tuned, more Kubernetes fun to come! \ No newline at end of file diff --git a/manuscript/kubernetes/design.mde b/manuscript/kubernetes/design.mde new file mode 100644 index 0000000..926d108 --- /dev/null +++ b/manuscript/kubernetes/design.mde @@ -0,0 +1,129 @@ +# Design + +Like the [Docker Swarm](ha-docker-swarm/design/) "_private cloud_" design, the Kubernetes design is: + +* **Highly-available** (_can tolerate the failure of a single component_) +* **Scalable** (_can add resource or capacity as required_) +* **Portable** (_run it in DigitalOcean today, AWS tomorrow and Azure on Thursday_) +* **Secure** (_access protected with LetsEncrypt certificates_) +* **Automated** (_requires minimal care and feeding_) + +*Unlike* the Docker Swarm design, the Kubernetes design is: + +* **Cloud-Native** (_While you **can** [run your own Kubernetes cluster](https://microk8s.io/), it's far simpler to let someone else manage the infrastructure, freeing you to play with the fun stuff_) +* **Complex** (_Requires more basic elements, more verbose configuration, and provides more flexibility and customisability_) + +## Design Decisions + +**The design and recipes are provider-agnostic** + +This means that: + +* The design should work on GKE, AWS, DigitalOcean, Azure, or even MicroK8s +* Custom service elements specific to individual providers are avoided + +**The simplest solution to achieve the desired result will be preferred** + +This means that: + +* Persistent volumes from the cloud provider are used for all persistent storage +* We'll do things the "_Kubernetes way_", i.e., using secrets and configmaps, rather than trying to engineer around the Kubernetes basic building blocks. + +**Insofar as possible, the format of recipes will align with Docker Swarm** + +This means that: + +* We use Kubernetes namespaces to replicate Docker Swarm's "_per-stack_" networking and service discovery + +## Security + +Under this design, the only inbound connections we're permitting to our Kubernetes swarm are: + +### Network Flows + +* HTTPS (TCP 443) : Serves individual docker containers via SSL-encrypted reverse proxy (_Traefik_) +* Individual additional ports we choose to expose for specific recipes (_i.e., port 8443 for [MQTT](/recipes/mqtt/)_) + +### Authentication + +* Other than when an SSL-served application provides a trusted level of authentication, or where the application requires public exposure, applications served via Traefik will be protected with an OAuth proxy. + +## The challenges of external access + +Because we're Cloude-Native now, it's complex to get traffic **into** our cluster from outside. We basically have 3 options: + +1. **HostIP**: Map a port on the host to a service. This is analogous to Docker's port exposure, but lacking in that it restricts us to one host port per-container, and it's not possible to anticipate _which_ of your Kubernetes hosts is running a given container. Kubernetes does not have Docker Swarm's "routing mesh", allowing for simple load-balancing of incoming connections. + +2. **LoadBalancer**: Purchase a "loadbalancer" per-service from your cloud provider. While this is the simplest way to assure a fixed IP and port combination will always exist for your service, it has 2 significant limitations: + 1. Cost is prohibitive, at roughly $US10/month per port + 2. You won't get the _same_ fixed IP for multiple ports. So if you wanted to expose 443 and 25 (_webmail and smtp server, for example_), you'd find yourself assigned a port each on two **unique** IPs, a challenge for a single DNS-based service, like "_mail.batman.com_" + +3. **NodePort**: Expose our service as a port (_between 30000-32767_) on the host which happens to be running the service. This is challenging because you might want to expose port 443, but that's not possible with NodePort. + +To further complicate options #1 and #3 above, our cloud provider may, without notice, change the IP of the host running your containers (_O hai, Google!_). + +Our solution to these challenges is to employ a simple-but-effective solution which places an HAProxy instance in front of the services exposed by NodePort. For example, this allows us to expose a container on 443 as NodePort 30443, and to cause HAProxy to listen on port 443, and forward all requests to our Node's IP on port 30443, after which it'll be forwarded onto our container on the original port 443. + +We use a phone-home container, which calls a simple webhook on our haproxy VM, advising HAProxy to update its backend for the calling IP. This means that when our provider changes the host's IP, we automatically update HAProxy and keep-on-truckin'! + +Here's a high-level diagram: + +![Kubernetes Design](/images/kubernetes-cluster-design.png) + +## Overview + +So what's happening in the diagram above? I'm glad you asked - let's go through it! + +### Setting the scene + +In the diagram, we have a Kubernetes cluster comprised of 3 nodes. You'll notice that there's no visible master node. This is because most cloud providers will give you "_free_" master node, but you don't get to access it. The master node is just a part of the Kubernetes "_as-a-service_" which you're purchasing. + +Our nodes are partitioned into several namespaces, which logically separate our individual recipes. (_I.e., allowing both a "gitlab" and a "nextcloud" namespace to include a service named "db", which would be challenging without namespaces_) + +Outside of our cluster (_could be anywhere on the internet_) is a single VM servicing as a load-balancer, running HAProxy and a webhook service. This load-balancer is described in detail, [in its own section](/kubernetes/loadbalancer/), but what's important up-front is that this VM is the **only element of the design for which we need to provide a fixed IP address**. + +### 1 : The mosquitto pod + +In the "mqtt" namespace, we have a single pod, running 2 containers - the mqtt broker, and a "phone-home" container. + +Why 2 containers in one pod, instead of 2 independent pods? Because all the containers in a pod are **always** run on the same physical host. We're using the phone-home container as a simple way to call a webhook on the not-in-the-cluster VM. + +The phone-home container calls the webhook, and tells HAProxy to listen on port 8443, and to forward any incoming requests to port 30843 (_within the NodePort range_) on the IP of the host running the container (_and because of the pod, tho phone-home container is guaranteed to be on the same host as the MQTT container_). + +### 2 : The Traefik Ingress + +In the "default" namespace, we have a Traefik "Ingress Controller". An Ingress controller is a way to use a single port (_say, 443_) plus some intelligence (_say, a defined mapping of URLs to services_) to route incoming requests to the appropriate containers (_via services_). Basically, the Trafeik ingress does what [Traefik does for us under Docker Swarm](/docker-ha-swarm/traefik/). + +What's happening in the diagram is that a phone-home pod is tied to the traefik pod using affinity, so that both containers will be executed on the same host. Again, the phone-home container calls a webhook on the HAProxy VM, auto-configuring HAproxy to send any HTTPs traffic to its calling address and customer NodePort port number. + +When an inbound HTTPS request is received by Traefik, based on some internal Kubernetes elements (ingresses), Traefik provides SSL termination, and routes the request to the appropriate service (_In this case, either the GitLab UI or teh UniFi UI_) + +### 3 : The UniFi pod + +What's happening in the UniFi pod is a combination of #1 and #2 above. UniFi controller provides a webUI (_typically 8443, but we serve it via Traefik on 443_), plus some extra ports for device adoption, which are using a proprietary protocol, and can't be proxied with Traefik. + +To make both the webUI and the adoption ports work, we use a combination of an ingress for the webUI (_see #2 above_), and a phone-home container to tell HAProxy to forward port 8080 (_the adoption port_) directly to the host, using a NodePort-exposed service. + +This allows us to retain the use of a single IP for all controller functions, as accessed outside of the cluster. + +### 4 : The webhook + +Each phone-home container is calling a webhook on the HAProxy VM, secured with a secret shared token. The phone-home container passes the desired frontend port (i.e., 443), the corresponding NodeIP port (i.e., 30443), and the node's current public IP address. + +The webhook uses the provided details to update HAProxy for the combination of values, validate the config, and then restart HAProxy. + +### 5 : The user + +Finally, the DNS for all externally-accessible services is pointed to the IP of the HAProxy VM. On receiving an inbound request (_be it port 443, 8080, or anything else configured_), HAProxy will forward the request to the IP and NodePort port learned from the phone-home container. + +## Move on.. + +Still with me? Good. Move on to creating your cluster! + +* [Start](/kubernetes/start/) - Why Kubernetes? +* Design (this page) - How does it fit together? +* [Cluster](/kubernetes/cluster/) - Setup a basic cluster +* [Load Balancer](/kubernetes/loadbalancer/) - Setup inbound access +* [Snapshots](/kubernetes/snapshots/) - Automatically backup your persistent data +* [Helm](/kubernetes/helm/) - Uber-recipes from fellow geeks +* [Traefik](/kubernetes/traefik/) - Traefik Ingress via Helm \ No newline at end of file diff --git a/manuscript/kubernetes/diycluster.md b/manuscript/kubernetes/diycluster.md index 4d4620d..297bf4c 100644 --- a/manuscript/kubernetes/diycluster.md +++ b/manuscript/kubernetes/diycluster.md @@ -29,7 +29,7 @@ If you want to use minikube, there is a guide below but again, I recommend using they add in additional complexities to the installation as they require running a Linux based image running in a VM, that although minikube will manage, adds to the complexities. And - even then, who uses Windows or macOS in production anyways? 🙂 + even then, who uses Windows or macOS in production anyways? If you are serious about running on windows/macOS, check the official MiniKube guides [here](https://minikube.sigs.k8s.io/docs/start/) @@ -82,7 +82,7 @@ Then spin yourself up as many systems as you need with the following guide !!! note I am running a 3 node cluster, with nodes running on Ubuntu 19.04, all virtualized with VMWare ESXi - Your setup doesn't need to be as complex as mine, you can use 3 old Dell OptiPlex if you really want 🙂 + Your setup doesn't need to be as complex as mine, you can use 3 old Dell OptiPlex if you really want 1. Insert your installation medium into the machine, and boot it. 2. Select your language @@ -183,7 +183,7 @@ thomas-k3s-node1$ curl -sfL https://get.k3s.io | sh - [INFO] env: Creating environment file /etc/systemd/system/k3s.service.env [INFO] systemd: Creating service file /etc/systemd/system/k3s.service [INFO] systemd: Enabling k3s unit -Created symlink /etc/systemd/system/multi-user.target.wants/k3s.service → /etc/systemd/system/k3s.service. +Created symlink /etc/systemd/system/multi-user.target.wants/k3s.service /etc/systemd/system/k3s.service. [INFO] systemd: Starting k3s ``` @@ -284,7 +284,7 @@ That is all! You have yourself a Kubernetes cluster for you and your dog to enjo DRP or Digital Rebar Provisioning Tool is a tool designed to automatically setup your cluster, installing an operating system for you, and doing all the configuration like we did in the k3s setup. -This section is WIP, instead, try using the K3S guide above 🙂 +This section is WIP, instead, try using the K3S guide above ## Where from now @@ -304,7 +304,7 @@ This article, believe it or not, was not diced up by your regular chef (funkypen Instead, today's article was diced up by HexF, a fellow kiwi (hence a lot of kiwi references) who enjoys his sysadmin time. Feel free to talk to today's chef in the discord, or see one of his many other links that you can follow below -[Twitter](https://hexf.me/api/social/twitter/geekcookbook) • [Website](https://hexf.me/api/social/website/geekcookbook) • [Github](https://hexf.me/api/social/github/geekcookbook) +[Twitter](https://hexf.me/api/social/twitter/geekcookbook) [Website](https://hexf.me/api/social/website/geekcookbook) [Github](https://hexf.me/api/social/github/geekcookbook) + +Select one node to become your master, in my case `thomas-k3s-node1`. +Now SSH into this node, and run the following: + +```sh +localpc$ ssh thomas@thomas-k3s-node1 +Enter passphrase for key '/home/thomas/.ssh/id_rsa': [ssh key password] + +thomas-k3s-node1$ curl -sfL https://get.k3s.io | sh - +[sudo] password for thomas: [password entered in setup] +[INFO] Finding latest release +[INFO] Using v1.0.0 as release +[INFO] Downloading hash https://github.com/rancher/k3s/releases/download/v1.0.0/sha256sum-amd64.txt +[INFO] Downloading binary https://github.com/rancher/k3s/releases/download/v1.0.0/k3s +[INFO] Verifying binary download +[INFO] Installing k3s to /usr/local/bin/k3s +[INFO] Creating /usr/local/bin/kubectl symlink to k3s +[INFO] Creating /usr/local/bin/crictl symlink to k3s +[INFO] Creating /usr/local/bin/ctr symlink to k3s +[INFO] Creating killall script /usr/local/bin/k3s-killall.sh +[INFO] Creating uninstall script /usr/local/bin/k3s-uninstall.sh +[INFO] env: Creating environment file /etc/systemd/system/k3s.service.env +[INFO] systemd: Creating service file /etc/systemd/system/k3s.service +[INFO] systemd: Enabling k3s unit +Created symlink /etc/systemd/system/multi-user.target.wants/k3s.service → /etc/systemd/system/k3s.service. +[INFO] systemd: Starting k3s +``` + +Before we log out of the master, we need the token from it. +Make sure to note this token down +(please don't write it on paper, use something like `notepad` or `vim`, it's ~100 characters) + +```sh +thomas-k3s-node1$ sudo cat /var/lib/rancher/k3s/server/node-token +K1097e226f95f56d90a4bab7151... +``` + +Make sure all nodes can access each other by hostname, whether you add them to `/etc/hosts` or to your DNS server + +Now that you have your master node setup, you can now add worker nodes + +SSH into the other nodes, and run the following making sure to replace values with ones that suit your installation + +```sh +localpc$ ssh thomas@thomas-k3s-node2 +Enter passphrase for key '/home/thomas/.ssh/id_rsa': [ssh key password] + +thomas-k3s-node2$ curl -sfL https://get.k3s.io | K3S_URL=https://thomas-k3s-node1:6443 K3S_TOKEN=K1097e226f95f56d90a4bab7151... sh - +``` + +Now test your installation! + +SSH into your master node + +```sh +ssh thomas@thomas-k3s-node1 +Enter passphrase for key '/home/thomas/.ssh/id_rsa': [ssh key password] + +thomas-k3s-node1$ sudo kubectl get nodes + +NAME STATUS ROLES AGE VERSION +thomas-k3s-node1 Ready master 15m3s v1.16.3-k3s.2 +thomas-k3s-node2 Ready 6m58s v1.16.3-k3s.2 +thomas-k3s-node3 Ready 6m12s v1.16.3-k3s.2 +``` + +If you got Ready for all your nodes, Well Done! Your k3s cluster is now running! If not try getting help in our discord. + +### Post-Installation + +Now you can get yourself a kubeconfig for your cluster. +SSH into your master node, and run the following + +```sh +localpc$ ssh thomas@thomas-k3s-node1 +Enter passphrase for key '/home/thomas/.ssh/id_rsa': [ssh key password] + +thomas-k3s-node1$ sudo kubectl config view --flatten +apiVersion: v1 +clusters: +- cluster: + certificate-authority-data: LS0tLS1CRUdJTiBD... + server: https://127.0.0.1:6443 + name: default +contexts: +- context: + cluster: default + user: default + name: default +current-context: default +kind: Config +preferences: {} +users: +- name: default + user: + password: thisishowtolosecontrolofyourk3s + username: admin +``` + +Make sure to change `clusters.cluster.server` to have the master node's name instead of `127.0.0.1`, in my case making it `https://thomas-k3s-node1:6443` + +!!! warning + This kubeconfig file can grant full access to your Kubernetes installation, I recommend you protect this file just as well as you protect your passwords + +You will probably want to save this kubeconfig file into a file on your local machine, say `my-k3s-cluster.yml` or `where-8-hours-of-my-life-went.yml`. +Now test it out! + +```sh +localpc$ kubectl --kubeconfig=my-k3s-cluster.yml get nodes +NAME STATUS ROLES AGE VERSION +thomas-k3s-node1 Ready master 495m v1.16.3-k3s.2 +thomas-k3s-node2 Ready 488m v1.16.3-k3s.2 +thomas-k3s-node3 Ready 487m v1.16.3-k3s.2 +``` + + + +That is all! You have yourself a Kubernetes cluster for you and your dog to enjoy. + +## DRP + +DRP or Digital Rebar Provisioning Tool is a tool designed to automatically setup your cluster, installing an operating system for you, and doing all the configuration like we did in the k3s setup. + +This section is WIP, instead, try using the K3S guide above 🙂 + +## Where from now + +Now that you have wasted half a lifetime on installing your very own cluster, you can install more to it. Like a load balancer! + +* [Start](/kubernetes/start/) - Why Kubernetes? +* [Design](/kubernetes/design/) - How does it fit together? +* Cluster (this page) - Setup a basic cluster +* [Load Balancer](/kubernetes/loadbalancer/) - Setup inbound access +* [Snapshots](/kubernetes/snapshots/) - Automatically backup your persistent data +* [Helm](/kubernetes/helm/) - Uber-recipes from fellow geeks +* [Traefik](/kubernetes/traefik/) - Traefik Ingress via Helm + +## About your Chef + +This article, believe it or not, was not diced up by your regular chef (funkypenguin). +Instead, today's article was diced up by HexF, a fellow kiwi (hence a lot of kiwi references) who enjoys his sysadmin time. +Feel free to talk to today's chef in the discord, or see one of his many other links that you can follow below + +[Twitter](https://hexf.me/api/social/twitter/geekcookbook) • [Website](https://hexf.me/api/social/website/geekcookbook) • [Github](https://hexf.me/api/social/github/geekcookbook) + + diff --git a/manuscript/kubernetes/helm.md b/manuscript/kubernetes/helm.md index a255b0d..4d8af81 100644 --- a/manuscript/kubernetes/helm.md +++ b/manuscript/kubernetes/helm.md @@ -10,7 +10,7 @@ ## Ingredients 1. [Kubernetes cluster](https://geek-cookbook.funkypenguin.co.nz/)kubernetes/cluster/) -2. Geek-Fu required : 🐤 (_easy - copy and paste_) +2. Geek-Fu required : (_easy - copy and paste_) ## Preparation diff --git a/manuscript/kubernetes/helm.mde b/manuscript/kubernetes/helm.mde new file mode 100644 index 0000000..a4c024a --- /dev/null +++ b/manuscript/kubernetes/helm.mde @@ -0,0 +1,62 @@ +# Helm + +[Helm](https://github.com/helm/helm) is a tool for managing Kubernetes "charts" (_think of it as an uber-polished collection of recipes_). Using one simple command, and by tweaking one simple config file (values.yaml), you can launch a complex stack. There are many publicly available helm charts for popular packages like [elasticsearch](https://github.com/helm/charts/tree/master/stable/elasticsearch), [ghost](https://github.com/helm/charts/tree/master/stable/ghost), [grafana](https://github.com/helm/charts/tree/master/stable/grafana), [mediawiki](https://github.com/helm/charts/tree/master/stable/mediawiki), etc. + +![Kubernetes Snapshots](/images/kubernetes-helm.png) + +!!! note + Given enough interest, I may provide a helm-compatible version of the pre-mix repository for [supporters](/support/). [Hit me up](/whoami/#contact-me) if you're interested! + +## Ingredients + +1. [Kubernetes cluster](/kubernetes/cluster/) +2. Geek-Fu required : 🐤 (_easy - copy and paste_) + +## Preparation + +### Install Helm + +This section is from the Helm README: + +Binary downloads of the Helm client can be found on [the Releases page](https://github.com/helm/helm/releases/latest). + +Unpack the `helm` binary and add it to your PATH and you are good to go! + +If you want to use a package manager: + +- [Homebrew](https://brew.sh/) users can use `brew install kubernetes-helm`. +- [Chocolatey](https://chocolatey.org/) users can use `choco install kubernetes-helm`. +- [Scoop](https://scoop.sh/) users can use `scoop install helm`. +- [GoFish](https://gofi.sh/) users can use `gofish install helm`. + +To rapidly get Helm up and running, start with the [Quick Start Guide](https://docs.helm.sh/using_helm/#quickstart-guide). + +See the [installation guide](https://docs.helm.sh/using_helm/#installing-helm) for more options, +including installing pre-releases. + + +## Serving + +### Initialise Helm + +After installing Helm, initialise it by running ```helm init```. This will install "tiller" pod into your cluster, which works with the locally installed helm binaries to launch/update/delete Kubernetes elements based on helm charts. + +That's it - not very exciting I know, but we'll need helm for the next and final step in building our Kubernetes cluster - deploying the [Traefik ingress controller (via helm)](/kubernetes/traefik/)! + +## Move on.. + +Still with me? Good. Move on to understanding Helm charts... + +* [Start](/kubernetes/start/) - Why Kubernetes? +* [Design](/kubernetes/design/) - How does it fit together? +* [Cluster](/kubernetes/cluster/) - Setup a basic cluster +* [Load Balancer](/kubernetes/loadbalancer/) Setup inbound access +* [Snapshots](/kubernetes/snapshots/) - Automatically backup your persistent data +* Helm (this page) - Uber-recipes from fellow geeks +* [Traefik](/kubernetes/traefik/) - Traefik Ingress via Helm + + + +## Chef's Notes + +1. Of course, you can have lots of fun deploying all sorts of things via Helm. Check out https://github.com/helm/charts for some examples. \ No newline at end of file diff --git a/manuscript/kubernetes/loadbalancer.md b/manuscript/kubernetes/loadbalancer.md index b3ae322..b6974b1 100644 --- a/manuscript/kubernetes/loadbalancer.md +++ b/manuscript/kubernetes/loadbalancer.md @@ -14,7 +14,7 @@ This recipe details a simple design to permit the exposure of as many ports as y 1. [Kubernetes cluster](https://geek-cookbook.funkypenguin.co.nz/)kubernetes/cluster/) 2. VM _outside_ of Kubernetes cluster, with a fixed IP address. Perhaps, on a [$5/month Digital Ocean Droplet](https://www.digitalocean.com/?refcode=e33b78ad621b).. (_yes, another referral link. Mooar for me!_) -3. Geek-Fu required : 🐧🐧🐧 (_complex - inline adjustments required_) +3. Geek-Fu required : (_complex - inline adjustments required_) ## Preparation @@ -331,4 +331,4 @@ Still with me? Good. Move on to setting up an ingress SSL terminating proxy with ## Chef's Notes -1. This is MVP of the load balancer solution. Any suggestions for improvements are welcome 😉 \ No newline at end of file +1. This is MVP of the load balancer solution. Any suggestions for improvements are welcome \ No newline at end of file diff --git a/manuscript/kubernetes/loadbalancer.mde b/manuscript/kubernetes/loadbalancer.mde new file mode 100644 index 0000000..436b686 --- /dev/null +++ b/manuscript/kubernetes/loadbalancer.mde @@ -0,0 +1,334 @@ +# Load Balancer + +One of the issues I encountered early on in migrating my Docker Swarm workloads to Kubernetes on GKE, was how to reliably permit inbound traffic into the cluster. + +There were several complications with the "traditional" mechanisms of providing a load-balanced ingress, not the least of which was cost. I also found that even if I paid my cloud provider (_Google_) for a load-balancer Kubernetes service, this service required a unique IP per exposed port, which was incompatible with my mining pool empire (_mining pools need to expose multiple ports on the same DNS name_). + +See further examination of the problem and possible solutions in the [Kubernetes design](kubernetes/design/#the-challenges-of-external-access) page. + +This recipe details a simple design to permit the exposure of as many ports as you like, on a single public IP, to a cluster of Kubernetes nodes running as many pods/containers as you need, with services exposed via NodePort. + +![Kubernetes Design](/images/kubernetes-cluster-design.png) + +## Ingredients + +1. [Kubernetes cluster](/kubernetes/cluster/) +2. VM _outside_ of Kubernetes cluster, with a fixed IP address. Perhaps, on a [$5/month Digital Ocean Droplet](https://www.digitalocean.com/?refcode=e33b78ad621b).. (_yes, another referral link. Mooar 🍷 for me!_) +3. Geek-Fu required : 🐧🐧🐧 (_complex - inline adjustments required_) + + +## Preparation + +### Summary + +### Create LetsEncrypt certificate + +!!! warning + Safety first, folks. You wouldn't run a webhook exposed to the big bad ol' internet without first securing it with a valid SSL certificate? Of course not, I didn't think so! + +Use whatever method you prefer to generate (and later, renew) your LetsEncrypt cert. The example below uses the CertBot docker image for CloudFlare DNS validation, since that's what I've used elsewhere. + +We **could** run our webhook as a simple HTTP listener, but really, in a world where LetsEncrypt cacn assign you a wildcard certificate in under 30 seconds, thaht's unforgivable. Use the following **general** example to create a LetsEncrypt wildcard cert for your host: + +In my case, since I use CloudFlare, I create /etc/webhook/letsencrypt/cloudflare.ini: + +``` +dns_cloudflare_email=davidy@funkypenguin.co.nz +dns_cloudflare_api_key=supersekritnevergonnatellyou +``` + +I request my cert by running: +``` +cd /etc/webhook/ +docker run -ti --rm -v "$(pwd)"/letsencrypt:/etc/letsencrypt certbot/dns-cloudflare --preferred-challenges dns certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d ''*.funkypenguin.co.nz' +``` + +!!! question + Why use a wildcard cert? So my enemies can't examine my certs to enumerate my various services and discover my weaknesses, of course! + +I add the following as a cron command to renew my certs every day: + +``` +cd /etc/webhook && docker run -ti --rm -v "$(pwd)"/letsencrypt:/etc/letsencrypt certbot/dns-cloudflare renew --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini +``` + +Once you've confirmed you've got a valid LetsEncrypt certificate stored in ```/etc/webhook/letsencrypt/live//fullcert.pem```, proceed to the next step.. + +### Install webhook + +We're going to use https://github.com/adnanh/webhook to run our webhook. On some distributions (_❤️ ya, Debian!_), webhook and its associated systemd config can be installed by running ```apt-get install webhook```. + +### Create webhook config + +We'll create a single webhook, by creating ```/etc/webhook/hooks.json``` as follows. Choose a nice secure random string for your MY_TOKEN value! + +``` +mkdir /etc/webhook +export MY_TOKEN=ilovecheese +echo << EOF > /etc/webhook/hooks.json +[ + { + "id": "update-haproxy", + "execute-command": "/etc/webhook/update-haproxy.sh", + "command-working-directory": "/etc/webhook", + "pass-arguments-to-command": + [ + { + "source": "payload", + "name": "name" + }, + { + "source": "payload", + "name": "frontend-port" + }, + { + "source": "payload", + "name": "backend-port" + }, + { + "source": "payload", + "name": "dst-ip" + }, + { + "source": "payload", + "name": "action" + } + ], + "trigger-rule": + { + "match": + { + "type": "value", + "value": "$MY_TOKEN", + "parameter": + { + "source": "header", + "name": "X-Funkypenguin-Token" + } + } + } + } +] +EOF +``` + +!!! note + Note that to avoid any bozo from calling our we're matching on a token header in the request called ```X-Funkypenguin-Token```. Webhook will **ignore** any request which doesn't include a matching token in the request header. + +### Update systemd for webhook + +!!! note + This section is particular to Debian Stretch and its webhook package. If you're using another OS for your VM, just ensure that you can start webhook with a config similar to the one illustrated below. + +Since we want to force webhook to run in secure mode (_no point having a token if it can be extracted from a simple packet capture!_) I ran ```systemctl edit webhook```, and pasted in the following: + +``` +[Service] +# Override the default (non-secure) behaviour of webhook by passing our certificate details and custom hooks.json location +ExecStart= +ExecStart=/usr/bin/webhook -hooks /etc/webhook/hooks.json -verbose -secure -cert /etc/webhook/letsencrypt/live/funkypenguin.co.nz/fullchain.pem -key /etc/webhook/letsencrypt/live/funkypenguin.co.nz/privkey.pem +``` + +Then I restarted webhook by running ```systemctl enable webhook && systemctl restart webhook```. I watched the subsequent logs by running ```journalctl -u webhook -f``` + +### Create /etc/webhook/update-haproxy.sh + +When successfully authenticated with our top-secret token, our webhook will execute a local script, defined as follows (_yes, you should create this file_): + +``` +#!/bin/bash + +NAME=$1 +FRONTEND_PORT=$2 +BACKEND_PORT=$3 +DST_IP=$4 +ACTION=$5 + +# Bail if we haven't received our expected parameters +if [[ "$#" -ne 5 ]] +then + echo "illegal number of parameters" + exit 2; +fi + +# Either add or remove a service based on $ACTION +case $ACTION in + add) + # Create the portion of haproxy config + cat << EOF > /etc/webhook/haproxy/$FRONTEND_PORT.inc +### >> Used to run $NAME:${FRONTEND_PORT} +frontend ${FRONTEND_PORT}_frontend + bind *:$FRONTEND_PORT + mode tcp + default_backend ${FRONTEND_PORT}_backend + +backend ${FRONTEND_PORT}_backend + mode tcp + balance roundrobin + stick-table type ip size 200k expire 30m + stick on src + server s1 $DST_IP:$BACKEND_PORT +### << Used to run $NAME:$FRONTEND_PORT +EOF + ;; + delete) + rm /etc/webhook/haproxy/$FRONTEND_PORT.inc + ;; + *) + echo "Invalid action $ACTION" + exit 2 +esac + +# Concatenate all the haproxy configs into a single file +cat /etc/webhook/haproxy/global /etc/webhook/haproxy/*.inc > /etc/webhook/haproxy/pre_validate.cfg + +# Validate the generated config +haproxy -f /etc/webhook/haproxy/pre_validate.cfg -c + +# If validation was successful, only _then_ copy it over to /etc/haproxy/haproxy.cfg, and reload +if [[ $? -gt 0 ]] +then + echo "HAProxy validation failed, not continuing" + exit 2 +else + # Remember what the original file looked like + m1=$(md5sum "/etc/haproxy/haproxy.cfg") + + # Overwrite the original file + cp /etc/webhook/haproxy/pre_validate.cfg /etc/haproxy/haproxy.cfg + + # Get MD5 of new file + m2=$(md5sum "/etc/haproxy/haproxy.cfg") + + # Only if file has changed, then we need to reload haproxy + if [ "$m1" != "$m2" ] ; then + echo "HAProxy config has changed, reloading" + systemctl reload haproxy + fi +fi +``` + +### Create /etc/webhook/haproxy/global + +Create ```/etc/webhook/haproxy/global``` and populate with something like the following. This will be the non-dynamically generated part of our HAProxy config: + +``` +global + log /dev/log local0 + log /dev/log local1 notice + chroot /var/lib/haproxy + stats socket /run/haproxy/admin.sock mode 660 level admin + stats timeout 30s + user haproxy + group haproxy + daemon + + # Default SSL material locations + ca-base /etc/ssl/certs + crt-base /etc/ssl/private + + # Default ciphers to use on SSL-enabled listening sockets. + # For more information, see ciphers(1SSL). This list is from: + # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ + # An alternative list with additional directives can be obtained from + # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy + ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS + ssl-default-bind-options no-sslv3 + +defaults + log global + mode tcp + option tcplog + option dontlognull + timeout connect 5000 + timeout client 5000000 + timeout server 5000000 + errorfile 400 /etc/haproxy/errors/400.http + errorfile 403 /etc/haproxy/errors/403.http + errorfile 408 /etc/haproxy/errors/408.http + errorfile 500 /etc/haproxy/errors/500.http + errorfile 502 /etc/haproxy/errors/502.http + errorfile 503 /etc/haproxy/errors/503.http + errorfile 504 /etc/haproxy/errors/504.http +``` + +## Serving + +### Take the bait! + +Whew! We now have all the components of our automated load-balancing solution in place. Browse to your VM's FQDN at https://whatever.it.is:9000/hooks/update-haproxy, and you should see the text "_Hook rules were not satisfied_", with a valid SSL certificate (_You didn't send a token_). + +If you don't see the above, then check the following: + +1. Does the webhook verbose log (```journalctl -u webhook -f```) complain about invalid arguments or missing files? +2. Is port 9000 open to the internet on your VM? + +### Apply to pods + +You'll see me use this design in any Kubernetes-based recipe which requires container-specific ports, like UniFi. Here's an excerpt of the .yml which defines the UniFi controller: + +``` + +spec: + containers: + - image: linuxserver/unifi + name: controller + volumeMounts: + - name: controller-volumeclaim + mountPath: /config + - image: funkypenguin/poor-mans-k8s-lb + imagePullPolicy: Always + name: 8080-phone-home + env: + - name: REPEAT_INTERVAL + value: "600" + - name: FRONTEND_PORT + value: "8080" + - name: BACKEND_PORT + value: "30808" + - name: NAME + value: "unifi-adoption" + - name: WEBHOOK + value: "https://my-secret.url.wouldnt.ya.like.to.know:9000/hooks/update-haproxy" + - name: WEBHOOK_TOKEN + valueFrom: + secretKeyRef: + name: unifi-credentials + key: webhook_token.secret + +``` + +The takeaways here are: + +1. We add the funkypenguin/poor-mans-k8s-lb containier to any pod which has special port requirements, forcing the container to run on the same node as the other containers in the pod (_in this case, the UniFi controller_) +2. We use a Kubernetes secret for the webhook token, so that our .yml can be shared without exposing sensitive data + +Here's what the webhook logs look like when the above is added to the UniFi deployment: + +``` +Feb 06 23:04:28 haproxy2 webhook[1433]: [webhook] 2019/02/06 23:04:28 Started POST /hooks/update-haproxy +Feb 06 23:04:28 haproxy2 webhook[1433]: [webhook] 2019/02/06 23:04:28 update-haproxy got matched +Feb 06 23:04:28 haproxy2 webhook[1433]: [webhook] 2019/02/06 23:04:28 update-haproxy hook triggered successfully +Feb 06 23:04:28 haproxy2 webhook[1433]: [webhook] 2019/02/06 23:04:28 Completed 200 OK in 2.123921ms +Feb 06 23:04:28 haproxy2 webhook[1433]: [webhook] 2019/02/06 23:04:28 executing /etc/webhook/update-haproxy.sh (/etc/webhook/update-haproxy.sh) with arguments ["/etc/webhook/update-haproxy.sh" "unifi-adoption" "8080" "30808" "35.244.91.178" "add"] and environment [] using /etc/webhook as cwd +Feb 06 23:04:28 haproxy2 webhook[1433]: [webhook] 2019/02/06 23:04:28 command output: Configuration file is valid + +``` + + +## Move on.. + +Still with me? Good. Move on to setting up an ingress SSL terminating proxy with Traefik.. + +* [Start](/kubernetes/start/) - Why Kubernetes? +* [Design](/kubernetes/design/) - How does it fit together? +* [Cluster](/kubernetes/cluster/) - Setup a basic cluster +* Load Balancer (this page) - Setup inbound access +* [Snapshots](/kubernetes/snapshots/) - Automatically backup your persistent data +* [Helm](/kubernetes/helm/) - Uber-recipes from fellow geeks +* [Traefik](/kubernetes/traefik/) - Traefik Ingress via Helm + + +## Chef's Notes + +1. This is MVP of the load balancer solution. Any suggestions for improvements are welcome 😉 \ No newline at end of file diff --git a/manuscript/kubernetes/snapshots.md b/manuscript/kubernetes/snapshots.md index 25aca3b..7bcb3bd 100644 --- a/manuscript/kubernetes/snapshots.md +++ b/manuscript/kubernetes/snapshots.md @@ -15,7 +15,7 @@ This recipe employs a clever tool ([miracle2k/k8s-snapshots](https://github.com/ ## Ingredients 1. [Kubernetes cluster](https://geek-cookbook.funkypenguin.co.nz/)kubernetes/cluster/) with either AWS or GKE (currently, but apparently other providers are [easy to implement](https://github.com/miracle2k/k8s-snapshots/blob/master/k8s_snapshots/backends/abstract.py)) -2. Geek-Fu required : 🐒🐒 (_medium - minor adjustments may be required_) +2. Geek-Fu required : (_medium - minor adjustments may be required_) ## Preparation diff --git a/manuscript/kubernetes/snapshots.mde b/manuscript/kubernetes/snapshots.mde new file mode 100644 index 0000000..69dd02c --- /dev/null +++ b/manuscript/kubernetes/snapshots.mde @@ -0,0 +1,180 @@ +# Snapshots + +Before we get carried away creating pods, services, deployments etc, let's spare a thought for _security_... (_DevSecPenguinOps, here we come!_). In the context of this recipe, security refers to safe-guarding your data from accidental loss, as well as malicious impact. + +Under [Docker Swarm](/ha-docker-swarm/design/), we used [shared storage](/ha-docker-swarm/shared-storage-ceph/) with [Duplicity](/recipes/duplicity/) (or [ElkarBackup](recipes/elkarbackup/)) to automate backups of our persistent data. + +Now that we're playing in the deep end with Kubernetes, we'll need a Cloud-native backup solution... + +It bears repeating though - don't be like [Cameron](http://haltandcatchfire.wikia.com/wiki/Cameron_Howe). Backup your stuff. + + + +This recipe employs a clever tool ([miracle2k/k8s-snapshots](https://github.com/miracle2k/k8s-snapshots)), running _inside_ your cluster, to trigger automated snapshots of your persistent volumes, using your cloud provider's APIs. + +## Ingredients + +1. [Kubernetes cluster](/kubernetes/cluster/) with either AWS or GKE (currently, but apparently other providers are [easy to implement](https://github.com/miracle2k/k8s-snapshots/blob/master/k8s_snapshots/backends/abstract.py)) +2. Geek-Fu required : 🐒🐒 (_medium - minor adjustments may be required_) + +## Preparation + +### Create RoleBinding (GKE only) + +If you're running GKE, run the following to create a RoleBinding, allowing your user to grant rights-it-doesn't-currently-have to the service account responsible for creating the snapshots: + +```kubectl create clusterrolebinding your-user-cluster-admin-binding \ + --clusterrole=cluster-admin --user=``` + +!!! question + Why do we have to do this? Check [this blog post](https://www.funkypenguin.co.nz/workaround-blocked-attempt-to-grant-extra-privileges-on-gke/) for details + +### Apply RBAC + +If your cluster is RBAC-enabled (_it probably is_), you'll need to create a ClusterRole and ClusterRoleBinding to allow k8s_snapshots to see your PVs and friends: + +``` +kubectl apply -f https://raw.githubusercontent.com/miracle2k/k8s-snapshots/master/rbac.yaml +``` + +## Serving + +### Deploy the pod + +Ready? Run the following to create a deployment in to the kube-system namespace: + +``` +cat <``` + +### Pick PVs to snapshot + +k8s-snapshots relies on annotations to tell it how frequently to snapshot your PVs. A PV requires the ```backup.kubernetes.io/deltas``` annotation in order to be snapshotted. + +From the k8s-snapshots README: + +``` +The generations are defined by a list of deltas formatted as ISO 8601 durations (this differs from tarsnapper). PT60S or PT1M means a minute, PT12H or P0.5D is half a day, P1W or P7D is a week. The number of backups in each generation is implied by it's and the parent generation's delta. + +For example, given the deltas PT1H P1D P7D, the first generation will consist of 24 backups each one hour older than the previous (or the closest approximation possible given the available backups), the second generation of 7 backups each one day older than the previous, and backups older than 7 days will be discarded for good. + +The most recent backup is always kept. + +The first delta is the backup interval. +``` + +To add the annotation to an existing PV, run something like this: + +``` +kubectl patch pv pvc-01f74065-8fe9-11e6-abdd-42010af00148 -p \ + '{"metadata": {"annotations": {"backup.kubernetes.io/deltas": "P1D P30D P360D"}}}' +``` + +To add the annotation to a _new_ PV, add the following annotation to your **PVC**: + +``` +backup.kubernetes.io/deltas: PT1H P2D P30D P180D +``` + +Here's an example of the PVC for the UniFi recipe, which includes 7 daily snapshots of the PV: + +``` +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: controller-volumeclaim + namespace: unifi + annotations: + backup.kubernetes.io/deltas: P1D P7D +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi +``` + +And here's what my snapshot list looks like after a few days: + +![Kubernetes Snapshots](/images/kubernetes-snapshots.png) + +### Snapshot a non-Kubernetes volume (optional) + +If you're running traditional compute instances with your cloud provider (I do this for my poor man's load balancer), you might want to backup _these_ volumes as well. + +To do so, first create a custom resource, ```SnapshotRule```: + +``` +cat < + +## Wait, what? + +Why would you want to use Kubernetes for your self-hosted recipes over simple Docker Swarm? Here's my personal take.. + +I use Docker swarm both at home (_on a single-node swarm_), and on a trio of Ubuntu 16.04 VPSs in a shared lab OpenStack environment. + +In both cases above, I'm responsible for maintaining the infrastructure supporting Docker - either the physical host, or the VPS operating systems. + +I started experimenting with Kubernetes as a plan to improve the reliability of my cryptocurrency mining pools (_the contended lab VPSs negatively impacted the likelihood of finding a block_), and as a long-term replacement for my aging home server. + +What I enjoy about building recipes and self-hosting is **not** the operating system maintenance, it's the tools and applications that I can quickly launch in my swarms. If I could **only** play with the applications, and not bother with the maintenance, I totally would. + +Kubernetes (_on a cloud provider, mind you!_) does this for me. I feed Kubernetes a series of YAML files, and it takes care of all the rest, including version upgrades, node failures/replacements, disk attach/detachments, etc. + +## Uggh, it's so complicated! + +Yes, but that's a necessary sacrifice for the maturity, power and flexibility it offers. Like docker-compose syntax, Kubernetes uses YAML to define its various, interworking components. + +Let's talk some definitions. Kubernetes.io provides a [glossary](https://kubernetes.io/docs/reference/glossary/?fundamental=true). My definitions are below: + +* **Node** : A compute instance which runs docker containers, managed by a cluster master. + +* **Cluster** : One or more "worker nodes" which run containers. Very similar to a Docker Swarm node. In most cloud provider deployments, the [master node for your cluster is provided free of charge](https://www.sdxcentral.com/articles/news/google-eliminates-gke-management-fees-kubernetes-clusters/2017/11/), but you don't get to access it. + +* **Pod** : A collection of one or more the containers. If a pod runs multiple containers, these containers always run on the same node. + +* **Deployment** : A definition of a desired state. I.e., "I want a pod with containers A and B running". The Kubernetes master then ensures that any changes necessary to maintain the state are taken. (_I.e., if a pod crashes, but is supposed to be running, a new pod will be started_) + +* **Service** : Unlike Docker Swarm, service discovery is not _built in_ to Kubernetes. For your pods to discover each other (say, to have "webserver" talk to "database"), you create a service for each pod, and refer to these services when you want your containers (_in pods_) to talk to each other. Complicated, yes, but the abstraction allows you to do powerful things, like auto-scale-up a bunch of database "pods" behind a service called "database", or perform a rolling container image upgrade with zero impact. + +* **External access** : Services not only allow pods to discover each other, but they're also the mechanism through which the outside world can talk to a container. At the simplest level, this is akin to exposing a container port on a docker host. + +* **Ingress** : When mapping ports to applications is inadequate (think virtual web hosts), an ingress is a sort of "inbound router" which can receive requests on one port (i.e., HTTPS), and forward them to a variety of internal pods, based on things like VHOST, etc. For us, this is the functional equivalent of what Traefik does in Docker Swarm. In fact, we use a Traefik Ingress in Kubernetes to accomplish the same. + +* **Persistent Volume** : A virtual disk which is attached to a pod, storing persistent data. Meets the requirement for shared storage from Docker Swarm. I.e., if a persistent volume (PV) is bound to a pod, and the pod dies and is recreated, or get upgraded to a new image, the PV the data is bound to the new container. PVs can be "claimed" in a YAML definition, so that your Kubernetes provider will auto-create a PV when you launch your pod. PVs can be snapshotted. + +* **Namespace** : An abstraction to separate a collection of pods, services, ingresses, etc. A "virtual cluster within a cluster". Can be used for security, or simplicity. For example, since we don't have individual docker stacks anymore, if you commonly name your database container "db", and you want to deploy two applications which both use a database container, how will you name your services? Use namespaces to keep each application ("nextcloud" vs "kanboard") separate. Namespaces also allow you to allocate resources **limits** to the aggregate of containers in a namespace, so you could, for example, limit the "nextcloud" namespace to 2.3 CPUs and 1200MB RAM. + +## Mm.. maaaaybe, how do I start? + +If you're like me, and you learn by doing, either play with the examples at https://labs.play-with-k8s.com/, or jump right in by setting up a Google Cloud trial (_you get $300 credit for 12 months_), or a small cluster on [Digital Ocean](/kubernetes/digitalocean/). + +If you're the learn-by-watching type, just search for "Kubernetes introduction video". There's a **lot** of great content available. + +## I'm ready, gimme some recipes! + +As of Jan 2019, our first (_and only!_) Kubernetes recipe is a WIP for the Mosquitto [MQTT](/recipes/mqtt/) broker. It's a good, simple starter if you're into home automation (_shoutout to [Home Assistant](/recipes/homeassistant/)!_), since it only requires a single container, and a simple NodePort service. + +I'd love for your [feedback](/support/) on the Kubernetes recipes, as well as suggestions for what to add next. The current rough plan is to replicate the Chef's Favorites recipes (_see the left-hand panel_) into Kubernetes first. + +## Move on.. + +Still with me? Good. Move on to reviewing the design elements + +* Start (this page) - Why Kubernetes? +* [Design](/kubernetes/design/) - How does it fit together? +* [Cluster](/kubernetes/cluster/) - Setup a basic cluster +* [Load Balancer](/kubernetes/loadbalancer/) - Setup inbound access +* [Snapshots](/kubernetes/snapshots/) - Automatically backup your persistent data +* [Helm](/kubernetes/helm/) - Uber-recipes from fellow geeks +* [Traefik](/kubernetes/traefik/) - Traefik Ingress via Helm \ No newline at end of file diff --git a/manuscript/kubernetes/traefik.md b/manuscript/kubernetes/traefik.md index 0862fb5..44d597d 100644 --- a/manuscript/kubernetes/traefik.md +++ b/manuscript/kubernetes/traefik.md @@ -188,7 +188,7 @@ helm upgrade --values values.yml traefik stable/traefik --recreate-pods ## Review -We're doneburgers! 🍔 We now have all the pieces to safely deploy recipes into our Kubernetes cluster, knowing: +We're doneburgers! We now have all the pieces to safely deploy recipes into our Kubernetes cluster, knowing: 1. Our HTTPS traffic will be secured with LetsEncrypt (thanks Traefik!) 2. Our non-HTTPS ports (like UniFi adoption) will be load-balanced using an free-to-scale [external load balancer](https://geek-cookbook.funkypenguin.co.nz/)kubernetes/loadbalancer/) diff --git a/manuscript/kubernetes/traefik.mde b/manuscript/kubernetes/traefik.mde new file mode 100644 index 0000000..8a7dfd9 --- /dev/null +++ b/manuscript/kubernetes/traefik.mde @@ -0,0 +1,214 @@ +# Traefik + +This recipe utilises the [traefik helm chart](https://github.com/helm/charts/tree/master/stable/traefik) to proving LetsEncrypt-secured HTTPS access to multiple containers within your cluster. + +## Ingredients + +1. [Kubernetes cluster](/kubernetes/cluster/) +2. [Helm](/kubernetes/helm/) installed and initialised in your cluster + +## Preparation + +### Clone helm charts + +Clone the helm charts, by running: + +``` +git clone https://github.com/helm/charts +``` + +Change to stable/traefik: + +``` +cd charts/stable/traefik +``` + +### Edit values.yaml + +The beauty of the helm approach is that all the complexity of the Kubernetes elements' YAML files are hidden from you (created using templates), and all your changes go into values.yaml. + +These are my values, you'll need to adjust for your own situation: + +``` +imageTag: alpine +serviceType: NodePort +# yes, we're not listening on 80 or 443 because we don't want to pay for a loadbalancer IP to do this. I use poor-mans-k8s-lb instead +service: + nodePorts: + http: 30080 + https: 30443 +cpuRequest: 1m +memoryRequest: 100Mi +cpuLimit: 1000m +memoryLimit: 500Mi + +ssl: + enabled: true + enforced: true +debug: + enabled: false + +rbac: + enabled: true +dashboard: + enabled: true + domain: traefik.funkypenguin.co.nz +kubernetes: + # set these to all the namespaces you intend to use. I standardize on one-per-stack. You can always add more later + namespaces: + - kube-system + - unifi + - kanboard + - nextcloud + - huginn + - miniflux +accessLogs: + enabled: true +acme: + persistence: + enabled: true + # Add the necessary annotation to backup ACME store with k8s-snapshots + annotations: { "backup.kubernetes.io/deltas: P1D P7D" } + staging: false + enabled: true + logging: true + email: "" + challengeType: "dns-01" + dnsProvider: + name: cloudflare + cloudflare: + CLOUDFLARE_EMAIL: "" + domains: + enabled: true + domainsList: + - main: "*.funkypenguin.co.nz" # name of the wildcard domain name for the certificate + - sans: + - "funkypenguin.co.nz" +metrics: + prometheus: + enabled: true +``` + +!!! note + The helm chart doesn't enable the Traefik dashboard by default. I intend to add an oauth_proxy pod to secure this, in a future recipe update. + +### Prepare phone-home pod + +[Remember](/kubernetes/loadbalancer/) how our load balancer design ties a phone-home container to another container using a pod, so that the phone-home container can tell our external load balancer (_using a webhook_) where to send our traffic? + +Since we deployed Traefik using helm, we need to take a slightly different approach, so we'll create a pod with an affinity which ensures it runs on the same host which runs the Traefik container (_more precisely, containers with the label app=traefik_). + +Create phone-home.yaml as follows: + +``` +apiVersion: v1 +kind: Pod +metadata: + name: phonehome-traefik +spec: + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - traefik + topologyKey: failure-domain.beta.kubernetes.io/zone + containers: + - image: funkypenguin/poor-mans-k8s-lb + imagePullPolicy: Always + name: phonehome-traefik + env: + - name: REPEAT_INTERVAL + value: "600" + - name: FRONTEND_PORT + value: "443" + - name: BACKEND_PORT + value: "30443" + - name: NAME + value: "traefik" + - name: WEBHOOK + value: "https://:9000/hooks/update-haproxy" + - name: WEBHOOK_TOKEN + valueFrom: + secretKeyRef: + name: traefik-credentials + key: webhook_token.secret +``` + +Create your webhook token secret by running: + +``` +echo -n "imtoosecretformyshorts" > webhook_token.secret +kubectl create secret generic traefik-credentials --from-file=webhook_token.secret +``` + +!!! warning + Yes, the "-n" in the echo statement is needed. [Read here for why](https://www.funkypenguin.co.nz/beware-the-hidden-newlines-in-kubernetes-secrets/). + +## Serving + +### Install the chart + +To install the chart, simply run ```helm install stable/traefik --name traefik --namespace kube-system``` + +That's it, traefik is running. + +You can confirm this by running ```kubectl get pods```, and even watch the traefik logs, by running ```kubectl logs -f traefik``` + +### Deploy the phone-home pod + +We still can't access traefik yet, since it's listening on port 30443 on node it happens to be running on. We'll launch our phone-home pod, to tell our [load balancer](/kubernetes/loadbalancer/) where to send incoming traffic on port 443. + +Optionally, on your loadbalancer VM, run ```journalctl -u webhook -f``` to watch for the container calling the webhook. + +Run ```kubectl create -f phone-home.yaml``` to create the pod. + +Run ```kubectl get pods -o wide``` to confirm that both the phone-home pod and the traefik pod are on the same node: + +``` +# kubectl get pods -o wide +NAME READY STATUS RESTARTS AGE IP NODE +phonehome-traefik 1/1 Running 0 20h 10.56.2.55 gke-penguins-are-sexy-8b85ef4d-2c9g +traefik-69db67f64c-5666c 1/1 Running 0 10d 10.56.2.30 gkepenguins-are-sexy-8b85ef4d-2c9g +``` + +Now browse to https://, and you should get a valid SSL cert, along with a 404 error (_you haven't deployed any other recipes yet_) + +### Making changes + +If you change a value in values.yaml, and want to update the traefik pod, run: + +``` +helm upgrade --values values.yml traefik stable/traefik --recreate-pods +``` + +## Review + +We're doneburgers! 🍔 We now have all the pieces to safely deploy recipes into our Kubernetes cluster, knowing: + +1. Our HTTPS traffic will be secured with LetsEncrypt (thanks Traefik!) +2. Our non-HTTPS ports (like UniFi adoption) will be load-balanced using an free-to-scale [external load balancer](/kubernetes/loadbalancer/) +3. Our persistent data will be [automatically backed up](/kubernetes/snapshots/) + +Here's a recap: + +* [Start](/kubernetes/start/) - Why Kubernetes? +* [Design](/kubernetes/design/) - How does it fit together? +* [Cluster](/kubernetes/cluster/) - Setup a basic cluster +* [Load Balancer](/kubernetes/loadbalancer/) Setup inbound access +* [Snapshots](/kubernetes/snapshots/) - Automatically backup your persistent data +* [Helm](/kubernetes/helm/) - Uber-recipes from fellow geeks +* Traefik (this page) - Traefik Ingress via Helm + +## Where to next? + +I'll be adding more Kubernetes versions of existing recipes soon. Check out the [MQTT](/recipes/mqtt/) recipe for a start! + + +## Chef's Notes + +1. It's kinda lame to be able to bring up Traefik but not to use it. I'll be adding the oauth_proxy element shortly, which will make this last step a little more conclusive and exciting! \ No newline at end of file diff --git a/manuscript/recipes/autopirate.mde b/manuscript/recipes/autopirate.mde new file mode 100644 index 0000000..cb05c6e --- /dev/null +++ b/manuscript/recipes/autopirate.mde @@ -0,0 +1,126 @@ +hero: AutoPirate - A fully-featured recipe to automate finding, downloading, and organising your media 📺 🎥 🎵 📖 + +# AutoPirate + +Once the cutting edge of the "internet" (_pre-world-wide-web and mosiac days_), Usenet is now a murky, geeky alternative to torrents for file-sharing. However, it's **cool** geeky, especially if you're into having a fully automated media platform. + +A good starter for the usenet scene is https://www.reddit.com/r/usenet/. Because it's so damn complicated, a host of automated tools exist to automate the process of finding, downloading, and managing content. The tools included in this recipe are as follows: + +![Autopirate Screenshot](../images/autopirate.png) + +This recipe presents a method to combine these tools into a single swarm deployment, and make them available securely. + +## Menu + +Tools included in the AutoPirate stack are: + +* **[SABnzbd](http://sabnzbd.org)** : downloads data from usenet servers based on .nzb definitions +* **[NZBGet](https://nzbget.net/)** : downloads data from usenet servers based on .nzb definitions, but written in C++ and designed with performance in mind to achieve maximum download speed by using very little system resources (_this is a popular alternative to SABnzbd_) +* **[RTorrent](https://github.com/rakshasa/rtorrent/wiki)** is a CLI-based torrent client, which when combined with **[ruTorrent](https://github.com/Novik/ruTorrent)** becomes a powerful and fully browser-managed torrent client. (_Yes, it's not Usenet, but Sonarr/Radarr will let fulfill your watchlist using either Usenet **or** torrents, so it's worth including_) +* **[NZBHydra](https://github.com/theotherp/nzbhydra)** : acts as a "meta-indexer", so that your downloading tools (_radarr, sonarr, etc_) only need to be setup for a single indexes. Also produces interesting stats on indexers, which helps when evaluating which indexers are performing well. +* **[NZBHydra2](https://github.com/theotherp/nzbhydra2)** : is a high-performance rewrite of the original NZBHydra, with extra features. While still in beta, this NZBHydra2 will eventually supercede NZBHydra +* **[Sonarr](https://sonarr.tv)** : finds, downloads and manages TV shows +* **[Radarr](https://radarr.video)** : finds, downloads and manages movies +* **[Mylar](https://github.com/evilhero/mylar)** : finds, downloads and manages comic books +* **[Headphones](https://github.com/rembo10/headphones)** : finds, downloads and manages music +* **[Lazy Librarian](https://github.com/itsmegb/LazyLibrarian)** : finds, downloads and manages ebooks +* **[Ombi](https://github.com/tidusjar/Ombi)** : provides an interface to request additions to a [Plex](/recipes/plex/)/[Emby](/recipes/emby/) library using the above tools +* **[Jackett](https://github.com/Jackett/Jackett)** : Provides an local, caching, API-based interface to torrent trackers, simplifying the way your tools search for torrents. + +Since this recipe is so long, and so many of the tools are optional to the final result (_i.e., if you're not interested in comics, you won't want Mylar_), I've described each individual tool on its own sub-recipe page (_below_), even though most of them are deployed very similarly. + + +## Ingredients + +1. [Docker swarm cluster](/ha-docker-swarm/design/) with [persistent shared storage](/ha-docker-swarm/shared-storage-ceph.md) +2. [Traefik](/ha-docker-swarm/traefik) configured per design +3. Access to NZB indexers and Usenet servers +4. DNS entries configured for each of the NZB tools in this recipe that you want to use + +## Preparation + +### Setup data locations + +We'll need a unique directories for each tool in the stack, bind-mounted into our containers, so create them upfront, in /var/data/autopirate: + +``` +mkdir /var/data/autopirate +cd /var/data/autopirate +mkdir -p {lazylibrarian,mylar,ombi,sonarr,radarr,headphones,plexpy,nzbhydra,sabnzbd,nzbget,rtorrent,jackett} +``` + +Create a directory for the storage of your downloaded media, i.e., something like: + +``` +mkdir /var/data/media +``` + +Create a user to "own" the above directories, and note the uid and gid of the created user. You'll need to specify the UID/GID in the environment variables passed to the container (in the example below, I used 4242 - twice the meaning of life). + +### Secure public access + +What you'll quickly notice about this recipe is that __every__ web interface is protected by an [OAuth proxy](/reference/oauth_proxy/). + +Why? Because these tools are developed by a handful of volunteer developers who are focused on adding features, not necessarily implementing robust security. Most users wouldn't expose these tools directly to the internet, so the tools have rudimentary (if any) access control. + +To mitigate the risk associated with public exposure of these tools (_you're on your smartphone and you want to add a movie to your watchlist, what do you do, hotshot?_), in order to gain access to each tool you'll first need to authenticate against your given OAuth provider. + +This is tedious, but you only have to do it once. Each tool (Sonarr, Radarr, etc) to be protected by an OAuth proxy, requires unique configuration. I use github to provide my oauth, giving each tool a unique logo while I'm at it (make up your own random string for OAUTH2PROXYCOOKIE_SECRET) + +For each tool, create /var/data/autopirate/.env, and set the following: + +``` +OAUTH2_PROXY_CLIENT_ID= +OAUTH2_PROXY_CLIENT_SECRET= +OAUTH2_PROXY_COOKIE_SECRET= +PUID=4242 +PGID=4242 +``` + +Create at least /var/data/autopirate/authenticated-emails.txt, containing at least your own email address with your OAuth provider. If you wanted to grant access to a specific tool to other users, you'd need a unique authenticated-emails-.txt which included both normal email address as well as any addresses to be granted tool-specific access. + +### Setup components + +#### Stack basics + +**Start** with a swarm config file in docker-compose syntax, like this: + +``` +version: '3' + +services: +``` + +And **end** with a stanza like this: + +``` +networks: + traefik_public: + external: true + internal: + driver: overlay + ipam: + config: + - subnet: 172.16.11.0/24 +``` + +!!! note + Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](/reference/networks/) here. + +#### Assemble the tools.. + +Now work your way through the list of tools below, adding whichever tools your want to use, and finishing with the **end** section: + +* [SABnzbd](/recipes/autopirate/sabnzbd/) +* [NZBGet](/recipes/autopirate/nzbget/) +* [RTorrent](/recipes/autopirate/rtorrent/) +* [Sonarr](/recipes/autopirate/sonarr/) +* [Radarr](/recipes/autopirate/radarr/) +* [Mylar](/recipes/autopirate/mylar/) +* [Lazy Librarian](/recipes/autopirate/lazylibrarian/) +* [Headphones](/recipes/autopirate/headphones/) +* [NZBHydra](/recipes/autopirate/nzbhydra/) +* [NZBHydra2](/recipes/autopirate/nzbhydra2/) +* [Ombi](/recipes/autopirate/ombi/) +* [Jackett](/recipes/autopirate/jackett/) +* [End](/recipes/autopirate/end/) (launch the stack) \ No newline at end of file diff --git a/manuscript/recipes/autopirate/end.md b/manuscript/recipes/autopirate/end.md index d40d645..edb77cd 100644 --- a/manuscript/recipes/autopirate/end.md +++ b/manuscript/recipes/autopirate/end.md @@ -9,6 +9,6 @@ Confirm the container status by running "docker stack ps autopirate", and wait f Log into each of your new tools at its respective HTTPS URL. You'll be prompted to authenticate against your OAuth provider, and upon success, redirected to the tool's UI. -## Chef's Notes 📓 +## Chef's Notes 1. This is a complex stack. Sing out in the comments if you found a flaw or need a hand :) \ No newline at end of file diff --git a/manuscript/recipes/autopirate/end.mde b/manuscript/recipes/autopirate/end.mde new file mode 100644 index 0000000..f40b4f8 --- /dev/null +++ b/manuscript/recipes/autopirate/end.mde @@ -0,0 +1,14 @@ +!!! warning + This is not a complete recipe - it's the conclusion to the [AutoPirate](/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity. + +### Launch Autopirate stack + +Launch the AutoPirate stack by running ```docker stack deploy autopirate -c ``` + +Confirm the container status by running "docker stack ps autopirate", and wait for all containers to enter the "Running" state. + +Log into each of your new tools at its respective HTTPS URL. You'll be prompted to authenticate against your OAuth provider, and upon success, redirected to the tool's UI. + +## Chef's Notes 📓 + +1. This is a complex stack. Sing out in the comments if you found a flaw or need a hand :) \ No newline at end of file diff --git a/manuscript/recipes/autopirate/headphones.md b/manuscript/recipes/autopirate/headphones.md index 5b178a3..4d2e177 100644 --- a/manuscript/recipes/autopirate/headphones.md +++ b/manuscript/recipes/autopirate/headphones.md @@ -5,7 +5,7 @@ hero: AutoPirate - A fully-featured recipe to automate finding, downloading, and # Headphones -[Headphones](https://github.com/rembo10/headphones) is an automated music downloader for NZB and Torrent, written in Python. It supports SABnzbd, NZBget, Transmission, µTorrent, Deluge and Blackhole. +[Headphones](https://github.com/rembo10/headphones) is an automated music downloader for NZB and Torrent, written in Python. It supports SABnzbd, NZBget, Transmission, Torrent, Deluge and Blackhole. ![Headphones Screenshot](../../images/headphones.png) @@ -70,6 +70,6 @@ Continue through the list of tools below, adding whichever tools your want to us * [End](https://geek-cookbook.funkypenguin.co.nz/)recipes/autopirate/end/) (launch the stack) -## Chef's Notes 📓 +## Chef's Notes 1. In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition. \ No newline at end of file diff --git a/manuscript/recipes/autopirate/headphones.mde b/manuscript/recipes/autopirate/headphones.mde new file mode 100644 index 0000000..2ed6deb --- /dev/null +++ b/manuscript/recipes/autopirate/headphones.mde @@ -0,0 +1,75 @@ +hero: AutoPirate - A fully-featured recipe to automate finding, downloading, and organising your media 📺 🎥 🎵 📖 + +!!! warning + This is not a complete recipe - it's a component of the [autopirate](/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity. + +# Headphones + +[Headphones](https://github.com/rembo10/headphones) is an automated music downloader for NZB and Torrent, written in Python. It supports SABnzbd, NZBget, Transmission, µTorrent, Deluge and Blackhole. + +![Headphones Screenshot](../../images/headphones.png) + +## Inclusion into AutoPirate + +To include Headphones in your [AutoPirate](/recipes/autopirate/) stack, include the following in your autopirate.yml stack definition file: + +``` +headphones: + image: linuxserver/headphones:latest + env_file : /var/data/config/autopirate/headphones.env + volumes: + - /var/data/autopirate/headphones:/config + - /var/data/media:/media + networks: + - internal + +headphones_proxy: + image: a5huynh/oauth2_proxy + env_file : /var/data/config/autopirate/headphones.env + networks: + - internal + - traefik_public + deploy: + labels: + - traefik.frontend.rule=Host:headphones.example.com + - traefik.docker.network=traefik_public + - traefik.port=4180 + volumes: + - /var/data/config/autopirate/authenticated-emails.txt:/authenticated-emails.txt + command: | + -cookie-secure=false + -upstream=http://headphones:8181 + -redirect-url=https://headphones.example.com + -http-address=http://0.0.0.0:4180 + -email-domain=example.com + -provider=github + -authenticated-emails-file=/authenticated-emails.txt +``` + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + +## Assemble more tools.. + +Continue through the list of tools below, adding whichever tools your want to use, and finishing with the **[end](/recipes/autopirate/end/)** section: + +* [SABnzbd](/recipes/autopirate/sabnzbd.md) +* [NZBGet](/recipes/autopirate/nzbget.md) +* [RTorrent](/recipes/autopirate/rtorrent/) +* [Sonarr](/recipes/autopirate/sonarr/) +* [Radarr](/recipes/autopirate/radarr/) +* [Mylar](https://github.com/evilhero/mylar) +* [Lazy Librarian](/recipes/autopirate/lazylibrarian/) +* Headphones (this page) +* [Lidarr](/recipes/autopirate/lidarr/) +* [NZBHydra](/recipes/autopirate/nzbhydra/) +* [NZBHydra2](/recipes/autopirate/nzbhydra2/) +* [Ombi](/recipes/autopirate/ombi/) +* [Jackett](/recipes/autopirate/jackett/) +* [Heimdall](/recipes/autopirate/heimdall/) +* [End](/recipes/autopirate/end/) (launch the stack) + + +## Chef's Notes 📓 + +1. In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition. \ No newline at end of file diff --git a/manuscript/recipes/autopirate/heimdall.md b/manuscript/recipes/autopirate/heimdall.md index 7985f79..813532b 100644 --- a/manuscript/recipes/autopirate/heimdall.md +++ b/manuscript/recipes/autopirate/heimdall.md @@ -5,7 +5,7 @@ [Heimdall Application Dashboard](https://heimdall.site/) is a dashboard for all your web applications. It doesn't need to be limited to applications though, you can add links to anything you like. -Heimdall is an elegant solution to organise all your web applications. It’s dedicated to this purpose so you won’t lose your links in a sea of bookmarks. +Heimdall is an elegant solution to organise all your web applications. Its dedicated to this purpose so you wont lose your links in a sea of bookmarks. Heimdall provides a single URL to manage access to all of your autopirate tools, and includes "enhanced" (_i.e., display stats within Heimdall without launching the app_) access to [NZBGet](https://geek-cookbook.funkypenguin.co.nz/)recipes/autopirate/nzbget.md), [SABnzbd](https://geek-cookbook.funkypenguin.co.nz/)recipes/autopirate/sabnzbd/), and friends. @@ -76,7 +76,7 @@ Continue through the list of tools below, adding whichever tools your want to us * [End](https://geek-cookbook.funkypenguin.co.nz/)recipes/autopirate/end/) (launch the stack) -## Chef's Notes 📓 +## Chef's Notes 1. In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition. 2. The inclusion of Heimdall was due to the efforts of @gkoerk in our [Discord server](http://chat.funkypenguin.co.nz). Thanks gkoerk! \ No newline at end of file diff --git a/manuscript/recipes/autopirate/heimdall.mde b/manuscript/recipes/autopirate/heimdall.mde new file mode 100644 index 0000000..26d78c9 --- /dev/null +++ b/manuscript/recipes/autopirate/heimdall.mde @@ -0,0 +1,82 @@ +!!! warning + This is not a complete recipe - it's a component of the [autopirate](/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity. + +# Heimdall + +[Heimdall Application Dashboard](https://heimdall.site/) is a dashboard for all your web applications. It doesn't need to be limited to applications though, you can add links to anything you like. + +Heimdall is an elegant solution to organise all your web applications. It’s dedicated to this purpose so you won’t lose your links in a sea of bookmarks. + +Heimdall provides a single URL to manage access to all of your autopirate tools, and includes "enhanced" (_i.e., display stats within Heimdall without launching the app_) access to [NZBGet](/recipes/autopirate/nzbget.md), [SABnzbd](/recipes/autopirate/sabnzbd/), and friends. + +![Heimdall Screenshot](../../images/heimdall.jpg) + +## Inclusion into AutoPirate + +To include Heimdall in your [AutoPirate](/recipes/autopirate/) stack, include the following in your autopirate.yml stack definition file: + +``` + heimdall: + image: linuxserver/heimdall:latest + env_file: /var/data/config/autopirate/heimdall.env + volumes: + - /etc/localtime:/etc/localtime:ro + - /var/data/heimdall:/config + networks: + - internal + + heimdall_proxy: + image: funkypenguin/oauth2_proxy:latest + env_file : /var/data/config/autopirate/heimdall.env + networks: + - internal + - traefik_public + deploy: + labels: + - traefik.frontend.rule=Host:heimdall.example.com + - traefik.docker.network=traefik_public + - traefik.port=4180 + volumes: + - /etc/localtime:/etc/localtime:ro + - /var/data/config/autopirate/authenticated-emails.txt:/authenticated-emails.txt + command: | + -cookie-secure=false + -upstream=http://heimdall:80 + -redirect-url=https://heimdall.example.com + -http-address=http://0.0.0.0:4180 + -email-domain=example.com + -provider=github + -authenticated-emails-file=/authenticated-emails.txt + + + +``` + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + +## Assemble more tools.. + +Continue through the list of tools below, adding whichever tools your want to use, and finishing with the **[end](/recipes/autopirate/end/)** section: + +* [SABnzbd](/recipes/autopirate/sabnzbd.md) +* [NZBGet](/recipes/autopirate/nzbget.md) +* [RTorrent](/recipes/autopirate/rtorrent/) +* [Sonarr](/recipes/autopirate/sonarr/) +* [Radarr](/recipes/autopirate/radarr/) +* [Mylar](/recipes/autopirate/mylarr/) +* [Lazy Librarian](/recipes/autopirate/lazylibrarian/) +* [Headphones](/recipes/autopirate/headphones) +* [Lidarr](/recipes/autopirate/lidarr/) +* [NZBHydra](/recipes/autopirate/nzbhydra/) +* [NZBHydra2](/recipes/autopirate/nzbhydra2/) +* [Ombi](/recipes/autopirate/ombi/) +* [Jackett](/recipes/autopirate/jackett/) +* Heimdall (this page) +* [End](/recipes/autopirate/end/) (launch the stack) + + +## Chef's Notes 📓 + +1. In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition. +2. The inclusion of Heimdall was due to the efforts of @gkoerk in our [Discord server](http://chat.funkypenguin.co.nz). Thanks gkoerk! \ No newline at end of file diff --git a/manuscript/recipes/autopirate/jackett.md b/manuscript/recipes/autopirate/jackett.md index 10d9d3d..01af6de 100644 --- a/manuscript/recipes/autopirate/jackett.md +++ b/manuscript/recipes/autopirate/jackett.md @@ -70,6 +70,6 @@ Continue through the list of tools below, adding whichever tools your want to us * [End](https://geek-cookbook.funkypenguin.co.nz/)recipes/autopirate/end/) (launch the stack) -## Chef's Notes 📓 +## Chef's Notes 1. In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition. \ No newline at end of file diff --git a/manuscript/recipes/autopirate/jackett.mde b/manuscript/recipes/autopirate/jackett.mde new file mode 100644 index 0000000..16cc6ea --- /dev/null +++ b/manuscript/recipes/autopirate/jackett.mde @@ -0,0 +1,75 @@ +!!! warning + This is not a complete recipe - it's a component of the [autopirate](/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity. + +# Jackett + +[Jackett](https://github.com/Jackett/Jackett) works as a proxy server: it translates queries from apps (Sonarr, Radarr, Mylar, etc) into tracker-site-specific http queries, parses the html response, then sends results back to the requesting software. + +This allows for getting recent uploads (like RSS) and performing searches. Jackett is a single repository of maintained indexer scraping & translation logic - removing the burden from other apps. + +![Jackett Screenshot](../../images/jackett.png) + +## Inclusion into AutoPirate + +To include Jackett in your [AutoPirate](/recipes/autopirate/) stack, include the following in your autopirate.yml stack definition file: + +``` +jackett: + image: linuxserver/jackett:latest + env_file : /var/data/config/autopirate/jackett.env + volumes: + - /var/data/autopirate/jackett:/config + networks: + - internal + +jackett_proxy: + image: a5huynh/oauth2_proxy + env_file : /var/data/config/autopirate/jackett.env + networks: + - internal + - traefik_public + deploy: + labels: + - traefik.frontend.rule=Host:jackett.example.com + - traefik.docker.network=traefik_public + - traefik.port=4180 + volumes: + - /var/data/config/autopirate/authenticated-emails.txt:/authenticated-emails.txt + command: | + -cookie-secure=false + -upstream=http://jackett:9117 + -redirect-url=https://jackett.example.com + -http-address=http://0.0.0.0:4180 + -email-domain=example.com + -provider=github + -authenticated-emails-file=/authenticated-emails.txt + +``` + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + +## Assemble more tools.. + +Continue through the list of tools below, adding whichever tools your want to use, and finishing with the **[end](/recipes/autopirate/end/)** section: + +* [SABnzbd](/recipes/autopirate/sabnzbd.md) +* [NZBGet](/recipes/autopirate/nzbget.md) +* [RTorrent](/recipes/autopirate/rtorrent/) +* [Sonarr](/recipes/autopirate/sonarr/) +* [Radarr](/recipes/autopirate/radarr/) +* [Mylar](/recipes/autopirate/mylarr/) +* [Lazy Librarian](/recipes/autopirate/lazylibrarian/) +* [Headphones](/recipes/autopirate/headphones) +* [Lidarr](/recipes/autopirate/lidarr/) +* [NZBHydra](/recipes/autopirate/nzbhydra/) +* [NZBHydra2](/recipes/autopirate/nzbhydra2/) +* [Ombi](/recipes/autopirate/ombi/) +* Jackett (this page) +* [Heimdall](/recipes/autopirate/heimdall/) +* [End](/recipes/autopirate/end/) (launch the stack) + + +## Chef's Notes 📓 + +1. In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition. \ No newline at end of file diff --git a/manuscript/recipes/autopirate/lazylibrarian.md b/manuscript/recipes/autopirate/lazylibrarian.md index 452e88c..722f2cc 100644 --- a/manuscript/recipes/autopirate/lazylibrarian.md +++ b/manuscript/recipes/autopirate/lazylibrarian.md @@ -82,7 +82,7 @@ Continue through the list of tools below, adding whichever tools your want to us * [End](https://geek-cookbook.funkypenguin.co.nz/)recipes/autopirate/end/) (launch the stack) -## Chef's Notes 📓 +## Chef's Notes 1. The calibre-server container co-exists within the Lazy Librarian (LL) containers so that LL can automatically add a book to Calibre using the calibre-server interface. The calibre library can then be properly viewed using the [calibre-web](https://geek-cookbook.funkypenguin.co.nz/)recipes/calibre-web) recipe. 2. In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition. \ No newline at end of file diff --git a/manuscript/recipes/autopirate/lazylibrarian.mde b/manuscript/recipes/autopirate/lazylibrarian.mde new file mode 100644 index 0000000..04dce95 --- /dev/null +++ b/manuscript/recipes/autopirate/lazylibrarian.mde @@ -0,0 +1,88 @@ +!!! warning + This is not a complete recipe - it's a component of the [autopirate](/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity. + +# LazyLibrarian + +[LazyLibrarian](https://github.com/DobyTang/LazyLibrarian) is a tool to follow authors and grab metadata for all your digital reading needs. It uses a combination of Goodreads Librarything and optionally GoogleBooks as sources for author info and book info. Features include: + +* Find authors and add them to the database +* List all books of an author and mark ebooks or audiobooks as 'wanted'. +* When processing the downloaded books it will save a cover picture (if available) and save all metadata into metadata.opf next to the bookfile (calibre compatible format) +* AutoAdd feature for book management tools like Calibre which must have books in flattened directory structure, or use calibre to import your books into an existing calibre library +* LazyLibrarian can also be used to search for and download magazines, and monitor for new issues + +![Lazy Librarian Screenshot](../../images/lazylibrarian.png) + +## Inclusion into AutoPirate + +To include LazyLibrarian in your [AutoPirate](/recipes/autopirate/) stack, include the following in your autopirate.yml stack definition file: + +``` +lazylibrarian: + image: linuxserver/lazylibrarian:latest + env_file : /var/data/config/autopirate/lazylibrarian.env + volumes: + - /var/data/autopirate/lazylibrarian:/config + - /var/data/media:/media + networks: + - internal + +lazylibrarian_proxy: + image: a5huynh/oauth2_proxy + env_file : /var/data/config/autopirate/lazylibrarian.env + networks: + - internal + - traefik_public + deploy: + labels: + - traefik.frontend.rule=Host:lazylibrarian.example.com + - traefik.docker.network=traefik_public + - traefik.port=4180 + volumes: + - /var/data/config/autopirate/authenticated-emails.txt:/authenticated-emails.txt + command: | + -cookie-secure=false + -upstream=http://lazylibrarian:5299 + -redirect-url=https://lazylibrarian.example.com + -http-address=http://0.0.0.0:4180 + -email-domain=example.com + -provider=github + -authenticated-emails-file=/authenticated-emails.txt + +calibre-server: + image: regueiro/calibre-server + volumes: + - /var/data/media/Ebooks/calibre/:/opt/calibre/library + networks: + - internal + +``` + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + +## Assemble more tools.. + +Continue through the list of tools below, adding whichever tools your want to use, and finishing with the **[end](/recipes/autopirate/end/)** section: + +* [SABnzbd](/recipes/autopirate/sabnzbd.md) +* [NZBGet](/recipes/autopirate/nzbget.md) +* [RTorrent](/recipes/autopirate/rtorrent/) +* [Sonarr](/recipes/autopirate/sonarr/) +* [Radarr](/recipes/autopirate/radarr/) +* [Mylar](https://github.com/evilhero/mylar) +* Lazy Librarian (this page) +* [Headphones](/recipes/autopirate/headphones) +* [Lidarr](/recipes/autopirate/lidarr/) +* [NZBHydra](/recipes/autopirate/nzbhydra/) +* [NZBHydra2](/recipes/autopirate/nzbhydra2/) +* [Ombi](/recipes/autopirate/ombi/) +* [Jackett](/recipes/autopirate/jackett/) +* [Heimdall](/recipes/autopirate/heimdall/) +* [End](/recipes/autopirate/end/) (launch the stack) + + +## Chef's Notes 📓 + +1. The calibre-server container co-exists within the Lazy Librarian (LL) containers so that LL can automatically add a book to Calibre using the calibre-server interface. The calibre library can then be properly viewed using the [calibre-web](/recipes/calibre-web) recipe. +2. In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition. \ No newline at end of file diff --git a/manuscript/recipes/autopirate/lidarr.md b/manuscript/recipes/autopirate/lidarr.md index 4efd007..3066bb4 100644 --- a/manuscript/recipes/autopirate/lidarr.md +++ b/manuscript/recipes/autopirate/lidarr.md @@ -5,7 +5,7 @@ hero: AutoPirate - A fully-featured recipe to automate finding, downloading, and # Lidarr -[Lidarr](https://lidarr.audio/) is an automated music downloader for NZB and Torrent. It performs the same function as [Headphones](https://geek-cookbook.funkypenguin.co.nz/)recipes/autopirate/headphones), but is written using the same(ish) codebase as [Radarr](https://geek-cookbook.funkypenguin.co.nz/)recipes/autopirate/radarr/) and [Sonarr](https://geek-cookbook.funkypenguin.co.nz/)recipes/autopirate/sonarr). It's blazingly fast, and includes beautiful album/artist art. Lidarr supports [SABnzbd](https://geek-cookbook.funkypenguin.co.nz/)recipes/autopirate/sabnzbd/), [NZBGet](https://geek-cookbook.funkypenguin.co.nz/)recipes/autopirate/nzbget/), Transmission, µTorrent, Deluge and Blackhole (_just like Sonarr / Radarr_) +[Lidarr](https://lidarr.audio/) is an automated music downloader for NZB and Torrent. It performs the same function as [Headphones](https://geek-cookbook.funkypenguin.co.nz/)recipes/autopirate/headphones), but is written using the same(ish) codebase as [Radarr](https://geek-cookbook.funkypenguin.co.nz/)recipes/autopirate/radarr/) and [Sonarr](https://geek-cookbook.funkypenguin.co.nz/)recipes/autopirate/sonarr). It's blazingly fast, and includes beautiful album/artist art. Lidarr supports [SABnzbd](https://geek-cookbook.funkypenguin.co.nz/)recipes/autopirate/sabnzbd/), [NZBGet](https://geek-cookbook.funkypenguin.co.nz/)recipes/autopirate/nzbget/), Transmission, Torrent, Deluge and Blackhole (_just like Sonarr / Radarr_) ![Lidarr Screenshot](../../images/lidarr.png) @@ -71,7 +71,7 @@ Continue through the list of tools below, adding whichever tools your want to us * [End](https://geek-cookbook.funkypenguin.co.nz/)recipes/autopirate/end/) (launch the stack) -## Chef's Notes 📓 +## Chef's Notes 1. In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition. 2. The addition of the Lidarr recipe was contributed by our very own @gpulido in Discord (http://chat.funkypenguin.co.nz) - Thanks Gabriel! \ No newline at end of file diff --git a/manuscript/recipes/autopirate/lidarr.mde b/manuscript/recipes/autopirate/lidarr.mde new file mode 100644 index 0000000..109fa18 --- /dev/null +++ b/manuscript/recipes/autopirate/lidarr.mde @@ -0,0 +1,77 @@ +hero: AutoPirate - A fully-featured recipe to automate finding, downloading, and organising your media 📺 🎥 🎵 📖 + +!!! warning + This is not a complete recipe - it's a component of the [autopirate](/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity. + +# Lidarr + +[Lidarr](https://lidarr.audio/) is an automated music downloader for NZB and Torrent. It performs the same function as [Headphones](/recipes/autopirate/headphones), but is written using the same(ish) codebase as [Radarr](/recipes/autopirate/radarr/) and [Sonarr](/recipes/autopirate/sonarr). It's blazingly fast, and includes beautiful album/artist art. Lidarr supports [SABnzbd](/recipes/autopirate/sabnzbd/), [NZBGet](/recipes/autopirate/nzbget/), Transmission, µTorrent, Deluge and Blackhole (_just like Sonarr / Radarr_) + +![Lidarr Screenshot](../../images/lidarr.png) + +## Inclusion into AutoPirate + +To include Lidarr in your [AutoPirate](/recipes/autopirate/) stack, include the following in your autopirate.yml stack definition file: + +``` +lidarr: + image: linuxserver/lidarr:latest + env_file : /var/data/config/autopirate/lidarr.env + volumes: + - /var/data/autopirate/lidarr:/config + - /var/data/media:/media + networks: + - internal + +lidarr_proxy: + image: a5huynh/oauth2_proxy + env_file : /var/data/config/autopirate/lidarr.env + networks: + - internal + - traefik_public + deploy: + labels: + - traefik.frontend.rule=Host:lidarr.example.com + - traefik.docker.network=traefik_public + - traefik.port=4180 + volumes: + - /var/data/config/autopirate/authenticated-emails.txt:/authenticated-emails.txt + command: | + -cookie-secure=false + -upstream=http://lidarr:8181 + -redirect-url=https://lidarr.example.com + -http-address=http://0.0.0.0:4180 + -email-domain=example.com + -provider=github + -authenticated-emails-file=/authenticated-emails.txt +``` + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + +## Assemble more tools.. + +Continue through the list of tools below, adding whichever tools your want to use, and finishing with the **[end](/recipes/autopirate/end/)** section: + +* [SABnzbd](/recipes/autopirate/sabnzbd.md) +* [NZBGet](/recipes/autopirate/nzbget.md) +* [RTorrent](/recipes/autopirate/rtorrent/) +* [Sonarr](/recipes/autopirate/sonarr/) +* [Radarr](/recipes/autopirate/radarr/) +* [Mylar](https://github.com/evilhero/mylar) +* [Lazy Librarian](/recipes/autopirate/lazylibrarian/) +* [Headphones](/recipes/autopirate/headphones/) +* Lidarr (this page) +* [NZBHydra](/recipes/autopirate/nzbhydra/) +* [NZBHydra](/recipes/autopirate/nzbhydra/) +* [NZBHydra2](/recipes/autopirate/nzbhydra2/) +* [Ombi](/recipes/autopirate/ombi/) +* [Jackett](/recipes/autopirate/jackett/) +* [Heimdall](/recipes/autopirate/heimdall/) +* [End](/recipes/autopirate/end/) (launch the stack) + + +## Chef's Notes 📓 + +1. In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition. +2. The addition of the Lidarr recipe was contributed by our very own @gpulido in Discord (http://chat.funkypenguin.co.nz) - Thanks Gabriel! \ No newline at end of file diff --git a/manuscript/recipes/autopirate/mylar.md b/manuscript/recipes/autopirate/mylar.md index 07af1bd..9b5fdf2 100644 --- a/manuscript/recipes/autopirate/mylar.md +++ b/manuscript/recipes/autopirate/mylar.md @@ -68,7 +68,7 @@ Continue through the list of tools below, adding whichever tools your want to us * [End](https://geek-cookbook.funkypenguin.co.nz/)recipes/autopirate/end/) (launch the stack) -## Chef's Notes 📓 +## Chef's Notes 1. In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition. diff --git a/manuscript/recipes/autopirate/mylar.mde b/manuscript/recipes/autopirate/mylar.mde new file mode 100644 index 0000000..1452f81 --- /dev/null +++ b/manuscript/recipes/autopirate/mylar.mde @@ -0,0 +1,77 @@ +!!! warning + This is not a complete recipe - it's a component of the [autopirate](/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity. + +# Mylar + +[Mylar](https://github.com/evilhero/mylar) is a tool for downloading and managing digital comic books. + +![Mylar Screenshot](../../images/mylar.jpg) + +## Inclusion into AutoPirate + +To include Mylar in your [AutoPirate](/recipes/autopirate/) stack, include the following in your autopirate.yml stack definition file: + +``` +mylar: + image: linuxserver/mylar:latest + env_file : /var/data/config/autopirate/mylar.env + volumes: + - /var/data/autopirate/mylar:/config + - /var/data/media:/media + networks: + - internal + +mylar_proxy: + image: a5huynh/oauth2_proxy + env_file : /var/data/config/autopirate/mylar.env + networks: + - internal + - traefik_public + deploy: + labels: + - traefik.frontend.rule=Host:mylar.example.com + - traefik.docker.network=traefik_public + - traefik.port=4180 + volumes: + - /var/data/config/autopirate/authenticated-emails.txt:/authenticated-emails.txt + command: | + -cookie-secure=false + -upstream=http://mylar:8090 + -redirect-url=https://mylar.example.com + -http-address=http://0.0.0.0:4180 + -email-domain=example.com + -provider=github + -authenticated-emails-file=/authenticated-emails.txt +``` + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + +## Assemble more tools.. + +Continue through the list of tools below, adding whichever tools your want to use, and finishing with the **[end](/recipes/autopirate/end/)** section: + +* [SABnzbd](/recipes/autopirate/sabnzbd.md) +* [NZBGet](/recipes/autopirate/nzbget.md) +* [RTorrent](/recipes/autopirate/rtorrent/) +* [Sonarr](/recipes/autopirate/sonarr/) +* [Radarr](/recipes/autopirate/radarr/) +* Mylar (this page) +* [Lazy Librarian](/recipes/autopirate/lazylibrarian/) +* [Headphones](/recipes/autopirate/headphones) +* [Lidarr](/recipes/autopirate/lidarr/) +* [NZBHydra](/recipes/autopirate/nzbhydra/) +* [NZBHydra2](/recipes/autopirate/nzbhydra2/) +* [Ombi](/recipes/autopirate/ombi/) +* [Jackett](/recipes/autopirate/jackett/) +* [Heimdall](/recipes/autopirate/heimdall/) +* [End](/recipes/autopirate/end/) (launch the stack) + + +## Chef's Notes 📓 + +1. In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition. + +2. If you intend to configure Mylar to perform its own NZB searches and push the hits to a downloader such as SABnzbd, then in addition to configuring the connection to SAB with host, port and api key, you will need to set the parameter `host_return` parameter to the fully qualified Mylar address (e.g. `http://mylar:8090`). + + This will provide the link to the downloader necessary to initiate the download. This parameter is not presented in the user interface so the config file (`$MYLAR_HOME/config.ini`) will need to be manually updated. The parameter can be found under the [Interface] section of the file. ([Details](https://github.com/evilhero/mylar/issues/2242)) \ No newline at end of file diff --git a/manuscript/recipes/autopirate/nzbget.md b/manuscript/recipes/autopirate/nzbget.md index 2b03549..0c5461d 100644 --- a/manuscript/recipes/autopirate/nzbget.md +++ b/manuscript/recipes/autopirate/nzbget.md @@ -75,6 +75,6 @@ Continue through the list of tools below, adding whichever tools your want to us * [End](https://geek-cookbook.funkypenguin.co.nz/)recipes/autopirate/end/) (launch the stack) -## Chef's Notes 📓 +## Chef's Notes 1. In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition. \ No newline at end of file diff --git a/manuscript/recipes/autopirate/nzbget.mde b/manuscript/recipes/autopirate/nzbget.mde new file mode 100644 index 0000000..624342f --- /dev/null +++ b/manuscript/recipes/autopirate/nzbget.mde @@ -0,0 +1,80 @@ +!!! warning + This is not a complete recipe - it's a component of the [AutoPirate](/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity. + +# NZBGet + +## Introduction + +NZBGet performs the same function as [SABnzbd](/recipes/autopirate/sabnzbd.md) (_downloading content from Usenet servers_), but it's lightweight and fast(er), written in C++ (_as opposed to Python_). + +![NZBGet Screenshot](../../images/nzbget.jpg) + +## Inclusion into AutoPirate + +To include NZBGet in your [AutoPirate](/recipes/autopirate/) stack +(_The only reason you **wouldn't** use NZBGet, would be if you were using [SABnzbd](/recipes/autopirate/sabnzbd/) instead_), include the following in your autopirate.yml stack definition file: + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + +``` +nzbget: + image: linuxserver/nzbget + env_file : /var/data/config/autopirate/nzbget.env + volumes: + - /var/data/autopirate/nzbget:/config + - /var/data/media:/data + networks: + - internal + +nzbget_proxy: + image: a5huynh/oauth2_proxy + env_file : /var/data/config/autopirate/nzbget.env + networks: + - internal + - traefik_public + deploy: + labels: + - traefik.frontend.rule=Host:nzbget.example.com + - traefik.docker.network=traefik_public + - traefik.port=4180 + volumes: + - /var/data/config/autopirate/authenticated-emails.txt:/authenticated-emails.txt + command: | + -cookie-secure=false + -upstream=http://nzbget:6789 + -redirect-url=https://nzbget.example.com + -http-address=http://0.0.0.0:4180 + -email-domain=example.com + -provider=github + -authenticated-emails-file=/authenticated-emails.txt +``` + +!!! note + NZBGet uses a 401 header to prompt for authentication. When you use OAuth2_proxy, this seems to break. Since we trust OAuth to authenticate us, we can just disable NZGet's own authentication, by changing ControlPassword to null in nzbget.conf (i.e. ```ControlPassword=```) + + +## Assemble more tools.. + +Continue through the list of tools below, adding whichever tools your want to use, and finishing with the **[end](/recipes/autopirate/end/)** section: + +* [SABnzbd](/recipes/autopirate/sabnzbd.md) +* NZBGet (this page) +* [RTorrent](/recipes/autopirate/rtorrent/) +* [Sonarr](/recipes/autopirate/sonarr/) +* [Radarr](/recipes/autopirate/radarr/) +* [Mylar](/recipes/autopirate/mylar/) +* [Lazy Librarian](/recipes/autopirate/lazylibrarian/) +* [Headphones](/recipes/autopirate/headphones/) +* [Lidarr](/recipes/autopirate/lidarr/) +* [NZBHydra](/recipes/autopirate/nzbhydra/) +* [NZBHydra2](/recipes/autopirate/nzbhydra2/) +* [Ombi](/recipes/autopirate/ombi/) +* [Jackett](/recipes/autopirate/jackett/) +* [Heimdall](/recipes/autopirate/heimdall/) +* [End](/recipes/autopirate/end/) (launch the stack) + + +## Chef's Notes 📓 + +1. In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition. \ No newline at end of file diff --git a/manuscript/recipes/autopirate/nzbhydra.md b/manuscript/recipes/autopirate/nzbhydra.md index 286c63d..1cf3ae8 100644 --- a/manuscript/recipes/autopirate/nzbhydra.md +++ b/manuscript/recipes/autopirate/nzbhydra.md @@ -74,6 +74,6 @@ Continue through the list of tools below, adding whichever tools your want to us * [End](https://geek-cookbook.funkypenguin.co.nz/)recipes/autopirate/end/) (launch the stack) -## Chef's Notes 📓 +## Chef's Notes 1. In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition. \ No newline at end of file diff --git a/manuscript/recipes/autopirate/nzbhydra.mde b/manuscript/recipes/autopirate/nzbhydra.mde new file mode 100644 index 0000000..c699fa5 --- /dev/null +++ b/manuscript/recipes/autopirate/nzbhydra.mde @@ -0,0 +1,79 @@ +!!! warning + This is not a complete recipe - it's a component of the [AutoPirate](/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity. + + +# NZBHydra + +[NZBHydra](https://github.com/theotherp/nzbhydra) is a meta search for NZB indexers. It provides easy access to a number of raw and newznab based indexers. You can search all your indexers from one place and use it as indexer source for tools like Sonarr or CouchPotato. Features include: + +* Search by IMDB, TMDB, TVDB, TVRage and TVMaze ID (including season and episode) and filter by age and size. If an ID is not supported by an indexer it is attempted to be converted (e.g. TMDB to IMDB) +* Query generation, meaning when you search for a movie using e.g. an IMDB ID a query will be generated for raw indexers. Searching for a series season 1 episode 2 will also generate queries for raw indexers, like s01e02 and 1x02 +* Grouping of results with the same title and of duplicate results, accounting for result posting time, size, group and poster. By default only one of the duplicates is shown. You can provide an indexer score to influence which one that might be +* Compatible with Sonarr, CP, NZB 360, SickBeard, Mylar and Lazy Librarian (and others) +* Statistics on indexers (average response time, share of results, access errors), searches and downloads per time of day and day of week, NZB download history and search history (both via internal GUI and API) + +![NZBHydra Screenshot](../../images/nzbhydra.png) + +## Inclusion into AutoPirate + +To include NZBHydra in your [AutoPirate](/recipes/autopirate/) stack, include the following in your autopirate.yml stack definition file: + +``` +nzbhydra: + image: linuxserver/hydra:latest + env_file : /var/data/config/autopirate/nzbhydra.env + volumes: + - /var/data/autopirate/nzbhydra:/config + networks: + - internal + +nzbhydra_proxy: + image: a5huynh/oauth2_proxy + env_file : /var/data/config/autopirate/nzbhydra.env + networks: + - internal + - traefik_public + deploy: + labels: + - traefik.frontend.rule=Host:nzbhydra.example.com + - traefik.docker.network=traefik_public + - traefik.port=4180 + volumes: + - /var/data/config/autopirate/authenticated-emails.txt:/authenticated-emails.txt + command: | + -cookie-secure=false + -upstream=http://nzbhydra:5075 + -redirect-url=https://nzbhydra.example.com + -http-address=http://0.0.0.0:4180 + -email-domain=example.com + -provider=github + -authenticated-emails-file=/authenticated-emails.txt +``` + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + +## Assemble more tools.. + +Continue through the list of tools below, adding whichever tools your want to use, and finishing with the **[end](/recipes/autopirate/end/)** section: + +* [SABnzbd](/recipes/autopirate/sabnzbd.md) +* [NZBGet](/recipes/autopirate/nzbget.md) +* [RTorrent](/recipes/autopirate/rtorrent/) +* [Sonarr](/recipes/autopirate/sonarr/) +* [Radarr](/recipes/autopirate/radarr/) +* [Mylar](/recipes/autopirate/mylar/) +* [Lazy Librarian](/recipes/autopirate/lazylibrarian/) +* [Headphones](/recipes/autopirate/headphones/) +* [Lidarr](/recipes/autopirate/lidarr/) +* NZBHydra (this page) +* [NZBHydra2](/recipes/autopirate/nzbhydra2/) +* [Ombi](/recipes/autopirate/ombi/) +* [Jackett](/recipes/autopirate/jackett/) +* [Heimdall](/recipes/autopirate/heimdall/) +* [End](/recipes/autopirate/end/) (launch the stack) + + +## Chef's Notes 📓 + +1. In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition. \ No newline at end of file diff --git a/manuscript/recipes/autopirate/nzbhydra2.md b/manuscript/recipes/autopirate/nzbhydra2.md index 871fe17..63c6d38 100644 --- a/manuscript/recipes/autopirate/nzbhydra2.md +++ b/manuscript/recipes/autopirate/nzbhydra2.md @@ -89,7 +89,7 @@ Continue through the list of tools below, adding whichever tools your want to us * [End](https://geek-cookbook.funkypenguin.co.nz/)recipes/autopirate/end/) (launch the stack) -## Chef's Notes 📓 +## Chef's Notes 1. In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra2, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition. 2. Note that NZBHydra2 _can_ co-exist with NZBHydra (1), but if you want your tools (Sonarr, Radarr, etc) to use NZBHydra2, you'll need to change both the target hostname (_to "hydra2"_) and the target port (_to 5076_). \ No newline at end of file diff --git a/manuscript/recipes/autopirate/nzbhydra2.mde b/manuscript/recipes/autopirate/nzbhydra2.mde new file mode 100644 index 0000000..d291a81 --- /dev/null +++ b/manuscript/recipes/autopirate/nzbhydra2.mde @@ -0,0 +1,95 @@ +!!! warning + This is not a complete recipe - it's a component of the [AutoPirate](/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity. + + +# NZBHydra 2 + +[NZBHydra 2](https://github.com/theotherp/nzbhydra2) is a meta search for NZB indexers. It provides easy access to a number of raw and newznab based indexers. You can search all your indexers from one place and use it as an indexer source for tools like Sonarr, Radarr or CouchPotato. + +!!! note + NZBHydra 2 is a complete rewrite of [NZBHydra (1)](/recipes/autopirate/nzbhybra/). It's currently in Beta. It works mostly fine but some functions might not be completely done and incompatibilities with some tools might still exist. You might want to run both in parallel for migration / testing purposes, but ultimately you'll probably want to switch over to NZBHydra 2 exclusively. + +![NZBHydra Screenshot](../../images/nzbhydra2.png) + +Features include: + +* Searches Anizb, BinSearch, NZBIndex and any newznab compatible indexers. Merges all results, filters them by a number of configurable restrictions, recognizes duplicates and returns them all in one place +* Add results to [NZBGet](/recipes/autopirate/nzbget/) or [SABnzbd](/recipes/autopirate/sabnzbd/) +* Support for all relevant media IDs (IMDB, TMDB, TVDB, TVRage, TVMaze) and conversion between them +* Query generation, meaning a query will be generated if only a media ID is provided in the search and the indexer doesn't support the ID or if no results were found +* Compatible with [Sonarr](/recipes/autopirate/sonarr/), [Radarr](/recipes/autopirate/radarr/), [NZBGet](/recipes/autopirate/nzbget.md), [SABnzbd](/recipes/autopirate/sabnzbd/), nzb360, CouchPotato, [Mylar](/recipes/autopirate/mylar/), [Lazy Librarian](/recipes/autopirate/lazylibrarian/), Sick Beard, [Jackett/Cardigann](/recipes/autopirate/jackett/), Watcher, etc. +* Search and download history and extensive stats. E.g. indexer response times, download shares, NZB age, etc. +* Authentication and multi-user support +* Automatic update of NZB download status by querying configured downloaders +* RSS support with configurable cache times +* Torrent support (_Although I prefer [Jackett](/recipes/autopirate/jackett/) for this_): + * For GUI searches, allowing you to download torrents to a blackhole folder + * A separate Torznab compatible endpoint for API requests, allowing you to merge multiple trackers +* Extensive configurability +* Migration of database and settings from v1 + + +## Inclusion into AutoPirate + +To include NZBHydra2 in your [AutoPirate](/recipes/autopirate/) stack, include the following in your autopirate.yml stack definition file: + +``` +nzbhydra2: + image: linuxserver/hydra2:latest + env_file : /var/data/config/autopirate/nzbhydra2.env + volumes: + - /var/data/autopirate/nzbhydra2:/config + networks: + - internal + +nzbhydra2_proxy: + image: a5huynh/oauth2_proxy + env_file : /var/data/config/autopirate/nzbhydra2.env + networks: + - internal + - traefik_public + deploy: + labels: + - traefik.frontend.rule=Host:nzbhydra2.example.com + - traefik.docker.network=traefik_public + - traefik.port=4180 + volumes: + - /var/data/config/autopirate/authenticated-emails.txt:/authenticated-emails.txt + command: | + -cookie-secure=false + -upstream=http://nzbhydra2:5076 + -redirect-url=https://nzbhydra2.example.com + -http-address=http://0.0.0.0:4180 + -email-domain=example.com + -provider=github + -authenticated-emails-file=/authenticated-emails.txt +``` + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + +## Assemble more tools.. + +Continue through the list of tools below, adding whichever tools your want to use, and finishing with the **[end](/recipes/autopirate/end/)** section: + +* [SABnzbd](/recipes/autopirate/sabnzbd.md) +* [NZBGet](/recipes/autopirate/nzbget.md) +* [RTorrent](/recipes/autopirate/rtorrent/) +* [Sonarr](/recipes/autopirate/sonarr/) +* [Radarr](/recipes/autopirate/radarr/) +* [Mylar](/recipes/autopirate/mylar/) +* [Lazy Librarian](/recipes/autopirate/lazylibrarian/) +* [Headphones](/recipes/autopirate/headphones/) +* [Lidarr](/recipes/autopirate/lidarr/) +* [NZBHydra](/recipes/autopirate/nzbhydra/) +* NZBHydra2 (this page) +* [Ombi](/recipes/autopirate/ombi/) +* [Jackett](/recipes/autopirate/jackett/) +* [Heimdall](/recipes/autopirate/heimdall/) +* [End](/recipes/autopirate/end/) (launch the stack) + + +## Chef's Notes 📓 + +1. In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra2, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition. +2. Note that NZBHydra2 _can_ co-exist with NZBHydra (1), but if you want your tools (Sonarr, Radarr, etc) to use NZBHydra2, you'll need to change both the target hostname (_to "hydra2"_) and the target port (_to 5076_). \ No newline at end of file diff --git a/manuscript/recipes/autopirate/ombi.md b/manuscript/recipes/autopirate/ombi.md index a240ee6..1c52ff9 100644 --- a/manuscript/recipes/autopirate/ombi.md +++ b/manuscript/recipes/autopirate/ombi.md @@ -75,6 +75,6 @@ Continue through the list of tools below, adding whichever tools your want to us * [End](https://geek-cookbook.funkypenguin.co.nz/)recipes/autopirate/end/) (launch the stack) -## Chef's Notes 📓 +## Chef's Notes 1. In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition. \ No newline at end of file diff --git a/manuscript/recipes/autopirate/ombi.mde b/manuscript/recipes/autopirate/ombi.mde new file mode 100644 index 0000000..703ca91 --- /dev/null +++ b/manuscript/recipes/autopirate/ombi.mde @@ -0,0 +1,80 @@ +!!! warning + This is not a complete recipe - it's a component of the [AutoPirate](/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity. + +# Ombi + +[Ombi](https://github.com/tidusjar/Ombi) is a useful addition to the [autopirate](/recipes/autopirate/) stack. Features include: + +* Lets users request Movies and TV Shows (_whether it being the entire series, an entire season, or even single episodes._) +* Easily manage your requests +User management system (_supports plex.tv, Emby and local accounts_) +* A landing page that will give you the availability of your Plex/Emby server and also add custom notification text to inform your users of downtime. +* Allows your users to get custom notifications! +* Will show if the request is already on plex or even if it's already monitored. +Automatically updates the status of requests when they are available on Plex/Emby + +![Ombi Screenshot](../../images/ombi.png) + +## Inclusion into AutoPirate + +To include Ombi in your [AutoPirate](/recipes/autopirate/) stack, include the following in your autopirate.yml stack definition file: + +``` +ombi: + image: linuxserver/ombi:latest + env_file : /var/data/config/autopirate/ombi.env + volumes: + - /var/data/autopirate/ombi:/config + networks: + - internal + +ombi_proxy: + image: a5huynh/oauth2_proxy + env_file : /var/data/config/autopirate/ombi.env + networks: + - internal + - traefik_public + deploy: + labels: + - traefik.frontend.rule=Host:ombi.example.com + - traefik.docker.network=traefik_public + - traefik.port=4180 + volumes: + - /var/data/config/autopirate/authenticated-emails.txt:/authenticated-emails.txt + command: | + -cookie-secure=false + -upstream=http://ombi:3579 + -redirect-url=https://ombi.example.com + -http-address=http://0.0.0.0:4180 + -email-domain=example.com + -provider=github + -authenticated-emails-file=/authenticated-emails.txt +``` + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + +## Assemble more tools.. + +Continue through the list of tools below, adding whichever tools your want to use, and finishing with the **[end](/recipes/autopirate/end/)** section: + +* [SABnzbd](/recipes/autopirate/sabnzbd.md) +* [NZBGet](/recipes/autopirate/nzbget.md) +* [RTorrent](/recipes/autopirate/rtorrent/) +* [Sonarr](/recipes/autopirate/sonarr/) +* [Radarr](/recipes/autopirate/radarr/) +* [Mylar](/recipes/autopirate/mylar/) +* [Lazy Librarian](/recipes/autopirate/lazylibrarian/) +* [Headphones](/recipes/autopirate/headphones/) +* [Lidarr](/recipes/autopirate/lidarr/) +* [NZBHydra](/recipes/autopirate/nzbhydra/) +* [NZBHydra2](/recipes/autopirate/nzbhydra2/) +* Ombi (this page) +* [Jackett](/recipes/autopirate/jackett/) +* [Heimdall](/recipes/autopirate/heimdall/) +* [End](/recipes/autopirate/end/) (launch the stack) + + +## Chef's Notes 📓 + +1. In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition. \ No newline at end of file diff --git a/manuscript/recipes/autopirate/radarr.md b/manuscript/recipes/autopirate/radarr.md index e7e0784..7c39568 100644 --- a/manuscript/recipes/autopirate/radarr.md +++ b/manuscript/recipes/autopirate/radarr.md @@ -86,6 +86,6 @@ Continue through the list of tools below, adding whichever tools your want to us * [End](https://geek-cookbook.funkypenguin.co.nz/)recipes/autopirate/end/) (launch the stack) -## Chef's Notes 📓 +## Chef's Notes 1. In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition. \ No newline at end of file diff --git a/manuscript/recipes/autopirate/radarr.mde b/manuscript/recipes/autopirate/radarr.mde new file mode 100644 index 0000000..d3773b7 --- /dev/null +++ b/manuscript/recipes/autopirate/radarr.mde @@ -0,0 +1,91 @@ +!!! warning + This is not a complete recipe - it's a component of the [AutoPirate](/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity. + +# Radarr + + +[Radarr](https://radarr.video/) is a tool for finding, downloading and managing movies. Features include: + +* Adding new movies with lots of information, such as trailers, ratings, etc. +* Can watch for better quality of the movies you have and do an automatic upgrade. eg. from DVD to Blu-Ray +* Automatic failed download handling will try another release if one fails +* Manual search so you can pick any release or to see why a release was not downloaded automatically +* Full integration with SABnzbd and NZBGet +* Automatically searching for releases as well as RSS Sync +* Automatically importing downloaded movies +* Recognizing Special Editions, Director's Cut, etc. +* Identifying releases with hardcoded subs +* Importing movies from various online sources, such as IMDb Watchlists (A complete list can be found here) +* Full integration with Kodi, Plex (notification, library update) +* And a beautiful UI +* Importing Metadata such as trailers or subtitles + +![Radarr Screenshot](../../images/radarr.png) + +!!! tip "Sponsored Project" + Sonarr is one of my [sponsored projects](/sponsored-projects/) - a project I financially support on a regular basis because of its utility to me. I forget it's there until I (reliably) receive an email with new and exciting updates 😁 + +## Inclusion into AutoPirate + +To include Radarr in your [AutoPirate](/recipes/autopirate/) stack, include the following in your autopirate.yml stack definition file: + +``` +radarr: + image: linuxserver/radarr:latest + env_file : /var/data/config/autopirate/radarr.env + volumes: + - /var/data/autopirate/radarr:/config + - /var/data/media:/media + networks: + - internal + +radarr_proxy: + image: a5huynh/oauth2_proxy + env_file : /var/data/config/autopirate/radarr.env + networks: + - internal + - traefik_public + deploy: + labels: + - traefik.frontend.rule=Host:radarr.example.com + - traefik.docker.network=traefik_public + - traefik.port=4180 + volumes: + - /var/data/config/autopirate/authenticated-emails.txt:/authenticated-emails.txt + command: | + -cookie-secure=false + -upstream=http://radarr:7878 + -redirect-url=https://radarr.example.com + -http-address=http://0.0.0.0:4180 + -email-domain=example.com + -provider=github + -authenticated-emails-file=/authenticated-emails.txt +``` + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + +## Assemble more tools.. + +Continue through the list of tools below, adding whichever tools your want to use, and finishing with the **[end](/recipes/autopirate/end/)** section: + +* [SABnzbd](/recipes/autopirate/sabnzbd.md) +* [NZBGet](/recipes/autopirate/nzbget.md) +* [RTorrent](/recipes/autopirate/rtorrent/) +* [Sonarr](/recipes/autopirate/sonarr/) +* Radarr (this page) +* [Mylar](/recipes/autopirate/mylar/) +* [Lazy Librarian](/recipes/autopirate/lazylibrarian/) +* [Headphones](/recipes/autopirate/headphones/) +* [Lidarr](/recipes/autopirate/lidarr/) +* [NZBHydra](/recipes/autopirate/nzbhydra/) +* [NZBHydra2](/recipes/autopirate/nzbhydra2/) +* [Ombi](/recipes/autopirate/ombi/) +* [Jackett](/recipes/autopirate/jackett/) +* [Heimdall](/recipes/autopirate/heimdall/) +* [End](/recipes/autopirate/end/) (launch the stack) + + +## Chef's Notes 📓 + +1. In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition. \ No newline at end of file diff --git a/manuscript/recipes/autopirate/rtorrent.md b/manuscript/recipes/autopirate/rtorrent.md index f279afa..4e512e0 100644 --- a/manuscript/recipes/autopirate/rtorrent.md +++ b/manuscript/recipes/autopirate/rtorrent.md @@ -75,6 +75,6 @@ Continue through the list of tools below, adding whichever tools your want to us * [End](https://geek-cookbook.funkypenguin.co.nz/)recipes/autopirate/end/) (launch the stack) -## Chef's Notes 📓 +## Chef's Notes 1. In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition. \ No newline at end of file diff --git a/manuscript/recipes/autopirate/rtorrent.mde b/manuscript/recipes/autopirate/rtorrent.mde new file mode 100644 index 0000000..2a5cc5e --- /dev/null +++ b/manuscript/recipes/autopirate/rtorrent.mde @@ -0,0 +1,80 @@ +!!! warning + This is not a complete recipe - it's a component of the [AutoPirate](/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity. + +# RTorrent / ruTorrent + +[RTorrent](http://rakshasa.github.io/rtorrent) is a popular CLI-based bittorrent client, and [ruTorrent](https://github.com/Novik/ruTorrent) is a powerful web interface for rtorrent. + +![Rtorrent Screenshot](../../images/rtorrent.png) + +## Choose incoming port + +When using a torrent client from behind NAT (_which swarm, by nature, is_), you typically need to set a static port for inbound torrent communications. In the example below, I've set the port to 36258. You'll need to configure /var/data/autopirate/rtorrent/rtorrent/rtorrent.rc with the equivalent port. + +## Inclusion into AutoPirate + +To include ruTorrent in your [AutoPirate](/recipes/autopirate/) stack, include the following in your autopirate.yml stack definition file: + +``` +rtorrent: + image: linuxserver/rutorrent + env_file : /var/data/config/autopirate/rtorrent.env + ports: + - 36258:36258 + volumes: + - /var/data/media/:/media + - /var/data/autopirate/rtorrent:/config + networks: + - internal + +rtorrent_proxy: + image: skippy/oauth2_proxy + env_file : /var/data/config/autopirate/rtorrent.env + networks: + - internal + - traefik_public + deploy: + labels: + - traefik.frontend.rule=Host:rtorrent.example.com + - traefik.docker.network=traefik_public + - traefik.port=4180 + volumes: + - /var/data/config/autopirate/authenticated-emails.txt:/authenticated-emails.txt + command: | + -cookie-secure=false + -upstream=http://rtorrent:80 + -redirect-url=https://rtorrent.example.com + -http-address=http://0.0.0.0:4180 + -email-domain=example.com + -provider=github + -authenticated-emails-file=/authenticated-emails.txt +``` + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + + +## Assemble more tools.. + +Continue through the list of tools below, adding whichever tools your want to use, and finishing with the **[end](/recipes/autopirate/end/)** section: + +* [SABnzbd](/recipes/autopirate/sabnzbd.md) +* [NZBGet](/recipes/autopirate/nzbget.md) +* RTorrent (this page) +* [Sonarr](/recipes/autopirate/sonarr/) +* [Radarr](/recipes/autopirate/radarr/) +* [Mylar](/recipes/autopirate/mylar/) +* [Lazy Librarian](/recipes/autopirate/lazylibrarian/) +* [Headphones](/recipes/autopirate/headphones/) +* [Lidarr](/recipes/autopirate/lidarr/) +* [NZBHydra](/recipes/autopirate/nzbhydra/) +* [NZBHydra2](/recipes/autopirate/nzbhydra2/) +* [Ombi](/recipes/autopirate/ombi/) +* [Jackett](/recipes/autopirate/jackett/) +* [Heimdall](/recipes/autopirate/heimdall/) +* [End](/recipes/autopirate/end/) (launch the stack) + + +## Chef's Notes 📓 + +1. In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition. \ No newline at end of file diff --git a/manuscript/recipes/autopirate/sabnzbd.md b/manuscript/recipes/autopirate/sabnzbd.md index 110845f..1c7abaa 100644 --- a/manuscript/recipes/autopirate/sabnzbd.md +++ b/manuscript/recipes/autopirate/sabnzbd.md @@ -82,6 +82,6 @@ Continue through the list of tools below, adding whichever tools your want to us * [End](https://geek-cookbook.funkypenguin.co.nz/)recipes/autopirate/end/) (launch the stack) -## Chef's Notes 📓 +## Chef's Notes 1. In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition. \ No newline at end of file diff --git a/manuscript/recipes/autopirate/sabnzbd.mde b/manuscript/recipes/autopirate/sabnzbd.mde new file mode 100644 index 0000000..4c3bee5 --- /dev/null +++ b/manuscript/recipes/autopirate/sabnzbd.mde @@ -0,0 +1,87 @@ +!!! warning + This is not a complete recipe - it's a component of the [AutoPirate](/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity. + +# SABnzbd + +## Introduction + +SABnzbd is the workhorse of the stack. It takes .nzb files as input (_manually or from other [autopirate](/recipes/autopirate/) stack tools_), then connects to your chosen Usenet provider, downloads all the individual binaries referenced by the .nzb, and then tests/repairs/combines/uncompresses them all into the final result - media files. + +![SABNZBD Screenshot](../../images/sabnzbd.png) + +!!! tip "Sponsored Project" + SABnzbd is one of my [sponsored projects](/sponsored-projects/) - a project I financially support on a regular basis because of its utility to me. It's not sexy, but it's consistent and reliable, and I enjoy the fruits of its labor near-daily. + +## Inclusion into AutoPirate + +To include SABnzbd in your [AutoPirate](/recipes/autopirate/) stack +(_The only reason you **wouldn't** use SABnzbd, would be if you were using [NZBGet](/recipes/autopirate/nzbget.md) instead_), include the following in your autopirate.yml stack definition file: + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + +``` +sabnzbd: + image: linuxserver/sabnzbd:latest + env_file : /var/data/config/autopirate/sabnzbd.env + volumes: + - /var/data/autopirate/sabnzbd:/config + - /var/data/media:/media + networks: + - internal + +sabnzbd_proxy: + image: a5huynh/oauth2_proxy + env_file : /var/data/config/autopirate/sabnzbd.env + networks: + - internal + - traefik_public + deploy: + labels: + - traefik.frontend.rule=Host:sabnzbd.example.com + - traefik.docker.network=traefik_public + - traefik.port=4180 + volumes: + - /var/data/config/autopirate/authenticated-emails.txt:/authenticated-emails.txt + command: | + -cookie-secure=false + -upstream=http://sabnzbd:8080 + -redirect-url=https://sabnzbd.example.com + -http-address=http://0.0.0.0:4180 + -email-domain=example.com + -provider=github + -authenticated-emails-file=/authenticated-emails.txt +``` + +!!! warning "Important Note re hostname validation" + + (**Updated 10 June 2018**) : In SABnzbd [2.3.3](https://sabnzbd.org/wiki/extra/hostname-check.html), hostname verification was added as a mandatory check. SABnzbd will refuse inbound connections which weren't addressed to its own (_initially, autodetected_) hostname. This presents a problem within Docker Swarm, where container hostnames are random and disposable. + + You'll need to edit sabnzbd.ini (_only created after your first launch_), and **replace** the value in ```host_whitelist``` configuration (_it's comma-separated_) with the name of your service within the swarm definition, as well as your FQDN as accessed via traefik. + + For example, mine simply reads ```host_whitelist = sabnzbd.funkypenguin.co.nz, sabnzbd``` + +## Assemble more tools.. + +Continue through the list of tools below, adding whichever tools your want to use, and finishing with the **[end](/recipes/autopirate/end/)** section: + +* SABnzbd (this page) +* [NZBGet](/recipes/autopirate/nzbget.md) +* [RTorrent](/recipes/autopirate/rtorrent/) +* [Sonarr](/recipes/autopirate/sonarr/) +* [Radarr](/recipes/autopirate/radarr/) +* [Mylar](/recipes/autopirate/mylar/) +* [Lazy Librarian](/recipes/autopirate/lazylibrarian/) +* [Headphones](/recipes/autopirate/headphones/) +* [Lidarr](/recipes/autopirate/lidarr/) +* [NZBHydra](/recipes/autopirate/nzbhydra/) +* [NZBHydra2](/recipes/autopirate/nzbhydra2/) +* [Ombi](/recipes/autopirate/ombi/) +* [Jackett](/recipes/autopirate/jackett/) +* [Heimdall](/recipes/autopirate/heimdall/) +* [End](/recipes/autopirate/end/) (launch the stack) + + +## Chef's Notes 📓 + +1. In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition. \ No newline at end of file diff --git a/manuscript/recipes/autopirate/sonarr.md b/manuscript/recipes/autopirate/sonarr.md index 10eabcd..fac35a4 100644 --- a/manuscript/recipes/autopirate/sonarr.md +++ b/manuscript/recipes/autopirate/sonarr.md @@ -72,6 +72,6 @@ Continue through the list of tools below, adding whichever tools your want to us * [End](https://geek-cookbook.funkypenguin.co.nz/)recipes/autopirate/end/) (launch the stack) -## Chef's Notes 📓 +## Chef's Notes 1. In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition. \ No newline at end of file diff --git a/manuscript/recipes/autopirate/sonarr.mde b/manuscript/recipes/autopirate/sonarr.mde new file mode 100644 index 0000000..5a6de72 --- /dev/null +++ b/manuscript/recipes/autopirate/sonarr.mde @@ -0,0 +1,77 @@ +!!! warning + This is not a complete recipe - it's a component of the [AutoPirate](/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity. + + +# Sonarr + +[Sonarr](https://sonarr.tv/) is a tool for finding, downloading and managing your TV series. + +![Sonarr Screenshot](../../images/sonarr.png) + +!!! tip "Sponsored Project" + Sonarr is one of my [sponsored projects](/sponsored-projects/) - a project I financially support on a regular basis because of its utility to me. I forget it's there until I (reliably) receive an email with new and exciting updates 😁 + +## Inclusion into AutoPirate + +To include Sonarr in your [AutoPirate](/recipes/autopirate/) stack, include the following in your autopirate.yml stack definition file: + +``` +sonarr: + image: linuxserver/sonarr:latest + env_file : /var/data/config/autopirate/sonarr.env + volumes: + - /var/data/autopirate/sonarr:/config + - /var/data/media:/media + networks: + - internal + +sonarr_proxy: + image: a5huynh/oauth2_proxy + env_file : /var/data/config/autopirate/sonarr.env + networks: + - internal + - traefik_public + deploy: + labels: + - traefik.frontend.rule=Host:sonarr.example.com + - traefik.docker.network=traefik_public + - traefik.port=4180 + volumes: + - /var/data/config/autopirate/authenticated-emails.txt:/authenticated-emails.txt + command: | + -cookie-secure=false + -upstream=http://sonarr:8989 + -redirect-url=https://sonarr.example.com + -http-address=http://0.0.0.0:4180 + -email-domain=example.com + -provider=github + -authenticated-emails-file=/authenticated-emails.txt +``` + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + +## Assemble more tools.. + +Continue through the list of tools below, adding whichever tools your want to use, and finishing with the **[end](/recipes/autopirate/end/)** section: + +* [SABnzbd](/recipes/autopirate/sabnzbd.md) +* [NZBGet](/recipes/autopirate/nzbget.md) +* [RTorrent](/recipes/autopirate/rtorrent/) +* Sonarr (this page) +* [Radarr](/recipes/autopirate/radarr/) +* [Mylar](/recipes/autopirate/mylar/) +* [Lazy Librarian](/recipes/autopirate/lazylibrarian/) +* [Headphones](/recipes/autopirate/headphones/) +* [Lidarr](/recipes/autopirate/lidarr/) +* [NZBHydra](/recipes/autopirate/nzbhydra/) +* [NZBHydra2](/recipes/autopirate/nzbhydra2/) +* [Ombi](/recipes/autopirate/ombi/) +* [Jackett](/recipes/autopirate/jackett/) +* [Heimdall](/recipes/autopirate/heimdall/) +* [End](/recipes/autopirate/end/) (launch the stack) + + +## Chef's Notes 📓 + +1. In many cases, tools will integrate with each other. I.e., Radarr needs to talk to SABnzbd and NZBHydra, Ombi needs to talk to Radarr, etc. Since each tool runs within the stack under its own name, just refer to each tool by name (i.e. "radarr"), and docker swarm will resolve the name to the appropriate container. You can identify the tool-specific port by looking at the docker-compose service definition. \ No newline at end of file diff --git a/manuscript/recipes/bitwarden.md b/manuscript/recipes/bitwarden.md index e118098..9bef778 100644 --- a/manuscript/recipes/bitwarden.md +++ b/manuscript/recipes/bitwarden.md @@ -94,7 +94,7 @@ Browse to your new instance at https://**YOUR-FQDN**, and create a new user acco Once you've created your account, jump over to https://bitwarden.com/#download and download the apps for your mobile and browser, and start adding your logins! -## Chef's Notes 📓 +## Chef's Notes 1. You'll notice we're not using the *official* container images (*[all 6 of them required](https://help.bitwarden.com/article/install-on-premise/#install-bitwarden)!)*, but rather a [more lightweight version ideal for self-hosting](https://hub.docker.com/r/bitwardenrs/server). All of the elements are contained within a single container, and SQLite is used for the database backend. 2. As mentioned above, readers should refer to the [dani-garcia/bitwarden_rs wiki](https://github.com/dani-garcia/bitwarden_rs) for details on customizing the behaviour of Bitwarden. diff --git a/manuscript/recipes/bitwarden.mde b/manuscript/recipes/bitwarden.mde new file mode 100644 index 0000000..42f8193 --- /dev/null +++ b/manuscript/recipes/bitwarden.mde @@ -0,0 +1,101 @@ +# Bitwarden + +Heard about the [latest password breach](https://www.databreaches.net) (*since lunch*)? [HaveYouBeenPowned](http://haveibeenpwned.com) yet (*today*)? [Passwords are broken](https://www.theguardian.com/technology/2008/nov/13/internet-passwords), and as the amount of sites for which you need to store credentials grows exponetially, so does the risk of using a common password. + +"*Duh, use a password manager*", you say. Sure, but be aware that [even password managers have security flaws](https://www.securityevaluators.com/casestudies/password-manager-hacking/). + +**OK, look smartass..** no software is perfect, and there will always be a risk of your credentials being exposed in ways you didn't intend. You can at least **minimize** the impact of such exposure by using a password manager to store unique credentials per-site. While [1Password](http://1password.com) is king of the commercial password manager, [BitWarden](https://bitwarden.com) is king of the open-source, self-hosted password manager. + +Enter Bitwarden.. + +![BitWarden Screenshot](../images/bitwarden.png) + +Bitwarden is a free and open source password management solution for individuals, teams, and business organizations. While Bitwarden does offer a paid / hosted version, the free version comes with the following (*better than any other free password manager!*): + +* Access & install all Bitwarden apps +* Sync all of your devices, no limits! +* Store unlimited items in your vault +* Logins, secure notes, credit cards, & identities +* Two-step authentication (2FA) +* Secure password generator +* Self-host on your own server (optional) + +## Ingredients + +!!! summary "Ingredients" + Existing: + + 1. [X] [Docker swarm cluster](/ha-docker-swarm/design/) with [persistent shared storage](/ha-docker-swarm/shared-storage-ceph.md) + 2. [X] [Traefik](/ha-docker-swarm/traefik_public) configured per design + 3. [X] DNS entry for the hostname you intend to use, pointed to your [keepalived](ha-docker-swarm/keepalived/) IP + +## Preparation + +### Setup data locations + +We'll need to create a directory to bind-mount into our container, so create `/var/data/bitwarden`: + +``` +mkdir /var/data/bitwarden +``` +### Setup environment + +Create `/var/data/config/bitwarden/bitwarden.env`, and **leave it empty for now**. + +!!! question + What, why an empty env file? Well, the container supports lots of customizations via environment variables, for things like toggling self-registration, 2FA, etc. These are too complex to go into for this recipe, but readers are recommended to review the [dani-garcia/bitwarden_rs wiki](https://github.com/dani-garcia/bitwarden_rs), and customize their installation to suite. + +### Setup Docker Swarm + +Create a docker swarm config file in docker-compose syntax (v3), something like this: + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + + +``` +version: "3" +services: + bitwarden: + image: bitwardenrs/server + env_file: /var/data/config/bitwarden/bitwarden.env + volumes: + - /etc/localtime:/etc/localtime:ro + - /var/data/bitwarden:/data/:rw + deploy: + labels: + - traefik.enable=true + - traefik.web.frontend.rule=Host:bitwarden.example.com + - traefik.web.port=80 + - traefik.hub.frontend.rule=Host:bitwarden.example.com;Path:/notifications/hub + - traefik.hub.port=3012 + - traefik.docker.network=traefik_public + networks: + - traefik_public + +networks: + traefik_public: + external: true +``` + +!!! note + Note the clever use of two Traefik frontends to expose the notifications hub on port 3012. Thanks @gkoerk! + + +## Serving + +### Launch Bitwarden stack + +Launch the Bitwarden stack by running ```docker stack deploy bitwarden -c ``` + +Browse to your new instance at https://**YOUR-FQDN**, and create a new user account and master password (*Just click the **Create Account** button without filling in your email address or master password*) + +### Get the apps / extensions + +Once you've created your account, jump over to https://bitwarden.com/#download and download the apps for your mobile and browser, and start adding your logins! + +## Chef's Notes 📓 + +1. You'll notice we're not using the *official* container images (*[all 6 of them required](https://help.bitwarden.com/article/install-on-premise/#install-bitwarden)!)*, but rather a [more lightweight version ideal for self-hosting](https://hub.docker.com/r/bitwardenrs/server). All of the elements are contained within a single container, and SQLite is used for the database backend. +2. As mentioned above, readers should refer to the [dani-garcia/bitwarden_rs wiki](https://github.com/dani-garcia/bitwarden_rs) for details on customizing the behaviour of Bitwarden. +3. The inclusion of Bitwarden was due to the efforts of @gkoerk in our [Discord server](http://chat.funkypenguin.co.nz)- Thanks Gerry! diff --git a/manuscript/recipes/bookstack.md b/manuscript/recipes/bookstack.md index 459aad1..7d0431e 100644 --- a/manuscript/recipes/bookstack.md +++ b/manuscript/recipes/bookstack.md @@ -139,6 +139,6 @@ Launch the BookStack stack by running ```docker stack deploy bookstack -c /dump/dump_\`date +%d-%m-%Y"_"%H_%M_%S\`.sql.gz + (ls -t /dump/dump*.sql.gz|head -n $$BACKUP_NUM_KEEP;ls /dump/dump*.sql.gz)|sort|uniq -u|xargs rm -- {} + sleep $$BACKUP_FREQUENCY + done + EOF' + networks: + - internal + +networks: + traefik_public: + external: true + internal: + driver: overlay + ipam: + config: + - subnet: 172.16.33.0/24 +``` + +!!! note + Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](/reference/networks/) here. + + + +## Serving + +### Launch Bookstack stack + +Launch the BookStack stack by running ```docker stack deploy bookstack -c ``` + +Log into your new instance at https://**YOUR-FQDN**, authenticate with oauth_proxy, and then login with username 'admin@admin.com' and password 'password'. + +## Chef's Notes 📓 + +1. If you wanted to expose the BookStack UI directly, you could remove the oauth2_proxy from the design, and move the traefik_public-related labels directly to the bookstack container. You'd also need to add the traefik_public network to the bookstack container. \ No newline at end of file diff --git a/manuscript/recipes/calibre-web.md b/manuscript/recipes/calibre-web.md index bd20a30..3f286ca 100644 --- a/manuscript/recipes/calibre-web.md +++ b/manuscript/recipes/calibre-web.md @@ -122,7 +122,7 @@ Launch the Calibre-Web stack by running ```docker stack deploy calibre-web -c

+PUID= +PGID= +``` + +Follow the [instructions](https://github.com/bitly/oauth2_proxy) to setup your oauth provider. You need to setup a unique key/secret for each instance of the proxy you want to run, since in each case the callback URL will differ. + + +### Setup Docker Swarm + +Create a docker swarm config file in docker-compose syntax (v3), something like this: + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + + +``` +version: '3' + +services: + app: + image: technosoft2000/calibre-web + env_file : /var/data/config/calibre-web/calibre-web.env + volumes: + - /var/data/calibre-web:/config + - /srv/data/Archive/Ebooks/calibre:/books + networks: + - internal + + proxy: + image: a5huynh/oauth2_proxy + env_file : /var/data/config/calibre-web/calibre-web.env + dns_search: hq.example.com + networks: + - internal + - traefik_public + deploy: + labels: + - traefik.frontend.rule=Host:calibre-web.example.com + - traefik.docker.network=traefik_public + - traefik.port=4180 + volumes: + - /var/data/config/calibre-web/authenticated-emails.txt:/authenticated-emails.txt + command: | + -cookie-secure=false + -upstream=http://app:8083 + -redirect-url=https://calibre-web.example.com + -http-address=http://0.0.0.0:4180 + -email-domain=example.com + -provider=github + -authenticated-emails-file=/authenticated-emails.txt + +networks: + traefik_public: + external: true + internal: + driver: overlay + ipam: + config: + - subnet: 172.16.18.0/24 +``` + +!!! note + Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](/reference/networks/) here. + + + +## Serving + +### Launch Calibre-Web + +Launch the Calibre-Web stack by running ```docker stack deploy calibre-web -c ``` + +Log into your new instance at https://**YOUR-FQDN**. You'll be directed to the initial GUI configuraition. Set the first field (_Location of Calibre database_) to "_/books/_", and when complete, login using defaults username of "**admin**" with password "**admin123**". + +## Chef's Notes 📓 + +1. Yes, Calibre does provide a server component. But it's not as fully-featured as Calibre-Web (_i.e., you can't use it to send ebooks directly to your Kindle_) +2. A future enhancement might be integrating this recipe with the filestore for [NextCloud](/recipes/nextcloud/), so that the desktop database (Calibre) can be kept synced with Calibre-Web. \ No newline at end of file diff --git a/manuscript/recipes/collabora-online.md b/manuscript/recipes/collabora-online.md index edbd60e..fc5bcee 100644 --- a/manuscript/recipes/collabora-online.md +++ b/manuscript/recipes/collabora-online.md @@ -58,7 +58,7 @@ Create /var/data/config/collabora/collabora.env, and populate with the following 1. Variables are in lower-case, unlike our standard convention. This is to align with the CODE container 2. Set domain to your [NextCloud](https://geek-cookbook.funkypenguin.co.nz/)recipes/nextcloud/) domain, and escape all the periods as per the example 3. Set your server_name to collabora.. Escaping periods is unnecessary - 4. Your password cannot include triangular brackets - the entrypoint script will insert this password into an XML document, and triangular brackets will make bad(tm) things happen 🔥 + 4. Your password cannot include triangular brackets - the entrypoint script will insert this password into an XML document, and triangular brackets will make bad(tm) things happen ``` username=admin @@ -300,7 +300,7 @@ Now browse your NextCloud files. Click the plus (+) sign to create a new documen [![Common Observatory](../images/common_observatory.png)](https://www.observe.global/) -## Chef's Notes 📓 +## Chef's Notes 1. Yes, this recipe is complicated. And you probably only care if you feel strongly about using Open Source rich document editing in the browser, vs using something like Google Docs. It works impressively well however, once it works. I hope to make this recipe simpler once the CODE developers have documented how to pass optional parameters as environment variables. diff --git a/manuscript/recipes/collabora-online.mde b/manuscript/recipes/collabora-online.mde new file mode 100644 index 0000000..229201c --- /dev/null +++ b/manuscript/recipes/collabora-online.mde @@ -0,0 +1,306 @@ +# Collabora Online + +!!! important + Development of this recipe is sponsored by [The Common Observatory](https://www.observe.global/). Thanks guys! + + [![Common Observatory](../images/common_observatory.png)](https://www.observe.global/) + +Collabora Online Development Edition (or "[CODE](https://www.collaboraoffice.com/code/#what_is_code)"), is the lightweight, or "home" edition of the commercially-supported [Collabora Online](https://www.collaboraoffice.com/collabora-online/) platform. It + +It's basically the [LibreOffice](https://www.libreoffice.org/) interface in a web-browser. CODE is not a standalone app, it's a backend intended to be accessed via "WOPI" from an existing interface (_in our case, [NextCloud](/recipes/nextcloud/)_) + +![CODE Screenshot](../images/collabora-online.png) + +## Ingredients + +1. [Docker swarm cluster](/ha-docker-swarm/design/) with [persistent shared storage](/ha-docker-swarm/shared-storage-ceph.md) +2. [Traefik](/ha-docker-swarm/traefik_public) configured per design +3. DNS entry for the hostname (_i.e. "collabora.your-domain.com"_) you intend to use for LDAP Account Manager, pointed to your [keepalived](ha-docker-swarm/keepalived/) IP +4. [NextCloud](/recipes/nextcloud/) installed and operational +5. [Docker-compose](https://docs.docker.com/compose/install/) installed on your node(s) - this is a special case which needs to run outside of Docker Swarm + +## Preparation + +### Explanation for complexity + +Due to the clever magic that Collabora does to present a "headless" LibreOffice UI to the browser, the CODE docker container requires system capabilities which cannot be granted under Docker Swarm (_specifically, MKNOD_). + +So we have to run Collabora itself in the next best thing to Docker swarm - a docker-compose stack. Using docker-compose will at least provide us with consistent and version-able configuration files. + +This presents another problem though - Docker Swarm with Traefik is superb at making all our stacks "just work" with ingress routing and LetsEncyrpt certificates. We don't want to have to do this manually (_like a cave-man_), so we engage in some trickery to allow us to still use our swarmed Traefik to terminate SSL. + +We run a single swarmed Nginx instance, which forwards all requests to an upstream, with the target IP of the docker0 interface, on port 9980 (_the port exposed by the CODE container_) + +We attach the necessary labels to the Nginx container to instruct Trafeik to setup a front/backend for collabora.. Now incoming requests to **https://collabora.** will hit Traefik, be forwarded to nginx (_wherever in the swarm it's running_), and then to port 9980 on the same node that nginx is running on. + +What if we're running multiple nodes in our swarm, and nginx ends up on a different node to the one running Collabora via docker-compose? Well, either constrain nginx to the same node as Collabora (_example below_), or just launch an instance of Collabora on _every_ node then. It's just a rendering / GUI engine after all, it doesn't hold any persistent data. + +Here's a (_highly technical_) diagram to illustrate: + +![CODE traffic flow](../images/collabora-traffic-flow.png) + +### Setup data locations + +We'll need a directory for holding config to bind-mount into our containers, so create ```/var/data/collabora```, and ```/var/data/config/collabora``` for holding the docker/swarm config + +``` +mkdir /var/data/collabora/ +mkdir /var/data/config/collabora/ +``` + +### Prepare environment + +Create /var/data/config/collabora/collabora.env, and populate with the following variables, customized for your installation. + +!!! warning + Note the following: + + 1. Variables are in lower-case, unlike our standard convention. This is to align with the CODE container + 2. Set domain to your [NextCloud](/recipes/nextcloud/) domain, and escape all the periods as per the example + 3. Set your server_name to collabora.. Escaping periods is unnecessary + 4. Your password cannot include triangular brackets - the entrypoint script will insert this password into an XML document, and triangular brackets will make bad(tm) things happen 🔥 + +``` +username=admin +password=ilovemypassword +domain=nextcloud\.batcave\.com +server_name=collabora.batcave.com +termination=true +``` + +### Create docker-compose.yml + +Create ```/var/data/config/collabora/docker-compose.yml``` as follows: + +``` +version: "3.0" + +services: + local-collabora: + image: funkypenguin/collabora + # the funkypenguin version has a patch to include "termination" behind SSL-terminating reverse proxy (traefik), see CODE PR #50. + # Once merged, the official container can be used again. + #image: collabora/code + env_file: /var/data/config/collabora/collabora.env + volumes: + - /var/data/collabora/loolwsd.xml:/etc/loolwsd/loolwsd.xml-new + cap_add: + - MKNOD + ports: + - 9980:9980 +``` + +### Create nginx.conf + +Create ```/var/data/config/collabora/nginx.conf``` as follows, changing the ```server_name``` value to match the environment variable you established above. + +``` +upstream collabora-upstream { + # Run collabora under docker-compose, since it needs MKNOD cap, which can't be provided by Docker Swarm. + # The IP here is the typical IP of docker0 - change if yours is different. + server 172.17.0.1:9980; +} + +server { + listen 80; + server_name collabora.batcave.com; + + # static files + location ^~ /loleaflet { + proxy_pass http://collabora-upstream; + proxy_set_header Host $http_host; + } + + # WOPI discovery URL + location ^~ /hosting/discovery { + proxy_pass http://collabora-upstream; + proxy_set_header Host $http_host; + } + + # Main websocket + location ~ /lool/(.*)/ws$ { + proxy_pass http://collabora-upstream; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $http_host; + proxy_read_timeout 36000s; + } + + # Admin Console websocket + location ^~ /lool/adminws { + proxy_buffering off; + proxy_pass http://collabora-upstream; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $http_host; + proxy_read_timeout 36000s; + } + + # download, presentation and image upload + location ~ /lool { + proxy_pass https://collabora-upstream; + proxy_set_header Host $http_host; + } +} +``` +### Create loolwsd.xml + +[Until we understand](https://github.com/CollaboraOnline/Docker-CODE/pull/50) how to [pass trusted network parameters to the entrypoint script using environment variables](https://github.com/CollaboraOnline/Docker-CODE/issues/49), we have to maintain a manually edited version of ```loolwsd.xml```, and bind-mount it into our collabora container. + +The way we do this is we mount +```/var/data/collabora/loolwsd.xml``` as ```/etc/loolwsd/loolwsd.xml-new```, then allow the container to create its default ```/etc/loolwsd/loolwsd.xml```, copy this default **over** our ```/var/data/collabora/loolwsd.xml``` as ```/etc/loolwsd/loolwsd.xml-new```, and then update the container to use **our** ```/var/data/collabora/loolwsd.xml``` as ```/etc/loolwsd/loolwsd.xml``` instead (_confused yet?_) + +Create an empty ```/var/data/collabora/loolwsd.xml``` by running ```touch /var/data/collabora/loolwsd.xml```. We'll populate this in the next section... + +### Setup Docker Swarm + +Create ```/var/data/config/collabora/collabora.yml``` as follows, changing the traefik frontend_rule as necessary: + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + +``` +version: "3.0" + +services: + + nginx: + image: nginx:latest + networks: + - traefik_public + deploy: + labels: + - traefik.frontend.rule=Host:collabora.batcave.com + - traefik.docker.network=traefik_public + - traefik.port=80 + - traefik.frontend.passHostHeader=true + # uncomment this line if you want to force nginx to always run on one node (i.e., the one running collabora) + #placement: + # constraints: + # - node.hostname == ds1 + volumes: + - /var/data/collabora/nginx.conf:/etc/nginx/conf.d/default.conf:ro + +networks: + traefik_public: + external: true +``` + +## Serving + +### Generate loolwsd.xml + +Well. This is awkward. There's no documented way to make Collabora work with Docker Swarm, so we're doing a bit of a hack here, until I understand [how to pass these arguments](https://github.com/CollaboraOnline/Docker-CODE/issues/49) via environment variables. + +Launching Collabora is (_for now_) a 2-step process. First.. we launch collabora itself, by running: + +``` +cd /var/data/config/collabora/ +docker-compose -d up +``` + +Output looks something like this: + +``` +root@ds1:/var/data/config/collabora# docker-compose up -d +WARNING: The Docker Engine you're using is running in swarm mode. + +Compose does not use swarm mode to deploy services to multiple nodes in a swarm. All containers will be scheduled on the current node. + +To deploy your application across the swarm, use `docker stack deploy`. + +Pulling local-collabora (funkypenguin/collabora:latest)... +latest: Pulling from funkypenguin/collabora +7b8b6451c85f: Pull complete +ab4d1096d9ba: Pull complete +e6797d1788ac: Pull complete +e25c5c290bde: Pull complete +4b8e1b074e06: Pull complete +f51a3d1fb75e: Pull complete +8b826e2ae5ad: Pull complete +Digest: sha256:6cd38cb5cbd170da0e3f0af85cecf07a6bc366e44555c236f81d5b433421a39d +Status: Downloaded newer image for funkypenguin/collabora:latest +Creating collabora_local-collabora_1 ... +Creating collabora_local-collabora_1 ... done +root@ds1:/var/data/config/collabora# +``` + +Now exec into the container (_from another shell session_), by running ```exec -it /bin/bash```. Make a copy of /etc/loolwsd/loolwsd, by running ```cp /etc/loolwsd/loolwsd.xml /etc/loolwsd/loolwsd.xml-new```, and then exit the container with ```exit```. + +Delete the collabora container by hitting CTRL-C in the docker-compose shell, running ```docker-compose rm```, and then altering this line in docker-compose.yml: + +``` + - /var/data/collabora/loolwsd.xml:/etc/loolwsd/loolwsd.xml-new +``` + +To this: + +``` + - /var/data/collabora/loolwsd.xml:/etc/loolwsd/loolwsd.xml +``` + +Edit /var/data/collabora/loolwsd.xml, find the **storage.filesystem.wopi** section, and add lines like this to the existing allow rules (_to allow IPv6-enabled hosts to still connect with their IPv4 addreses_): + +``` +::ffff:10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} +::ffff:172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3} +::ffff:172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3} +::ffff:172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3} +::ffff:192\.168\.[0-9]{1,3}\.[0-9]{1,3} +``` + +Find the **net.post_allow** section, and add a line like this: + +``` +::ffff:10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} +::ffff:172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3} +::ffff:172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3} +::ffff:172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3} +::ffff:192\.168\.[0-9]{1,3}\.[0-9]{1,3} +``` + +Find these 2 lines: + +``` + + true +``` + +And change to: + +``` + + false +``` + +Now re-launch collabora (_with the correct with loolwsd.xml_) under docker-compose, by running: + +``` +docker-compose -d up +``` + +Once collabora is up, we launch the swarm stack, by running: + +``` +docker stack deploy collabora -c /var/data/config/collabora/collabora.yml +``` + +Visit **https://collabora./l/loleaflet/dist/admin/admin.html** and confirm you can login with the user/password you specified in collabora.env + +### Integrate into NextCloud + +In NextCloud, Install the **Collabora Online** app (https://apps.nextcloud.com/apps/richdocuments), and then under **Settings -> Collabora Online**, set your Collabora Online Server to ```https://collabora.``` + +![CODE Screenshot](../images/collabora-online-in-nextcloud.png) + +Now browse your NextCloud files. Click the plus (+) sign to create a new document, and create either a new document, spreadsheet, or presentation. Name your document and then click on it. If Collabora is setup correctly, you'll shortly enter into the rich editing interface provided by Collabora :) + +!!! important + Development of this recipe is sponsored by [The Common Observatory](https://www.observe.global/). Thanks guys! + + [![Common Observatory](../images/common_observatory.png)](https://www.observe.global/) + +## Chef's Notes 📓 + +1. Yes, this recipe is complicated. And you probably only care if you feel strongly about using Open Source rich document editing in the browser, vs using something like Google Docs. It works impressively well however, once it works. I hope to make this recipe simpler once the CODE developers have documented how to pass optional parameters as environment variables. + diff --git a/manuscript/recipes/cryptonote-mining-pool.mde b/manuscript/recipes/cryptonote-mining-pool.mde new file mode 100644 index 0000000..135f6e7 --- /dev/null +++ b/manuscript/recipes/cryptonote-mining-pool.mde @@ -0,0 +1,16 @@ +# CryptoNote Mining Pool + +[Cryptocurrency miners](/recipes/cryptominer) will "pool" their GPU resources ("_hashpower_") into aggregate "_mining pools_", so that by the combined effort of all the miners, the pool will receive a reward for the blocks "mined" into the blockchain, and this reward will be distributed among the miners. + +[CryptoNote](https://cryptonote.org/) is an open-source toolset designed to facilitate the creation of new privacy-focused [cryptocurrencies](https://cryptonote.org/coins) + +(_CryptoNote = 'Kryptonite'. In a pool. Get it?_) + +![CryptoNote Mining Pool Screenshot](/images/cryptonote-mining-pool.png) + +The fact that all these currencies share a common ancestry means that a common mining pool platform can be used for miners. The following recipes all use variations of [Dvandal's cryptonote-nodejs-pool ](https://github.com/dvandal/cryptonote-nodejs-pool) + +## Mining Pool Recipies + +* [TurtleCoin](/recipes/turtle-pool/), the no-BS, fun baby cryptocurrency +* [Athena](/recipes/cryptonote-mining-pool/athena/), TurtleCoin's newborn baby sister diff --git a/manuscript/recipes/duplicity.md b/manuscript/recipes/duplicity.md index b01aa97..13ebd88 100644 --- a/manuscript/recipes/duplicity.md +++ b/manuscript/recipes/duplicity.md @@ -160,7 +160,7 @@ Launch Duplicity stack by running ```docker stack deploy duplicity -c "[Settings](https://console.cloud.google.com/project/_/storage/settings)" > "Interoperability" tab > click "Enable interoperable access" and then "Create a new key" button and note both Access Key and Secret. + + +### Prepare environment + +1. Generate a random passphrase to use to encrypt your data. **Save this somewhere safe**, without it you won't be able to restore! +2. Seriously, **save**. **it**. **somewhere**. **safe**. +3. Create duplicity.env, and populate with the following variables +``` +SRC=/var/data/ +DST=gs://jack-and-jills-bucket/yes-you-can-have-subdirectories +TMPDIR=/tmp +GS_ACCESS_KEY_ID= +GS_SECRET_ACCESS_KEY= + +OPTIONS=--allow-source-mismatch --exclude /var/data/runtime --exclude /var/data/registry --exclude /var/data/duplicity --archive-dir=/archive +PASSPHRASE= +``` + +!!! note + See the [data layout reference](/reference/data_layout/) for an explanation of the included/excluded paths above. + +### Run a test backup + +Before we launch the automated daily backups, let's run a test backup, as follows: + +``` +docker run --env-file duplicity.env -it --rm -v \ +/var/data:/var/data:ro -v /var/data/duplicity/tmp:/tmp -v \ +/var/data/duplicity/archive:/archive tecnativa/duplicity \ +/etc/periodic/daily/jobrunner +``` + +You should see some activity, with a summary of bytes transferred at the end. + +### Run a test restore + +Repeat after me: "If you don't verify your backup, **it's not a backup**". + +!!! warning + Depending on what tier of storage you chose from your provider (_i.e., Google Coldline, or Amazon S3_), you may be charged for downloading data. + +Run a variation of the following to confirm a file you expect to be backed up, **is** backed up. (_I used traefik.yml from the [traefik recipie](/recipie/traefik/), since this is likely to exist for every reader_). + +``` +docker run --env-file duplicity.env -it --rm \ +-v /var/data:/var/data:ro \ +-v /var/data/duplicity/tmp:/tmp \ +-v /var/data/duplicity/archive:/archive tecnativa/duplicity \ +duplicity list-current-files \ +\$DST | grep traefik.yml +``` +Once you've identified a file to test-restore, use a variation of the following to restore it to /tmp (_from the perspective of the container - it's actually /var/data/duplicity/tmp_) + +``` +docker run --env-file duplicity.env -it --rm \ +-v /var/data:/var/data:ro \ +-v /var/data/duplicity/tmp:/tmp \ +-v /var/data/duplicity/archive:/archive \ +tecnativa/duplicity duplicity restore \ +--file-to-restore config/traefik/traefik.yml \ +\$DST /tmp/traefik-restored.yml +``` + +Examine the contents of /var/data/duplicity/tmp/traefik-restored.yml to confirm it contains valid data. + + +### Setup Docker Swarm + +Now that we have confidence in our backup/restore process, let's automate it by creating a docker swarm config file in docker-compose syntax (v3), something like this: + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + + +``` +version: "3" + +services: + backup: + image: tecnativa/duplicity + env_file: /var/data/config/duplicity/duplicity.env + networks: + - internal + volumes: + - /etc/localtime:/etc/localtime:ro + - /var/data:/var/data:ro + - /var/data/duplicity/tmp:/tmp + - /var/data/duplicity/archive:/archive + + +networks: + internal: + driver: overlay + ipam: + config: + - subnet: 172.16.10.0/24 +``` + +!!! note + Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](/reference/networks/) here. + + + +## Serving + +### Launch Duplicity stack + +Launch Duplicity stack by running ```docker stack deploy duplicity -c ``` + +Nothing will happen. Very boring. But when the cron script fires (daily), duplicity will do its thing, and backup everything in /var/data to your cloud destination. + +## Chef's Notes 📓 + +1. Automatic backup can still fail if nobody checks that it's running successfully. I'll be working on an upcoming recipe to monitor the elements of the stack, including the success/failure of duplicity jobs. +2. The container provides the facility to specify an SMTP host and port, but not credentials, which makes it close to useless. As a result, I've left SMTP out of this recipe. To enable email notifications (if your SMTP server doesn't require auth), add ```SMTP_HOST```, ```SMTP_PORT```, ```EMAIL_FROM``` and ```EMAIL_TO``` variables to duplicity.env \ No newline at end of file diff --git a/manuscript/recipes/elkarbackup.md b/manuscript/recipes/elkarbackup.md index 80849e7..82fa1f8 100644 --- a/manuscript/recipes/elkarbackup.md +++ b/manuscript/recipes/elkarbackup.md @@ -1,4 +1,4 @@ -hero: Real heroes backup their 💾 +hero: Real heroes backup their # Elkar Backup @@ -243,7 +243,7 @@ This takes you to a list of backup names and file paths. You can choose to downl [![Common Observatory](../images/common_observatory.png)](https://www.observe.global/) -## Chef's Notes 📓 +## Chef's Notes 1. If you wanted to expose the ElkarBackup UI directly, you could remove the oauth2_proxy from the design, and move the traefik_public-related labels directly to the app service. You'd also need to add the traefik_public network to the app service. 2. The original inclusion of ElkarBackup was due to the efforts of @gpulido in our [Discord server](http://chat.funkypenguin.co.nz). Thanks Gabriel! diff --git a/manuscript/recipes/elkarbackup.mde b/manuscript/recipes/elkarbackup.mde new file mode 100644 index 0000000..30cd24b --- /dev/null +++ b/manuscript/recipes/elkarbackup.mde @@ -0,0 +1,249 @@ +hero: Real heroes backup their 💾 + +# Elkar Backup + +Don't be like [Cameron](http://haltandcatchfire.wikia.com/wiki/Cameron_Howe). Backup your stuff. + + + +!!! important + Ongoing development of this recipe is sponsored by [The Common Observatory](https://www.observe.global/). Thanks guys! + + [![Common Observatory](../images/common_observatory.png)](https://www.observe.global/) + +ElkarBackup is a free open-source backup solution based on RSync/RSnapshot. It's basically a web wrapper around rsync/rsnapshot, which means that your backups are just files on a filesystem, utilising hardlinks for tracking incremental changes. I find this result more reassuring than a blob of compressed, (encrypted?) data that [more sophisticated backup solutions](/recipes/duplicity/) would produce for you. + +![ElkarBackup Screenshot](../images/elkarbackup.png) + +## Details + +## Ingredients + +1. [Docker swarm cluster](/ha-docker-swarm/design/) with [persistent shared storage](/ha-docker-swarm/shared-storage-ceph.md) +2. [Traefik](/ha-docker-swarm/traefik_public) configured per design +3. DNS entry for the hostname you intend to use, pointed to your [keepalived](ha-docker-swarm/keepalived/) IP + +## Preparation + +### Setup data locations + +We'll need several directories to bind-mount into our container, so create them in /var/data/elkarbackup: + +``` +mkdir -p /var/data/elkarbackup/{backups,uploads,sshkeys,database-dump} +mkdir -p /var/data/runtime/elkarbackup/db +mkdir -p /var/data/config/elkarbackup +``` + +### Prepare environment + +Create /var/data/config/elkarbackup/elkarbackup.env, and populate with the following variables +``` +SYMFONY__DATABASE__PASSWORD=password +EB_CRON=enabled +TZ='Etc/UTC' + +#SMTP - Populate these if you want email notifications +#SYMFONY__MAILER__HOST= +#SYMFONY__MAILER__USER= +#SYMFONY__MAILER__PASSWORD= +#SYMFONY__MAILER__FROM= + +# For mysql +MYSQL_ROOT_PASSWORD=password + +#oauth2_proxy +OAUTH2_PROXY_CLIENT_ID= +OAUTH2_PROXY_CLIENT_SECRET= +OAUTH2_PROXY_COOKIE_SECRET= +``` + +Create ```/var/data/config/elkarbackup/elkarbackup-db-backup.env```, and populate with the following, to setup the nightly database dump. + +!!! note + Running a daily database dump might be considered overkill, since ElkarBackup can be configured to backup its own database. However, making my own backup keeps the operation of this stack consistent with **other** stacks which employ MariaDB. + + Also, did you ever hear about the guy who said "_I wish I had fewer backups"? + + No, me either :shrug: + +``` +# For database backup (keep 7 days daily backups) +MYSQL_PWD= +MYSQL_USER=root +BACKUP_NUM_KEEP=7 +BACKUP_FREQUENCY=1d +``` + +### Setup Docker Swarm + +Create a docker swarm config file in docker-compose syntax (v3), something like this: + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + + +``` +version: "3" + +services: + db: + image: mariadb:10.4 + env_file: /var/data/config/elkarbackup/elkarbackup.env + networks: + - internal + volumes: + - /etc/localtime:/etc/localtime:ro + - /var/data/runtime/elkarbackup/db:/var/lib/mysql + + db-backup: + image: mariadb:10.4 + env_file: /var/data/config/elkarbackup/elkarbackup-db-backup.env + volumes: + - /var/data/elkarbackup/database-dump:/dump + - /etc/localtime:/etc/localtime:ro + entrypoint: | + bash -c 'bash -s < /dump/dump_\`date +%d-%m-%Y"_"%H_%M_%S\`.sql.gz + (ls -t /dump/dump*.sql.gz|head -n $$BACKUP_NUM_KEEP;ls /dump/dump*.sql.gz)|sort|uniq -u|xargs rm -- {} + sleep $$BACKUP_FREQUENCY + done + EOF' + networks: + - internal + + app: + image: elkarbackup/elkarbackup + env_file: /var/data/config/elkarbackup/elkarbackup.env + networks: + - internal + volumes: + - /etc/localtime:/etc/localtime:ro + - /var/data/:/var/data + - /var/data/elkarbackup/backups:/app/backups + - /var/data/elkarbackup/uploads:/app/uploads + - /var/data/elkarbackup/sshkeys:/app/.ssh + + proxy: + image: funkypenguin/oauth2_proxy + env_file: /var/data/config/elkarbackup/elkarbackup.env + networks: + - traefik_public + - internal + deploy: + labels: + - traefik.frontend.rule=Host:elkarbackup.example.com + - traefik.port=4180 + volumes: + - /var/data/config/traefik/authenticated-emails.txt:/authenticated-emails.txt + command: | + -cookie-secure=false + -upstream=http://app:80 + -redirect-url=https://elkarbackup.example.com + -http-address=http://0.0.0.0:4180 + -email-domain=example.com + -provider=github + -authenticated-emails-file=/authenticated-emails.txt + +networks: + traefik_public: + external: true + internal: + driver: overlay + ipam: + config: + - subnet: 172.16.36.0/24 +``` + +!!! note + Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](/reference/networks/) here. + + + +## Serving + +### Launch ElkarBackup stack + +Launch the ElkarBackup stack by running ```docker stack deploy elkarbackup -c ``` + +Log into your new instance at https://**YOUR-FQDN**, with user "root" and the password default password "root": + +![ElkarBackup Login Screen](/images/elkarbackup-setup-1.png) + +First thing you do, change your password, using the gear icon, and "Change Password" link: + +![ElkarBackup Login Screen](/images/elkarbackup-setup-2.png) + +Have a read of the [Elkarbackup Docs](https://docs.elkarbackup.org/docs/introduction.html) - they introduce the concept of **clients** (_hosts containing data to be backed up_), **jobs** (_what data gets backed up_), **policies** (_when is data backed up and how long is it kept_). + +At the very least, you want to setup a **client** called "_localhost_" with an empty path (_i.e., the job path will be accessed locally, without SSH_), and then add a job to this client to backup /var/data, **excluding** ```/var/data/runtime``` and ```/var/data/elkarbackup/backup``` (_unless you **like** "backup-ception"_) + +### Copying your backup data offsite + +From the WebUI, you can download a script intended to be executed on a remote host, to backup your backup data to an offsite location. This is a **Good Idea**(tm), but needs some massaging for a Docker swarm deployment. + +Here's a variation to the standard script, which I've employed: + +``` +#!/bin/bash + +REPOSITORY=/var/data/elkarbackup/backups +SERVER= +SERVER_USER=elkarbackup +UPLOADS=/var/data/elkarbackup/uploads +TARGET=/srv/backup/elkarbackup + +echo "Starting backup..." +echo "Date: " `date "+%Y-%m-%d (%H:%M)"` + +ssh "$SERVER_USER@$SERVER" "cd '$REPOSITORY'; find . -maxdepth 2 -mindepth 2" | sed s/^..// | while read jobId +do + echo Backing up job $jobId + mkdir -p $TARGET/$jobId 2>/dev/null + rsync -aH --delete "$SERVER_USER@$SERVER:$REPOSITORY/$jobId/" $TARGET/$jobId +done + +echo Backing up uploads +rsync -aH --delete "$SERVER_USER@$SERVER":"$UPLOADS/" $TARGET/uploads + +USED=`df -h . | awk 'NR==2 { print $3 }'` +USE=`df -h . | awk 'NR==2 { print $5 }'` +AVAILABLE=`df -h . | awk 'NR==2 { print $4 }'` + +echo "Backup finished succesfully!" +echo "Date: " `date "+%Y-%m-%d (%H:%M)"` +echo "" +echo "**** INFO ****" +echo "Used disk space: $USED ($USE)" +echo "Available disk space: $AVAILABLE" +echo "" +``` + +!!! note + You'll note that I don't use the script to create a mysql dump (_since Elkar is running within a container anyway_), rather I just rely on the database dump which is made nightly into ```/var/data/elkarbackup/database-dump/``` + +### Restoring data + +Repeat after me : "**It's not a backup unless you've tested a restore**" + +!!! note + I had some difficulty making restoring work well in the webUI. My attempts to "Restore to client" failed with an SSH error about "localhost" not found. I **was** able to download the backup from my web browser, so I considered it a successful restore, since I can retrieve the backed-up data either from the webUI or from the filesystem directly. + +To restore files form a job, click on the "Restore" button in the WebUI, while on the **Jobs** tab: + +![ElkarBackup Login Screen](/images/elkarbackup-setup-3.png) + +This takes you to a list of backup names and file paths. You can choose to download the entire contents of the backup from your browser as a .tar.gz, or to restore the backup to the client. If you click on the **name** of the backup, you can also drill down into the file structure, choosing to restore a single file or directory. + +!!! important + Ongoing development of this recipe is sponsored by [The Common Observatory](https://www.observe.global/). Thanks guys! + + [![Common Observatory](../images/common_observatory.png)](https://www.observe.global/) + +## Chef's Notes 📓 + +1. If you wanted to expose the ElkarBackup UI directly, you could remove the oauth2_proxy from the design, and move the traefik_public-related labels directly to the app service. You'd also need to add the traefik_public network to the app service. +2. The original inclusion of ElkarBackup was due to the efforts of @gpulido in our [Discord server](http://chat.funkypenguin.co.nz). Thanks Gabriel! diff --git a/manuscript/recipes/emby.md b/manuscript/recipes/emby.md index 1020f85..07885d0 100644 --- a/manuscript/recipes/emby.md +++ b/manuscript/recipes/emby.md @@ -83,7 +83,7 @@ Launch the stack by running ```docker stack deploy emby -c ``` + +Log into your new instance at https://**YOUR-FQDN**, and complete the wizard-based setup to complete deploying your Emby. + +## Chef's Notes 📓 + +1. I didn't use an [oauth2_proxy](/reference/oauth_proxy/) for this stack, because it would interfere with mobile client support. +2. Got an NVIDIA GPU? See [this blog post](https://www.funkypenguin.co.nz/note/gpu-transcoding-with-emby-plex-using-docker-nvidia/) re how to use your GPU to transcode your media! +3. We don't bother exposing the HTTPS port for Emby, since [Traefik](/ha-docker-swarm/traefik/) is doing the SSL termination for us already. \ No newline at end of file diff --git a/manuscript/recipes/flightairmap.mde b/manuscript/recipes/flightairmap.mde new file mode 100644 index 0000000..ea9f1d8 --- /dev/null +++ b/manuscript/recipes/flightairmap.mde @@ -0,0 +1,60 @@ +version: '3' +services: + flightairmap: + image: richarvey/nginx-php-fpm + volumes: + - "/var/data/flightairmap/conf:/var/www/html/conf" + - "/var/data/flightairmap/scripts:/var/www/html/scripts" + - "/var/data/flightairmap/html:/var/www/flightairmap/" + env_file: + - "/var/data/config/flightairmap/flightairmap.env" + environment: + - PHP_MEM_LIMIT=256 + - RUN_SCRIPTS=1 + - MYSQL_HOST=${MYSQL_HOST} + - MYSQL_DATABASE=${MYSQL_DATABASE} + - MYSQL_USER=${MYSQL_USER} + - MYSQL_PASSWORD=${MYSQL_PASSWORD} + networks: + - internal + - traefik_public + deploy: + labels: + - traefik.frontend.rule=Host:www.observe.global + - traefik.docker.network=traefik_public + - traefik.port=80 + + db: + image: mariadb:10 + env_file: /var/data/config/flightairmap/flightairmap.env + networks: + - internal + volumes: + - /var/data/runtime/flightairmap/db:/var/lib/mysql + + db-backup: + image: mariadb:10 + env_file: /var/data/config/flightairmap/flightairmap.env + volumes: + - /var/data/flightairmap/database-dump:/dump + entrypoint: | + bash -c 'bash -s < /dump/dump_\`date +%d-%m-%Y"_"%H_%M_%S\`.sql.gz + (ls -t /dump/dump*.sql.gz|head -n $$BACKUP_NUM_KEEP;ls /dump/dump*.sql.gz)|sort|uniq -u|xargs rm -- {} + sleep $$BACKUP_FREQUENCY + done + EOF' + networks: + - internal + +networks: + traefik_public: + external: true + internal: + driver: overlay + ipam: + config: + - subnet: 172.16.44.0/24 diff --git a/manuscript/recipes/general/ipad-pro-geeking.mde b/manuscript/recipes/general/ipad-pro-geeking.mde new file mode 100644 index 0000000..5ab2f8a --- /dev/null +++ b/manuscript/recipes/general/ipad-pro-geeking.mde @@ -0,0 +1 @@ +Hello \ No newline at end of file diff --git a/manuscript/recipes/general/kid-safe-wifi.mde b/manuscript/recipes/general/kid-safe-wifi.mde new file mode 100644 index 0000000..5ab2f8a --- /dev/null +++ b/manuscript/recipes/general/kid-safe-wifi.mde @@ -0,0 +1 @@ +Hello \ No newline at end of file diff --git a/manuscript/recipes/general/start.mde b/manuscript/recipes/general/start.mde new file mode 100644 index 0000000..e69de29 diff --git a/manuscript/recipes/ghost.md b/manuscript/recipes/ghost.md index 78f605b..0bfae18 100644 --- a/manuscript/recipes/ghost.md +++ b/manuscript/recipes/ghost.md @@ -64,7 +64,7 @@ Launch the Ghost stack by running ```docker stack deploy ghost -c ``` + +Create your first administrative account at https://**YOUR-FQDN**/admin/ + +## Chef's Notes 📓 + +1. If I wasn't committed to a [static-site-generated blog](https://www.funkypenguin.co.nz/blog/), Ghost is the platform I'd use for my blog. +2. A default using the SQlite database takes 548k of space: +``` +[root@ds1 ghost]# du -sh /var/data/ghost/ +548K /var/data/ghost/ +[root@ds1 ghost]# +``` diff --git a/manuscript/recipes/gitlab-runner.md b/manuscript/recipes/gitlab-runner.md index 00db409..912e32d 100644 --- a/manuscript/recipes/gitlab-runner.md +++ b/manuscript/recipes/gitlab-runner.md @@ -94,7 +94,7 @@ Launch the mail server stack by running ```docker stack deploy gitlab-runner -c Log into your new instance at https://**YOUR-FQDN**, with user "root" and the password you specified in gitlab.env. -## Chef's Notes 📓 +## Chef's Notes 1. You'll note that I setup 2 runners. One is locked to a single project (*this cookbook build*), and the other is a shared runner. I wanted to ensure that one runner was always available to run CI for this project, even if I'd tied up another runner on something heavy-duty, like a container build. Customize this to your use case. 2. Originally I deployed runners in the same stack as GitLab, but I found that they would frequently fail to start properly when I launched the stack. I think that this was because the runners started so quickly (*and GitLab starts **sooo** slowly!*), that they always started up reporting that the GitLab instance was invalid or unavailable. I had issues with CI builds stuck permanently in a "pending" state, which were only resolved by restarting the runner. Having the runners deployed in a separate stack to GitLab avoids this problem. \ No newline at end of file diff --git a/manuscript/recipes/gitlab-runner.mde b/manuscript/recipes/gitlab-runner.mde new file mode 100644 index 0000000..b0c50f0 --- /dev/null +++ b/manuscript/recipes/gitlab-runner.mde @@ -0,0 +1,100 @@ +# Gitlab Runner + +Some features of GitLab require a "[runner](https://docs.gitlab.com/runner/)" (_in the sense of a "gopher" or a "minion"_). A runner "registers" itself with a GitLab instance, and is given tasks to run. Tasks include running Continuous Integration (CI) builds, and building container images. + +While a runner isn't strictly required to use GitLab, if you want to do CI, you'll need at least one. There are many ways to deploy a runner - this recipe focuses on the docker container model. + +## Ingredients + +!!! summary "Ingredients" + Existing: + + 1. [X] [Docker swarm cluster](/ha-docker-swarm/design/) with [persistent shared storage](/ha-docker-swarm/shared-storage-ceph.md) + 2. [X] [Traefik](/ha-docker-swarm/traefik_public) configured per design + 3. [X] DNS entry for the hostname you intend to use, pointed to your [keepalived](ha-docker-swarm/keepalived/) IP + 4. [X] [GitLab](/ha-docker-swarm/gitlab) installation (see previous recipe) + +## Preparation + +### Setup data locations + +We'll need several directories to bind-mount into our runner containers, so create them in `/var/data/gitlab`: + +``` +cd /var/data +mkdir gitlab +cd gitlab +mkdir -p {runners/1,runners/2} +``` + +### Setup Docker Swarm + +Create a docker swarm config file in docker-compose syntax (v3), something like this: + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + +``` +version: '3' + +services: + thing1: + image: gitlab/gitlab-runner + volumes: + - /var/data/gitlab/runners/1:/etc/gitlab-runner + networks: + - internal + + thing2: + image: gitlab/gitlab-runner + volumes: + - /var/data/gitlab/runners/2:/etc/gitlab-runner + networks: + - internal + +networks: + internal: + driver: overlay + ipam: + config: + - subnet: 172.16.23.0/24 +``` + + +### Configure runners + +From your GitLab UI, you can retrieve a "token" necessary to register a new runner. To register the runner, you can either create config.toml in each runner's bind-mounted folder (example below), or just `docker exec` into each runner container and execute ```gitlab-runner register``` to interactively generate config.toml. + +Sample runner config.toml: + +``` +concurrent = 1 +check_interval = 0 + +[[runners]] + name = "myrunner1" + url = "https://gitlab.example.com" + token = "" + executor = "docker" + [runners.docker] + tls_verify = false + image = "ruby:2.1" + privileged = false + disable_cache = false + volumes = ["/cache"] + shm_size = 0 + [runners.cache] +``` + +## Serving + +### Launch runners + +Launch the mail server stack by running ```docker stack deploy gitlab-runner -c ``` + +Log into your new instance at https://**YOUR-FQDN**, with user "root" and the password you specified in gitlab.env. + +## Chef's Notes 📓 + +1. You'll note that I setup 2 runners. One is locked to a single project (*this cookbook build*), and the other is a shared runner. I wanted to ensure that one runner was always available to run CI for this project, even if I'd tied up another runner on something heavy-duty, like a container build. Customize this to your use case. +2. Originally I deployed runners in the same stack as GitLab, but I found that they would frequently fail to start properly when I launched the stack. I think that this was because the runners started so quickly (*and GitLab starts **sooo** slowly!*), that they always started up reporting that the GitLab instance was invalid or unavailable. I had issues with CI builds stuck permanently in a "pending" state, which were only resolved by restarting the runner. Having the runners deployed in a separate stack to GitLab avoids this problem. \ No newline at end of file diff --git a/manuscript/recipes/gitlab.md b/manuscript/recipes/gitlab.md index 11cc17a..014fda2 100644 --- a/manuscript/recipes/gitlab.md +++ b/manuscript/recipes/gitlab.md @@ -133,7 +133,7 @@ Launch the mail server stack by running ```docker stack deploy gitlab -c ``` + +Log into your new instance at https://[your FQDN], with user "root" and the password you specified in gitlab.env. + + +## Chef's Notes 📓 + +A few comments on decisions taken in this design: + +1. I use the **sameersbn/gitlab:latest** image, rather than a specific version. This lets me execute updates simply by redeploying the stack (and why **wouldn't** I want the latest version?) \ No newline at end of file diff --git a/manuscript/recipes/gollum.md b/manuscript/recipes/gollum.md index 859f815..312e3d1 100644 --- a/manuscript/recipes/gollum.md +++ b/manuscript/recipes/gollum.md @@ -129,6 +129,6 @@ Launch the Gollum stack by running ```docker stack deploy gollum -c ``` + +Authenticate against your OAuth provider, and then start editing your wiki! + +## Chef's Notes 📓 + +1. In the current implementation, Gollum is a "single user" tool only. The contents of the wiki are saved as markdown files under /var/data/gollum, and all the git commits are currently "Anonymous" \ No newline at end of file diff --git a/manuscript/recipes/homeassistant.md b/manuscript/recipes/homeassistant.md index 1556259..0d5fdd2 100644 --- a/manuscript/recipes/homeassistant.md +++ b/manuscript/recipes/homeassistant.md @@ -128,6 +128,6 @@ Launch the Home Assistant stack by running ```docker stack deploy homeassistant Log into your new instance at https://**YOUR-FQDN**, the password you created in configuration.yml as "frontend - api_key". Then setup a bunch of sensors, and log into https://grafana.**YOUR FQDN** and create some beautiful graphs :) -## Chef's Notes 📓 +## Chef's Notes 1. I **tried** to protect Home Assistant using [oauth2_proxy](https://geek-cookbook.funkypenguin.co.nz/)reference/oauth_proxy), but HA is incompatible with the websockets implementation used by Home Assistant. Until this can be fixed, I suggest that geeks set frontend: api_key to a long and complex string, and rely on this to prevent malevolent internet miscreants from turning their lights on at 2am! \ No newline at end of file diff --git a/manuscript/recipes/homeassistant.mde b/manuscript/recipes/homeassistant.mde new file mode 100644 index 0000000..9ab3ac0 --- /dev/null +++ b/manuscript/recipes/homeassistant.mde @@ -0,0 +1,133 @@ +# Home Assistant + +Home Assistant is a home automation platform written in Python, with extensive support for 3rd-party home-automation platforms including Xaomi, Phillips Hue, and a [bazillion](https://home-assistant.io/components/) others. + +![Home Assistant Screenshot](../images/homeassistant.png) + +This recipie combines the [extensibility](https://home-assistant.io/components/) of [Home Assistant](https://home-assistant.io/) with the flexibility of [InfluxDB](https://docs.influxdata.com/influxdb/v1.4/) (_for time series data store_) and [Grafana](https://grafana.com/) (_for **beautiful** visualisation of that data_). + +## Ingredients + +1. [Docker swarm cluster](/ha-docker-swarm/design/) with [persistent shared storage](/ha-docker-swarm/shared-storage-ceph.md) +2. [Traefik](/ha-docker-swarm/traefik) configured per design +3. DNS entry for the hostname you intend to use, pointed to your [keepalived](ha-docker-swarm/keepalived/) IP + +## Preparation + +### Setup data locations + +We'll need several directories to bind-mount into our container, so create them in /var/data/homeassistant: + +``` +mkdir /var/data/homeassistant +cd /var/data/homeassistant +mkdir -p {homeassistant,grafana,influxdb-backup} +``` + +Now create a directory for the influxdb realtime data: + + +``` +mkdir /var/data/runtime/homeassistant/influxdb +``` + +### Prepare environment + +Create /var/data/config/homeassistant/grafana.env, and populate with the following - this is to enable grafana to work with oauth2_proxy without requiring an additional level of authentication: +``` +GF_AUTH_BASIC_ENABLED=false +``` + +### Setup Docker Swarm + +Create a docker swarm config file in docker-compose syntax (v3), something like this: + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + + +``` +version: "3" + +services: + influxdb: + image: influxdb + networks: + - internal + volumes: + - /var/data/homeassistant/influxdb:/var/lib/influxdb + - /etc/localtime:/etc/localtime:ro + + homeassistant: + image: homeassistant/home-assistant + dns_search: hq.example.com + volumes: + - /var/data/homeassistant/homeassistant:/config + - /etc/localtime:/etc/localtime:ro + deploy: + labels: + - traefik.frontend.rule=Host:homeassistant.example.com + - traefik.docker.network=traefik_public + - traefik.port=8123 + networks: + - traefik_public + - internal + ports: + - 8123:8123 + + grafana-app: + image: grafana/grafana + env_file : /var/data/config/homeassistant/grafana.env + volumes: + - /var/data/homeassistant/grafana:/var/lib/grafana + - /etc/localtime:/etc/localtime:ro + networks: + - internal + + grafana-proxy: + image: a5huynh/oauth2_proxy + env_file : /var/data/config/homeassistant/grafana.env + dns_search: hq.example.com + networks: + - internal + - traefik_public + deploy: + labels: + - traefik.frontend.rule=Host:grafana.example.com + - traefik.docker.network=traefik_public + - traefik.port=4180 + volumes: + - /var/data/config/homeassistant/authenticated-emails.txt:/authenticated-emails.txt + command: | + -cookie-secure=false + -upstream=http://grafana-app:3000 + -redirect-url=https://grafana.example.com + -http-address=http://0.0.0.0:4180 + -email-domain=example.com + -provider=github + -authenticated-emails-file=/authenticated-emails.txt + +networks: + traefik_public: + external: true + internal: + driver: overlay + ipam: + config: + - subnet: 172.16.13.0/24 +``` + +!!! note + Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](/reference/networks/) here. + +## Serving + +### Launch Home Assistant stack + +Launch the Home Assistant stack by running ```docker stack deploy homeassistant -c ``` + +Log into your new instance at https://**YOUR-FQDN**, the password you created in configuration.yml as "frontend - api_key". Then setup a bunch of sensors, and log into https://grafana.**YOUR FQDN** and create some beautiful graphs :) + +## Chef's Notes 📓 + +1. I **tried** to protect Home Assistant using [oauth2_proxy](/reference/oauth_proxy), but HA is incompatible with the websockets implementation used by Home Assistant. Until this can be fixed, I suggest that geeks set frontend: api_key to a long and complex string, and rely on this to prevent malevolent internet miscreants from turning their lights on at 2am! \ No newline at end of file diff --git a/manuscript/recipes/homeassistant/ibeacon.md b/manuscript/recipes/homeassistant/ibeacon.md index 9c0a123..13a5857 100644 --- a/manuscript/recipes/homeassistant/ibeacon.md +++ b/manuscript/recipes/homeassistant/ibeacon.md @@ -23,4 +23,4 @@ Plug in your iBeacon, launch LightBlue Explorer, and find your iBeacon. The firs Having paired, you'll be able to see the vital statistics of your iBeacon. -## Chef's Notes 📓 +## Chef's Notes diff --git a/manuscript/recipes/homeassistant/ibeacon.mde b/manuscript/recipes/homeassistant/ibeacon.mde new file mode 100644 index 0000000..460029a --- /dev/null +++ b/manuscript/recipes/homeassistant/ibeacon.mde @@ -0,0 +1,26 @@ +# iBeacons with Home assistant + +!!! warning + This is not a complete recipe - it's an optional additional of the [HomeAssistant](/recipes/homeassistant/) "recipe", since it only applies to a subset of users + +One of the most useful features of Home Assistant is location awareness. I don't care if someone opens my office door when I'm home, but you bet I care about (_and want to be notified_) it if I'm away! + +## Ingredients + +1. [HomeAssistant](/recipes/home-assistant/) per recipe +2. iBeacon(s) - This recipe is for https://s.click.aliexpress.com/e/bzyLCnAp +4. [LightBlue Explorer](https://itunes.apple.com/nz/app/lightblue-explorer/id557428110?mt=8) + +## Preparation + +### Write UUID to iBeacon + +The iBeacons come with no UUID. We use the LightBlue Explorer app to pair with them (_code is "123456"_), and assign own own UUID. + +Generate your own UUID, or get a random one at https://www.uuidgenerator.net/ + +Plug in your iBeacon, launch LightBlue Explorer, and find your iBeacon. The first time you attempt to interrogate it, you'll be prompted to pair. Although it's not recorded anywhere in the documentation (_grr!_), the pairing code is **123456** + +Having paired, you'll be able to see the vital statistics of your iBeacon. + +## Chef's Notes 📓 diff --git a/manuscript/recipes/huginn.md b/manuscript/recipes/huginn.md index 7b7403e..04997ee 100644 --- a/manuscript/recipes/huginn.md +++ b/manuscript/recipes/huginn.md @@ -142,6 +142,6 @@ Launch the Huginn stack by running ```docker stack deploy huginn -c + +## Ingredients + +1. [Docker swarm cluster](/ha-docker-swarm/design/) with [persistent shared storage](/ha-docker-swarm/shared-storage-ceph.md) +2. [Traefik](/ha-docker-swarm/traefik) configured per design + +## Preparation + +### Setup data locations + +Create the location for the bind-mount of the database, so that it's persistent: + +``` +mkdir -p /var/data/huginn/database +``` + +### Create email address + +Strictly speaking, you don't **have** to integrate Huginn with email. However, since we created our own mailserver stack earlier, it's worth using it to enable emails within Huginn. + +``` +cd /var/data/docker-mailserver/ +./setup.sh email add huginn@huginn.example.com my-password-here +# Setup MX and DKIM if they don't already exist: +./setup.sh config dkim +cat config/opendkim/keys/huginn.example.com/mail.txt +``` + +### Prepare environment + +Create /var/data/huginn/huginn.env, and populate with the following variables. Set the "INVITATION_CODE" variable if you want to require users to enter a code to sign up (protects the UI from abuse) (The full list of Huginn environment variables is available [here](https://github.com/huginn/huginn/blob/master/.env.example)) + +``` +# For huginn/huginn - essential +SMTP_DOMAIN=your-domain-here.com +SMTP_USER_NAME=you@gmail.com +SMTP_PASSWORD=somepassword +SMTP_SERVER=your-mailserver-here.com +SMTP_PORT=587 +SMTP_AUTHENTICATION=plain +SMTP_ENABLE_STARTTLS_AUTO=true +INVITATION_CODE= +POSTGRES_PORT_5432_TCP_ADDR=db +POSTGRES_PORT_5432_TCP_PORT=5432 +DATABASE_USERNAME=huginn +DATABASE_PASSWORD= +DATABASE_ADAPTER=postgresql + +# Optional extras for huginn/huginn, customize or append based on .env.example lined above +TWITTER_OAUTH_KEY= +TWITTER_OAUTH_SECRET= + +# For postgres/postgres +POSTGRES_USER=huginn +POSTGRES_PASSWORD= +BACKUP_NUM_KEEP=7 +BACKUP_FREQUENCY=1d +``` + +### Setup Docker Swarm + +Create a docker swarm config file in docker-compose syntax (v3), something like this: + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + + +``` +version: '3' + +services: + + huginn: + image: huginn/huginn + env_file: /var/data/config/huginn/huginn.env + volumes: + - /etc/localtime:/etc/localtime:ro + networks: + - internal + - traefik + deploy: + labels: + - traefik.frontend.rule=Host:huginn.funkypenguin.co.nz + - traefik.docker.network=traefik + - traefik.port=3000 + + db: + env_file: /var/data/config/huginn/huginn.env + image: postgres:latest + volumes: + - /var/data/runtime/huginn/database:/var/lib/postgresql/data + - /etc/localtime:/etc/localtime:ro + networks: + - internal + + db-backup: + image: postgres:latest + env_file: /var/data/config/huginn/huginn.env + volumes: + - /var/data/huginn/database-dump:/dump + - /etc/localtime:/etc/localtime:ro + entrypoint: | + bash -c 'bash -s < /dump/dump_\`date +%d-%m-%Y"_"%H_%M_%S\`.psql + (ls -t /dump/dump*.psql|head -n $$BACKUP_NUM_KEEP;ls /dump/dump*.psql)|sort|uniq -u|xargs rm -- {} + sleep $$BACKUP_FREQUENCY + done + EOF' + networks: + - internal + +networks: + traefik: + external: true + internal: + driver: overlay + ipam: + config: + - subnet: 172.16.6.0/24 +``` + +!!! note + Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](/reference/networks/) here. + + + +## Serving + +### Launch Huginn stack + +Launch the Huginn stack by running ```docker stack deploy huginn -c ``` + +Log into your new instance at https://**YOUR-FQDN**. You'll need to use the "Sign Up" button, and (optionally) enter your invitation code in order to create your account. + +## Chef's Notes 📓 + +1. I initially considered putting an oauth proxy in front of Huginn, but since the invitation code logic prevents untrusted access, and since using a proxy would break oauth for sevices like Twitter integration, I left it out. \ No newline at end of file diff --git a/manuscript/recipes/instapy.md b/manuscript/recipes/instapy.md index 6e89767..5bea8e6 100644 --- a/manuscript/recipes/instapy.md +++ b/manuscript/recipes/instapy.md @@ -129,6 +129,6 @@ After swarm deploys, you won't see much, but you can monitor what InstaPy is doi You can **also** watch the bot at work by VNCing to your docker swarm, password "secret". You'll see Selenium browser window cycling away, interacting with all your real/fake friends on Instagram :) -## Chef's Notes 📓 +## Chef's Notes 1. Amazingly, my bot has ended up tagging more _non-penguins_ than actual penguins. I don't understand how Instagrammers come up with their hashtags! diff --git a/manuscript/recipes/instapy.mde b/manuscript/recipes/instapy.mde new file mode 100644 index 0000000..17dd8d4 --- /dev/null +++ b/manuscript/recipes/instapy.mde @@ -0,0 +1,134 @@ +# InstaPy + +[InstaPy](https://github.com/timgrossmann/InstaPy) is an Instagram bot, developed by [Tim Grossman](https://github.com/timgrossmann). Tim describes his motivation and experiences developing the bot [here](https://medium.freecodecamp.org/my-open-source-instagram-bot-got-me-2-500-real-followers-for-5-in-server-costs-e40491358340). + +What's an Instagram bot? Basically, you feed the bot your Instagram user/password, and it executes follows/unfollows/likes/comments on your behalf based on rules you set. (_I set my bot to like one photo tagged with "[#penguin](https://www.instagram.com/explore/tags/penguin/?hl=en)" per-run_) + +![InstaPy Screenshot](../images/instapy.png) + +Great power, right? A client (_yes, you can [hire](https://www.funkypenguin.co.nz/) me!_) asked me to integrate InstaPy into their swarm, and this recipe is the result. + +## Ingredients + +!!! summary "Ingredients" + Existing: + + 1. [X] [Docker swarm cluster](/ha-docker-swarm/design/) with [persistent shared storage](/ha-docker-swarm/shared-storage-ceph.md) + 2. [X] [Traefik](/ha-docker-swarm/traefik_public) configured per design + 3. [X] DNS entry for the hostname you intend to use, pointed to your [keepalived](ha-docker-swarm/keepalived/) IP + + +## Preparation + +### Setup data locations + +We need a data location to store InstaPy's config, as well as its log files. Create /var/data/instapy per below + +``` +mkdir -p /var/data/instapy/logs +``` + +### Setup Docker Swarm + +Create a docker swarm config file in docker-compose syntax (v3), something like this: + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + + +``` +version: '3' +services: + web: + command: ["./wait-for", "selenium:4444", "--", "python", "docker_quickstart.py"] + environment: + - PYTHONUNBUFFERED=0 + + # Modify the image to whatever Tim's image tag ends up as. I used funkypenguin/instapy for my build + image: funkypenguin/instapy:latest + + # When using swarm, you can't use relative paths, so the following needs to be set to the full filesystem path to your logs and docker_quickstart.py + # Bind-mount docker_quickstart.py, since now that we're using a public image, we can't "bake" our credentials into the image anymore + volumes: + - /var/data/instapy/logs:/code/logs + - var/data/instapy/instapy.py:/code/docker_quickstart.py:ro + + # This section allows docker to restart the container when it exits (either normally or abnormally), which ensures that + # InstaPy keeps re-running. Tweak the delay to avoid being banned for excessive activity + deploy: + restart_policy: + condition: any + delay: 3600s + + + selenium: + image: selenium/standalone-chrome-debug + ports: + - "5900:5900" +``` + +!!! note + Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](/reference/networks/) here. + +### Command your bot + +Create a variation of https://github.com/timgrossmann/InstaPy/blob/master/docker_quickstart.py at /var/data/instapy/instapy.py (the file we bind-mounted in the swarm config above) + +Change at least the following: +``` +insta_username = '' +insta_password = '' +``` + +Here's an example of my config, set to like a single penguin-pic per run: + +``` +insta_username = 'funkypenguin' +insta_password = 'followmemypersonalbrandisawesome' + +dont_like = ['food','girl','batman','gotham','dead','nsfw','porn','slut','baby','tv','athlete','nhl','hockey','estate','music','band','clothes'] +friend_list = ['therock','ruinporn'] + +# If you want to enter your Instagram Credentials directly just enter +# username= and password= into InstaPy +# e.g like so InstaPy(username="instagram", password="test1234") + +bot = InstaPy(username='insta_username', password='insta_password', selenium_local_session=False) +bot.set_selenium_remote_session(selenium_url='http://selenium:4444/wd/hub') +bot.login() +bot.set_upper_follower_count(limit=10000) +bot.set_lower_follower_count(limit=10) +bot.set_comments([u'Cool :penguin:!', u'Awesome :penguin:!!', u'Nice :penguin:!!']) +bot.set_dont_include(friend_list) +bot.set_dont_like(dont_like) +#bot.set_ignore_if_contains(ignore_words) + +# OK, so go through my feed and like stuff, interacting with people I follow +# bot.like_by_feed(amount=3, randomize=True, unfollow=True, interact=True) + +# Now find posts tagged as #penguin, and like 'em, commenting 50% of the time +bot.set_do_comment(True, percentage=50) +bot.set_comments([u'Cool :penguin:!', u'Awesome :penguin:!!', u'Nice :penguin:!!']) +bot.like_by_tags(['#penguin'], amount=1) + +# goodnight, sweet bot +bot.end() +``` + +## Serving + +### Destroy all humans + +Launch the bot by running ```docker stack deploy instapy -c ``` + +While you're waiting for Docker to pull down the images, educate yourself on the risk of a robotic uprising: + + + +After swarm deploys, you won't see much, but you can monitor what InstaPy is doing, by running ```docker service logs instapy_web```. + +You can **also** watch the bot at work by VNCing to your docker swarm, password "secret". You'll see Selenium browser window cycling away, interacting with all your real/fake friends on Instagram :) + +## Chef's Notes 📓 + +1. Amazingly, my bot has ended up tagging more _non-penguins_ than actual penguins. I don't understand how Instagrammers come up with their hashtags! diff --git a/manuscript/recipes/ipfs-cluster.md b/manuscript/recipes/ipfs-cluster.md index 95fabc9..3f56bc3 100644 --- a/manuscript/recipes/ipfs-cluster.md +++ b/manuscript/recipes/ipfs-cluster.md @@ -21,7 +21,7 @@ Description. IPFS is a peer-to-peer distributed file system that seeks to connec ### Setup data locations (per-node) -Since IPFS may _replace_ ceph or glusterfs as a shared-storage provider for the swarm, we can't use sharded storage to store its persistent data. (🐔, meet :egg:) +Since IPFS may _replace_ ceph or glusterfs as a shared-storage provider for the swarm, we can't use sharded storage to store its persistent data. (, meet :egg:) On _each_ node, therefore run the following, to create the persistent data storage for ipfs and ipfs-cluster: @@ -180,6 +180,6 @@ QmbqPBLJNXWpbXEX6bVhYLo2ruEBE7mh1tfT9s6VXUzYYx | 28c13ec68f33 | Sees 2 other pee ``` -## Chef's Notes 📓 +## Chef's Notes 1. I'm still trying to work out how to _mount_ the ipfs data in my filesystem in a usable way. Which is why this is still a WIP :) \ No newline at end of file diff --git a/manuscript/recipes/ipfs-cluster.mde b/manuscript/recipes/ipfs-cluster.mde new file mode 100644 index 0000000..dac8a63 --- /dev/null +++ b/manuscript/recipes/ipfs-cluster.mde @@ -0,0 +1,185 @@ +!!! danger "This recipe is a work in progress" + This recipe is **incomplete**, and remains a work in progress. + So... There may be errors and inaccuracies. Jump into [Discord](http://chat.funkypenguin.co.nz) if you're encountering issues 😁 + +!!! important + Development of this recipe is sponsored by [The Common Observatory](https://www.observe.global/) + +# IPFS + +The intention of this recipe is to provide a local IPFS cluster for the purpose of providing persistent storage for the various components of the recipes + +![IPFS Screenshot](../images/ipfs.png) + +Description. IPFS is a peer-to-peer distributed file system that seeks to connect all computing devices with the same system of files. In some ways, IPFS is similar to the World Wide Web, but IPFS could be seen as a single BitTorrent swarm, exchanging objects within one Git repository. + +## Ingredients + +1. [Docker swarm cluster](/ha-docker-swarm/design/) + +## Preparation + +### Setup data locations (per-node) + +Since IPFS may _replace_ ceph or glusterfs as a shared-storage provider for the swarm, we can't use sharded storage to store its persistent data. (🐔, meet :egg:) + +On _each_ node, therefore run the following, to create the persistent data storage for ipfs and ipfs-cluster: + +``` +mkdir -p {/var/ipfs/daemon,/var/ipfs/cluster} +``` + +### Setup environment + +ipfs-cluster nodes require a common secret, a 32-bit hex-encoded string, in order to "trust" each other, so generate one, and add it to ipfs.env on your first node, by running ```od -vN 32 -An -tx1 /dev/urandom | tr -d ' \n'; echo``` + +Now on _each_ node, create ```/var/ipfs/cluster:/data/ipfs-cluster```, including both the secret, *and* the IP of docker0 interface on your hosts (_on my hosts, this is always 172.17.0.1_). We do this (_the trick with docker0)_ to allow ipfs-cluster to talk to the local ipfs daemon, per-node: + +``` +SECRET= + +# Use docker0 to access daemon +IPFS_API=/ip4/172.17.0.1/tcp/5001 +``` + +### Create docker-compose file + +Yes, I know. It's not as snazzy as docker swarm. Maybe we'll get there. But this implementation uses docker-compose, so create the following (_identical_) docker-compose.yml on each node: + +``` +version: "3" + +services: + cluster: + image: ipfs/ipfs-cluster + volumes: + - /var/ipfs/cluster:/data/ipfs-cluster + env_file: /var/data/config/ipfs/ipfs.env + ports: + - 9095:9095 + - 9096:9096 + depends_on: + - daemon + + daemon: + image: ipfs/go-ipfs + ports: + - 4001:4001 + - 5001:5001 + - 8080:8080 + volumes: + - /var/ipfs/daemon:/data/ipfs +``` + +### Launch independent nodes + +Launch all nodes independently with ```docker-compose -f ipfs.yml up```. At this point, the nodes are each running independently, unaware of each other. But we do this to ensure that service.json is populated on each node, using the IPFS_API environment variable we specified in ipfs.env. (_it's only used on the first run_) + + +The output looks something like this: + +``` +cluster_1 | 11:03:33.272 INFO restapi: REST API (libp2p-http): ENABLED. Listening on: +cluster_1 | /ip4/127.0.0.1/tcp/9096/ipfs/QmbqPBLJNXWpbXEX6bVhYLo2ruEBE7mh1tfT9s6VXUzYYx +cluster_1 | /ip4/172.18.0.3/tcp/9096/ipfs/QmbqPBLJNXWpbXEX6bVhYLo2ruEBE7mh1tfT9s6VXUzYYx +cluster_1 | /p2p-circuit/ipfs/QmbqPBLJNXWpbXEX6bVhYLo2ruEBE7mh1tfT9s6VXUzYYx +daemon_1 | Swarm listening on /ip4/127.0.0.1/tcp/4001 +daemon_1 | Swarm listening on /ip4/172.19.0.2/tcp/4001 +daemon_1 | Swarm listening on /p2p-circuit +daemon_1 | Swarm announcing /ip4/127.0.0.1/tcp/4001 +daemon_1 | Swarm announcing /ip4/172.19.0.2/tcp/4001 +daemon_1 | Swarm announcing /ip4/202.170.161.77/tcp/4001 +daemon_1 | API server listening on /ip4/0.0.0.0/tcp/5001 +daemon_1 | Gateway (readonly) server listening on /ip4/0.0.0.0/tcp/8080 +daemon_1 | Daemon is ready +cluster_1 | 10:49:19.720 INFO consensus: Current Raft Leader: QmaAiMDP7PY3CX1xqzgAoNQav5M29P5WPWVqqSBdNu1Nsp raft.go:293 +cluster_1 | 10:49:19.721 INFO cluster: Cluster Peers (without including ourselves): cluster.go:403 +cluster_1 | 10:49:19.721 INFO cluster: - No other peers cluster.go:405 +cluster_1 | 10:49:19.722 INFO cluster: ** IPFS Cluster is READY ** cluster.go:418 +``` + +### Pick a leader + +Pick a node to be your primary node, and CTRL-C the others. + +Look for a line like this in the output of the primary node: + +``` +/ip4/127.0.0.1/tcp/9096/ipfs/QmbqPBLJNXWpbXEX6bVhYLo2ruEBE7mh1tfT9s6VXUzYYx +``` + +You'll note several addresses listed, all ending in the same hash. None of these addresses will be your docker node's actual IP address, however, since we exposed port 9096, we can substitute your docker node's IP. + +### Bootstrap the followers + +On each of the non-primary nodes, run the following, replacing **IP-OF-PRIMARY-NODE** with the actual IP of the primary node, and **HASHY-MC-HASHFACE** with your own hash from primary output above. + + +``` +docker run --rm -it -v /var/ipfs/cluster:/data/ipfs-cluster \ + --entrypoint ipfs-cluster-service ipfs/ipfs-cluster \ + daemon --bootstrap \ /ip4/IP-OF-PRIMARY-NODE/tcp/9096/ipfs/HASHY-MC-HASHFACE +``` + +You'll see output like this: + +``` +10:55:26.121 INFO service: Bootstrapping to /ip4/192.168.31.13/tcp/9096/ipfs/QmPrmQvW5knXLBE94jzpxvdtLSwXZeFE5DSY3FuMxypDsT daemon.go:153 +10:55:26.121 INFO ipfshttp: IPFS Proxy: /ip4/0.0.0.0/tcp/9095 -> /ip4/172.17.0.1/tcp/5001 ipfshttp.go:221 +10:55:26.304 ERROR ipfshttp: error posting to IPFS: Post http://172.17.0.1:5001/api/v0/id: dial tcp 172.17.0.1:5001: connect: connection refused ipfshttp.go:708 +10:55:26.622 INFO consensus: Current Raft Leader: QmPrmQvW5knXLBE94jzpxvdtLSwXZeFE5DSY3FuMxypDsT raft.go:293 +10:55:26.623 INFO cluster: Cluster Peers (without including ourselves): cluster.go:403 +10:55:26.623 INFO cluster: - QmPrmQvW5knXLBE94jzpxvdtLSwXZeFE5DSY3FuMxypDsT cluster.go:410 +10:55:26.624 INFO cluster: - QmbqPBLJNXWpbXEX6bVhYLo2ruEBE7mh1tfT9s6VXUzYYx cluster.go:410 +10:55:26.625 INFO cluster: ** IPFS Cluster is READY ** cluster.go:418 +``` + +!!! note + You can ignore the warnings about port 5001 refused - this is because we weren't running the ipfs daemon while bootstrapping the cluster. Its harmless. + +I haven't worked out why yet, but running the bootstrap in docker-run format reset the permissions on /var/ipfs/cluster/, so look at /var/ipfs/daemon, and make the permissions of /var/ipfs/cluster the same. + +You can now run ```docker-compose -f ipfs.yml up``` on the "follower" nodes, to bring your cluster online. + +### Confirm cluster + +docker-exec into one of the cluster containers (_it doesn't matter which one_), and run ```ipfs-cluster-ctl peers ls``` + +You should see output from each node member, indicating it can see its other peers. Here's my output from a 3-node cluster: + +``` +/ # ipfs-cluster-ctl peers ls +QmPrmQvW5knXLBE94jzpxvdtLSwXZeFE5DSY3FuMxypDsT | ef68b1437c56 | Sees 2 other peers + > Addresses: + - /ip4/127.0.0.1/tcp/9096/ipfs/QmPrmQvW5knXLBE94jzpxvdtLSwXZeFE5DSY3FuMxypDsT + - /ip4/172.19.0.3/tcp/9096/ipfs/QmPrmQvW5knXLBE94jzpxvdtLSwXZeFE5DSY3FuMxypDsT + - /p2p-circuit/ipfs/QmPrmQvW5knXLBE94jzpxvdtLSwXZeFE5DSY3FuMxypDsT + > IPFS: QmU6buucy4FX9XqPoj4ZEiJiu7xUq2dnth5puU1rswtrGg + - /ip4/127.0.0.1/tcp/4001/ipfs/QmU6buucy4FX9XqPoj4ZEiJiu7xUq2dnth5puU1rswtrGg + - /ip4/172.19.0.2/tcp/4001/ipfs/QmU6buucy4FX9XqPoj4ZEiJiu7xUq2dnth5puU1rswtrGg + - /ip4/202.170.161.75/tcp/4001/ipfs/QmU6buucy4FX9XqPoj4ZEiJiu7xUq2dnth5puU1rswtrGg +QmaAiMDP7PY3CX1xqzgAoNQav5M29P5WPWVqqSBdNu1Nsp | 6558e1bf32e2 | Sees 2 other peers + > Addresses: + - /ip4/127.0.0.1/tcp/9096/ipfs/QmaAiMDP7PY3CX1xqzgAoNQav5M29P5WPWVqqSBdNu1Nsp + - /ip4/172.19.0.3/tcp/9096/ipfs/QmaAiMDP7PY3CX1xqzgAoNQav5M29P5WPWVqqSBdNu1Nsp + - /p2p-circuit/ipfs/QmaAiMDP7PY3CX1xqzgAoNQav5M29P5WPWVqqSBdNu1Nsp + > IPFS: QmYMUwHHsaeP2H8D2G3iXKhs1fHm2gQV6SKWiRWxbZfxX7 + - /ip4/127.0.0.1/tcp/4001/ipfs/QmYMUwHHsaeP2H8D2G3iXKhs1fHm2gQV6SKWiRWxbZfxX7 + - /ip4/172.19.0.2/tcp/4001/ipfs/QmYMUwHHsaeP2H8D2G3iXKhs1fHm2gQV6SKWiRWxbZfxX7 + - /ip4/202.170.161.77/tcp/4001/ipfs/QmYMUwHHsaeP2H8D2G3iXKhs1fHm2gQV6SKWiRWxbZfxX7 +QmbqPBLJNXWpbXEX6bVhYLo2ruEBE7mh1tfT9s6VXUzYYx | 28c13ec68f33 | Sees 2 other peers + > Addresses: + - /ip4/127.0.0.1/tcp/9096/ipfs/QmbqPBLJNXWpbXEX6bVhYLo2ruEBE7mh1tfT9s6VXUzYYx + - /ip4/172.18.0.3/tcp/9096/ipfs/QmbqPBLJNXWpbXEX6bVhYLo2ruEBE7mh1tfT9s6VXUzYYx + - /p2p-circuit/ipfs/QmbqPBLJNXWpbXEX6bVhYLo2ruEBE7mh1tfT9s6VXUzYYx + > IPFS: QmazkAuAPpWw913HKiGsr1ief2N8cLa6xcqeAZxqDMsWmE + - /ip4/127.0.0.1/tcp/4001/ipfs/QmazkAuAPpWw913HKiGsr1ief2N8cLa6xcqeAZxqDMsWmE + - /ip4/172.18.0.2/tcp/4001/ipfs/QmazkAuAPpWw913HKiGsr1ief2N8cLa6xcqeAZxqDMsWmE + - /ip4/202.170.161.96/tcp/4001/ipfs/QmazkAuAPpWw913HKiGsr1ief2N8cLa6xcqeAZxqDMsWmE +/ # +``` + + +## Chef's Notes 📓 + +1. I'm still trying to work out how to _mount_ the ipfs data in my filesystem in a usable way. Which is why this is still a WIP :) \ No newline at end of file diff --git a/manuscript/recipes/kanboard.md b/manuscript/recipes/kanboard.md index 6a0dfd2..938eebd 100644 --- a/manuscript/recipes/kanboard.md +++ b/manuscript/recipes/kanboard.md @@ -2,10 +2,10 @@ hero: Kanboard - A recipe to get your personal kanban on # Kanboard -Kanboard is a Kanban tool, developed by [Frédéric Guillot](https://github.com/fguillot). (_Who also happens to be the developer of my favorite RSS reader, [Miniflux](https://geek-cookbook.funkypenguin.co.nz/)recipes/miniflux/)_) +Kanboard is a Kanban tool, developed by [Frdric Guillot](https://github.com/fguillot). (_Who also happens to be the developer of my favorite RSS reader, [Miniflux](https://geek-cookbook.funkypenguin.co.nz/)recipes/miniflux/)_) !!! tip "Sponsored Project" - Kanboard is one of my [sponsored projects](https://geek-cookbook.funkypenguin.co.nz/)sponsored-projects/) - a project I financially support on a regular basis because of its utility to me. I use it both in my DayJob(tm), and to manage my overflowing, overly-optimistic personal commitments! 😓 + Kanboard is one of my [sponsored projects](https://geek-cookbook.funkypenguin.co.nz/)sponsored-projects/) - a project I financially support on a regular basis because of its utility to me. I use it both in my DayJob(tm), and to manage my overflowing, overly-optimistic personal commitments! Features include: @@ -116,7 +116,7 @@ Launch the Kanboard stack by running ```docker stack deploy kanboard -c ``` + +Log into your new instance at https://**YOUR-FQDN**. Default credentials are admin/admin, after which you can change (_under 'profile'_) and add more users. + +## Chef's Notes 📓 + +1. The default theme can be significantly improved by applying the [ThemePlus](https://github.com/phsteffen/kanboard-themeplus) plugin. +2. Kanboard becomes more useful when you integrate in/outbound email with [MailGun](https://github.com/kanboard/plugin-mailgun), [SendGrid](https://github.com/kanboard/plugin-sendgrid), or [Postmark](https://github.com/kanboard/plugin-postmark). \ No newline at end of file diff --git a/manuscript/recipes/keycloak.mde b/manuscript/recipes/keycloak.mde new file mode 100644 index 0000000..64b3e01 --- /dev/null +++ b/manuscript/recipes/keycloak.mde @@ -0,0 +1,147 @@ +# KeyCloak + +[KeyCloak](https://www.keycloak.org/) is "*an open source identity and access management solution*". Using a local database, or a variety of backends (_think [OpenLDAP](/recipes/openldap/)_), you can provide Single Sign-On (SSO) using OpenID, OAuth 2.0, and SAML. KeyCloak's OpenID provider can be used in combination with [Traefik Forward Auth](/ha-docker-swarm/traefik-forward-auth/), to protect [vulnerable services](/recipe/nzbget/) with an extra layer of authentication. + +!!! important + Initial development of this recipe was sponsored by [The Common Observatory](https://www.observe.global/). Thanks guys! + + [![Common Observatory](../images/common_observatory.png)](https://www.observe.global/) + +![KeyCloak Screenshot](../images/keycloak.png) + +## Ingredients + +!!! Summary + Existing: + + * [X] [Docker swarm cluster](/ha-docker-swarm/design/) with [persistent shared storage](/ha-docker-swarm/shared-storage-ceph/) + * [X] [Traefik](/ha-docker-swarm/traefik_public) configured per design + * [X] DNS entry for the hostname (_i.e. "keycloak.your-domain.com"_) you intend to use, pointed to your [keepalived](/ha-docker-swarm/keepalived/) IP + +## Preparation + +### Setup data locations + +We'll need several directories to bind-mount into our container for both runtime and backup data, so create them as follows + +``` +mkdir -p /var/data/runtime/keycloak/database +mkdir -p /var/data/keycloak/database-dump +``` + +### Prepare environment + +Create `/var/data/keycloak/keycloak.env`, and populate with the following variables, customized for your own domain structure. + +``` +# Technically, this could be auto-detected, but we prefer to be prescriptive +DB_VENDOR=postgres +DB_DATABASE=keycloak +DB_ADDR=keycloak-db +DB_USER=keycloak +DB_PASSWORD=myuberpassword +KEYCLOAK_USER=admin +KEYCLOAK_PASSWORD=ilovepasswords + +# This is required to run keycloak behind traefik +PROXY_ADDRESS_FORWARDING=true + +# What's our hostname? +KEYCLOAK_HOSTNAME=keycloak.batcave.com + +# Tell Postgress what user/password to create +POSTGRES_USER=keycloak +POSTGRES_PASSWORD=myuberpassword +``` + +Create `/var/data/keycloak/keycloak-backup.env`, and populate with the following, so that your database can be backed up to the filesystem, daily: + +``` +PGHOST=keycloak-db +PGUSER=keycloak +PGPASSWORD=myuberpassword +BACKUP_NUM_KEEP=7 +BACKUP_FREQUENCY=1d +``` + +### Setup Docker Swarm + +Create a docker swarm config file in docker-compose syntax (v3), something like this: + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 +``` +version: '3' + +services: + keycloak: + image: jboss/keycloak + env_file: /var/data/config/keycloak/keycloak.env + volumes: + - /etc/localtime:/etc/localtime:ro + networks: + - traefik_public + - internal + deploy: + labels: + - traefik.frontend.rule=Host:keycloak.batcave.com + - traefik.port=8080 + - traefik.docker.network=traefik_public + + keycloak-db: + env_file: /var/data/config/keycloak/keycloak.env + image: postgres:10.1 + volumes: + - /var/data/runtime/keycloak/database:/var/lib/postgresql/data + - /etc/localtime:/etc/localtime:ro + networks: + - internal + + keycloak-db-backup: + image: postgres:10.1 + env_file: /var/data/config/keycloak/keycloak-backup.env + volumes: + - /var/data/keycloak/database-dump:/dump + - /etc/localtime:/etc/localtime:ro + entrypoint: | + bash -c 'bash -s < /dump/dump_\`date +%d-%m-%Y"_"%H_%M_%S\`.psql + (ls -t /dump/dump*.psql|head -n $$BACKUP_NUM_KEEP;ls /dump/dump*.psql)|sort|uniq -u|xargs rm -- {} + sleep $$BACKUP_FREQUENCY + done + EOF' + networks: + - internal + +networks: + traefik_public: + external: true + internal: + driver: overlay + ipam: + config: + - subnet: 172.16.49.0/24 +``` + +!!! note + Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](/reference/networks/) here. + + +## Serving + +### Launch KeyCloak stack + +Launch the KeyCloak stack by running ```docker stack deploy keycloak -c ``` + +Log into your new instance at https://**YOUR-FQDN**, and login with the user/password you defined in `keycloak.env`. + +!!! important + Initial development of this recipe was sponsored by [The Common Observatory](https://www.observe.global/). Thanks guys! + + [![Common Observatory](../images/common_observatory.png)](https://www.observe.global/) + + +## Chef's Notes diff --git a/manuscript/recipes/keycloak/authenticate-against-openldap.md b/manuscript/recipes/keycloak/authenticate-against-openldap.md index 0b683d4..28adc15 100644 --- a/manuscript/recipes/keycloak/authenticate-against-openldap.md +++ b/manuscript/recipes/keycloak/authenticate-against-openldap.md @@ -65,4 +65,4 @@ We've setup a new realm in KeyCloak, and configured read-write federation to an * [X] KeyCloak realm in read-write federation with [OpenLDAP](https://geek-cookbook.funkypenguin.co.nz/)recipes/openldap/) directory -## Chef's Notes 📓 \ No newline at end of file +## Chef's Notes \ No newline at end of file diff --git a/manuscript/recipes/keycloak/authenticate-against-openldap.mde b/manuscript/recipes/keycloak/authenticate-against-openldap.mde new file mode 100644 index 0000000..4c77fb8 --- /dev/null +++ b/manuscript/recipes/keycloak/authenticate-against-openldap.mde @@ -0,0 +1,68 @@ +# Authenticate KeyCloak against OpenLDAP + +!!! warning + This is not a complete recipe - it's an **optional** component of the [Keycloak recipe](/recipes/keycloak/), but has been split into its own page to reduce complexity. + +KeyCloak gets really sexy when you integrate it into your [OpenLDAP](/recipes/openldap/) stack (_also, it's great not to have to play with ugly LDAP tree UIs_). Note that OpenLDAP integration is **not necessary** if you want to use KeyCloak with [Traefik Forward Auth](/ha-docker-swarm/traefik-forward-auth/) - all you need for that is [local users](/recipes/keycloak/create-user/), and an [OIDC client](http://localhost:8000/recipes/keycloak/setup-oidc-provider/). + +## Ingredients + +!!! Summary + Existing: + + * [X] [KeyCloak](/recipes/keycloak/) recipe deployed successfully + + New: + + * [ ] An [OpenLDAP server](/recipes/openldap/) (*assuming you want to authenticate against it*) + +## Preparation + +You'll need to have completed the [OpenLDAP](/recipes/openldap/) recipe + +You start in the "Master" realm - but mouseover the realm name, to a dropdown box allowing you add an new realm: + +### Create Realm + +![KeyCloak Add Realm Screenshot](/images/sso-stack-keycloak-1.png) + +Enter a name for your new realm, and click "_Create_": + +![KeyCloak Add Realm Screenshot](/images/sso-stack-keycloak-2.png) + +### Setup User Federation + +Once in the desired realm, click on **User Federation**, and click **Add Provider**. On the next page ("_Required Settings_"), set the following: + +* **Edit Mode** : Writeable +* **Vendor** : Other +* **Connection URL** : ldap://openldap +* **Users DN** : ou=People, +* **Authentication Type** : simple +* **Bind DN** : cn=admin, +* **Bind Credential** : + +Save your changes, and then navigate back to "User Federation" > Your LDAP name > Mappers: + +![KeyCloak Add Realm Screenshot](/images/sso-stack-keycloak-3.png) + +For each of the following mappers, click the name, and set the "_Read Only_" flag to "_Off_" (_this enables 2-way sync between KeyCloak and OpenLDAP_) + +* last name +* username +* email +* first name + +![KeyCloak Add Realm Screenshot](/images/sso-stack-keycloak-4.png) + + +## Summary + +We've setup a new realm in KeyCloak, and configured read-write federation to an [OpenLDAP](/recipes/openldap/) backend. We can now manage our LDAP users using either KeyCloak or LDAP directly, and we can protect vulnerable services using [Traefik Forward Auth](/ha-docker-swarm/traefik-forward-auth/). + +!!! Summary + Created: + + * [X] KeyCloak realm in read-write federation with [OpenLDAP](/recipes/openldap/) directory + +## Chef's Notes 📓 \ No newline at end of file diff --git a/manuscript/recipes/keycloak/create-user.mde b/manuscript/recipes/keycloak/create-user.mde new file mode 100644 index 0000000..603107d --- /dev/null +++ b/manuscript/recipes/keycloak/create-user.mde @@ -0,0 +1,38 @@ +# Create KeyCloak Users + +!!! warning + This is not a complete recipe - it's an optional component of the [Keycloak recipe](/recipes/keycloak/), but has been split into its own page to reduce complexity. + +Unless you plan to authenticate against an outside provider (*[OpenLDAP](/recipes/keycloak/openldap/), below, for example*), you'll want to create some local users.. + +## Ingredients + +!!! Summary + Existing: + + * [X] [KeyCloak](/recipes/keycloak/) recipe deployed successfully + +### Create User + +Within the "Master" realm (*no need for more realms yet*), navigate to **Manage** -> **Users**, and then click **Add User** at the top right: + +![Navigating to the add user interface in Keycloak](/images/keycloak-add-user-1.png) + +Populate your new user's username (it's the only mandatory field) + +![Populating a username in the add user interface in Keycloak](/images/keycloak-add-user-2.png) + +### Set User Credentials + +Once your user is created, to set their password, click on the "**Credentials**" tab, and procede to reset it. Set the password to non-temporary, unless you like extra work! + +![Resetting a user's password in Keycloak](/images/keycloak-add-user-3.png) + +## Summary + +We've setup users in KeyCloak, which we can now use to authenticate to KeyCloak, when it's used as an [OIDC Provider](/recipes/keycloak/setup-oidc-provider/), potentially to secure vulnerable services using [Traefik Forward Auth](/ha-docker-swarm/traefik-forward-auth/). + +!!! Summary + Created: + + * [X] Username / password to authenticate against [KeyCloak](/recipes/keycloak/) diff --git a/manuscript/recipes/keycloak/setup-oidc-provider.md b/manuscript/recipes/keycloak/setup-oidc-provider.md index 3422370..0dc0a8c 100644 --- a/manuscript/recipes/keycloak/setup-oidc-provider.md +++ b/manuscript/recipes/keycloak/setup-oidc-provider.md @@ -52,4 +52,4 @@ We've setup an OIDC client in KeyCloak, which we can now use to protect vulnerab * [X] Client ID and Client Secret used to authenticate against KeyCloak with OpenID Connect -## Chef's Notes 📓 \ No newline at end of file +## Chef's Notes \ No newline at end of file diff --git a/manuscript/recipes/keycloak/setup-oidc-provider.mde b/manuscript/recipes/keycloak/setup-oidc-provider.mde new file mode 100644 index 0000000..188107e --- /dev/null +++ b/manuscript/recipes/keycloak/setup-oidc-provider.mde @@ -0,0 +1,55 @@ +# Add OIDC Provider to KeyCloak + +!!! warning + This is not a complete recipe - it's an optional component of the [Keycloak recipe](/recipes/keycloak/), but has been split into its own page to reduce complexity. + +Having an authentication provider is not much use until you start authenticating things against it! In order to authenticate against KeyCloak using OpenID Connect (OIDC), which is required for [Traefik Forward Auth](/recipe/traefik-forward-auth/), we'll setup a client in KeyCloak... + +## Ingredients + +!!! Summary + Existing: + + * [X] [KeyCloak](/recipes/keycloak/) recipe deployed successfully + + New: + + * [ ] The URI(s) to protect with the OIDC provider. Refer to the [Traefik Forward Auth](/recipe/traefik-forward-auth/) recipe for more information + +## Preparation + +### Create Client + +Within the "Master" realm (*no need for more realms yet*), navigate to **Clients**, and then click **Create** at the top right: + +![Navigating to the add user interface in Keycloak](/images/keycloak-add-client-1.png) + +Enter a name for your client (*remember, we're authenticating **applications** now, not users, so use an application-specific name*): + +![Adding a client in KeyCloak](/images/keycloak-add-client-2.png) + +### Configure Client + +Once your client is created, set at **least** the following, and click **Save** + +* **Access Type** : Confidential +* **Valid Redirect URIs** : + +![Set KeyCloak client to confidential access type, add redirect URIs](/images/keycloak-add-client-3.png) + +### Retrieve Client Secret + +Now that you've changed the access type, and clicked **Save**, an additional **Credentials** tab appears at the top of the window. Click on the tab, and capture the KeyCloak-generated secret. This secret, plus your client name, is required to authenticate against KeyCloak via OIDC. + +![Capture client secret from KeyCloak](/images/keycloak-add-client-4.png) + +## Summary + +We've setup an OIDC client in KeyCloak, which we can now use to protect vulnerable services using [Traefik Forward Auth](/ha-docker-swarm/traefik-forward-auth/). The OIDC URL provided by KeyCloak in the master realm, is *https:///realms/master/.well-known/openid-configuration* + +!!! Summary + Created: + + * [X] Client ID and Client Secret used to authenticate against KeyCloak with OpenID Connect + +## Chef's Notes 📓 \ No newline at end of file diff --git a/manuscript/recipes/kubernetes/kanboard.md b/manuscript/recipes/kubernetes/kanboard.md index 7993da1..b6b6106 100644 --- a/manuscript/recipes/kubernetes/kanboard.md +++ b/manuscript/recipes/kubernetes/kanboard.md @@ -1,11 +1,11 @@ #Kanboard -Kanboard is a Kanban tool, developed by [Frédéric Guillot](https://github.com/fguillot). (_Who also happens to be the developer of my favorite RSS reader, [Miniflux](https://geek-cookbook.funkypenguin.co.nz/)recipes/miniflux/)_) +Kanboard is a Kanban tool, developed by [Frdric Guillot](https://github.com/fguillot). (_Who also happens to be the developer of my favorite RSS reader, [Miniflux](https://geek-cookbook.funkypenguin.co.nz/)recipes/miniflux/)_) ![Kanboard Screenshot](https://geek-cookbook.funkypenguin.co.nz/)images/kanboard.png) !!! tip "Sponsored Project" - Kanboard is one of my [sponsored projects](https://geek-cookbook.funkypenguin.co.nz/)sponsored-projects/) - a project I financially support on a regular basis because of its utility to me. I use it both in my DayJob(tm), and to manage my overflowing, overly-optimistic personal commitments! 😓 + Kanboard is one of my [sponsored projects](https://geek-cookbook.funkypenguin.co.nz/)sponsored-projects/) - a project I financially support on a regular basis because of its utility to me. I use it both in my DayJob(tm), and to manage my overflowing, overly-optimistic personal commitments! Features include: diff --git a/manuscript/recipes/kubernetes/kanboard.mde b/manuscript/recipes/kubernetes/kanboard.mde new file mode 100644 index 0000000..a3ff918 --- /dev/null +++ b/manuscript/recipes/kubernetes/kanboard.mde @@ -0,0 +1,265 @@ +#Kanboard + +Kanboard is a Kanban tool, developed by [Frédéric Guillot](https://github.com/fguillot). (_Who also happens to be the developer of my favorite RSS reader, [Miniflux](/recipes/miniflux/)_) + +![Kanboard Screenshot](/images/kanboard.png) + +!!! tip "Sponsored Project" + Kanboard is one of my [sponsored projects](/sponsored-projects/) - a project I financially support on a regular basis because of its utility to me. I use it both in my DayJob(tm), and to manage my overflowing, overly-optimistic personal commitments! 😓 + +Features include: + +* Visualize your work +* Limit your work in progress to be more efficient +* Customize your boards according to your business activities +* Multiple projects with the ability to drag and drop tasks +* Reports and analytics +* Fast and simple to use +* Access from anywhere with a modern browser +* Plugins and integrations with external services +* Free, open source and self-hosted +* Super simple installation + +## Ingredients + +1. A [Kubernetes Cluster](/kubernetes/design/) including [Traefik Ingress](/kubernetes/traefik/) +2. A DNS name for your kanboard instance (*kanboard.example.com*, below) pointing to your [load balancer](/kubernetes/loadbalancer/), fronting your Traefik ingress + +## Preparation + +### Prepare traefik for namespace + +When you deployed [Traefik via the helm chart](/kubernetes/traefik/), you would have customized ```values.yml``` for your deployment. In ```values.yml``` is a list of namespaces which Traefik is permitted to access. Update ```values.yml``` to include the *kanboard* namespace, as illustrated below: + +``` + +kubernetes: + namespaces: + - kube-system + - nextcloud + - kanboard + - miniflux + +``` + +If you've updated ```values.yml```, upgrade your traefik deployment via helm, by running ```helm upgrade --values values.yml traefik stable/traefik --recreate-pods``` + +### Create data locations + +Although we could simply bind-mount local volumes to a local Kubuernetes cluster, since we're targetting a cloud-based Kubernetes deployment, we only need a local path to store the YAML files which define the various aspects of our Kubernetes deployment. + +``` +mkdir /var/data/config/kanboard +``` + +### Create namespace + +We use Kubernetes namespaces for service discovery and isolation between our stacks, so create a namespace for the kanboard stack with the following .yml: + +``` +cat < /var/data/config/kanboard/namespace.yml +apiVersion: v1 +kind: Namespace +metadata: + name: kanboard +EOF +kubectl create -f /var/data/config/kanboard/namespace.yaml +``` + +### Create persistent volume claim + +Persistent volume claims are a streamlined way to create a persistent volume and assign it to a container in a pod. Create a claim for the kanboard app and plugin data: + +``` +cat < /var/data/config/kanboard/persistent-volumeclaim.yml +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: kanboard-volumeclaim + namespace: kanboard + annotations: + backup.kubernetes.io/deltas: P1D P7D +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi +EOF +kubectl create -f /var/data/config/kanboard/kanboard-volumeclaim.yaml +``` + +!!! question "What's that annotation about?" + The annotation is used by [k8s-snapshots](/kubernetes/snapshots/) to create daily incremental snapshots of your persistent volumes. In this case, our volume is snapshotted daily, and copies kept for 7 days. + +### Create ConfigMap + +Kanboard's configuration is all contained within ```config.php```, which needs to be presented to the container. We _could_ maintain ```config.php``` in the persistent volume we created above, but this would require manually accessing the pod every time we wanted to make a change. + +Instead, we'll create ```config.php``` as a [ConfigMap](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/), meaning it "lives" within the Kuberetes cluster and can be **presented** to our pod. When we want to make changes, we simply update the ConfigMap (*delete and recreate, to be accurate*), and relaunch the pod. + +Grab a copy of [config.default.php](https://github.com/kanboard/kanboard/blob/master/config.default.php), save it to ```/var/data/config/kanboard/config.php```, and customize it per [the guide](https://docs.kanboard.org/en/latest/admin_guide/config_file.html). + +At the very least, I'd suggest making the following changes: +``` +define('PLUGIN_INSTALLER', true); // Yes, I want to install plugins using the UI +define('ENABLE_URL_REWRITE', false); // Yes, I want pretty URLs +``` + +Now create the configmap from config.php, by running ```kubectl create configmap -n kanboard kanboard-config --from-file=config.php``` + +## Serving + +Now that we have a [namespace](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/), a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/), and a [configmap](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/), we can create a [deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), [service](https://kubernetes.io/docs/concepts/services-networking/service/), and [ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) for the kanboard [pod](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/). + +### Create deployment + +Create a deployment to tell Kubernetes about the desired state of the pod (*which it will then attempt to maintain*). Note below that we mount the persistent volume **twice**, to both ```/var/www/app/data``` and ```/var/www/app/plugins```, using the subPath value to differentiate them. This trick avoids us having to provision **two** persistent volumes just for data mounted in 2 separate locations. + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary .yml files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```kubectl create -f *.yml``` 👍 + +``` +cat < /var/data/kanboard/deployment.yml +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + namespace: kanboard + name: app + labels: + app: app +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - image: kanboard/kanboard + name: app + volumeMounts: + - name: kanboard-config + mountPath: /var/www/app/config.php + subPath: config.php + - name: kanboard-app + mountPath: /var/www/app/data + subPath: data + - name: kanboard-app + mountPath: /var/www/app/plugins + subPath: plugins + volumes: + - name: kanboard-app + persistentVolumeClaim: + claimName: kanboard-app + - name: kanboard-config + configMap: + name: kanboard-config +EOF +kubectl create -f /var/data/kanboard/deployment.yml +``` + +Check that your deployment is running, with ```kubectl get pods -n kanboard```. After a minute or so, you should see a "Running" pod, as illustrated below: + +``` +[funkypenguin:~] % kubectl get pods -n kanboard +NAME READY STATUS RESTARTS AGE +app-79f97f7db6-hsmfg 1/1 Running 0 11d +[funkypenguin:~] % +``` + +### Create service + +The service resource "advertises" the availability of TCP port 80 in your pod, to the rest of the cluster (*constrained within your namespace*). It seems a little like overkill coming from the Docker Swarm's automated "service discovery" model, but the Kubernetes design allows for load balancing, rolling upgrades, and health checks of individual pods, without impacting the rest of the cluster elements. + +``` +cat < /var/data/kanboard/service.yml +kind: Service +apiVersion: v1 +metadata: + name: app + namespace: kanboard +spec: + selector: + app: app + ports: + - protocol: TCP + port: 80 + clusterIP: None +EOF +kubectl create -f /var/data/kanboard/service.yml +``` + +Check that your service is deployed, with ```kubectl get services -n kanboard```. You should see something like this: + +``` +[funkypenguin:~] % kubectl get service -n kanboard +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +app ClusterIP None 80/TCP 38d +[funkypenguin:~] % +``` + +### Create ingress + +The ingress resource tells Traefik what to forward inbound requests for *kanboard.example.com* to your service (defined above), which in turn passes the request to the "app" pod. Adjust the config below for your domain. + +``` +cat < /var/data/kanboard/ingress.yml +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: app + namespace: kanboard + annotations: + kubernetes.io/ingress.class: traefik +spec: + rules: + - host: kanboard.example.com + http: + paths: + - backend: + serviceName: app + servicePort: 80 +EOF +kubectl create -f /var/data/kanboard/ingress.yml +``` + +Check that your service is deployed, with ```kubectl get ingress -n kanboard```. You should see something like this: + +``` +[funkypenguin:~] % kubectl get ingress -n kanboard +NAME HOSTS ADDRESS PORTS AGE +app kanboard.funkypenguin.co.nz 80 38d +[funkypenguin:~] % +``` + +### Access Kanboard + +At this point, you should be able to access your instance on your chosen DNS name (*i.e. https://kanboard.example.com*) + + +### Updating config.php + +Since ```config.php``` is a ConfigMap now, to update it, make your local changes, and then delete and recreate the ConfigMap, by running: + +``` +kubectl delete configmap -n kanboard kanboard-config +kubectl create configmap -n kanboard kanboard-config --from-file=config.php +``` + +Then, in the absense of any other changes to the deployement definition, force the pod to restart by issuing a "null patch", as follows: + +``` +kubectl patch -n kanboard deployment app -p "{\"spec\":{\"template\":{\"metadata\":{\"labels\":{\"date\":\"`date +'%s'`\"}}}}}" +``` + +### Troubleshooting + +To look at the Kanboard pod's logs, run ```kubectl logs -n kanboard -f```. For further troubleshooting hints, see [Troubleshooting](/reference/kubernetes/troubleshooting/). + +## Chef's Notes + +1. The simplest deployment of Kanboard uses the default SQLite database backend, stored on the persistent volume. You can convert this to a "real" database running MySQL or PostgreSQL, and running an an additional database pod and service. Contact me if you'd like further details ;) \ No newline at end of file diff --git a/manuscript/recipes/kubernetes/kubernetes-dashboard.mde b/manuscript/recipes/kubernetes/kubernetes-dashboard.mde new file mode 100644 index 0000000..3a3c3b0 --- /dev/null +++ b/manuscript/recipes/kubernetes/kubernetes-dashboard.mde @@ -0,0 +1,35 @@ +# Kubernetes Dashboard + +Yes, Kubernetes is complicated. There are lots of moving parts, and debugging _what's_ gone wrong and _why_, can be challenging. + +Fortunately, to assist in day-to-day operation of our cluster, and in the occasional "how-did-that-ever-work" troubleshooting, we have available to us, the mighty **[Kubernetes Dashboard](https://github.com/kubernetes/dashboard)**: + +![Kubernetes Dashboard Screenshot](/images/kubernetes-dashboard.png) + +Using the dashboard, you can: + +* Visual cluster load, pod distribution +* Examine Kubernetes objects, such as Deployments, Daemonsets, ConfigMaps, etc +* View logs +* Deploy new YAML manifests +* Lots more! + +## Ingredients + +1. A [Kubernetes Cluster](/kubernetes/design/), with +2. OIDC-enabled authentication +3. An Ingress Controller ([Traefik Ingress](/kubernetes/traefik/) or [NGinx Ingress](/kubernetes/nginx-ingress/)) +4. A DNS name for your dashboard instance (*dashboard.example.com*, below) pointing to your [load balancer](/kubernetes/loadbalancer/), fronting your ingress controller +5. A [KeyCloak](/recipes/keycloak/) instance for authentication + +## Preparation + + +### Access Kanboard + +At this point, you should be able to access your instance on your chosen DNS name (*i.e. https://dashboard.example.com*) + + +## Chef's Notes + +1. The simplest deployment of Kanboard uses the default SQLite database backend, stored on the persistent volume. You can convert this to a "real" database running MySQL or PostgreSQL, and running an an additional database pod and service. Contact me if you'd like further details ;) \ No newline at end of file diff --git a/manuscript/recipes/kubernetes/miniflux.md b/manuscript/recipes/kubernetes/miniflux.md index 022829b..eadda19 100644 --- a/manuscript/recipes/kubernetes/miniflux.md +++ b/manuscript/recipes/kubernetes/miniflux.md @@ -1,6 +1,6 @@ #Miniflux -Miniflux is a lightweight RSS reader, developed by [Frédéric Guillot](https://github.com/fguillot). (_Who also happens to be the developer of the favorite Open Source Kanban app, [Kanboard](https://geek-cookbook.funkypenguin.co.nz/)recipes/kanboard/)_) +Miniflux is a lightweight RSS reader, developed by [Frdric Guillot](https://github.com/fguillot). (_Who also happens to be the developer of the favorite Open Source Kanban app, [Kanboard](https://geek-cookbook.funkypenguin.co.nz/)recipes/kanboard/)_) ![Miniflux Screenshot](https://geek-cookbook.funkypenguin.co.nz/)images/miniflux.png) diff --git a/manuscript/recipes/kubernetes/miniflux.mde b/manuscript/recipes/kubernetes/miniflux.mde new file mode 100644 index 0000000..c2deb59 --- /dev/null +++ b/manuscript/recipes/kubernetes/miniflux.mde @@ -0,0 +1,320 @@ +#Miniflux + +Miniflux is a lightweight RSS reader, developed by [Frédéric Guillot](https://github.com/fguillot). (_Who also happens to be the developer of the favorite Open Source Kanban app, [Kanboard](/recipes/kanboard/)_) + +![Miniflux Screenshot](/images/miniflux.png) + +!!! tip "Sponsored Project" + Miniflux is one of my [sponsored projects](/sponsored-projects/) - a project I financially support on a regular basis because of its utility to me. Although I get to process my RSS feeds less frequently than I'd like to! + +I've [reviewed Miniflux in detail on my blog](https://www.funkypenguin.co.nz/review/miniflux-lightweight-self-hosted-rss-reader/), but features (among many) that I appreciate: + +* Compatible with the Fever API, read your feeds through existing mobile and desktop clients (_This is the killer feature for me. I hardly ever read RSS on my desktop, I typically read on my iPhone or iPad, using [Fiery Feeds](http://cocoacake.net/apps/fiery/) or my new squeeze, [Unread](https://www.goldenhillsoftware.com/unread/)_) +* Send your bookmarks to Pinboard, Wallabag, Shaarli or Instapaper (_I use this to automatically pin my bookmarks for collection on my [blog](https://www.funkypenguin.co.nz/blog/)_) +* Feeds can be configured to download a "full" version of the content (_rather than an excerpt_) +* Use the Bookmarklet to subscribe to a website directly from any browsers + +!!! abstract "2.0+ is a bit different" + [Some things changed](https://docs.miniflux.net/en/latest/migration.html) when Miniflux 2.0 was released. For one thing, the only supported database is now postgresql (_no more SQLite_). External themes are gone, as is PHP (_in favor of golang_). It's been a controversial change, but I'm keen on minimal and single-purpose, so I'm still very happy with the direction of development. The developer has laid out his [opinions](https://docs.miniflux.net/en/latest/opinionated.html) re the decisions he's made in the course of development. + + +## Ingredients + +1. A [Kubernetes Cluster](/kubernetes/design/) including [Traefik Ingress](/kubernetes/traefik/) +2. A DNS name for your miniflux instance (*miniflux.example.com*, below) pointing to your [load balancer](/kubernetes/loadbalancer/), fronting your Traefik ingress + +## Preparation + +### Prepare traefik for namespace + +When you deployed [Traefik via the helm chart](/kubernetes/traefik/), you would have customized ```values.yml``` for your deployment. In ```values.yml``` is a list of namespaces which Traefik is permitted to access. Update ```values.yml``` to include the *miniflux* namespace, as illustrated below: + +``` + +kubernetes: + namespaces: + - kube-system + - nextcloud + - kanboard + - miniflux + +``` + +If you've updated ```values.yml```, upgrade your traefik deployment via helm, by running ```helm upgrade --values values.yml traefik stable/traefik --recreate-pods``` + +### Create data locations + +Although we could simply bind-mount local volumes to a local Kubuernetes cluster, since we're targetting a cloud-based Kubernetes deployment, we only need a local path to store the YAML files which define the various aspects of our Kubernetes deployment. + +``` +mkdir /var/data/config/miniflux +``` + +### Create namespace + +We use Kubernetes namespaces for service discovery and isolation between our stacks, so create a namespace for the miniflux stack with the following .yml: + +``` +cat < /var/data/config/miniflux/namespace.yml +apiVersion: v1 +kind: Namespace +metadata: + name: miniflux +EOF +kubectl create -f /var/data/config/miniflux/namespace.yaml +``` + +### Create persistent volume claim + +Persistent volume claims are a streamlined way to create a persistent volume and assign it to a container in a pod. Create a claim for the miniflux postgres database: + +``` +cat < /var/data/config/miniflux/db-persistent-volumeclaim.yml +kkind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: miniflux-db + namespace: miniflux + annotations: + backup.kubernetes.io/deltas: P1D P7D +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi +EOF +kubectl create -f /var/data/config/miniflux/db-persistent-volumeclaim.yaml +``` + +!!! question "What's that annotation about?" + The annotation is used by [k8s-snapshots](/kubernetes/snapshots/) to create daily incremental snapshots of your persistent volumes. In this case, our volume is snapshotted daily, and copies kept for 7 days. + +### Create secrets + +It's not always desirable to have sensitive data stored in your .yml files. Maybe you want to check your config into a git repository, or share it. Using Kubernetes Secrets means that you can create "secrets", and use these in your deployments by name, without exposing their contents. Run the following, replacing ```imtoosexyformyadminpassword```, and the ```mydbpass``` value in both postgress-password.secret **and** database-url.secret: + +``` +echo -n "imtoosexyformyadminpassword" > admin-password.secret +echo -n "mydbpass" > postgres-password.secret +echo -n "postgres://miniflux:mydbpass@db/miniflux?sslmode=disable" > database-url.secret + +kubectl create secret -n mqtt generic miniflux-credentials \ + --from-file=admin-password.secret \ + --from-file=database-url.secret \ + --from-file=database-url.secret +``` + +!!! tip "Why use ```echo -n```?" + Because. See [my blog post here](https://www.funkypenguin.co.nz/beware-the-hidden-newlines-in-kubernetes-secrets/) for the pain of hunting invisible newlines, that's why! + + +## Serving + +Now that we have a [namespace](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/), a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/), and a [configmap](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/), we can create [deployments](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), [services](https://kubernetes.io/docs/concepts/services-networking/service/), and an [ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) for the miniflux [pods](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/). + +### Create db deployment + +Deployments tell Kubernetes about the desired state of the pod (*which it will then attempt to maintain*). Create the db deployment by excecuting the following. Note that the deployment refers to the secrets created above. + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary .yml files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```kubectl create -f *.yml``` 👍 + +``` +cat < /var/data/miniflux/db-deployment.yml +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + namespace: miniflux + name: db + labels: + app: db +spec: + replicas: 1 + selector: + matchLabels: + app: db + template: + metadata: + labels: + app: db + spec: + containers: + - image: postgres:11 + name: db + volumeMounts: + - name: miniflux-db + mountPath: /var/lib/postgresql/data + env: + - name: POSTGRES_USER + value: "miniflux" + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: miniflux-credentials + key: postgres-password.secret + volumes: + - name: miniflux-db + persistentVolumeClaim: + claimName: miniflux-db +``` + +### Create app deployment + +Create the app deployment by excecuting the following. Again, note that the deployment refers to the secrets created above. + +``` +cat < /var/data/miniflux/app-deployment.yml +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + namespace: miniflux + name: app + labels: + app: app +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - image: miniflux/miniflux + name: app + env: + # This is necessary for the miniflux to update the db schema, even on an empty DB + - name: CREATE_ADMIN + value: "1" + - name: RUN_MIGRATIONS + value: "1" + - name: ADMIN_USERNAME + value: "admin" + - name: ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: miniflux-credentials + key: admin-password.secret + - name: DATABASE_URL + valueFrom: + secretKeyRef: + name: miniflux-credentials + key: database-url.secret +EOF +kubectl create -f /var/data/miniflux/deployment.yml +``` + +### Check pods + +Check that your deployment is running, with ```kubectl get pods -n miniflux```. After a minute or so, you should see 2 "Running" pods, as illustrated below: + +``` +[funkypenguin:~] % kubectl get pods -n miniflux +NAME READY STATUS RESTARTS AGE +app-667c667b75-5jjm9 1/1 Running 0 4d +db-fcd47b88f-9vvqt 1/1 Running 0 4d +[funkypenguin:~] % +``` + +### Create db service + +The db service resource "advertises" the availability of PostgreSQL's port (TCP 5432) in your pod, to the rest of the cluster (*constrained within your namespace*). It seems a little like overkill coming from the Docker Swarm's automated "service discovery" model, but the Kubernetes design allows for load balancing, rolling upgrades, and health checks of individual pods, without impacting the rest of the cluster elements. + +``` +cat < /var/data/miniflux/db-service.yml +kind: Service +apiVersion: v1 +metadata: + name: db + namespace: miniflux +spec: + selector: + app: db + ports: + - protocol: TCP + port: 5432 + clusterIP: None +EOF +kubectl create -f /var/data/miniflux/service.yml +``` + +### Create app service + +The app service resource "advertises" the availability of miniflux's HTTP listener port (TCP 8080) in your pod. This is the service which will be referred to by the ingress (below), so that Traefik can route incoming traffic to the miniflux app. + + +``` +cat < /var/data/miniflux/app-service.yml +kind: Service +apiVersion: v1 +metadata: + name: app + namespace: miniflux +spec: + selector: + app: app + ports: + - protocol: TCP + port: 8080 + clusterIP: None +EOF +kubectl create -f /var/data/miniflux/app-service.yml +``` + +### Check services + +Check that your services are deployed, with ```kubectl get services -n miniflux```. You should see something like this: + +``` +[funkypenguin:~] % kubectl get services -n miniflux +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +app ClusterIP None 8080/TCP 55d +db ClusterIP None 5432/TCP 55d +[funkypenguin:~] % +``` + +### Create ingress + +The ingress resource tells Traefik what to forward inbound requests for *miniflux.example.com* to your service (defined above), which in turn passes the request to the "app" pod. Adjust the config below for your domain. + +``` +cat < /var/data/miniflux/ingress.yml +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: app + namespace: miniflux + annotations: + kubernetes.io/ingress.class: traefik +spec: + rules: + - host: miniflux.example.com + http: + paths: + - backend: + serviceName: app + servicePort: 8080 +EOF +kubectl create -f /var/data/miniflux/ingress.yml +``` + +Check that your service is deployed, with ```kubectl get ingress -n miniflux```. You should see something like this: + +``` +[funkypenguin:~] 130 % kubectl get ingress -n miniflux +NAME HOSTS ADDRESS PORTS AGE +app miniflux.funkypenguin.co.nz 80 55d +[funkypenguin:~] % +``` + +### Access Miniflux + +At this point, you should be able to access your instance on your chosen DNS name (*i.e. https://miniflux.example.com*) + + +### Troubleshooting + +To look at the Miniflux pod's logs, run ```kubectl logs -n miniflux -f```. For further troubleshooting hints, see [Troubleshooting](/reference/kubernetes/troubleshooting/). \ No newline at end of file diff --git a/manuscript/recipes/kubernetes/nextcloud.mde b/manuscript/recipes/kubernetes/nextcloud.mde new file mode 100644 index 0000000..5a920da --- /dev/null +++ b/manuscript/recipes/kubernetes/nextcloud.mde @@ -0,0 +1,127 @@ +hero: Not all heroes wear capes + +!!! danger "This recipe is a work in progress" + This recipe is **incomplete**, and is featured to align the [patrons](https://www.patreon.com/funkypenguin)'s "premix" repository with the cookbook. "_premix_" is a private git repository available to [all Patreon patrons](https://www.patreon.com/funkypenguin), which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + + So... There may be errors and inaccuracies. Jump into [Discord](http://chat.funkypenguin.co.nz) if you're encountering issues 😁 + +# NAME + +Intro + +![NAME Screenshot](../../images/name.jpg) + +Details + +## Ingredients + +1. [Kubernetes cluster](/kubernetes/digital-ocean/) + +## Preparation + +### Create data locations + +``` +mkdir /var/data/config/mqtt +``` + +### Create namespace + +We use Kubernetes namespaces for service discovery and isolation between our stacks, so create a namespace for the mqtt stack by creating the following .yaml: + +``` +cat < /var/data/mqtt/namespace.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: mqtt +EOF +kubectl create -f /var/data/mqtt/namespace.yaml +``` + +### Prepare environment + +Create wekan.env, and populate with the following variables +``` +OAUTH2_PROXY_CLIENT_ID= +OAUTH2_PROXY_CLIENT_SECRET= +OAUTH2_PROXY_COOKIE_SECRET= +MONGO_URL=mongodb://wekandb:27017/wekan +ROOT_URL=https://wekan.example.com +MAIL_URL=smtp://wekan@wekan.example.com:password@mail.example.com:587/ +MAIL_FROM="Wekan " +``` + +### Setup Docker Swarm + +Create a docker swarm config file in docker-compose syntax (v3), something like this: + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + + +``` +version: '3' + +services: + + wekandb: + image: mongo:3.2.15 + command: mongod --smallfiles --oplogSize 128 + networks: + - internal + volumes: + - /var/data/wekan/wekan-db:/data/db + - /var/data/wekan/wekan-db-dump:/dump + + proxy: + image: a5huynh/oauth2_proxy + env_file: /var/data/wekan/wekan.env + networks: + - traefik_public + - internal + deploy: + labels: + - traefik_public.frontend.rule=Host:wekan.example.com + - traefik_public.docker.network=traefik_public + - traefik_public.port=4180 + command: | + -cookie-secure=false + -upstream=http://wekan:80 + -redirect-url=https://wekan.example.com + -http-address=http://0.0.0.0:4180 + -email-domain=example.com + -provider=github + + wekan: + image: wekanteam/wekan:latest + networks: + - internal + env_file: /var/data/wekan/wekan.env + +networks: + traefik_public: + external: true + internal: + driver: overlay + ipam: + config: + - subnet: 172.16.3.0/24 +``` + +!!! note + Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](/reference/networks/) here. + + + +## Serving + +### Launch Wekan stack + +Launch the Wekan stack by running ```docker stack deploy wekan -c ``` + +Log into your new instance at https://**YOUR-FQDN**, with user "root" and the password you specified in gitlab.env. + +## Chef's Notes + +1. If you wanted to expose the Wekan UI directly, you could remove the oauth2_proxy from the design, and move the traefik_public-related labels directly to the wekan container. You'd also need to add the traefik_public network to the wekan container. \ No newline at end of file diff --git a/manuscript/recipes/kubernetes/phpipam.mde b/manuscript/recipes/kubernetes/phpipam.mde new file mode 100644 index 0000000..30d558d --- /dev/null +++ b/manuscript/recipes/kubernetes/phpipam.mde @@ -0,0 +1,120 @@ +# Kanboard + +Intro + +![NAME Screenshot](../../images/name.jpg) + +Details + +## Ingredients + +1. [Kubernetes cluster](/kubernetes/digital-ocean/) + +## Preparation + +### Create data locations + +``` +mkdir /var/data/config/mqtt +``` + +### Create namespace + +We use Kubernetes namespaces for service discovery and isolation between our stacks, so create a namespace for the mqtt stack by creating the following .yaml: + +``` +cat < /var/data/mqtt/namespace.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: mqtt +EOF +kubectl create -f /var/data/mqtt/namespace.yaml +``` + +### Prepare environment + +Create wekan.env, and populate with the following variables +``` +OAUTH2_PROXY_CLIENT_ID= +OAUTH2_PROXY_CLIENT_SECRET= +OAUTH2_PROXY_COOKIE_SECRET= +MONGO_URL=mongodb://wekandb:27017/wekan +ROOT_URL=https://wekan.example.com +MAIL_URL=smtp://wekan@wekan.example.com:password@mail.example.com:587/ +MAIL_FROM="Wekan " +``` + +### Setup Docker Swarm + +Create a docker swarm config file in docker-compose syntax (v3), something like this: + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + + +``` +version: '3' + +services: + + wekandb: + image: mongo:3.2.15 + command: mongod --smallfiles --oplogSize 128 + networks: + - internal + volumes: + - /var/data/wekan/wekan-db:/data/db + - /var/data/wekan/wekan-db-dump:/dump + + proxy: + image: a5huynh/oauth2_proxy + env_file: /var/data/wekan/wekan.env + networks: + - traefik_public + - internal + deploy: + labels: + - traefik_public.frontend.rule=Host:wekan.example.com + - traefik_public.docker.network=traefik_public + - traefik_public.port=4180 + command: | + -cookie-secure=false + -upstream=http://wekan:80 + -redirect-url=https://wekan.example.com + -http-address=http://0.0.0.0:4180 + -email-domain=example.com + -provider=github + + wekan: + image: wekanteam/wekan:latest + networks: + - internal + env_file: /var/data/wekan/wekan.env + +networks: + traefik_public: + external: true + internal: + driver: overlay + ipam: + config: + - subnet: 172.16.3.0/24 +``` + +!!! note + Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](/reference/networks/) here. + + + +## Serving + +### Launch Wekan stack + +Launch the Wekan stack by running ```docker stack deploy wekan -c ``` + +Log into your new instance at https://**YOUR-FQDN**, with user "root" and the password you specified in gitlab.env. + +## Chef's Notes + +1. If you wanted to expose the Wekan UI directly, you could remove the oauth2_proxy from the design, and move the traefik_public-related labels directly to the wekan container. You'd also need to add the traefik_public network to the wekan container. \ No newline at end of file diff --git a/manuscript/recipes/kubernetes/privatebin.mde b/manuscript/recipes/kubernetes/privatebin.mde new file mode 100644 index 0000000..5a920da --- /dev/null +++ b/manuscript/recipes/kubernetes/privatebin.mde @@ -0,0 +1,127 @@ +hero: Not all heroes wear capes + +!!! danger "This recipe is a work in progress" + This recipe is **incomplete**, and is featured to align the [patrons](https://www.patreon.com/funkypenguin)'s "premix" repository with the cookbook. "_premix_" is a private git repository available to [all Patreon patrons](https://www.patreon.com/funkypenguin), which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + + So... There may be errors and inaccuracies. Jump into [Discord](http://chat.funkypenguin.co.nz) if you're encountering issues 😁 + +# NAME + +Intro + +![NAME Screenshot](../../images/name.jpg) + +Details + +## Ingredients + +1. [Kubernetes cluster](/kubernetes/digital-ocean/) + +## Preparation + +### Create data locations + +``` +mkdir /var/data/config/mqtt +``` + +### Create namespace + +We use Kubernetes namespaces for service discovery and isolation between our stacks, so create a namespace for the mqtt stack by creating the following .yaml: + +``` +cat < /var/data/mqtt/namespace.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: mqtt +EOF +kubectl create -f /var/data/mqtt/namespace.yaml +``` + +### Prepare environment + +Create wekan.env, and populate with the following variables +``` +OAUTH2_PROXY_CLIENT_ID= +OAUTH2_PROXY_CLIENT_SECRET= +OAUTH2_PROXY_COOKIE_SECRET= +MONGO_URL=mongodb://wekandb:27017/wekan +ROOT_URL=https://wekan.example.com +MAIL_URL=smtp://wekan@wekan.example.com:password@mail.example.com:587/ +MAIL_FROM="Wekan " +``` + +### Setup Docker Swarm + +Create a docker swarm config file in docker-compose syntax (v3), something like this: + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + + +``` +version: '3' + +services: + + wekandb: + image: mongo:3.2.15 + command: mongod --smallfiles --oplogSize 128 + networks: + - internal + volumes: + - /var/data/wekan/wekan-db:/data/db + - /var/data/wekan/wekan-db-dump:/dump + + proxy: + image: a5huynh/oauth2_proxy + env_file: /var/data/wekan/wekan.env + networks: + - traefik_public + - internal + deploy: + labels: + - traefik_public.frontend.rule=Host:wekan.example.com + - traefik_public.docker.network=traefik_public + - traefik_public.port=4180 + command: | + -cookie-secure=false + -upstream=http://wekan:80 + -redirect-url=https://wekan.example.com + -http-address=http://0.0.0.0:4180 + -email-domain=example.com + -provider=github + + wekan: + image: wekanteam/wekan:latest + networks: + - internal + env_file: /var/data/wekan/wekan.env + +networks: + traefik_public: + external: true + internal: + driver: overlay + ipam: + config: + - subnet: 172.16.3.0/24 +``` + +!!! note + Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](/reference/networks/) here. + + + +## Serving + +### Launch Wekan stack + +Launch the Wekan stack by running ```docker stack deploy wekan -c ``` + +Log into your new instance at https://**YOUR-FQDN**, with user "root" and the password you specified in gitlab.env. + +## Chef's Notes + +1. If you wanted to expose the Wekan UI directly, you could remove the oauth2_proxy from the design, and move the traefik_public-related labels directly to the wekan container. You'd also need to add the traefik_public network to the wekan container. \ No newline at end of file diff --git a/manuscript/recipes/kubernetes/template-k8s.md b/manuscript/recipes/kubernetes/template-k8s.md index 7993da1..b6b6106 100644 --- a/manuscript/recipes/kubernetes/template-k8s.md +++ b/manuscript/recipes/kubernetes/template-k8s.md @@ -1,11 +1,11 @@ #Kanboard -Kanboard is a Kanban tool, developed by [Frédéric Guillot](https://github.com/fguillot). (_Who also happens to be the developer of my favorite RSS reader, [Miniflux](https://geek-cookbook.funkypenguin.co.nz/)recipes/miniflux/)_) +Kanboard is a Kanban tool, developed by [Frdric Guillot](https://github.com/fguillot). (_Who also happens to be the developer of my favorite RSS reader, [Miniflux](https://geek-cookbook.funkypenguin.co.nz/)recipes/miniflux/)_) ![Kanboard Screenshot](https://geek-cookbook.funkypenguin.co.nz/)images/kanboard.png) !!! tip "Sponsored Project" - Kanboard is one of my [sponsored projects](https://geek-cookbook.funkypenguin.co.nz/)sponsored-projects/) - a project I financially support on a regular basis because of its utility to me. I use it both in my DayJob(tm), and to manage my overflowing, overly-optimistic personal commitments! 😓 + Kanboard is one of my [sponsored projects](https://geek-cookbook.funkypenguin.co.nz/)sponsored-projects/) - a project I financially support on a regular basis because of its utility to me. I use it both in my DayJob(tm), and to manage my overflowing, overly-optimistic personal commitments! Features include: diff --git a/manuscript/recipes/kubernetes/template-k8s.mde b/manuscript/recipes/kubernetes/template-k8s.mde new file mode 100644 index 0000000..a3ff918 --- /dev/null +++ b/manuscript/recipes/kubernetes/template-k8s.mde @@ -0,0 +1,265 @@ +#Kanboard + +Kanboard is a Kanban tool, developed by [Frédéric Guillot](https://github.com/fguillot). (_Who also happens to be the developer of my favorite RSS reader, [Miniflux](/recipes/miniflux/)_) + +![Kanboard Screenshot](/images/kanboard.png) + +!!! tip "Sponsored Project" + Kanboard is one of my [sponsored projects](/sponsored-projects/) - a project I financially support on a regular basis because of its utility to me. I use it both in my DayJob(tm), and to manage my overflowing, overly-optimistic personal commitments! 😓 + +Features include: + +* Visualize your work +* Limit your work in progress to be more efficient +* Customize your boards according to your business activities +* Multiple projects with the ability to drag and drop tasks +* Reports and analytics +* Fast and simple to use +* Access from anywhere with a modern browser +* Plugins and integrations with external services +* Free, open source and self-hosted +* Super simple installation + +## Ingredients + +1. A [Kubernetes Cluster](/kubernetes/design/) including [Traefik Ingress](/kubernetes/traefik/) +2. A DNS name for your kanboard instance (*kanboard.example.com*, below) pointing to your [load balancer](/kubernetes/loadbalancer/), fronting your Traefik ingress + +## Preparation + +### Prepare traefik for namespace + +When you deployed [Traefik via the helm chart](/kubernetes/traefik/), you would have customized ```values.yml``` for your deployment. In ```values.yml``` is a list of namespaces which Traefik is permitted to access. Update ```values.yml``` to include the *kanboard* namespace, as illustrated below: + +``` + +kubernetes: + namespaces: + - kube-system + - nextcloud + - kanboard + - miniflux + +``` + +If you've updated ```values.yml```, upgrade your traefik deployment via helm, by running ```helm upgrade --values values.yml traefik stable/traefik --recreate-pods``` + +### Create data locations + +Although we could simply bind-mount local volumes to a local Kubuernetes cluster, since we're targetting a cloud-based Kubernetes deployment, we only need a local path to store the YAML files which define the various aspects of our Kubernetes deployment. + +``` +mkdir /var/data/config/kanboard +``` + +### Create namespace + +We use Kubernetes namespaces for service discovery and isolation between our stacks, so create a namespace for the kanboard stack with the following .yml: + +``` +cat < /var/data/config/kanboard/namespace.yml +apiVersion: v1 +kind: Namespace +metadata: + name: kanboard +EOF +kubectl create -f /var/data/config/kanboard/namespace.yaml +``` + +### Create persistent volume claim + +Persistent volume claims are a streamlined way to create a persistent volume and assign it to a container in a pod. Create a claim for the kanboard app and plugin data: + +``` +cat < /var/data/config/kanboard/persistent-volumeclaim.yml +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: kanboard-volumeclaim + namespace: kanboard + annotations: + backup.kubernetes.io/deltas: P1D P7D +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi +EOF +kubectl create -f /var/data/config/kanboard/kanboard-volumeclaim.yaml +``` + +!!! question "What's that annotation about?" + The annotation is used by [k8s-snapshots](/kubernetes/snapshots/) to create daily incremental snapshots of your persistent volumes. In this case, our volume is snapshotted daily, and copies kept for 7 days. + +### Create ConfigMap + +Kanboard's configuration is all contained within ```config.php```, which needs to be presented to the container. We _could_ maintain ```config.php``` in the persistent volume we created above, but this would require manually accessing the pod every time we wanted to make a change. + +Instead, we'll create ```config.php``` as a [ConfigMap](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/), meaning it "lives" within the Kuberetes cluster and can be **presented** to our pod. When we want to make changes, we simply update the ConfigMap (*delete and recreate, to be accurate*), and relaunch the pod. + +Grab a copy of [config.default.php](https://github.com/kanboard/kanboard/blob/master/config.default.php), save it to ```/var/data/config/kanboard/config.php```, and customize it per [the guide](https://docs.kanboard.org/en/latest/admin_guide/config_file.html). + +At the very least, I'd suggest making the following changes: +``` +define('PLUGIN_INSTALLER', true); // Yes, I want to install plugins using the UI +define('ENABLE_URL_REWRITE', false); // Yes, I want pretty URLs +``` + +Now create the configmap from config.php, by running ```kubectl create configmap -n kanboard kanboard-config --from-file=config.php``` + +## Serving + +Now that we have a [namespace](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/), a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/), and a [configmap](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/), we can create a [deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), [service](https://kubernetes.io/docs/concepts/services-networking/service/), and [ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) for the kanboard [pod](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/). + +### Create deployment + +Create a deployment to tell Kubernetes about the desired state of the pod (*which it will then attempt to maintain*). Note below that we mount the persistent volume **twice**, to both ```/var/www/app/data``` and ```/var/www/app/plugins```, using the subPath value to differentiate them. This trick avoids us having to provision **two** persistent volumes just for data mounted in 2 separate locations. + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary .yml files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```kubectl create -f *.yml``` 👍 + +``` +cat < /var/data/kanboard/deployment.yml +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + namespace: kanboard + name: app + labels: + app: app +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - image: kanboard/kanboard + name: app + volumeMounts: + - name: kanboard-config + mountPath: /var/www/app/config.php + subPath: config.php + - name: kanboard-app + mountPath: /var/www/app/data + subPath: data + - name: kanboard-app + mountPath: /var/www/app/plugins + subPath: plugins + volumes: + - name: kanboard-app + persistentVolumeClaim: + claimName: kanboard-app + - name: kanboard-config + configMap: + name: kanboard-config +EOF +kubectl create -f /var/data/kanboard/deployment.yml +``` + +Check that your deployment is running, with ```kubectl get pods -n kanboard```. After a minute or so, you should see a "Running" pod, as illustrated below: + +``` +[funkypenguin:~] % kubectl get pods -n kanboard +NAME READY STATUS RESTARTS AGE +app-79f97f7db6-hsmfg 1/1 Running 0 11d +[funkypenguin:~] % +``` + +### Create service + +The service resource "advertises" the availability of TCP port 80 in your pod, to the rest of the cluster (*constrained within your namespace*). It seems a little like overkill coming from the Docker Swarm's automated "service discovery" model, but the Kubernetes design allows for load balancing, rolling upgrades, and health checks of individual pods, without impacting the rest of the cluster elements. + +``` +cat < /var/data/kanboard/service.yml +kind: Service +apiVersion: v1 +metadata: + name: app + namespace: kanboard +spec: + selector: + app: app + ports: + - protocol: TCP + port: 80 + clusterIP: None +EOF +kubectl create -f /var/data/kanboard/service.yml +``` + +Check that your service is deployed, with ```kubectl get services -n kanboard```. You should see something like this: + +``` +[funkypenguin:~] % kubectl get service -n kanboard +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +app ClusterIP None 80/TCP 38d +[funkypenguin:~] % +``` + +### Create ingress + +The ingress resource tells Traefik what to forward inbound requests for *kanboard.example.com* to your service (defined above), which in turn passes the request to the "app" pod. Adjust the config below for your domain. + +``` +cat < /var/data/kanboard/ingress.yml +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: app + namespace: kanboard + annotations: + kubernetes.io/ingress.class: traefik +spec: + rules: + - host: kanboard.example.com + http: + paths: + - backend: + serviceName: app + servicePort: 80 +EOF +kubectl create -f /var/data/kanboard/ingress.yml +``` + +Check that your service is deployed, with ```kubectl get ingress -n kanboard```. You should see something like this: + +``` +[funkypenguin:~] % kubectl get ingress -n kanboard +NAME HOSTS ADDRESS PORTS AGE +app kanboard.funkypenguin.co.nz 80 38d +[funkypenguin:~] % +``` + +### Access Kanboard + +At this point, you should be able to access your instance on your chosen DNS name (*i.e. https://kanboard.example.com*) + + +### Updating config.php + +Since ```config.php``` is a ConfigMap now, to update it, make your local changes, and then delete and recreate the ConfigMap, by running: + +``` +kubectl delete configmap -n kanboard kanboard-config +kubectl create configmap -n kanboard kanboard-config --from-file=config.php +``` + +Then, in the absense of any other changes to the deployement definition, force the pod to restart by issuing a "null patch", as follows: + +``` +kubectl patch -n kanboard deployment app -p "{\"spec\":{\"template\":{\"metadata\":{\"labels\":{\"date\":\"`date +'%s'`\"}}}}}" +``` + +### Troubleshooting + +To look at the Kanboard pod's logs, run ```kubectl logs -n kanboard -f```. For further troubleshooting hints, see [Troubleshooting](/reference/kubernetes/troubleshooting/). + +## Chef's Notes + +1. The simplest deployment of Kanboard uses the default SQLite database backend, stored on the persistent volume. You can convert this to a "real" database running MySQL or PostgreSQL, and running an an additional database pod and service. Contact me if you'd like further details ;) \ No newline at end of file diff --git a/manuscript/recipes/mail.md b/manuscript/recipes/mail.md index 625b4bc..bb01d82 100644 --- a/manuscript/recipes/mail.md +++ b/manuscript/recipes/mail.md @@ -178,7 +178,7 @@ SSL_TYPE=letsencrypt Launch the mail server stack by running ```docker stack deploy docker-mailserver -c ``` -## Chef's Notes 📓 +## Chef's Notes 1. One of the elements of this design which I didn't appreciate at first is that since the config is entirely file-based, **setup.sh** can be run on any container host, provided it has the shared data mounted. This means that even though docker-mailserver was not designed with docker swarm in mind, it works perfectl with swarm. I.e., from any node, regardless of where the container is actually running, you're able to add/delete email addresses, view logs, etc. diff --git a/manuscript/recipes/mail.mde b/manuscript/recipes/mail.mde new file mode 100644 index 0000000..d05e60e --- /dev/null +++ b/manuscript/recipes/mail.mde @@ -0,0 +1,185 @@ +hero: Docker-mailserver - A recipe for a self-contained mailserver and friends ✉️ + +# Mail Server + +Many of the recipes that follow require email access of some kind. It's normally possible to use a hosted service such as SendGrid, or just a gmail account. If (like me) you'd like to self-host email for your stacks, then the following recipe provides a full-stack mail server running on the docker HA swarm. + +Of value to me in choosing docker-mailserver were: + +1. Automatically renews LetsEncrypt certificates +2. Creation of email accounts across multiple domains (i.e., the same container gives me mailbox wekan@wekan.example.com, and gitlab@gitlab.example.com) +3. The entire configuration is based on flat files, so there's no database or persistence to worry about + +docker-mailserver doesn't include a webmail client, and one is not strictly needed. Rainloop can be added either as another service within the stack, or as a standalone service. Rainloop will be covered in a future recipe. + +## Ingredients + +1. [Docker swarm cluster](/ha-docker-swarm/design/) with [persistent shared storage](/ha-docker-swarm/shared-storage-ceph.md) +2. [Traefik](/ha-docker-swarm/traefik) configured per design +3. LetsEncrypt authorized email address for domain +4. Access to manage DNS records for domains + +## Preparation + +### Setup data locations + +We'll need several directories to bind-mount into our container, so create them in /var/data/docker-mailserver: + +``` +cd /var/data +mkdir docker-mailserver +cd docker-mailserver +mkdir {maildata,mailstate,config,letsencrypt,rainloop} +``` + +### Get LetsEncrypt certificate + +Decide on the FQDN to assign to your mailserver. You can service multiple domains from a single mailserver - i.e., bob@dev.example.com and daphne@prod.example.com can both be served by **mail.example.com**. + +The docker-mailserver container can _renew_ our LetsEncrypt certs for us, but it can't generate them. To do this, we need to run certbot (from a container) to request the initial certs and create the appropriate directory structure. + +In the example below, since I'm already using Traefik to manage the LE certs for my web platforms, I opted to use the DNS challenge to prove my ownership of the domain. The certbot client will prompt you to add a DNS record for domain verification. + +``` +docker run -ti --rm -v \ +"$(pwd)"/letsencrypt:/etc/letsencrypt certbot/certbot \ +--manual --preferred-challenges dns certonly \ +-d mail.example.com +``` + +### Get setup.sh + +docker-mailserver comes with a handy bash script for managing the stack (which is just really a wrapper around the container.) It'll make our setup easier, so download it into the root of your configuration/data directory, and make it executable: + +``` +curl -o setup.sh \ +https://raw.githubusercontent.com/tomav/docker-mailserver/master/setup.sh \ +chmod a+x ./setup.sh +``` +### Create email accounts + +For every email address required, run ```./setup.sh email add ``` to create the account. The command returns no output. + +You can run ```./setup.sh email list``` to confirm all of your addresses have been created. + +### Create DKIM DNS entries + +Run ```./setup.sh config dkim``` to create the necessary DKIM entries. The command returns no output. + +Examine the keys created by opendkim to identify the DNS TXT records required: + +``` +for i in `find config/opendkim/keys/ -name mail.txt`; do \ +echo $i; \ +cat $i; \ +done +``` + +You'll end up with something like this: + +``` +config/opendkim/keys/gitlab.example.com/mail.txt +mail._domainkey IN TXT ( "v=DKIM1; k=rsa; " + "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYuQqDg2ZG8ZOfI1PvarF1Gcr5cJnCR8BeCj5HYgeRohSrxKL5utPEF/AWAxXYwnKpgYN837fu74GfqsIuOhu70lPhGV+O2gFVgpXYWHELvIiTqqO0QgarIN63WE2gzE4s0FckfLrMuxMoXr882wuzuJhXywGxOavybmjpnNHhbQIDAQAB" ) ; ----- DKIM key mail for gitlab.example.com +[root@ds1 mail]# +``` + +Create the necessary DNS TXT entries for your domain(s). Note that although opendkim splits the record across two lines, the actual record should be concatenated on creation. I.e., the DNS TXT record above should read: + +``` +"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYuQqDg2ZG8ZOfI1PvarF1Gcr5cJnCR8BeCj5HYgeRohSrxKL5utPEF/AWAxXYwnKpgYN837fu74GfqsIuOhu70lPhGV+O2gFVgpXYWHELvIiTqqO0QgarIN63WE2gzE4s0FckfLrMuxMoXr882wuzuJhXywGxOavybmjpnNHhbQIDAQAB" +``` + +### Setup Docker Swarm + +Create a docker swarm config file in docker-compose syntax (_v3.2 - because we need to expose mail ports in "host mode"_), something like this: + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + +``` +version: '3.2' + +services: + mail: + image: tvial/docker-mailserver:latest + ports: + - target: 25 + published: 25 + protocol: tcp + mode: host + - target: 587 + published: 587 + protocol: tcp + mode: host + - target: 993 + published: 993 + protocol: tcp + mode: host + - target: 995 + published: 995 + protocol: tcp + mode: host + volumes: + - /var/data/docker-mailserver/maildata:/var/mail + - /var/data/docker-mailserver/mailstate:/var/mail-state + - /var/data/docker-mailserver/config:/tmp/docker-mailserver + - /var/data/docker-mailserver/letsencrypt:/etc/letsencrypt + env_file: /var/data/docker-mailserver/docker-mailserver.env + networks: + - internal + deploy: + replicas: 1 + + rainloop: + image: hardware/rainloop + networks: + - internal + - traefik_public + deploy: + labels: + - traefik.frontend.rule=Host:rainloop.example.com + - traefik.docker.network=traefik_public + - traefik.port=8888 + volumes: + - /var/data/mailserver/rainloop:/rainloop/data + +networks: + traefik_public: + external: true + internal: + driver: overlay + ipam: + config: + - subnet: 172.16.2.0/24 +``` + +!!! note + Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. + +A sample docker-mailserver.env file looks like this: + +``` +ENABLE_SPAMASSASSIN=1 +ENABLE_CLAMAV=1 +ENABLE_POSTGREY=1 +ONE_DIR=1 +OVERRIDE_HOSTNAME=mail.example.com +OVERRIDE_DOMAINNAME=mail.example.com +POSTMASTER_ADDRESS=admin@example.com +PERMIT_DOCKER=network +SSL_TYPE=letsencrypt +``` + + +## Serving + +### Launch mailserver + +Launch the mail server stack by running ```docker stack deploy docker-mailserver -c ``` + +## Chef's Notes 📓 + +1. One of the elements of this design which I didn't appreciate at first is that since the config is entirely file-based, **setup.sh** can be run on any container host, provided it has the shared data mounted. This means that even though docker-mailserver was not designed with docker swarm in mind, it works perfectl with swarm. I.e., from any node, regardless of where the container is actually running, you're able to add/delete email addresses, view logs, etc. + +2. If you're using sieve with Rainloop, take note of the [workaround](https://discourse.geek-kitchen.funkypenguin.co.nz/t/mail-server-funky-penguins-geek-cookbook/70/15) identified by [ggilley](https://discourse.geek-kitchen.funkypenguin.co.nz/u/ggilley) diff --git a/manuscript/recipes/mattermost.md b/manuscript/recipes/mattermost.md index 0ae034d..efad678 100644 --- a/manuscript/recipes/mattermost.md +++ b/manuscript/recipes/mattermost.md @@ -116,6 +116,6 @@ Launch the MatterMost stack by running ```docker stack deploy mattermost -c /dump/dump_\`date +%d-%m-%Y"_"%H_%M_%S\`.psql + (ls -t /dump/dump*.psql|head -n $$BACKUP_NUM_KEEP;ls /dump/dump*.psql)|sort|uniq -u|xargs rm -- {} + sleep $$BACKUP_FREQUENCY + done + EOF' + networks: + - internal + + +networks: + traefik_public: + external: true + internal: + driver: overlay + ipam: + config: + - subnet: 172.16.40.0/24 +``` + +!!! note + Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](/reference/networks/) here. + + + +## Serving + +### Launch MatterMost stack + +Launch the MatterMost stack by running ```docker stack deploy mattermost -c ``` + +Log into your new instance at https://**YOUR-FQDN**, with user "root" and the password you specified in gitlab.env. + +## Chef's Notes 📓 + +1. If you wanted to expose the Wekan UI directly, you could remove the oauth2_proxy from the design, and move the traefik_public-related labels directly to the wekan container. You'd also need to add the traefik_public network to the wekan container. \ No newline at end of file diff --git a/manuscript/recipes/miniflux.md b/manuscript/recipes/miniflux.md index 61bf42d..823a860 100644 --- a/manuscript/recipes/miniflux.md +++ b/manuscript/recipes/miniflux.md @@ -2,7 +2,7 @@ hero: Miniflux - A recipe for a lightweight minimalist RSS reader # Miniflux -Miniflux is a lightweight RSS reader, developed by [Frédéric Guillot](https://github.com/fguillot). (_Who also happens to be the developer of the favorite Open Source Kanban app, [Kanboard](https://geek-cookbook.funkypenguin.co.nz/)recipes/kanboard/)_) +Miniflux is a lightweight RSS reader, developed by [Frdric Guillot](https://github.com/fguillot). (_Who also happens to be the developer of the favorite Open Source Kanban app, [Kanboard](https://geek-cookbook.funkypenguin.co.nz/)recipes/kanboard/)_) ![Miniflux Screenshot](../images/miniflux.png) @@ -136,6 +136,6 @@ Launch the Miniflux stack by running ```docker stack deploy miniflux -c Integration** page. \ No newline at end of file diff --git a/manuscript/recipes/miniflux.mde b/manuscript/recipes/miniflux.mde new file mode 100644 index 0000000..609754c --- /dev/null +++ b/manuscript/recipes/miniflux.mde @@ -0,0 +1,141 @@ +hero: Miniflux - A recipe for a lightweight minimalist RSS reader + +# Miniflux + +Miniflux is a lightweight RSS reader, developed by [Frédéric Guillot](https://github.com/fguillot). (_Who also happens to be the developer of the favorite Open Source Kanban app, [Kanboard](/recipes/kanboard/)_) + +![Miniflux Screenshot](../images/miniflux.png) + +!!! tip "Sponsored Project" + Miniflux is one of my [sponsored projects](/sponsored-projects/) - a project I financially support on a regular basis because of its utility to me. Although I get to process my RSS feeds less frequently than I'd like to! + +I've [reviewed Miniflux in detail on my blog](https://www.funkypenguin.co.nz/review/miniflux-lightweight-self-hosted-rss-reader/), but features (among many) that I appreciate: + +* Compatible with the Fever API, read your feeds through existing mobile and desktop clients (_This is the killer feature for me. I hardly ever read RSS on my desktop, I typically read on my iPhone or iPad, using [Fiery Feeds](http://cocoacake.net/apps/fiery/) or my new squeeze, [Unread](https://www.goldenhillsoftware.com/unread/)_) +* Send your bookmarks to Pinboard, Wallabag, Shaarli or Instapaper (_I use this to automatically pin my bookmarks for collection on my [blog](https://www.funkypenguin.co.nz/blog/)_) +* Feeds can be configured to download a "full" version of the content (_rather than an excerpt_) +* Use the Bookmarklet to subscribe to a website directly from any browsers + +!!! abstract "2.0+ is a bit different" + [Some things changed](https://docs.miniflux.net/en/latest/migration.html) when Miniflux 2.0 was released. For one thing, the only supported database is now postgresql (_no more SQLite_). External themes are gone, as is PHP (_in favor of golang_). It's been a controversial change, but I'm keen on minimal and single-purpose, so I'm still very happy with the direction of development. The developer has laid out his [opinions](https://docs.miniflux.net/en/latest/opinionated.html) re the decisions he's made in the course of development. + +## Ingredients + +1. [Docker swarm cluster](/ha-docker-swarm/design/) with [persistent shared storage](/ha-docker-swarm/shared-storage-ceph.md) +2. [Traefik](/ha-docker-swarm/traefik) configured per design +3. DNS entry pointing your Miniflux url (i.e. _miniflux.example.com_) to your [keepalived](ha-docker-swarm/keepalived/) IP + +## Preparation + +### Setup data locations + +Create the location for the bind-mount of the application data, so that it's persistent: + +``` +mkdir -p /var/data/miniflux/database-dump +mkdir -p /var/data/runtime/miniflux/database + +``` + +### Setup environment + +Create ```/var/data/config/miniflux/miniflux.env``` something like this: + +``` +DATABASE_URL=postgres://miniflux:secret@db/miniflux?sslmode=disable +POSTGRES_USER=miniflux +POSTGRES_PASSWORD=secret + +# This is necessary for the miniflux to update the db schema, even on an empty DB +RUN_MIGRATIONS=1 + +# Uncomment this on first run, else leave it commented out after adding your own user account +CREATE_ADMIN=1 +ADMIN_USERNAME=admin +ADMIN_PASSWORD=test1234 + +# For backups +PGUSER=miniflux +PGPASSWORD=secret +PGHOST=db +BACKUP_NUM_KEEP=7 +BACKUP_FREQUENCY=1d +``` + +The entire application is configured using environment variables, including the initial username. Once you've successfully deployed once, comment out ```CREATE_ADMIN``` and the two successive lines. + +### Setup Docker Swarm + +Create a docker swarm config file in docker-compose syntax (v3), something like this: + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + +``` +version: '3' + +services: + miniflux: + image: miniflux/miniflux:2.0.7 + env_file: /var/data/config/miniflux/miniflux.env + volumes: + - /etc/localtime:/etc/localtime:ro + networks: + - internal + - traefik_public + deploy: + labels: + - traefik.frontend.rule=Host:miniflux.example.com + - traefik.port=8080 + - traefik.docker.network=traefik_public + + db: + env_file: /var/data/config/miniflux/miniflux.env + image: postgres:10.1 + volumes: + - /var/data/runtime/miniflux/database:/var/lib/postgresql/data + - /etc/localtime:/etc/localtime:ro + networks: + - internal + + db-backup: + image: postgres:10.1 + env_file: /var/data/config/miniflux/miniflux.env + volumes: + - /var/data/miniflux/database-dump:/dump + - /etc/localtime:/etc/localtime:ro + entrypoint: | + bash -c 'bash -s < /dump/dump_\`date +%d-%m-%Y"_"%H_%M_%S\`.psql + (ls -t /dump/dump*.psql|head -n $$BACKUP_NUM_KEEP;ls /dump/dump*.psql)|sort|uniq -u|xargs rm -- {} + sleep $$BACKUP_FREQUENCY + done + EOF' + networks: + - internal + +networks: + traefik_public: + external: true + internal: + driver: overlay + ipam: + config: + - subnet: 172.16.22.0/24 +``` + + +## Serving + +### Launch Miniflux stack + +Launch the Miniflux stack by running ```docker stack deploy miniflux -c ``` + +Log into your new instance at https://**YOUR-FQDN**, using the credentials you setup in the environment flie. After this, change your user/password as you see fit, and comment out the ```CREATE_ADMIN``` line in the env file (_if you don't, then an **additional** admin will be created the next time you deploy_) + +## Chef's Notes 📓 + +1. Find the bookmarklet under the **Settings -> Integration** page. \ No newline at end of file diff --git a/manuscript/recipes/minio.md b/manuscript/recipes/minio.md index 94f54fc..ed6e6ad 100644 --- a/manuscript/recipes/minio.md +++ b/manuscript/recipes/minio.md @@ -81,7 +81,7 @@ Log into your new instance at https://**YOUR-FQDN**, with the access key and sec If you created ```/var/data/minio```, you'll see nothing. If you referenced existing data, you should see all subdirectories in your existing folder represented as buckets. -If all you need is single-user access to your data, you're done! 🎉 +If all you need is single-user access to your data, you're done! If, however, you want to expose data to multiple users, at different privilege levels, you'll need the minio client to create some users and (_potentially_) policies... @@ -170,7 +170,7 @@ To permanently mount an S3 bucket using goofys, I'd add something like this to / goofys#bucket /mnt/mountpoint fuse _netdev,allow_other,--file-mode=0666 0 0 ``` -## Chef's Notes 📓 +## Chef's Notes 1. There are many S3-filesystem-mounting tools available, I just picked Goofys because it's simple. Google is your friend :) 2. Some applications (_like [NextCloud](https://geek-cookbook.funkypenguin.co.nz/)recipes/nextcloud/)_) can natively mount S3 buckets diff --git a/manuscript/recipes/minio.mde b/manuscript/recipes/minio.mde new file mode 100644 index 0000000..49780fe --- /dev/null +++ b/manuscript/recipes/minio.mde @@ -0,0 +1,178 @@ +# Minio + +Minio is a high performance distributed object storage server, designed for +large-scale private cloud infrastructure. + +However, at its simplest, Minio allows you to expose a local filestructure via the [Amazon S3 API](https://docs.aws.amazon.com/AmazonS3/latest/API/Welcome.html). You could, for example, use it to provide access to "buckets" (folders) of data on your filestore, secured by access/secret keys, just like AWS S3. You can further interact with your "buckets" with common tools, just as if they were hosted on S3. + +Under a more advanced configuration, Minio runs in distributed mode, with [features](https://www.minio.io/features.html) including high-availability, mirroring, erasure-coding, and "bitrot detection". + +![Minio Screenshot](../images/minio.png) + +Possible use-cases: + +1. Sharing files (_protected by user accounts with secrets_) via HTTPS, either as read-only or read-write, in such a way that the bucket could be mounted to a remote filesystem using common S3-compatible tools, like [goofys](https://github.com/kahing/goofys). Ever wanted to share a folder with friends, but didn't want to open additional firewall ports etc? +2. Simulating S3 in a dev environment +3. Mirroring an S3 bucket locally + +## Ingredients + +1. [Docker swarm cluster](/ha-docker-swarm/design/) with [persistent shared storage](/ha-docker-swarm/shared-storage-ceph.md) +2. [Traefik](/ha-docker-swarm/traefik_public) configured per design +3. DNS entry for the hostname you intend to use, pointed to your [keepalived](ha-docker-swarm/keepalived/) IP + +## Preparation + +### Setup data locations + +We'll need a directory to hold our minio file store, as well as our minio client config, so create a structure at /var/data/minio: + +``` +mkdir /var/data/minio +cd /var/data/minio +mkdir -p {mc,data} +``` + +### Prepare environment + +Create minio.env, and populate with the following variables +``` +MINIO_ACCESS_KEY= +MINIO_SECRET_KEY= +``` + +### Setup Docker Swarm + +Create a docker swarm config file in docker-compose syntax (v3), something like this: + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + + +``` +version: '3.1' + +services: + app: + image: minio/minio + env_file: /var/data/config/minio/minio.env + volumes: + - /var/data/minio/data:/data + networks: + - traefik_public + deploy: + labels: + - traefik.frontend.rule=Host:minio.example.com + - traefik.port=9000 + command: minio server /data + +networks: + traefik_public: + external: true +``` + +## Serving + +### Launch Minio stack + +Launch the Minio stack by running ```docker stack deploy minio -c ``` + +Log into your new instance at https://**YOUR-FQDN**, with the access key and secret key you specified in minio.env. + +If you created ```/var/data/minio```, you'll see nothing. If you referenced existing data, you should see all subdirectories in your existing folder represented as buckets. + +If all you need is single-user access to your data, you're done! 🎉 + +If, however, you want to expose data to multiple users, at different privilege levels, you'll need the minio client to create some users and (_potentially_) policies... + +### Setup minio client + +To administer the Minio server, we need the Minio client. While it's possible to download the minio client and run it locally, it's just as easy to do it within a small (5Mb) container. + +I created an alias on my docker nodes, allowing me to run mc quickly: + +``` +alias mc='docker run -it -v /docker/minio/mc/:/root/.mc/ --network traefik_public minio/mc' +``` + +Now I use the alias to launch the client shell, and connect to my minio instance (_I could also use the external, traefik-provided URL_) + +``` +root@ds1:~# mc config host add minio http://app:9000 admin iambatman +mc: Configuration written to `/root/.mc/config.json`. Please update your access credentials. +mc: Successfully created `/root/.mc/share`. +mc: Initialized share uploads `/root/.mc/share/uploads.json` file. +mc: Initialized share downloads `/root/.mc/share/downloads.json` file. +Added `minio` successfully. +root@ds1:~# +``` + +### Add (readonly) user + +Use mc to add a (readonly or readwrite) user, by running ``` mc admin user add minio ``` + +Example: + +``` +root@ds1:~# mc admin user add minio spiderman peterparker readonly +Added user `spiderman` successfully. +root@ds1:~# +``` + +Confirm by listing your users (_admin is excluded from the list_): + +``` +root@node1:~# mc admin user list minio +enabled spiderman readonly +root@node1:~# +``` + +### Make a bucket accessible to users + +By default, all buckets have no "policies" attached to them, and so can only be accessed by the administrative user. Having created some readonly/read-write users above, you'll be wanting to grant them access to buckets. + +The simplest permission scheme is "on or off". Either a bucket has a policy, or it doesn't. (_I believe you can apply policies to subdirectories of buckets in a more advanced configuration_) + +After **no** policy, the most restrictive policy you can attach to a bucket is "download". This policy will allow authenticated users to download contents from the bucket. Apply the "download" policy to a bucket by running ```mc policy download minio/```, i.e.: + +``` +root@ds1:# mc policy download minio/comics +Access permission for `minio/comics` is set to `download` +root@ds1:# +``` + +### Advanced bucketing + +There are some clever complexities you can achieve with user/bucket policies, including: + +* A public bucket, which requires no authentication to read or even write (_for a public dropbox, for example_) +* A special bucket, hidden from most users, but available to VIP users by application of a custom "[canned policy](https://docs.minio.io/docs/minio-multi-user-quickstart-guide.html)" + +### Mount a minio share remotely + +Having setup your buckets, users, and policies - you can give out your minio external URL, and user access keys to your remote users, and they can S3-mount your buckets, interacting with them based on their user policy (_read-only or read/write_) + +I tested the S3 mount using [goofys](https://github.com/kahing/goofys), "a high-performance, POSIX-ish Amazon S3 file system written in Go". + +First, I created ~/.aws/credentials, as follows: + +``` +[default] +aws_access_key_id=spiderman +aws_secret_access_key=peterparker +``` + +And then I ran (_in the foreground, for debugging_), ```goofys --f -debug_s3 --debug_fuse --endpoint=https://traefik.example.com ``` + +To permanently mount an S3 bucket using goofys, I'd add something like this to /etc/fstab: + +``` +goofys#bucket /mnt/mountpoint fuse _netdev,allow_other,--file-mode=0666 0 0 +``` + +## Chef's Notes 📓 + +1. There are many S3-filesystem-mounting tools available, I just picked Goofys because it's simple. Google is your friend :) +2. Some applications (_like [NextCloud](/recipes/nextcloud/)_) can natively mount S3 buckets +3. Some backup tools (_like [Duplicity](/recipes/duplicity/)_) can backup directly to S3 buckets + diff --git a/manuscript/recipes/mqtt.md b/manuscript/recipes/mqtt.md index 39f200f..d32ba7e 100644 --- a/manuscript/recipes/mqtt.md +++ b/manuscript/recipes/mqtt.md @@ -15,7 +15,7 @@ A workaround to this bug is to run an MQTT broker **external** to the raspberry ![MQTT Screenshot](../images/mqtt.png) -[MQTT](https://mqtt.org/faq) stands for MQ Telemetry Transport. It is a publish/subscribe, extremely simple and lightweight messaging protocol, designed for constrained devices and low-bandwidth, high-latency or unreliable networks. The design principles are to minimise network bandwidth and device resource requirements whilst also attempting to ensure reliability and some degree of assurance of delivery. These principles also turn out to make the protocol ideal of the emerging “machine-to-machine” (M2M) or “Internet of Things” world of connected devices, and for mobile applications where bandwidth and battery power are at a premium. +[MQTT](https://mqtt.org/faq) stands for MQ Telemetry Transport. It is a publish/subscribe, extremely simple and lightweight messaging protocol, designed for constrained devices and low-bandwidth, high-latency or unreliable networks. The design principles are to minimise network bandwidth and device resource requirements whilst also attempting to ensure reliability and some degree of assurance of delivery. These principles also turn out to make the protocol ideal of the emerging machine-to-machine (M2M) or Internet of Things world of connected devices, and for mobile applications where bandwidth and battery power are at a premium. ## Ingredients @@ -204,4 +204,4 @@ mqtt-65f4d96945-bjj44 1/1 Running 0 5m To actually **use** your new MQTT broker, you'll need to connect to any one of your nodes (```kubectl get nodes -o wide```) on port 30883 (_the nodeport service we created earlier_). More info on that, and a loadbalancer design, to follow shortly :) -## Chef's Notes 📓 \ No newline at end of file +## Chef's Notes \ No newline at end of file diff --git a/manuscript/recipes/mqtt.mde b/manuscript/recipes/mqtt.mde new file mode 100644 index 0000000..342647d --- /dev/null +++ b/manuscript/recipes/mqtt.mde @@ -0,0 +1,207 @@ +hero: Kubernetes. The hero we deserve. + +!!! danger "This recipe is a work in progress" + This recipe is **incomplete**, and is featured to align the [patrons](https://www.patreon.com/funkypenguin)'s "premix" repository with the cookbook. "_premix_" is a private git repository available to [all Patreon patrons](https://www.patreon.com/funkypenguin), which includes all the necessary .yml files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```kubectl create -f *.yml``` 👍 + + So... There may be errors and inaccuracies. Jump into [Discord](http://chat.funkypenguin.co.nz) if you're encountering issues 😁 + +# MQTT broker + +I use Elias Kotlyar's [excellent custom firmware](https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks) for Xiaomi DaFang/XiaoFang cameras, enabling RTSP, MQTT, motion tracking, and other features, integrating directly with [Home Assistant](/recipes/homeassistant/). + +There's currently a [mysterious bug](https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/issues/638) though, which prevents TCP communication between Home Assistant and the camera, when MQTT services are enabled on the camera and the mqtt broker runs on the same Raspberry Pi as Home Assistant, using [Hass.io](https://www.home-assistant.io/hassio/). + +A workaround to this bug is to run an MQTT broker **external** to the raspberry pi, which makes the whole problem GoAway(tm). Since an MQTT broker is a single, self-contained container, I've written this recipe as an introduction to our Kubernetes cluster design. + +![MQTT Screenshot](../images/mqtt.png) + +[MQTT](https://mqtt.org/faq) stands for MQ Telemetry Transport. It is a publish/subscribe, extremely simple and lightweight messaging protocol, designed for constrained devices and low-bandwidth, high-latency or unreliable networks. The design principles are to minimise network bandwidth and device resource requirements whilst also attempting to ensure reliability and some degree of assurance of delivery. These principles also turn out to make the protocol ideal of the emerging “machine-to-machine” (M2M) or “Internet of Things” world of connected devices, and for mobile applications where bandwidth and battery power are at a premium. + +## Ingredients + +1. A [Kubernetes cluster](/kubernetes/digital-ocean/) + +## Preparation + +### Create data locations + +Although we could simply bind-mount local volumes to a local Kubuernetes cluster, since we're targetting a cloud-based Kubernetes deployment, we only need a local path to store the YAML files which define the various aspects of our Kubernetes deployment. + +``` +mkdir /var/data/config/mqtt +``` + +### Create namespace + +We use Kubernetes namespaces for service discovery and isolation between our stacks, so create a namespace for the mqtt stack by creating the following .yaml: + +``` +cat < /var/data/mqtt/namespace.yml +apiVersion: v1 +kind: Namespace +metadata: + name: mqtt +EOF +kubectl create -f /var/data/mqtt/namespace.yaml +``` + +### Create persistent volume claim + +Persistent volume claims are a streamlined way to create a persistent volume and assign it to a container in a pod. Create a claim for the certbot data: + +``` +cat < /var/data/mqtt/persistent-volumeclaim.yml +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: mqtt-volumeclaim + namespace: mqtt +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi +EOF +kubectl create -f /var/data/mqtt/mqtt-volumeclaim.yaml +``` + +### Create nodeport service + +I like to expose my services using nodeport (_limited to ports 30000-32767_), and then use an external haproxy load balancer to make these available externally. (_This avoids having to pay per-port changes for a loadbalancer from the cloud provider_) + +``` +cat < /var/data/mqtt/service-nodeport.yml +kind: Service +apiVersion: v1 +metadata: + name: mqtt-nodeport + namespace: mqtt +spec: + selector: + app: mqtt + type: NodePort + ports: + - name: mqtts + port: 8883 + protocol: TCP + nodePort : 30883 +EOF +kubectl create -f /var/data/mqtt/service-nodeport.yml +``` +### Create secrets + +It's not always desirable to have sensitive data stored in your .yml files. Maybe you want to check your config into a git repository, or share it. Using Kubernetes Secrets means that you can create "secrets", and use these in your deployments by name, without exposing their contents. + +``` +echo -n "myapikeyissosecret" > cloudflare-key.secret +echo -n "myemailaddress" > cloudflare-email.secret +echo -n "myemailaddress" > letsencrypt-email.secret + +kubectl create secret -n mqtt generic mqtt-credentials \ + --from-file=cloudflare-key.secret \ + --from-file=cloudflare-email.secret \ + --from-file=letsencrypt-email.secret +``` + +!!! tip "Why use ```echo -n```?" + Because. See [my blog post here](https://www.funkypenguin.co.nz/beware-the-hidden-newlines-in-kubernetes-secrets/) for the pain of hunting invisible newlines, that's why! + +## Serving + +### Create deployment + +Now that we have a volume, a service, and a namespace, we can create a deployment for the mqtt pod. Note below the use of volume mounts, environment variables, as well as the secrets. + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary .yml files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```kubectl create -f *.yml``` 👍 + +``` +cat < /var/data/mqtt/mqtt.yml +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + namespace: mqtt + name: mqtt + labels: + app: mqtt +spec: + replicas: 1 + selector: + matchLabels: + app: mqtt + template: + metadata: + labels: + app: mqtt + spec: + containers: + - image: funkypenguin/mqtt-certbot-dns + imagePullPolicy: Always +# only uncomment these to get the container to run so that we can transfer files into the PV +# command: [ "/bin/sleep" ] +# args: [ "1h" ] + env: + - name: DOMAIN + value: "*.funkypenguin.co.nz" + - name: EMAIL + valueFrom: + secretKeyRef: + name: mqtt-credentials + key: letsencrypt-email.secret + - name: CLOUDFLARE_EMAIL + valueFrom: + secretKeyRef: + name: mqtt-credentials + key: cloudflare-email.secret + - name: CLOUDFLARE_KEY + valueFrom: + secretKeyRef: + name: mqtt-credentials + key: cloudflare-key.secret +# uncomment this to test LetsEncrypt validations +# - name: TESTCERT +# value: "true" + name: mqtt + resources: + requests: + memory: "50Mi" + cpu: "0.1" + volumeMounts: + # We need the LE certs to persist across reboots to avoid getting rate-limited (bad, bad) + - name: mqtt-volumeclaim + mountPath: /etc/letsencrypt + # A configmap for the mosquitto.conf file + - name: mosquitto-conf + mountPath: /mosquitto/conf/mosquitto.conf + subPath: mosquitto.conf + # A configmap for the mosquitto passwd file + - name: mosquitto-passwd + mountPath: /mosquitto/conf/passwd + subPath: passwd + volumes: + - name: mqtt-volumeclaim + persistentVolumeClaim: + claimName: mqtt-volumeclaim + - name: mosquitto-conf + configMap: + name: mosquitto.conf + - name: mosquitto-passwd + configMap: + name: passwd +EOF +kubectl create -f /var/data/mqtt/mqtt.yml +``` + +Check that your deployment is running, with ```kubectl get pods -n mqtt```. After a minute or so, you should see a "Running" pod, as illustrated below: + +``` +[davidy:~/Documents/Personal/Projects/mqtt-k8s] 130 % kubectl get pods -n mqtt +NAME READY STATUS RESTARTS AGE +mqtt-65f4d96945-bjj44 1/1 Running 0 5m +[davidy:~/Documents/Personal/Projects/mqtt-k8s] % +``` + +To actually **use** your new MQTT broker, you'll need to connect to any one of your nodes (```kubectl get nodes -o wide```) on port 30883 (_the nodeport service we created earlier_). More info on that, and a loadbalancer design, to follow shortly :) + +## Chef's Notes 📓 \ No newline at end of file diff --git a/manuscript/recipes/munin.md b/manuscript/recipes/munin.md index 6b89492..d6ac29e 100644 --- a/manuscript/recipes/munin.md +++ b/manuscript/recipes/munin.md @@ -6,7 +6,7 @@ Munin is a networked resource monitoring tool that can help analyze resource tre Using Munin you can easily monitor the performance of your computers, networks, SANs, applications, weather measurements and whatever comes to mind. It makes it easy to determine "what's different today" when a performance problem crops up. It makes it easy to see how you're doing capacity-wise on any resources. -Munin uses the excellent ​RRDTool (written by Tobi Oetiker) and the framework is written in Perl, while plugins may be written in any language. Munin has a master/node architecture in which the master connects to all the nodes at regular intervals and asks them for data. It then stores the data in RRD files, and (if needed) updates the graphs. One of the main goals has been ease of creating new plugins (graphs). +Munin uses the excellent RRDTool (written by Tobi Oetiker) and the framework is written in Perl, while plugins may be written in any language. Munin has a master/node architecture in which the master connects to all the nodes at regular intervals and asks them for data. It then stores the data in RRD files, and (if needed) updates the graphs. One of the main goals has been ease of creating new plugins (graphs). ## Ingredients @@ -134,6 +134,6 @@ Launch the Munin stack by running ```docker stack deploy munin -c ``` + +Log into your new instance at https://**YOUR-FQDN**, with user and password password you specified in munin.env above. + +## Chef's Notes 📓 + +1. If you wanted to expose the Munin UI directly, you could remove the oauth2_proxy from the design, and move the traefik-related labels directly to the munin container. You'd also need to add the traefik_public network to the munin container. \ No newline at end of file diff --git a/manuscript/recipes/nextcloud.md b/manuscript/recipes/nextcloud.md index e97b14c..87c66c9 100644 --- a/manuscript/recipes/nextcloud.md +++ b/manuscript/recipes/nextcloud.md @@ -229,7 +229,7 @@ Note that this .htaccess can be overwritten by NextCloud, and you may have to re [![Common Observatory](../images/common_observatory.png)](https://www.observe.global/) -## Chef's Notes 📓 +## Chef's Notes 1. Since many of my other recipes use PostgreSQL, I'd have preferred to use Postgres over MariaDB, but MariaDB seems to be the [preferred database type](https://github.com/nextcloud/server/issues/5912). 2. I'm [not the first user](https://github.com/nextcloud/docker/issues/528) to stumble across the service discovery bug with reverse proxies. \ No newline at end of file diff --git a/manuscript/recipes/nextcloud.mde b/manuscript/recipes/nextcloud.mde new file mode 100644 index 0000000..1ac712a --- /dev/null +++ b/manuscript/recipes/nextcloud.mde @@ -0,0 +1,235 @@ +hero: Backup all your stuff. Share it. Privately. + +# NextCloud + +!!! important + Ongoing development of this recipe is sponsored by [The Common Observatory](https://www.observe.global/). Thanks guys! + + [![Common Observatory](../images/common_observatory.png)](https://www.observe.global/) + +[NextCloud](https://www.nextcloud.org/) (_a [fork of OwnCloud](https://owncloud.org/blog/owncloud-statement-concerning-the-formation-of-nextcloud-by-frank-karlitschek/), led by original developer Frank Karlitschek_) is a suite of client-server software for creating and using file hosting services. It is functionally similar to Dropbox, although Nextcloud is free and open-source, allowing anyone to install and operate it on a private server. + - https://en.wikipedia.org/wiki/Nextcloud + +![NextCloud Screenshot](../images/nextcloud.png) + +This recipe is based on the official NextCloud docker image, but includes seprate containers ofor the database (_MariaDB_), Redis (_for transactional locking_), Apache Solr (_for full-text searching_), automated database backup, (_you *do* backup the stuff you care about, right?_) and a separate cron container for running NextCloud's 15-min crons. + +## Ingredients + +1. [Docker swarm cluster](/ha-docker-swarm/design/) with [persistent shared storage](/ha-docker-swarm/shared-storage-ceph.md) +2. [Traefik](/ha-docker-swarm/traefik) configured per design +3. DNS entry pointing your NextCloud url (_nextcloud.example.com_) to your [keepalived](ha-docker-swarm/keepalived/) IP + +## Preparation + +### Setup data locations + +We'll need several directories for [static data](/reference/data_layout/#static-data) to bind-mount into our container, so create them in /var/data/nextcloud (_so that they can be [backed up](/recipes/duplicity/)_) + +``` +mkdir /var/data/nextcloud +cd /var/data/nextcloud +mkdir -p {html,apps,config,data,database-dump} +``` + +Now make **more** directories for [runtime data](/reference/data_layout/#runtime-data) (_so that they can be **not** backed-up_): + +``` +mkdir /var/data/runtime/nextcloud +cd /var/data/runtime/nextcloud +mkdir -p {db,redis} +``` + + +### Prepare environment + +Create nextcloud.env, and populate with the following variables +``` +NEXTCLOUD_ADMIN_USER=admin +NEXTCLOUD_ADMIN_PASSWORD=FVuojphozxMVyaYCUWomiP9b +MYSQL_HOST=db + +# For mysql +MYSQL_ROOT_PASSWORD= +MYSQL_DATABASE=nextcloud +MYSQL_USER=nextcloud +MYSQL_PASSWORD=set to something secure> +``` + +Now create a **separate** nextcloud-db-backup.env file, to capture the environment variables necessary to perform the backup. (_If the same variables are shared with the mariadb container, they [cause issues](https://discourse.geek-kitchen.funkypenguin.co.nz/t/nextcloud-funky-penguins-geek-cookbook/254/3?u=funkypenguin) with database access_) + +``` +# For database backup (keep 7 days daily backups) +MYSQL_PWD= +MYSQL_USER=root +BACKUP_NUM_KEEP=7 +BACKUP_FREQUENCY=1d +``` + +### Setup Docker Swarm + +Create a docker swarm config file in docker-compose syntax (v3), something like this: + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + + +``` +version: "3.0" + +services: + nextcloud: + image: nextcloud + env_file: /var/data/config/nextcloud/nextcloud.env + networks: + - internal + - traefik_public + deploy: + labels: + - traefik.frontend.rule=Host:nextcloud.example.com + - traefik.docker.network=traefik_public + - traefik.port=80 + volumes: + - /var/data/nextcloud/html:/var/www/html + - /var/data/nextcloud/apps:/var/www/html/custom_apps + - /var/data/nextcloud/config:/var/www/html/config + - /var/data/nextcloud/data:/var/www/html/data + + db: + image: mariadb:10 + env_file: /var/data/config/nextcloud/nextcloud.env + networks: + - internal + volumes: + - /var/data/runtime/nextcloud/db:/var/lib/mysql + + db-backup: + image: mariadb:10 + env_file: /var/data/config/nextcloud/nextcloud.env + volumes: + - /var/data/nextcloud/database-dump:/dump + - /etc/localtime:/etc/localtime:ro + entrypoint: | + bash -c 'bash -s < /dump/dump_\`date +%d-%m-%Y"_"%H_%M_%S\`.sql.gz + (ls -t /dump/dump*.sql.gz|head -n $$BACKUP_NUM_KEEP;ls /dump/dump*.sql.gz)|sort|uniq -u|xargs rm -- {} + sleep $$BACKUP_FREQUENCY + done + EOF' + networks: + - internal + + redis: + image: redis:alpine + networks: + - internal + volumes: + - /var/data/runtime/nextcloud/redis:/data + + cron: + image: nextcloud + volumes: + - /var/data/nextcloud/:/var/www/html + user: www-data + networks: + - internal + entrypoint: | + bash -c 'bash -s <``` + +Log into your new instance at https://**YOUR-FQDN**, with user "admin" and the password you specified in nextcloud.env. + +### Enable redis + +To make NextCloud [a little snappier](https://docs.nextcloud.com/server/13/admin_manual/configuration_server/caching_configuration.html), edit ```/var/data/nextcloud/config/config.php``` (_now that it's been created on the first container launch_), and add the following: + +``` + 'redis' => array( + 'host' => 'redis', + 'port' => 6379, + ), +``` + +### Use service discovery + +Want to use Calendar/Contacts on your iOS device? Want to avoid dictating long, rambling URL strings to your users, like ```https://nextcloud.batcave.com/remote.php/dav/principals/users/USERNAME/``` ? + +Huzzah! NextCloud supports [service discovery for CalDAV/CardDAV](https://tools.ietf.org/html/rfc6764), allowing you to simply tell your device the primary URL of your server (_**nextcloud.batcave.org**, for example_), and have the device figure out the correct WebDAV path to use. + +We (_and anyone else using the [NextCloud Docker image](https://hub.docker.com/_/nextcloud/)_) are using an SSL-terminating reverse proxy ([Traefik](/ha-docker-swarm/traefik/)) in front of our NextCloud container. In fact, it's not **possible** to setup SSL **within** the NextCloud container. + +When using a reverse proxy, your device requests a URL from your proxy (https://nextcloud.batcave.com/.well-known/caldav), and the reverse proxy then passes that request **unencrypted** to the internal URL of the NextCloud instance (i.e., http://172.16.12.123/.well-known/caldav) + +The Apache webserver on the NextCloud container (_knowing it was spoken to via HTTP_), responds with a 301 redirect to http://nextcloud.batcave.com/remote.php/dav/. See the problem? You requested an **HTTPS** (_encrypted_) url, and in return, you received a redirect to an **HTTP** (_unencrypted_) URL. Any sensible client (_iOS included_) will refuse such schenanigans. + +To correct this, we need to tell NextCloud to always redirect the .well-known URLs to an HTTPS location. This can only be done **after** deploying NextCloud, since it's only on first launch of the container that the .htaccess file is created in the first place. + +To make NextCloud service discovery work with Traefik reverse proxy, edit ```/var/data/nextcloud/html/.htaccess```, and change this: + +``` +RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L] +RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L] +``` + +To this: + +``` +RewriteRule ^\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L] +RewriteRule ^\.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L] +``` + +Then restart your container with ```docker service update nextcloud_nextcloud --force``` to restart apache. + +Your can test for success by running ```curl -i https://nextcloud.batcave.org/.well-known/carddav```. You should get a 301 redirect to your equivalent of https://nextcloud.batcave.org/remote.php/dav/, as below: + +``` +[davidy:~] % curl -i https://nextcloud.batcave.org/.well-known/carddav +HTTP/2 301 +content-type: text/html; charset=iso-8859-1 +date: Wed, 12 Dec 2018 08:30:11 GMT +location: https://nextcloud.batcave.org/remote.php/dav/ +``` + +Note that this .htaccess can be overwritten by NextCloud, and you may have to reapply the change in future. I've created an [issue requesting a permanent fix](https://github.com/nextcloud/docker/issues/577). + +!!! important + Ongoing development of this recipe is sponsored by [The Common Observatory](https://www.observe.global/). Thanks guys! + + [![Common Observatory](../images/common_observatory.png)](https://www.observe.global/) + +## Chef's Notes 📓 + +1. Since many of my other recipes use PostgreSQL, I'd have preferred to use Postgres over MariaDB, but MariaDB seems to be the [preferred database type](https://github.com/nextcloud/server/issues/5912). +2. I'm [not the first user](https://github.com/nextcloud/docker/issues/528) to stumble across the service discovery bug with reverse proxies. \ No newline at end of file diff --git a/manuscript/recipes/openldap.md b/manuscript/recipes/openldap.md index fca03e8..c2ac28d 100644 --- a/manuscript/recipes/openldap.md +++ b/manuscript/recipes/openldap.md @@ -391,7 +391,7 @@ networks: !!! warning **Normally**, we set unique static subnets for every stack you deploy, and put the non-public facing components (like databases) in an dedicated _internal network. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/)reference/networks/) here. - However, you're likely to want to use OpenLdap with KeyCloak, whose JBOSS startup script assumes a single interface, and will crash in a ball of 🔥 if you try to assign multiple interfaces to the container. + However, you're likely to want to use OpenLdap with KeyCloak, whose JBOSS startup script assumes a single interface, and will crash in a ball of if you try to assign multiple interfaces to the container. Since we're going to want KeyCloak to be able to talk to OpenLDAP, we have no choice but to leave the OpenLDAP container on the "traefik_public" network. We can, however, create **another** overlay network (_auth_internal, see below_), add it to the openldap container, and use it to provide OpenLDAP access to our other stacks. @@ -445,6 +445,6 @@ Create your users using the "**New User**" button. [![Common Observatory](../images/common_observatory.png)](https://www.observe.global/) -## Chef's Notes 📓 +## Chef's Notes 1. [The KeyCloak](https://geek-cookbook.funkypenguin.co.nz/)recipes/keycloak/authenticate-against-openldap/) recipe illustrates how to integrate KeyCloak with your LDAP directory, giving you a cleaner interface to manage users, and a raft of SSO / OAuth features. diff --git a/manuscript/recipes/openldap.mde b/manuscript/recipes/openldap.mde new file mode 100644 index 0000000..94f3246 --- /dev/null +++ b/manuscript/recipes/openldap.mde @@ -0,0 +1,450 @@ +# OpenLDAP + +!!! important + Development of this recipe is sponsored by [The Common Observatory](https://www.observe.global/). Thanks guys! + + [![Common Observatory](../images/common_observatory.png)](https://www.observe.global/) + +LDAP is probably the most ubiquitous authentication backend, before the current era of "[stupid social sign-ons](https://www.usatoday.com/story/tech/columnist/2018/10/23/how-separate-your-social-networks-your-regular-sites/1687763002/)". Many of the recipes featured in the cookbook (_[NextCloud](/recipe/nextcloud/), [Kanboard](/recipe/kanboard/), [Gitlab](/recipe/gitlab/), etc_) offer LDAP integration. + +## Big deal, who cares? + +If you're the only user of your tools, it probably doesn't bother you _too_ much to setup new user accounts for every tool. As soon as you start sharing tools with collaborators (_think 10 staff using NextCloud_), you suddenly feel the pain of managing a growing collection of local user accounts per-service. + +Enter OpenLDAP - the most crusty, PITA, fiddly platform to setup (_yes, I'm a little bitter, [dynamic configuration backend](https://linux.die.net/man/5/slapd-config)!_), but hugely useful for one job - a Lightweight Protocol for managing a Directory used for Access (_see what I did [there](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol)?_) + +The nice thing about OpenLDAP is, like MySQL, once you've setup the server, you probably never have to interact directly with it. There are many tools which will let you interact with your LDAP database via a(n ugly) UI. + +This recipe combines the raw power of OpenLDAP with the flexibility and featureset of LDAP Account Manager. + +![OpenLDAP Screenshot](../images/openldap.jpeg) + +## What's the takeaway? + +What you'll end up with is a directory structure which will allow integration with popular tools (_[NextCloud](/recipe/nextcloud/), [Kanboard](/recipe/kanboard/), [Gitlab](/recipe/gitlab/), etc_), as well as with KeyCloak (_an upcoming recipe_), for **true** SSO. + +## Ingredients + +1. [Docker swarm cluster](/ha-docker-swarm/design/) with [persistent shared storage](/ha-docker-swarm/shared-storage-ceph.md) +2. [Traefik](/ha-docker-swarm/traefik_public) configured per design +3. DNS entry for the hostname (_i.e. "lam.your-domain.com"_) you intend to use for LDAP Account Manager, pointed to your [keepalived](ha-docker-swarm/keepalived/) IP + +## Preparation + +### Setup data locations + +We'll need several directories to bind-mount into our container, so create them in /var/data/openldap: + +``` +mkdir /var/data/openldap/openldap +mkdir /var/data/runtime/openldap/ +``` + +!!! note "Why 2 directories?" + For rationale, see my [data layout explanation](/reference/data_layout/) + +### Prepare environment + +Create /var/data/openldap/openldap.env, and populate with the following variables, customized for your own domain structure. Take care with LDAP_DOMAIN, this is core to your directory structure, and can't easily be changed later. + +``` +LDAP_DOMAIN=batcave.gotham +LDAP_ORGANISATION=BatCave Inc +LDAP_ADMIN_PASSWORD=supermansucks +LDAP_TLS=false + +# Use these if you plan to protect the LDAP Account Manager webUI with an oauth_proxy +OAUTH2_PROXY_CLIENT_ID= +OAUTH2_PROXY_CLIENT_SECRET= +OAUTH2_PROXY_COOKIE_SECRET= +``` + +!!! note + I use an [OAuth proxy](/reference/oauth_proxy/) to protect access to the web UI, when the sensitivity of the protected data (i.e. my authentication store) warrants it, or if I don't necessarily trust the security of the webUI. + +Create ```authenticated-emails.txt```, and populate with the email addresses (_matched to GitHub user accounts, in my case_) to which you want grant access, using OAuth2. + +### Create config.cfg + +The Dockerized version of LDAP Account Manager is a little fiddly. In order to maintain a config file which persists across container restarts, we need to present the container with a copy of /var/www/html/config/lam.conf, tweaked for our own requirements. + +Create ```/var/data/openldap/lam/config/config.cfg``` as follows: + +???+ note "Much scroll, very text. Click here to collapse it for better readability" + + ``` + # password to add/delete/rename configuration profiles (default: lam) + password: {SSHA}D6AaX93kPmck9wAxNlq3GF93S7A= R7gkjQ== + + # default profile, without ".conf" + default: batcave + + # log level + logLevel: 4 + + # log destination + logDestination: SYSLOG + + # session timeout in minutes + sessionTimeout: 30 + + # list of hosts which may access LAM + allowedHosts: + + # list of hosts which may access LAM Pro self service + allowedHostsSelfService: + + # encrypt session data + encryptSession: true + + # Password: minimum password length + passwordMinLength: 0 + + # Password: minimum uppercase characters + passwordMinUpper: 0 + + # Password: minimum lowercase characters + passwordMinLower: 0 + + # Password: minimum numeric characters + passwordMinNumeric: 0 + + # Password: minimum symbolic characters + passwordMinSymbol: 0 + + # Password: minimum character classes (0-4) + passwordMinClasses: 0 + + # Password: checked rules + checkedRulesCount: -1 + + # Password: must not contain part of user name + passwordMustNotContain3Chars: false + + # Password: must not contain user name + passwordMustNotContainUser: false + + # Email format (default/unix) + mailEOL: default + + # PHP error reporting (default/system) + errorReporting: default + + # License + license: + ``` + +### Create .cfg + +While config.cfg (_above_) defines application-level configuration, .cfg is used to configure "domain-specific" configuration. You probably only need a single profile, but LAM could theoretically be used to administer several totally unrelated LDAP servers, ergo the concept of "profiles". + +Create yours profile (_you chose a default profile in config.cfg above, remember?_) by creating ```/var/data/openldap/lam/config/.conf```, as follows: + +???+ note "Much scroll, very text. Click here to collapse it for better readability" + + ``` + # LDAP Account Manager configuration + # + # Please do not modify this file manually. The configuration can be done completely by the LAM GUI. + # + ################################################################################################### + + # server address (e.g. ldap://localhost:389 or ldaps://localhost:636) + ServerURL: ldap://openldap:389 + + # list of users who are allowed to use LDAP Account Manager + # names have to be separated by semicolons + # e.g. admins: cn=admin,dc=yourdomain,dc=org;cn=root,dc=yourdomain,dc=org + Admins: cn=admin,dc=batcave,dc=gotham + + # password to change these preferences via webfrontend (default: lam) + Passwd: {SSHA}h39N9+gg/Qf1K/986VkKrjWlkcI= S/IAUQ== + + # suffix of tree view + # e.g. dc=yourdomain,dc=org + treesuffix: dc=batcave,dc=gotham + + # default language (a line from config/language) + defaultLanguage: en_GB.utf8 + + # Path to external Script + scriptPath: + + # Server of external Script + scriptServer: + + # Access rights for home directories + scriptRights: 750 + + # Number of minutes LAM caches LDAP searches. + cachetimeout: 5 + + # LDAP search limit. + searchLimit: 0 + + # Module settings + + modules: posixAccount_user_minUID: 10000 + modules: posixAccount_user_maxUID: 30000 + modules: posixAccount_host_minMachine: 50000 + modules: posixAccount_host_maxMachine: 60000 + modules: posixGroup_group_minGID: 10000 + modules: posixGroup_group_maxGID: 20000 + modules: posixGroup_pwdHash: SSHA + modules: posixAccount_pwdHash: SSHA + + # List of active account types. + activeTypes: user,group + + + types: suffix_user: ou=People,dc=batcave,dc=gotham + types: attr_user: #uid;#givenName;#sn;#uidNumber;#gidNumber + types: modules_user: inetOrgPerson,posixAccount,shadowAccount + + types: suffix_group: ou=Groups,dc=batcave,dc=gotham + types: attr_group: #cn;#gidNumber;#memberUID;#description + types: modules_group: posixGroup + + # Password mail subject + lamProMailSubject: Your password was reset + + # Password mail text + lamProMailText: Dear @@givenName@@ @@sn@@,+::++::+your password was reset to: @@newPassword@@+::++::++::+Best regards+::++::+deskside support+::+ + + + + serverDisplayName: + + + # enable TLS encryption + useTLS: no + + + # follow referrals + followReferrals: false + + + # paged results + pagedResults: false + + referentialIntegrityOverlay: false + + + # time zone + timeZone: Europe/London + + scriptUserName: + + scriptSSHKey: + + scriptSSHKeyPassword: + + + # Access level for this profile. + accessLevel: 100 + + + # Login method. + loginMethod: list + + + # Search suffix for LAM login. + loginSearchSuffix: dc=batcave,dc=gotham + + + # Search filter for LAM login. + loginSearchFilter: uid=%USER% + + + # Bind DN for login search. + loginSearchDN: + + + # Bind password for login search. + loginSearchPassword: + + + # HTTP authentication for LAM login. + httpAuthentication: false + + + # Password mail from + lamProMailFrom: + + + # Password mail reply-to + lamProMailReplyTo: + + + # Password mail is HTML + lamProMailIsHTML: false + + + # Allow alternate address + lamProMailAllowAlternateAddress: true + + jobsBindPassword: + + jobsBindUser: + + jobsDatabase: + + jobsDBHost: + + jobsDBPort: + + jobsDBUser: + + jobsDBPassword: + + jobsDBName: + + jobToken: 190339140545 + + pwdResetAllowSpecificPassword: true + + pwdResetAllowScreenPassword: true + + pwdResetForcePasswordChange: true + + pwdResetDefaultPasswordOutput: 2 + + twoFactorAuthentication: none + + twoFactorAuthenticationURL: https://localhost + + twoFactorAuthenticationInsecure: + + twoFactorAuthenticationLabel: + + twoFactorAuthenticationOptional: + + twoFactorAuthenticationCaption: + tools: tool_hide_toolOUEditor: false + tools: tool_hide_toolProfileEditor: false + tools: tool_hide_toolSchemaBrowser: false + tools: tool_hide_toolServerInformation: false + tools: tool_hide_toolTests: false + tools: tool_hide_toolPDFEditor: false + tools: tool_hide_toolFileUpload: false + tools: tool_hide_toolMultiEdit: false + ``` + +### Setup Docker Swarm + +Create a docker swarm config file in docker-compose syntax (v3), something like this, at (```/var/data/config/openldap/openldap.yml```) + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 +``` +version: '3' + +services: + openldap: + image: osixia/openldap + env_file: /var/data/config/openldap/openldap.env + networks: + - traefik_public + - auth_internal + volumes: + - /var/data/runtime/openldap/:/var/lib/ldap + - /var/data/openldap/openldap/:/etc/ldap/slapd.d + + lam: + image: jacksgt/ldap-account-manager + networks: + - auth_internal + volumes: + - /var/data/openldap/lam/config/config.cfg:/var/www/html/config/config.cfg + - /var/data/openldap/lam/config/batcave.conf:/var/www/html/config/batcave.conf + + lam-proxy: + image: funkypenguin/oauth2_proxy + env_file: /var/data/config/openldap/openldap.env + networks: + - traefik_public + - auth_internal + deploy: + labels: + - traefik.frontend.rule=Host:lam.batcave.com + - traefik.docker.network=traefik_public + - traefik.port=4180 + command: | + -cookie-secure=false + -upstream=http://lam:8080 + -redirect-url=https://lam.batcave.com + -http-address=http://0.0.0.0:4180 + -email-domain=batcave.com + -provider=github + + +networks: + # Used to expose lam-proxy to external access, and openldap to keycloak + traefik_public: + external: true + + # Used to expose openldap to other apps which want to talk to LDAP, including LAM + auth_internal: + external: true +``` + +!!! warning + **Normally**, we set unique static subnets for every stack you deploy, and put the non-public facing components (like databases) in an dedicated _internal network. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](/reference/networks/) here. + + However, you're likely to want to use OpenLdap with KeyCloak, whose JBOSS startup script assumes a single interface, and will crash in a ball of 🔥 if you try to assign multiple interfaces to the container. + + Since we're going to want KeyCloak to be able to talk to OpenLDAP, we have no choice but to leave the OpenLDAP container on the "traefik_public" network. We can, however, create **another** overlay network (_auth_internal, see below_), add it to the openldap container, and use it to provide OpenLDAP access to our other stacks. + +Create **another** stack config file (```/var/data/config/openldap/auth.yml```) containing just the auth_internal network, and a dummy container: + +``` +version: "3.2" + +# What is this? +# +# This stack exists solely to deploy the auth_internal overlay network, so that +# other stacks (including keycloak and openldap) can attach to it + +services: + scratch: + image: scratch + deploy: + replicas: 0 + networks: + - internal + +networks: + internal: + driver: overlay + attachable: true + ipam: + config: + - subnet: 172.16.39.0/24 +``` + + + + +## Serving + +### Launch OpenLDAP stack + +Create the auth_internal overlay network, by running ```docker stack deploy auth -c /var/data/config/openldap/auth.yml```, then launch the OpenLDAP stack by running ```docker stack deploy openldap -c /var/data/config/openldap/openldap.yml``` + +Log into your new LAM instance at https://**YOUR-FQDN**. + +On first login, you'll be prompted to create the "_ou=People_" and "_ou=Group_" elements. Proceed to create these. + +You've now setup your OpenLDAP directory structure, and your administration interface, and hopefully won't have to interact with the "special" LDAP Account Manager interface much again! + +Create your users using the "**New User**" button. + + +!!! important + Development of this recipe is sponsored by [The Common Observatory](https://www.observe.global/). Thanks guys! + + [![Common Observatory](../images/common_observatory.png)](https://www.observe.global/) + +## Chef's Notes 📓 + +1. [The KeyCloak](/recipes/keycloak/authenticate-against-openldap/) recipe illustrates how to integrate KeyCloak with your LDAP directory, giving you a cleaner interface to manage users, and a raft of SSO / OAuth features. diff --git a/manuscript/recipes/owntracks.md b/manuscript/recipes/owntracks.md index 68f132c..3a8f509 100644 --- a/manuscript/recipes/owntracks.md +++ b/manuscript/recipes/owntracks.md @@ -108,7 +108,7 @@ Launch the OwnTracks stack by running ```docker stack deploy owntracks -c ``` + +Log into your new instance at https://**YOUR-FQDN**, with user "root" and the password you specified in gitlab.env. + +## Chef's Notes 📓 + +1. If you wanted to expose the OwnTracks Web UI directly, you could remove the oauth2_proxy from the design, and move the traefik-related labels directly to the wekan container. You'd also need to add the traefik network to the owntracks container. +2. I'm using my own image rather than owntracks/recorderd, because of a [potentially swarm-breaking bug](https://github.com/owntracks/recorderd/issues/14) I found in the official container. If this gets resolved (_or if I was mistaken_) I'll update the recipe accordingly. +3. By default, you'll get a fully accessible, unprotected MQTT broker. This may not be suitable for public exposure, so you'll want to look into securing mosquitto with TLS and ACLs. diff --git a/manuscript/recipes/phpipam.md b/manuscript/recipes/phpipam.md index 10f6be1..1fb1ac9 100644 --- a/manuscript/recipes/phpipam.md +++ b/manuscript/recipes/phpipam.md @@ -205,6 +205,6 @@ Launch the phpIPAM stack by running ```docker stack deploy phpipam -c /dump/dump_\`date +%d-%m-%Y"_"%H_%M_%S\`.sql.gz + (ls -t /dump/dump*.sql.gz|head -n $$BACKUP_NUM_KEEP;ls /dump/dump*.sql.gz)|sort|uniq -u|xargs rm -- {} + sleep $$BACKUP_FREQUENCY + done + EOF' + networks: + - internal + +networks: + traefik_public: + external: true + internal: + driver: overlay + ipam: + config: + - subnet: 172.16.47.0/24 +``` + +!!! note + Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](/reference/networks/) here. + + + +## Serving + +### Launch phpIPAM stack + +Launch the phpIPAM stack by running ```docker stack deploy phpipam -c ``` + +Log into your new instance at https://**YOUR-FQDN**, and follow the on-screen prompts to set your first user/password. + +## Chef's Notes 📓 + +1. If you wanted to expose the phpIPAM UI directly, you could remove the oauth2_proxy and the nginx services from the design, and move the traefik_public-related labels directly to the phpipam container. You'd also need to add the traefik_public network to the phpipam container. \ No newline at end of file diff --git a/manuscript/recipes/piwik.mde b/manuscript/recipes/piwik.mde new file mode 100644 index 0000000..dbda51a --- /dev/null +++ b/manuscript/recipes/piwik.mde @@ -0,0 +1,93 @@ +# Piwik + +[Piwik](http://www.piwik.org) is a rich open-source web analytics platform, which can be coupled with commercial plugins for additional features. It's most simply described as "_self-hosted Google Analytics_". + +![Piwik Screenshot](../images/piwik.png) + +## Ingredients + +1. [Docker swarm cluster](/ha-docker-swarm/design/) with [persistent shared storage](/ha-docker-swarm/shared-storage-ceph.md) +2. [Traefik](/ha-docker-swarm/traefik) configured per design + + +## Preparation + +### Limitation of docker-swarm + +The docker-swarm load-balancer is a problem for deploying piwik, since it rewrites the source address of every incoming packet to whichever docker node received the packet into the swarm. Which is a PITA for analytics, since the original source IP of the request is obscured. + +The issue is tracked at #[25526](https://github.com/moby/moby/issues/25526), and there is a workaround, but it requires running the piwik "app" container on **every** swarm node... + +### Prepare environment + +Create piwik.env, and populate with the following variables + +``` +MYSQL_ROOT_PASSWORD=set-me-and-use-me-when-setting-up-piwik +``` + +### Setup docker swarm + +Create a docker swarm config file in docker-compose syntax (v3), something like this: + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + +``` +version: '3' + +services: + db: + image: mysql + volumes: + - /var/data/piwik/mysql/runtime:/var/lib/mysql + env_file: /var/data/piwik/piwik.env + networks: + - internal + app: + image: piwik:apache + volumes: + - /var/data/piwik/config:/var/www/html/config + networks: + - internal + - traefik + deploy: + mode: global + labels: + - traefik.frontend.rule=Host:piwik.example.com + - traefik.docker.network=traefik + - traefik.port=80 + cron: + image: piwik:apache + volumes: + - /var/data/piwik/config:/var/www/html/config + entrypoint: | + bash -c 'bash -s <``` + +Log into your new instance at https://**YOUR-FQDN**, and follow the wizard to complete the setup. \ No newline at end of file diff --git a/manuscript/recipes/plex.md b/manuscript/recipes/plex.md index 0316a03..00499a4 100644 --- a/manuscript/recipes/plex.md +++ b/manuscript/recipes/plex.md @@ -94,7 +94,7 @@ Launch the Plex stack by running ```docker stack deploy plex -c ``` + +Log into your new instance at https://**YOUR-FQDN** (You'll need to setup a plex.tv login for remote access / discovery to work from certain clients) + +## Chef's Notes 📓 + +1. Plex uses port 32400 for remote access, using your plex.tv user/password to authenticate you. The inclusion of the traefik proxy in this recipe is simply to allow you to use the web client (as opposed to a client app) by connecting directly to your instance, as opposed to browsing your media via https://plex.tv/web +2. Got an NVIDIA GPU? See [this blog post](https://www.funkypenguin.co.nz/note/gpu-transcoding-with-emby-plex-using-docker-nvidia/) re how to use your GPU to transcode your media! \ No newline at end of file diff --git a/manuscript/recipes/portainer.md b/manuscript/recipes/portainer.md index 344e9f7..44d7729 100644 --- a/manuscript/recipes/portainer.md +++ b/manuscript/recipes/portainer.md @@ -64,6 +64,6 @@ Launch the Portainer stack by running ```docker stack deploy portainer -c ``` + +Log into your new instance at https://**YOUR-FQDN**. You'll be prompted to set your admin user/password. + +## Chef's Notes 📓 + +1. I wanted to use oauth2_proxy to provide an additional layer of security for Portainer, but the proxy seems to break the authentication mechanism, effectively making the stack **so** secure, that it can't be logged into! \ No newline at end of file diff --git a/manuscript/recipes/privatebin.md b/manuscript/recipes/privatebin.md index c762258..6028c98 100644 --- a/manuscript/recipes/privatebin.md +++ b/manuscript/recipes/privatebin.md @@ -58,7 +58,7 @@ Launch the PrivateBin stack by running ```docker stack deploy privatebin -c ``` + +Log into your new instance at https://**YOUR-FQDN**, with user "root" and the password you specified in gitlab.env. + +## Chef's Notes 📓 + +1. The [PrivateBin repo](https://github.com/PrivateBin/PrivateBin/blob/master/INSTALL.md) explains how to tweak configuration options, or to use a database instead of file storage, if your volume justifies it :) +2. The inclusion of PrivateBin was due to the efforts of @gkoerk in our [Discord server](http://chat.funkypenguin.co.nz). Thanks Jerry!! diff --git a/manuscript/recipes/realms.md b/manuscript/recipes/realms.md index c2f0b6c..1cc47d9 100644 --- a/manuscript/recipes/realms.md +++ b/manuscript/recipes/realms.md @@ -108,7 +108,7 @@ Launch the Wekan stack by running ```docker stack deploy realms -c ``` + +Log into your new instance at https://**YOUR-FQDN**, authenticate against oauth_proxy, and you're immediately presented with Realms wiki, waiting for a fresh edit ;) + +## Chef's Notes 📓 + +1. If you wanted to expose the Realms UI directly, you could remove the oauth2_proxy from the design, and move the traefik_public-related labels directly to the realms container. You'd also need to add the traefik_public network to the realms container. +2. The inclusion of Realms was due to the efforts of @gkoerk in our [Discord server](http://chat.funkypenguin.co.nz). Thanks gkoerk! \ No newline at end of file diff --git a/manuscript/recipes/swarmprom.md b/manuscript/recipes/swarmprom.md index 35dffab..02ed028 100644 --- a/manuscript/recipes/swarmprom.md +++ b/manuscript/recipes/swarmprom.md @@ -391,6 +391,6 @@ Launch the Swarm stack by running ```docker stack deploy swarmprom -c ``` + +Log into your new grafana instance, check out your beautiful graphs. Move onto drooling over Prometheus, AlertManager, and Unsee. + +## Chef's Notes 📓 + +1. Pay close attention to the ```grafana.env``` config. If you encounter errors about ```basic auth failed```, or failed CSS, it's likely due to misconfiguration of one of the grafana environment variables. \ No newline at end of file diff --git a/manuscript/recipes/template.md b/manuscript/recipes/template.md index 9673906..296e50f 100644 --- a/manuscript/recipes/template.md +++ b/manuscript/recipes/template.md @@ -114,6 +114,6 @@ Launch the Wekan stack by running ```docker stack deploy wekan -c ``` + +Log into your new instance at https://**YOUR-FQDN**, with user "root" and the password you specified in gitlab.env. + +## Chef's Notes 📓 + +1. If you wanted to expose the Wekan UI directly, you could remove the oauth2_proxy from the design, and move the traefik_public-related labels directly to the wekan container. You'd also need to add the traefik_public network to the wekan container. diff --git a/manuscript/recipes/tiny-tiny-rss.md b/manuscript/recipes/tiny-tiny-rss.md index 69a285f..aadf79f 100644 --- a/manuscript/recipes/tiny-tiny-rss.md +++ b/manuscript/recipes/tiny-tiny-rss.md @@ -127,7 +127,7 @@ Launch the TTRSS stack by running ```docker stack deploy ttrss -c /dump/dump_\`date +%d-%m-%Y"_"%H_%M_%S\`.psql + (ls -t /dump/dump*.psql|head -n $$BACKUP_NUM_KEEP;ls /dump/dump*.psql)|sort|uniq -u|xargs rm -- {} + sleep $$BACKUP_FREQUENCY + done + EOF' + networks: + - internal + +networks: + traefik: + external: true + internal: + driver: overlay + ipam: + config: + - subnet: 172.16.5.0/24 +``` + +!!! note + Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](/reference/networks/) here. + + +## Serving + +### Launch TTRSS stack + +Launch the TTRSS stack by running ```docker stack deploy ttrss -c ``` + +Log into your new instance at https://**YOUR-FQDN** - the first user you create will be an administrative user. + + +## Chef's Notes 📓 + +There are several TTRSS containers available on docker hub, none of them "official". I chose [x86dev's container](https://github.com/x86dev/docker-ttrss) for its features - such as my favorite skins and plugins, and the daily automatic updates from the "rolling release" master. Some of the features of the container I use are due to a [PR](https://github.com/x86dev/docker-ttrss/pull/12) I submitted: + +1. Docker swarm looses the docker-compose concept of "dependencies" between containers. In the case of this stack, the application server typically starts up before the database container, which causes the database autoconfiguration scripts to fail, and brings up the app in a broken state. To prevent this, I include "[wait-for](https://github.com/Eficode/wait-for/)", which (combined with "S6_BEHAVIOUR_IF_STAGE2_FAILS=2"), will cause the app container to restart (and attempt to auto-configure itself) until the database is ready. + +2. The upstream git URL [changed recently](https://discourse.tt-rss.org/t/gitlab-is-overbloated-shit-garbage/325/6), but my experience of the new repository is that it's **SO** slow, that the initial "git clone" on setup of the container times out. To work around this, I created [my own repo](https://github.com/funkypenguin/tt-rss.git), cloned upstream, pushed it into my repo, and pointed the container at my own repo with TTRSS_REPO. I don't get the _latest_ code changes, but at least the app container starts up. When upstream git is performing properly, I'll remove TTRSS_REPO to revert back to the "rolling release". + diff --git a/manuscript/recipes/wallabag.md b/manuscript/recipes/wallabag.md index 11d1758..d8254be 100644 --- a/manuscript/recipes/wallabag.md +++ b/manuscript/recipes/wallabag.md @@ -196,7 +196,7 @@ Even with all these elements in place, you still need to enable Redis under Inte ![Wallabag Imports](../images/wallabag_imports.png) -## Chef's Notes 📓 +## Chef's Notes 1. If you wanted to expose the Wallabag UI directly (_required for the iOS/Android apps_), you could remove the oauth2_proxy from the design, and move the traefik-related labels directly to the wallabag container. You'd also need to add the traefik_public network to the wallabag container. I found the iOS app to be unreliable and clunky, so elected to leave my oauth_proxy enabled, and to simply use the webUI on my mobile devices instead. YMMMV. 2. I've not tested the email integration, but you'd need an SMTP server listening on port 25 (_since we can't change the port_) to use it \ No newline at end of file diff --git a/manuscript/recipes/wallabag.mde b/manuscript/recipes/wallabag.mde new file mode 100644 index 0000000..5c604e2 --- /dev/null +++ b/manuscript/recipes/wallabag.mde @@ -0,0 +1,202 @@ +hero: Read-it-later, mate! + +# Wallabag + +Wallabag is a self-hosted webapp which allows you to save URLs to "read later", similar to [Instapaper](https://www.instapaper.com/u) or [Pocket](https://getpocket.com/a/). Like Instapaper (_but **not** Pocket, sadly_), Wallabag allows you to **annotate** any pages you grab for your own reference. + +All saved data (_pages, annotations, images, tags, etc_) are stored on your own server, and can be shared/exported in a variety of formats, including ePub and PDF. + +![Wallabag Screenshot](../images/wallabag.png) + +There are plugins for [Chrome](https://chrome.google.com/webstore/detail/wallabagger/gbmgphmejlcoihgedabhgjdkcahacjlj) and [Firefox](https://addons.mozilla.org/firefox/addon/wallabagger/), as well as apps for [iOS](https://appsto.re/fr/YeqYfb.i), [Android](https://play.google.com/store/apps/details?id=fr.gaulupeau.apps.InThePoche), etc. Wallabag will also integrate nicely with my favorite RSS reader, [Miniflux](https://miniflux.net/) (_for which there is an [existing recipe](/recipes/miniflux)_). + +[Here's a video](https://player.vimeo.com/video/167435064) which shows off the UI a bit more. + +## Ingredients + +1. [Docker swarm cluster](/ha-docker-swarm/design/) with [persistent shared storage](/ha-docker-swarm/shared-storage-ceph.md) +2. [Traefik](/ha-docker-swarm/traefik) configured per design +3. DNS entry for the hostname you intend to use, pointed to your [keepalived](ha-docker-swarm/keepalived/) IP + +## Preparation + +### Setup data locations + +We need a filesystem location to store images that Wallabag downloads from the original sources, to re-display when you read your articles, as well as nightly database dumps (_which you **should [backup](/recipes/duplicity/)**_), so create something like this: + +``` +mkdir -p /var/data/wallabag +cd /var/data/wallabag +mkdir -p {images,db-dump} +``` + +### Prepare environment + +Create wallabag.env, and populate with the following variables. The only variable you **have** to change is SYMFONY__ENV__DOMAIN_NAME - this **must** be the URL that your Wallabag instance will be available at (_else you'll have no CSS_) +``` +# For the DB container +POSTGRES_PASSWORD=wallabag +POSTGRES_USER=wallabag + +# For the wallabag container +SYMFONY__ENV__DATABASE_DRIVER=pdo_pgsql +SYMFONY__ENV__DATABASE_HOST=db +SYMFONY__ENV__DATABASE_PORT=5432 +SYMFONY__ENV__DATABASE_NAME=wallabag +SYMFONY__ENV__DATABASE_USER=wallabag +SYMFONY__ENV__DATABASE_PASSWORD=wallabag +SYMFONY__ENV__DOMAIN_NAME=https://wallabag.example.com +SYMFONY__ENV__DATABASE_DRIVER_CLASS=Wallabag\CoreBundle\Doctrine\DBAL\Driver\CustomPostgreSQLDriver +SYMFONY__ENV__MAILER_HOST=127.0.0.1 +SYMFONY__ENV__MAILER_USER=~ +SYMFONY__ENV__MAILER_PASSWORD=~ +SYMFONY__ENV__FROM_EMAIL=wallabag@example.com +SYMFONY__ENV__FOSUSER_REGISTRATION=false + + +# If you decide to protect wallabag with an oauth_proxy, complete these +OAUTH2_PROXY_CLIENT_ID= +OAUTH2_PROXY_CLIENT_SECRET= +OAUTH2_PROXY_COOKIE_SECRET= +``` + +Now create wallabag-backup.env in the same folder, with the following contents. (_This is necessary to prevent environment variables required for backup from breaking the DB container_) + +``` +# For database backups +PGUSER=wallabag +PGPASSWORD=wallabag +PGHOST=db +BACKUP_NUM_KEEP=7 +BACKUP_FREQUENCY=1d +``` + + +### Setup Docker Swarm + +Create a docker swarm config file in docker-compose syntax (v3), something like this: + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + + +``` +version: '3' +services: + + wallabag: + image: wallabag/wallabag + env_file: /var/data/config/wallabag/wallabag.env + networks: + - internal + volumes: + - /var/data/wallabag/images:/var/www/wallabag/web/assets/images + + wallabag_proxy: + image: a5huynh/oauth2_proxy + env_file: /var/data/config/wallabag/wallabag.env + networks: + - internal + - traefik_public + deploy: + labels: + - traefik.frontend.rule=Host:wallabag.example.com + - traefik.docker.network=traefik_public + - traefik.port=4180 + volumes: + - /var/data/config/wallabag/authenticated-emails.txt:/authenticated-emails.txt + command: | + -cookie-secure=false + -upstream=http://wallabag:80 + -redirect-url=https://wallabag.example.com + -http-address=http://0.0.0.0:4180 + -email-domain=example.com + -provider=github + -authenticated-emails-file=/authenticated-emails.txt + + db: + image: postgres + env_file: /var/data/config/wallabag/wallabag.env + dns_search: + - hq.example.com + volumes: + - /var/data/runtime/wallabag/data:/var/lib/postgresql/data + networks: + - internal + + db-backup: + image: postgres:latest + env_file: /var/data/config/wallabag/wallabag-backup.env + volumes: + - /var/data/wallabag/database-dump:/dump + - /etc/localtime:/etc/localtime:ro + entrypoint: | + bash -c 'bash -s < /dump/dump_\`date +%d-%m-%Y"_"%H_%M_%S\`.psql + (ls -t /dump/dump*.psql|head -n $$BACKUP_NUM_KEEP;ls /dump/dump*.psql)|sort|uniq -u|xargs rm -- {} + sleep $$BACKUP_FREQUENCY + done + EOF' + networks: + - internal + + redis: + image: redis:alpine + networks: + - internal + + import-instapaper: + image: wallabag/wallabag + env_file: /var/data/config/wallabag/wallabag.env + networks: + - internal + command: | + import instapaper + + import-pocket: + image: wallabag/wallabag + env_file: /var/data/config/wallabag/wallabag.env + networks: + - internal + command: | + import pocket + +networks: + traefik_public: + external: true + internal: + driver: overlay + ipam: + config: + - subnet: 172.16.21.0/24 +``` + +!!! note + Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](/reference/networks/) here. + + + +## Serving + +### Launch Wallabag stack + +Launch the Wallabag stack by running ```docker stack deploy wallabag -c ``` + +Log into your new instance at https://**YOUR-FQDN**, with user "wallabag" and default password "wallabag". + +### Enable asynchronous imports + +You'll have noticed redis, plus the pocket/instapaper-importing containers included in the .yml above. Redis is there to allow [asynchronous](https://github.com/wallabag/doc/blob/master/en/admin/asynchronous.md) imports, and pocket and instapaper are there since they're likely the most popular platform you'd _want_ to import from. Other possibilities (_you'll need to adjust the .yml_) are **readability**, **firefox**, **chrome**, and **wallabag_v1** and **wallabag_v2**. + +Even with all these elements in place, you still need to enable Redis under Internal Settings -> Import, via the **admin** user in the webUI. Here's a screenshot to help you find it: + +![Wallabag Imports](../images/wallabag_imports.png) + + +## Chef's Notes 📓 + +1. If you wanted to expose the Wallabag UI directly (_required for the iOS/Android apps_), you could remove the oauth2_proxy from the design, and move the traefik-related labels directly to the wallabag container. You'd also need to add the traefik_public network to the wallabag container. I found the iOS app to be unreliable and clunky, so elected to leave my oauth_proxy enabled, and to simply use the webUI on my mobile devices instead. YMMMV. +2. I've not tested the email integration, but you'd need an SMTP server listening on port 25 (_since we can't change the port_) to use it \ No newline at end of file diff --git a/manuscript/recipes/wekan.md b/manuscript/recipes/wekan.md index 26fc0b6..052ef44 100644 --- a/manuscript/recipes/wekan.md +++ b/manuscript/recipes/wekan.md @@ -140,6 +140,6 @@ Launch the Wekan stack by running ```docker stack deploy wekan -c ``` + +Log into your new instance at https://**YOUR-FQDN**, with user "root" and the password you specified in gitlab.env. + +## Chef's Notes 📓 + +1. If you wanted to expose the Wekan UI directly, you could remove the oauth2_proxy from the design, and move the traefik-related labels directly to the wekan container. You'd also need to add the traefik network to the wekan container. \ No newline at end of file diff --git a/manuscript/recipes/wetty.md b/manuscript/recipes/wetty.md index c4cf98f..a3dc87a 100644 --- a/manuscript/recipes/wetty.md +++ b/manuscript/recipes/wetty.md @@ -1,4 +1,4 @@ -hero: Terminal in a browser, baby! 💻 +hero: Terminal in a browser, baby! # Wetty @@ -98,7 +98,7 @@ Launch the Wetty stack by running ```docker stack deploy wetty -c ``` + +Browse to your new browser-cli-terminal at https://**YOUR-FQDN**. Authenticate with your OAuth provider, and then proceed to login, either to the remote host you specified (_batcomputer.batcave.com, in the example above_), or using user and password "term" to log directly into the Wetty alpine container (_from which you can establish egress SSH_) + +## Chef's Notes 📓 + +1. You could set SSHHOST to the IP of the "docker0" interface on your host, which is normally 172.17.0.1. (_Or run ```/sbin/ip route|awk '/default/ { print $3 }'``` in the container_) This would then provide you the ability to remote-manage your swarm with only web access to Wetty. +2. The inclusion of Wetty was due to the efforts of @gpulido in our [Discord server](http://chat.funkypenguin.co.nz). Thanks Gabriel! diff --git a/manuscript/recipes/workflow.mde b/manuscript/recipes/workflow.mde new file mode 100644 index 0000000..be9af51 --- /dev/null +++ b/manuscript/recipes/workflow.mde @@ -0,0 +1,8 @@ +The workflow for creating a recipe + +1. In my gitlab repo for the cookbook, I create an issue to track the new recipe I want to create +2. From the issue, I create a branch +3. I pull the branch locally, "git pull" followed by "git co " +4. I "git add" my changes, commit, and push the branch +5. I create a merge request in the branch to track merging into produced +6. I set request to merge when pipeline succeeds diff --git a/manuscript/reference/containers.mde b/manuscript/reference/containers.mde new file mode 100644 index 0000000..3c8aafa --- /dev/null +++ b/manuscript/reference/containers.mde @@ -0,0 +1,42 @@ +# Containers + +In the course of creating these recipes, I've often ended up creating containers with my own tweaks or changes. Below is a list of all the containers I've built. All of them are automatic builds, and the Dockerfiles and build logs are publicly available: + +Name | Description | Badges +--|--|-- +[funkypenguin/athena](https://hub.docker.com/r/funkypenguin/athena/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/athena.svg)](https://hub.docker.com/r/funkypenguin/athena/)| Athena cryptocurrency daemon/services |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/athena.svg)](https://hub.docker.com/r/funkypenguin/athena/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/athena.svg)](https://hub.docker.com/r/funkypenguin/athena/) +[funkypenguin/alertmanager-discord](https://hub.docker.com/r/funkypenguin/alertmanager-discord/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/alertmanager-discord.svg)](https://hub.docker.com/r/funkypenguin/alertmanager-discord/)| AlertManager-compatible webhook to send Prometheus alerts to a Discord channel |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/alertmanager-discord.svg)](https://hub.docker.com/r/funkypenguin/alertmanager-discord/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/alertmanager-discord.svg)](https://hub.docker.com/r/funkypenguin/alertmanager-discord/) +[funkypenguin/aeon](https://hub.docker.com/r/funkypenguin/aeon/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/aeon.svg)](https://hub.docker.com/r/funkypenguin/aeon/)| Aeon cryptocurrency daemon/services |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/aeon.svg)](https://hub.docker.com/r/funkypenguin/aeon/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/aeon.svg)](https://hub.docker.com/r/funkypenguin/aeon/) +[funkypenguin/bittube](https://hub.docker.com/r/funkypenguin/bittube/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/bittube.svg)](https://hub.docker.com/r/funkypenguin/bittube/)| BitTube cryptocurrency daemon/services |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/bittube.svg)](https://hub.docker.com/r/funkypenguin/bittube/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/bittube.svg)](https://hub.docker.com/r/funkypenguin/bittube/) +[funkypenguin/cryptonote-nodejs-pool](https://hub.docker.com/r/funkypenguin/cryptonote-nodejs-pool/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/cryptonote-nodejs-pool.svg)](https://hub.docker.com/r/funkypenguin/cryptonote-nodejs-pool/)| nodeJS-based mining pool for cryptonote-based mining pools, supporting advanced features like email/telegram notifications |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/cryptonote-nodejs-pool.svg)](https://hub.docker.com/r/funkypenguin/cryptonote-nodejs-pool/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/cryptonote-nodejs-pool.svg)](https://hub.docker.com/r/funkypenguin/cryptonote-nodejs-pool/) +[funkypenguin/conceal-core](https://hub.docker.com/r/funkypenguin/conceald/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/conceald.svg)](https://hub.docker.com/r/funkypenguin/conceald//)| Conceal cryptocurrency daemon/services |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/conceald.svg)](https://hub.docker.com/r/funkypenguin/conceald/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/conceald.svg)](https://hub.docker.com/r/funkypenguin/conceald/) +[funkypenguin/git-docker](https://hub.docker.com/r/funkypenguin/git-docker/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/git-docker.svg)](https://hub.docker.com/r/funkypenguin/git-docker/)| Git client in a docker container, for use on immutable OS (Atomic) hosts|[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/git-docker.svg)](https://hub.docker.com/r/funkypenguin/git-docker/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/git-docker.svg)](https://hub.docker.com/r/funkypenguin/git-docker/) +[funkypenguin/home-assistant](https://hub.docker.com/r/funkypenguin/home-assistant/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/home-assistant.svg)](https://hub.docker.com/r/funkypenguin/home-assistant//)| home-assistant |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/home-assistant.svg)](https://hub.docker.com/r/funkypenguin/home-assistant/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/home-assistant.svg)](https://hub.docker.com/r/funkypenguin/home-assistant/) +[funkypenguin/htpc-cron](https://hub.docker.com/r/funkypenguin/htpc-cron/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/htpc-cron.svg)](https://hub.docker.com/r/funkypenguin/htpc-cron/)| htpc-cron |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/htpc-cron.svg)](https://hub.docker.com/r/funkypenguin/htpc-cron/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/htpc-cron.svg)](https://hub.docker.com/r/funkypenguin/htpc-cron/) +[funkypenguin/kepl](https://hub.docker.com/r/funkypenguin/kepl/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/kepl.svg)](https://hub.docker.com/r/funkypenguin/kepl/)| KEPL cryptocurrency daemon/services |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/kepl.svg)](https://hub.docker.com/r/funkypenguin/kepl/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/kepl.svg)](https://hub.docker.com/r/funkypenguin/kepl/) +[funkypenguin/koson](https://hub.docker.com/r/funkypenguin/koson/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/koson.svg)](https://hub.docker.com/r/funkypenguin/koson/)| koson |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/koson.svg)](https://hub.docker.com/r/funkypenguin/koson/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/koson.svg)](https://hub.docker.com/r/funkypenguin/koson/) +[funkypenguin/loki](https://hub.docker.com/r/funkypenguin/loki/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/loki.svg)](https://hub.docker.com/r/funkypenguin/loki/)| loki |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/loki.svg)](https://hub.docker.com/r/funkypenguin/loki/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/loki.svg)](https://hub.docker.com/r/funkypenguin/loki/) +[funkypenguin/masari](https://hub.docker.com/r/funkypenguin/masari/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/masari.svg)](https://hub.docker.com/r/funkypenguin/masari//)| Masari cryptocurrency daemon/services |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/masari.svg)](https://hub.docker.com/r/funkypenguin/masari/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/masari.svg)](https://hub.docker.com/r/funkypenguin/masari/) +[funkypenguin/monero](https://hub.docker.com/r/funkypenguin/monero/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/monero.svg)](https://hub.docker.com/r/funkypenguin/monero/)| Monero cryptocurrency daemon/services |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/monero.svg)](https://hub.docker.com/r/funkypenguin/monero/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/monero.svg)](https://hub.docker.com/r/funkypenguin/monero/) +[funkypenguin/monkeytips](https://hub.docker.com/r/funkypenguin/monkeytips/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/monkeytips.svg)](https://hub.docker.com/r/funkypenguin/monkeytips//)| MonkeyTips cryptocurrency daemon/services |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/monkeytips.svg)](https://hub.docker.com/r/funkypenguin/monkeytips/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/monkeytips.svg)](https://hub.docker.com/r/funkypenguin/monkeytips/) +[funkypenguin/minio](https://hub.docker.com/r/funkypenguin/minio/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/minio.svg)](https://hub.docker.com/r/funkypenguin/minio/)| minio |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/minio.svg)](https://hub.docker.com/r/funkypenguin/minio/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/minio.svg)](https://hub.docker.com/r/funkypenguin/minio/) +[funkypenguin/mqtt-certbot-dns](https://hub.docker.com/r/funkypenguin/mqtt-certbot-dns/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/mqtt-certbot-dns.svg)](https://hub.docker.com/r/funkypenguin/mqtt-certbot-dns/)| mqtt-certbot-dns |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/mqtt-certbot-dns.svg)](https://hub.docker.com/r/funkypenguin/mqtt-certbot-dns/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/mqtt-certbot-dns.svg)](https://hub.docker.com/r/funkypenguin/mqtt-certbot-dns/) +[funkypenguin/munin-server](https://hub.docker.com/r/funkypenguin/munin-server/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/munin-server.svg)](https://hub.docker.com/r/funkypenguin/munin-server/)| munin-server |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/munin-server.svg)](https://hub.docker.com/r/funkypenguin/munin-server/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/munin-server.svg)](https://hub.docker.com/r/funkypenguin/munin-server/) +[funkypenguin/munin-node](https://hub.docker.com/r/funkypenguin/munin-node/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/munin-node.svg)](https://hub.docker.com/r/funkypenguin/munin-node/)| munin-node |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/munin-node.svg)](https://hub.docker.com/r/funkypenguin/munin-node/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/munin-node.svg)](https://hub.docker.com/r/funkypenguin/munin-node/) +[funkypenguin/mwlib](https://hub.docker.com/r/funkypenguin/mwlib/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/mwlib.svg)](https://hub.docker.com/r/funkypenguin/mwlib/)| mwlib |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/mwlib.svg)](https://hub.docker.com/r/funkypenguin/mwlib/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/mwlib.svg)](https://hub.docker.com/r/funkypenguin/mwlib/) +[funkypenguin/mqttwarn](https://hub.docker.com/r/funkypenguin/mqttwarn/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/mqttwarn.svg)](https://hub.docker.com/r/funkypenguin/mqttwarn/)| mqttwarn |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/mqttwarn.svg)](https://hub.docker.com/r/funkypenguin/mqttwarn/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/mqttwarn.svg)](https://hub.docker.com/r/funkypenguin/mqttwarn/) +[funkypenguin/nginx-proxy-letsencrypt](https://hub.docker.com/r/funkypenguin/nginx-proxy-letsencrypt/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/nginx-proxy-letsencrypt.svg)](https://hub.docker.com/r/funkypenguin/nginx-proxy-letsencrypt/)| nginx-proxy-letsencrypt |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/nginx-proxy-letsencrypt.svg)](https://hub.docker.com/r/funkypenguin/nginx-proxy-letsencrypt/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/nginx-proxy-letsencrypt.svg)](https://hub.docker.com/r/funkypenguin/nginx-proxy-letsencrypt/) +[funkypenguin/nzbdrone](https://hub.docker.com/r/funkypenguin/nzbdrone/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/nzbdrone.svg)](https://hub.docker.com/r/funkypenguin/nzbdrone/)| nzbdrone |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/nzbdrone.svg)](https://hub.docker.com/r/funkypenguin/nzbdrone/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/nzbdrone.svg)](https://hub.docker.com/r/funkypenguin/nzbdrone/) +[funkypenguin/owntracks](https://hub.docker.com/r/funkypenguin/owntracks/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/owntracks.svg)](https://hub.docker.com/r/funkypenguin/owntracks//)| Owntracks |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/owntracks.svg)](https://hub.docker.com/r/funkypenguin/owntracks/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/owntracks.svg)](https://hub.docker.com/r/funkypenguin/owntracks/) +[funkypenguin/oauth2_proxy](https://hub.docker.com/r/funkypenguin/oauth2_proxy/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/oauth2_proxy.svg)](https://hub.docker.com/r/funkypenguin/oauth2_proxy/)| OAuth2 proxy supporting self-signed upstream certs |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/oauth2_proxy.svg)](https://hub.docker.com/r/funkypenguin/oauth2_proxy/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/oauth2_proxy.svg)](https://hub.docker.com/r/funkypenguin/oauth2_proxy/) +[funkypenguin/plex](https://hub.docker.com/r/funkypenguin/plex/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/plex.svg)](https://hub.docker.com/r/funkypenguin/plex/)| plex |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/plex.svg)](https://hub.docker.com/r/funkypenguin/plex/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/plex.svg)](https://hub.docker.com/r/funkypenguin/plex/) +[funkypenguin/radarrsync](https://hub.docker.com/r/funkypenguin/radarrsync/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/radarrsync.svg)](https://hub.docker.com/r/funkypenguin/radarrsync/)| Python script to sync multiple Radarr instances |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/radarrsync.svg)](https://hub.docker.com/r/funkypenguin/radarrsync/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/radarrsync.svg)](https://hub.docker.com/r/funkypenguin/radarrsync/) +[funkypenguin/ryo-currency](https://hub.docker.com/r/funkypenguin/ryo-currency/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/ryo-currency.svg)](https://hub.docker.com/r/funkypenguin/ryo-currency/)| RYO cryptocurrency daemon/services |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/ryo-currency.svg)](https://hub.docker.com/r/funkypenguin/ryo-currency/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/ryo-currency.svg)](https://hub.docker.com/r/funkypenguin/ryo-currency/) +[funkypenguin/rtorrent](https://hub.docker.com/r/funkypenguin/rtorrent/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/rtorrent.svg)](https://hub.docker.com/r/funkypenguin/rtorrent/)| rtorrent |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/rtorrent.svg)](https://hub.docker.com/r/funkypenguin/rtorrent/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/rtorrent.svg)](https://hub.docker.com/r/funkypenguin/rtorrent/) +[funkypenguin/sabnzbd](https://hub.docker.com/r/funkypenguin/sabnzbd/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/sabnzbd.svg)](https://hub.docker.com/r/funkypenguin/oauth2_proxy/)| sabnzbd |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/sabnzbd.svg)](https://hub.docker.com/r/funkypenguin/sabnzbd/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/sabnzbd.svg)](https://hub.docker.com/r/funkypenguin/sabnzbd/) +[funkypenguin/turtlecoind](https://hub.docker.com/r/funkypenguin/turtlecoind/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/turtlecoind.svg)](https://hub.docker.com/r/funkypenguin/turtlecoind/)| turtlecoin |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/turtlecoind.svg)](https://hub.docker.com/r/funkypenguin/turtlecoind/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/turtlecoind.svg)](https://hub.docker.com/r/funkypenguin/turtlecoind/) +[funkypenguin/temasek](https://hub.docker.com/r/funkypenguin/temasek/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/temasek.svg)](https://hub.docker.com/r/funkypenguin/temasek/)| temasek |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/temasek.svg)](https://hub.docker.com/r/funkypenguin/temasek/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/temasek.svg)](https://hub.docker.com/r/funkypenguin/temasek/) +[funkypenguin/turtle-pool](https://hub.docker.com/r/funkypenguin/turtle-pool/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/turtle-pool.svg)](https://hub.docker.com/r/funkypenguin/turtle-pool//)| turtle-pool |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/turtle-pool.svg)](https://hub.docker.com/r/funkypenguin/turtle-pool/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/turtle-pool.svg)](https://hub.docker.com/r/funkypenguin/turtle-pool/) +[funkypenguin/turtlecoin](https://hub.docker.com/r/funkypenguin/turtlecoin/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/turtlecoin.svg)](https://hub.docker.com/r/funkypenguin/turtlecoin/)| turtlecoin |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/turtlecoin.svg)](https://hub.docker.com/r/funkypenguin/turtlecoin/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/turtlecoin.svg)](https://hub.docker.com/r/funkypenguin/turtlecoin/) +[funkypenguin/x-cash](https://hub.docker.com/r/funkypenguin/x-cash/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/x-cash.svg)](https://hub.docker.com/r/funkypenguin/x-cash/)| X-CASH cryptocurrency daemon/services |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/x-cash.svg)](https://hub.docker.com/r/funkypenguin/x-cash/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/x-cash.svg)](https://hub.docker.com/r/funkypenguin/x-cash/) +[funkypenguin/xmrig-cpu](https://hub.docker.com/r/funkypenguin/xmrig-cpu/)
[![Size](https://images.microbadger.com/badges/image/funkypenguin/xmrig-cpu.svg)](https://hub.docker.com/r/funkypenguin/xmrig-cpu/)| xmrig-cpu |[![Docker Pulls](https://img.shields.io/docker/pulls/funkypenguin/xmrig-cpu.svg)](https://hub.docker.com/r/funkypenguin/xmrig-cpu/)
[![Docker Stars](https://img.shields.io/docker/stars/funkypenguin/xmrig-cpu.svg)](https://hub.docker.com/r/funkypenguin/xmrig-cpu/)| \ No newline at end of file diff --git a/manuscript/reference/data_layout.mde b/manuscript/reference/data_layout.mde new file mode 100644 index 0000000..8439947 --- /dev/null +++ b/manuscript/reference/data_layout.mde @@ -0,0 +1,17 @@ +# Data layout + +The applications deployed in the stack utilize a combination of data-at-rest (_static config, files, etc_) and runtime data (_live database files_). The realtime data can't be [backed up](/recipes/duplicity) with a simple copy-paste, so where we employ databases, we also include containers to perform a regular export of database data to a filesystem location. + +So that we can confidently backup all our data, I've setup a data layout as follows: + +## Configuration data + +Configuration data goes into /var/data/config/[recipe name], and is typically only a docker-compose .yml, and a .env file + +## Runtime data + +Realtime data (typically database files or files-in-use) are stored in /var/data/realtime/[recipe-name], and are **excluded** from backup (_They change constantly, and cannot be safely restored_). + +## Static data + +Static data goes into /var/data/[recipe name], and includes anything that can be safely backed up while a container is running. This includes database exports of the runtime data above. \ No newline at end of file diff --git a/manuscript/reference/git-docker.mde b/manuscript/reference/git-docker.mde new file mode 100644 index 0000000..7e662fa --- /dev/null +++ b/manuscript/reference/git-docker.mde @@ -0,0 +1,52 @@ +# Introduction + +Our HA platform design relies on Atomic OS, which only contains bare minimum elements to run containers. + +So how can we use git on this system, to push/pull the changes we make to config files? With a container, of course! + +## git-docker + +I [made a simple container](https://github.com/funkypenguin/git-docker/blob/master/Dockerfile) which just basically executes git in the CWD: + +To use it transparently, add an alias for the "git" command, or just download it with the rest of the [handy aliases](https://raw.githubusercontent.com/funkypenguin/geek-cookbook/master/examples/scripts/gcb-aliases.sh): + +``` +alias git='docker run -v $PWD:/var/data -v \ +/var/data/git-docker/data/.ssh:/root/.ssh funkypenguin/git-docker git' +``` + +## Setup SSH key + +If you plan to actually _push_ using git, you'll need to setup an SSH keypair. You _could_ copy across whatever keypair you currently use, but it's probably more appropriate to generate a specific keypair for this purpose. + +Generate your new SSH keypair by running: + +``` +mkdir -p /var/data/git-docker/data/.ssh +chmod 600 /var/data/git-docker/data/.ssh +docker run -v /var/data/git-docker/data/.ssh:/root/.ssh funkypenguin/git-docker ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 +``` + +The output will look something like this: +``` +Generating public/private ed25519 key pair. +Enter passphrase (empty for no passphrase): Enter same passphrase again: Created directory '/root/.ssh'. +Your identification has been saved in /root/.ssh/id_ed25519. +Your public key has been saved in /root/.ssh/id_ed25519.pub. +The key fingerprint is: +SHA256:uZtriS7ypx7Q4kr+w++nHhHpcRfpf5MhxP3Wpx3H3hk root@a230749d8d8a +The key's randomart image is: ++--[ED25519 256]--+ +| .o . | +| . ..o . | +| + .... ...| +| .. + .o . . E=| +| o .o S . . ++B| +| . o . . . +..+| +| .o .. ... . . | +|o..o..+.oo | +|...=OX+.+. | ++----[SHA256]-----+ +``` + +Now add the contents of /var/data/git-docker/data/.ssh/id_ed25519.pub to your git account, and off you go - just run "git" from your Atomic host as usual, and pretend that you have the client installed! \ No newline at end of file diff --git a/manuscript/reference/infrastructure.md b/manuscript/reference/infrastructure.md index 9d2e105..f12c0df 100644 --- a/manuscript/reference/infrastructure.md +++ b/manuscript/reference/infrastructure.md @@ -115,8 +115,8 @@ I had to add compute admin, service admin, and kubernetes engine admin to my org gsutil mb -p ${TF_ADMIN} gs://${TF_ADMIN} Creating gs://funkypenguin-terraform-admin/... -[davidy:~/Documents … remix/kubernetes/terraform] master(+1/-0)* ± -[davidy:~/Documents … remix/kubernetes/terraform] master(+1/-0)* ± cat > backend.tf < backend.tf < terraform { heredoc> backend "gcs" { heredoc> bucket = "${TF_ADMIN}" @@ -125,9 +125,9 @@ heredoc> project = "${TF_ADMIN}" heredoc> } heredoc> } heredoc> EOF -[davidy:~/Documents … remix/kubernetes/terraform] master(+1/-0)* ± gsutil versioning set on gs://${TF_ADMIN} +[davidy:~/Documents remix/kubernetes/terraform] master(+1/-0)* gsutil versioning set on gs://${TF_ADMIN} Enabling versioning for gs://funkypenguin-terraform-admin/... -[davidy:~/Documents … remix/kubernetes/terraform] master(+1/-0)* ± export GOOGLE_APPLICATION_CREDENTIALS=${TF_CREDS} +[davidy:~/Documents remix/kubernetes/terraform] master(+1/-0)* export GOOGLE_APPLICATION_CREDENTIALS=${TF_CREDS} export GOOGLE_PROJECT=${TF_ADMIN} diff --git a/manuscript/reference/infrastructure.mde b/manuscript/reference/infrastructure.mde new file mode 100644 index 0000000..9d2e105 --- /dev/null +++ b/manuscript/reference/infrastructure.mde @@ -0,0 +1,192 @@ +## Terraform + +We _could_ describe the manual gcloud/ssh steps required to deploy a Kubernetes cluster to Google Kubernetes Engine, but using Terraform allows us to abstract ourself from the provider, and focus on just the infrastructure we need built. + +The terraform config we produce is theoretically reusabel across AWS, Azure, OpenStack, as well as GCE. + +Install terraform locally - on OSX, I used ```brew install terraform``` + +Confirm it's correctly installed by running ```terraform -v```. My output looks like this: + +``` +[davidy:~] % terraform -v +Terraform v0.11.8 + +[davidy:~] % +``` + +## Google Cloud SDK + +I can't remember how I installed gcloud, but I don't think I used homebrew. Run ```curl https://sdk.cloud.google.com | bash``` for a standard install, followed by ```gcloud init``` for the first-time setup. + +This works: + +``` +cat <<-"BREWFILE" > Brewfile +cask 'google-cloud-sdk' +brew 'kubectl' +brew 'terraform' +BREWFILE +brew bundle --verbose +``` + + +### Prepare for terraform + +I followed [this guide](https://cloud.google.com/community/tutorials/managing-gcp-projects-with-terraform) to setup the following in the "best" way: + +Run ```gcloud beta billing accounts list``` to get your billing account + +``` + +export TF_ADMIN=tf-admin-funkypenguin +export TF_CREDS=serviceaccount.json +export TF_VAR_org_id=250566349101 +export TF_VAR_billing_account=0156AE-7AE048-1DA888 +export TF_VAR_region=australia-southeast1 +export GOOGLE_APPLICATION_CREDENTIALS=${TF_CREDS} + +gcloud projects create ${TF_ADMIN} --set-as-default +gcloud beta billing projects link ${TF_ADMIN} \ + --billing-account ${TF_VAR_billing_account} + + gcloud iam service-accounts create terraform \ + --display-name "Terraform admin account" + Created service account [terraform]. + + gcloud iam service-accounts keys create ${TF_CREDS} \ + --iam-account terraform@${TF_ADMIN}.iam.gserviceaccount.com + created key [c0a49832c94aa0e23278165e2d316ee3d5bad438] of type [json] as [serviceaccount.json] for [terraform@funkypenguin-terraform-admin.iam.gserviceaccount.com] + + gcloud projects add-iam-policy-binding ${TF_ADMIN} \ + > --member serviceAccount:terraform@${TF_ADMIN}.iam.gserviceaccount.com \ + > --role roles/viewer + bindings: + - members: + - user:googlecloud2018@funkypenguin.co.nz + role: roles/owner + - members: + - serviceAccount:terraform@funkypenguin-terraform-admin.iam.gserviceaccount.com + role: roles/viewer + etag: BwV0VGSzYSU= + version: 1gcloud projects add-iam-policy-binding ${TF_ADMIN} \ +> --member serviceAccount:terraform@${TF_ADMIN}.iam.gserviceaccount.com \ +> --role roles/viewer +bindings: +- members: + - user:googlecloud2018@funkypenguin.co.nz + role: roles/owner +- members: + - serviceAccount:terraform@funkypenguin-terraform-admin.iam.gserviceaccount.com + role: roles/viewer +etag: BwV0VGSzYSU= +version: 1 + +gcloud projects add-iam-policy-binding ${TF_ADMIN} \ +> --member serviceAccount:terraform@${TF_ADMIN}.iam.gserviceaccount.com \ +> --role roles/storage.admin +bindings: +- members: + - user:googlecloud2018@funkypenguin.co.nz + role: roles/owner +- members: + - serviceAccount:terraform@funkypenguin-terraform-admin.iam.gserviceaccount.com + role: roles/storage.admin +- members: + - serviceAccount:terraform@funkypenguin-terraform-admin.iam.gserviceaccount.com + role: roles/viewer +etag: BwV0VGZwXfM= +version: 1 + + +gcloud services enable cloudresourcemanager.googleapis.com +gcloud services enable cloudbilling.googleapis.com +gcloud services enable iam.googleapis.com +gcloud services enable compute.googleapis.com + +## FIXME +Enabled Kubernetes Engine API in the tf-admin project, so that terraform can actually compute versions of the engine available + +## FIXME + +I had to add compute admin, service admin, and kubernetes engine admin to my org-level account, in order to use gcloud get-cluster-credentilals + + + +gsutil mb -p ${TF_ADMIN} gs://${TF_ADMIN} +Creating gs://funkypenguin-terraform-admin/... +[davidy:~/Documents … remix/kubernetes/terraform] master(+1/-0)* ± +[davidy:~/Documents … remix/kubernetes/terraform] master(+1/-0)* ± cat > backend.tf < terraform { +heredoc> backend "gcs" { +heredoc> bucket = "${TF_ADMIN}" +heredoc> path = "/terraform.tfstate" +heredoc> project = "${TF_ADMIN}" +heredoc> } +heredoc> } +heredoc> EOF +[davidy:~/Documents … remix/kubernetes/terraform] master(+1/-0)* ± gsutil versioning set on gs://${TF_ADMIN} +Enabling versioning for gs://funkypenguin-terraform-admin/... +[davidy:~/Documents … remix/kubernetes/terraform] master(+1/-0)* ± export GOOGLE_APPLICATION_CREDENTIALS=${TF_CREDS} +export GOOGLE_PROJECT=${TF_ADMIN} + + +``` + +### Create Service Account + +Since it's probably not a great idea to associate your own, master Google Cloud account with your automation process (after all, you can't easily revoke your own credentials if they leak), create a Service Account for terraform under GCE, and grant it the "Compute Admin" role. + +Download the resulting JSON, and save it wherever you're saving your code. Remember to protect this .json file like a password, so add it to .gitignore if you're checking your code into git (_and if you're not checking your code into git, what's wrong with you, just do it now!_) + +### Setup provider.tf + +I setup my provider like this, noting that the project name (which must already be created) came from the output of ```gloud projects list```, and region/zone came from https://cloud.google.com/compute/docs/regions-zones/ + +``` +# Specify the provider (GCP, AWS, Azure) +provider "google" { +credentials = "${file("serviceaccount.json")}" +project = "funkypenguin-mining-pools" +region = "australia-southeast1" +} +``` + +### Setup compute.tf + +Just playing, I setup this: + +``` +# Create a new instance +resource "google_compute_instance" "ubuntu-xenial" { + name = "ubuntu-xenial" + machine_type = "f1-micro" + zone = "us-west1-a" + boot_disk { + initialize_params { + image = "ubuntu-1604-lts" + } +} +network_interface { + network = "default" + access_config {} +} +service_account { + scopes = ["userinfo-email", "compute-ro", "storage-ro"] + } +} +``` + +### Initialize and plan (it's free) + +Run ```terraform init``` to initialize Terraform + +Then run ```terrafor plan``` to check that the plan looks good. + +### Apply (not necessarily free) + +Once your plan (above) is good, run ```terraform apply``` to put it into motion. This is the point where you may start incurring costs. + +### Setup kubectl + +gcloud container clusters get-credentials $(terraform output cluster_name) --zone $(terraform output cluster_zone) --project $(terraform output project_id) diff --git a/manuscript/reference/networks.mde b/manuscript/reference/networks.mde new file mode 100644 index 0000000..6719711 --- /dev/null +++ b/manuscript/reference/networks.mde @@ -0,0 +1,56 @@ +# Networks + +In order to avoid IP addressing conflicts as we bring swarm networks up/down, we will statically address each docker overlay network, and record the details below: + +Network | Range +--|-- +[Traefik](https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/traefik/) | _unspecified_ +[Docker-cleanup](https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/docker-swarm-mode/#setup-automated-cleanup) | 172.16.0.0/24 +[Mail Server](https://geek-cookbook.funkypenguin.co.nz/recipes/mail/) | 172.16.1.0/24 +[Gitlab](https://geek-cookbook.funkypenguin.co.nz/recipes/gitlab/) | 172.16.2.0/24 +[Wekan](https://geek-cookbook.funkypenguin.co.nz/recipes/wekan/) | 172.16.3.0/24 +[Piwik](https://geek-cookbook.funkypenguin.co.nz/recipes/piwik/) | 172.16.4.0/24 +[Tiny Tiny RSS](https://geek-cookbook.funkypenguin.co.nz/recipes/tiny-tiny-rss/) | 172.16.5.0/24 +[Huginn](https://geek-cookbook.funkypenguin.co.nz/recipes/huginn/) | 172.16.6.0/24 +[Unifi](https://geek-cookbook.funkypenguin.co.nz/recipes/unifi/) | 172.16.7.0/24 +[Kanboard](https://geek-cookbook.funkypenguin.co.nz/recipes/kanboard/) | 172.16.8.0/24 +[Gollum](https://geek-cookbook.funkypenguin.co.nz/recipes/gollum/) | 172.16.9.0/24 +[Duplicity](https://geek-cookbook.funkypenguin.co.nz/recipes/duplicity/) | 172.16.10.0/24 +[Autopirate](https://geek-cookbook.funkypenguin.co.nz/recipes/autopirate/) | 172.16.11.0/24 +[Nextcloud](https://geek-cookbook.funkypenguin.co.nz/recipes/nextcloud/) | 172.16.12.0/24 +[Portainer](https://geek-cookbook.funkypenguin.co.nz/recipes/portainer/) | 172.16.13.0/24 +[Home-Assistant](https://geek-cookbook.funkypenguin.co.nz/recipes/home-assistant/) | 172.16.14.0/24 +[OwnTracks](https://geek-cookbook.funkypenguin.co.nz/recipes/owntracks/) | 172.16.15.0/24 +[Plex](https://geek-cookbook.funkypenguin.co.nz/recipes/plex/) | 172.16.16.0/24 +[Emby](https://geek-cookbook.funkypenguin.co.nz/recipes/emby/) | 172.16.17.0/24 +[Calibre-Web](https://geek-cookbook.funkypenguin.co.nz/recipes/calibre-web/) | 172.16.18.0/24 +[Wallabag](https://geek-cookbook.funkypenguin.co.nz/recipes/wallabag/) | 172.16.19.0/24 +[InstaPy](https://geek-cookbook.funkypenguin.co.nz/recipes/instapy/) | 172.16.20.0/24 +[Turtle Pool](https://geek-cookbook.funkypenguin.co.nz/recipes/turtle-pool/) | 172.16.21.0/24 +[MiniFlux](https://geek-cookbook.funkypenguin.co.nz/recipes/miniflux/) | 172.16.22.0/24 +[Gitlab Runner](https://geek-cookbook.funkypenguin.co.nz/recipes/gitlab-runner/) | 172.16.23.0/24 +[Munin](https://geek-cookbook.funkypenguin.co.nz/recipes/munin/) | 172.16.24.0/24 +[Masari Mining Pool](https://geek-cookbook.funkypenguin.co.nz/recipes/cryptonote-mining-pool/masari/) | 172.16.25.0/24 +[Athena Mining Pool](https://geek-cookbook.funkypenguin.co.nz/recipes/cryptonote-mining-pool/athena/) | 172.16.26.0/24 +[Bookstack](https://geek-cookbook.funkypenguin.co.nz/recipes/bookstack/) | 172.16.33.0/24 +[Swarmprom](https://geek-cookbook.funkypenguin.co.nz/recipes/swarmprom/) | 172.16.34.0/24 +[Realms](https://geek-cookbook.funkypenguin.co.nz/recipes/realms/) | 172.16.35.0/24 +[ElkarBackup](https://geek-cookbook.funkypenguin.co.nz/recipes/elkarbackp/) | 172.16.36.0/24 +[Mayan EDMS](https://geek-cookbook.funkypenguin.co.nz/recipes/realms/) | 172.16.37.0/24 +[Shaarli](https://geek-cookbook.funkypenguin.co.nz/recipes/shaarli/) | 172.16.38.0/24 +[OpenLDAP](https://geek-cookbook.funkypenguin.co.nz/recipes/openldap/) | 172.16.39.0/24 +[MatterMost](https://geek-cookbook.funkypenguin.co.nz/recipes/mattermost/) | 172.16.40.0/24 +[PrivateBin](https://geek-cookbook.funkypenguin.co.nz/recipes/privatebin/) | 172.16.41.0/24 +[Mayan EDMS](https://geek-cookbook.funkypenguin.co.nz/recipes/mayan-edms/) | 172.16.42.0/24 +[Hack MD](https://geek-cookbook.funkypenguin.co.nz/recipes/hackmd/) | 172.16.43.0/24 +[FlightAirMap](https://geek-cookbook.funkypenguin.co.nz/recipes/flightairmap/) |172.16.44.0/24 +[Wetty](https://geek-cookbook.funkypenguin.co.nz/recipes/wetty/) | 172.16.45.0/24 +[FileBrowser](https://geek-cookbook.funkypenguin.co.nz/recipes/filebrowser/) | 172.16.46.0/24 +[phpIPAM](https://geek-cookbook.funkypenguin.co.nz/recipes/phpipam/) | 172.16.47.0/24 +[Dozzle](https://geek-cookbook.funkypenguin.co.nz/recipes/dozzle/) | 172.16.48.0/24 +[KeyCloak](https://geek-cookbook.funkypenguin.co.nz/recipes/keycloak/) | 172.16.49.0/24 +[Sensu](https://geek-cookbook.funkypenguin.co.nz/recipes/sensu/) | 172.16.50.0/24 +[Magento](https://geek-cookbook.funkypenguin.co.nz/recipes/magento/) | 172.16.51.0/24 +[Graylog](https://geek-cookbook.funkypenguin.co.nz/recipes/graylog/) | 172.16.52.0/24 +[Harbor](https://geek-cookbook.funkypenguin.co.nz/recipes/graylog/) | 172.16.53.0/24 +[Harbor-Clair](https://geek-cookbook.funkypenguin.co.nz/recipes/graylog/) | 172.16.54.0/24 \ No newline at end of file diff --git a/manuscript/reference/oauth_proxy.mde b/manuscript/reference/oauth_proxy.mde new file mode 100644 index 0000000..149085c --- /dev/null +++ b/manuscript/reference/oauth_proxy.mde @@ -0,0 +1,79 @@ +# OAuth proxy + +Some of the platforms we use on our swarm may have strong, proven security to prevent abuse. Techniques such as rate-limiting (to defeat brute force attacks) or even support 2-factor authentication (tiny-tiny-rss or Wallabag support this). + +Other platforms may provide **no authentication** (Traefik's web UI for example), or minimal, un-proven UI authentication which may have been added as an afterthought. + +Still platforms may hold such sensitive data (i.e., NextCloud), that we'll feel more secure by putting an additional authentication layer in front of them. + +This is the role of the OAuth proxy. + +## How does it work? + +**Normally**, Traefik proxies web requests directly to individual web apps running in containers. The user talks directly to the webapp, and the webapp is responsible for ensuring appropriate authentication. + +When employing the **OAuth proxy** , the proxy sits in the middle of this transaction - traefik sends the web client to the OAuth proxy, the proxy authenticates the user against a 3rd-party source (_GitHub, Google, etc_), and then passes authenticated requests on to the web app in the container. + +Illustrated below: +![OAuth proxy](/images/oauth_proxy.png) + +The advantage under this design is additional security. If I'm deploying a web app which I expect only myself to require access to, I'll put the oauth_proxy in front of it. The overhead is negligible, and the additional layer of security is well-worth it. + +## Ingredients + +## Preparation + +### OAuth provider + +OAuth Proxy currently supports the following OAuth providers: + +* Google (default) +* Azure +* Facebook +* GitHub +* GitLab +* LinkedIn +* MyUSA + +Follow the [instructions](https://github.com/bitly/oauth2_proxy) to setup your oauth provider. You need to setup a unique key/secret for **each** instance of the proxy you want to run, since in each case the callback URL will differ. + +### Authorized emails file + +There are a variety of options with oauth_proxy re which email addresses (authenticated against your oauth provider) should be permitted access. You can permit access based on email domain (*@gmail.com), individual email address (batman@gmail.com), or based on provider-specific groups (_i.e., a GitHub organization_) + +The most restrictive configuration allows access on a per-email address basis, which is illustrated below: + +I created **/var/data/oauth_proxy/authenticated-emails.txt**, and add my own email address to the first line. + +### Configure stack + +You'll need to define a service for the oauth_proxy in every stack which you want to protect. Here's an example from the [Wekan](/recipes/wekan/) recipe: + +``` +proxy: + image: a5huynh/oauth2_proxy + env_file : /var/data/wekan/wekan.env + networks: + - traefik + - internal + deploy: + labels: + - traefik.frontend.rule=Host:wekan.funkypenguin.co.nz + - traefik.docker.network=traefik + - traefik.port=4180 + volumes: + - /var/data/oauth_proxy/authenticated-emails.txt:/authenticated-emails.txt + command: | + -cookie-secure=false + -upstream=http://wekan:80 + -redirect-url=https://wekan.funkypenguin.co.nz + -http-address=http://0.0.0.0:4180 + -email-domain=funkypenguin.co.nz + -provider=github + -authenticated-emails-file=/authenticated-emails.txt +``` + +Note above how: +* Labels are required to tell Traefik to forward the traffic to the proxy, rather than the backend container running the app +* An environment file is defined, but.. +* The redirect URL must still be passed to the oauth_proxy in the command argument \ No newline at end of file diff --git a/manuscript/reference/openvpn.mde b/manuscript/reference/openvpn.mde new file mode 100644 index 0000000..8094bcd --- /dev/null +++ b/manuscript/reference/openvpn.mde @@ -0,0 +1,58 @@ +# OpenVPN + +Sometimes you need an OpenVPN tunnel between your docker hosts and some other environment. I needed this to provide connectivity between swarm-deployed services like Home Assistant, and my IOT devices within my home LAN. + +OpenVPN is one application which doesn't really work in a swarm-type deployment, since each host will typically require a unique certificate/key to connect to the VPN anyway. + +In my case, I needed each docker node to connect via [OpenVPN](http://www.openvpn.org) back to a [pfsense](http://www.pfsense.org) instance, but there were a few gotchas related to OpenVPN at CentOS Atomic which I needed to address first. + +## SELinux for OpenVPN + +Yes, SELinux. Install a custom policy permitting a docker container to create tun interfaces, like this: + +``` +cat << EOF > docker-openvpn.te +module docker-openvpn 1.0; + +require { + type svirt_lxc_net_t; + class tun_socket create; +} + +#============= svirt_lxc_net_t ============== +allow svirt_lxc_net_t self:tun_socket create; + +EOF + +checkmodule -M -m -o docker-openvpn.mod docker-openvpn.te +semodule_package -o docker-openvpn.pp -m docker-openvpn.mod +semodule -i docker-openvpn.pp +``` + +## Insert the tun module + +Even with the SELinux policy above, I still need to insert the "tun" module into the running kernel at the host-level, before a docker container can use it to create a tun interface. + +Run the following to auto-insert the tun module on boot: + +``` +cat << EOF >> /etc/rc.d/rc.local +# Insert the "tun" module so that the vpn-client container can access /dev/net/tun +/sbin/modprobe tun +EOF +chmod 755 /etc/rc.d/rc.local +``` + +## Connect the VPN + +Finally, for each node, I exported client credentials, and SCP'd them over to the docker node, into /root/my-vpn-configs-here/. I also had to use the NET_ADMIN cap-add parameter, as illustrated below: + +``` +docker run -d --name vpn-client \ + --restart=always --cap-add=NET_ADMIN --net=host \ + --device /dev/net/tun \ + -v /root/my-vpn-configs-here:/vpn:z \ + ekristen/openvpn-client --config /vpn/my-host-config.ovpn +``` + +Now every time my node boots, it establishes a VPN tunnel back to my pfsense host and (_by using custom configuration directives in OpenVPN_) is assigned a static VPN IP. \ No newline at end of file diff --git a/manuscript/reference/troubleshooting.mde b/manuscript/reference/troubleshooting.mde new file mode 100644 index 0000000..2830da9 --- /dev/null +++ b/manuscript/reference/troubleshooting.mde @@ -0,0 +1,26 @@ +# Troubleshooting + +Having difficulty with a recipe? Here are some tips.. + +## Why is my stack not launching? + +Run ```docker stack ps --no-trunc``` for more details on why individual containers failed to launching + +## Attaching to running container + +Need to debug **why** your oauth2_proxy container can't talk to its upstream app? Start by identifying which node the proxy container is running on, using ```docker ps ```. + +SSH to the host node, and attach to the container using ```docker exec -it /bin/bash``` (_substitute ```/bin/ash``` for ```/bin/bash```, in the case of an Alpine container_), and then try to telnet to your upstream host. + +## Watching logs of container + +Need to see what a particular container is doing? Run ```docker service logs -f _``` to watch a particular service. As the service dies and is recreated, the logs will continue to be displayed. + +## Visually monitoring containers with ctop + +For a visual "top-like" display of your container's activity (_as well as a [detailed per-container view](https://github.com/bcicen/ctop/blob/master/_docs/single.md)_), try using [ctop](https://github.com/bcicen/ctop). + +To execute, simply run `docker run --rm -ti --name ctop -v /var/run/docker.sock:/var/run/docker.sock quay.io/vektorlab/ctop:latest` + +Example: +![](https://github.com/bcicen/ctop/raw/master/_docs/img/grid.gif) \ No newline at end of file diff --git a/manuscript/sections/README.mde b/manuscript/sections/README.mde new file mode 100644 index 0000000..c9efe0d --- /dev/null +++ b/manuscript/sections/README.mde @@ -0,0 +1 @@ +This directory exists to allow me to pull in markdown docs into the LeanPub book structure, which won't show up in the online version. diff --git a/manuscript/sections/chefs-favorites-docker.mde b/manuscript/sections/chefs-favorites-docker.mde new file mode 100644 index 0000000..9081880 --- /dev/null +++ b/manuscript/sections/chefs-favorites-docker.mde @@ -0,0 +1,3 @@ +# Chef's Favorites (Docker) # + +The following recipes are the chef's current favorites - these are recipes actively in use and updated by @funkypenguin \ No newline at end of file diff --git a/manuscript/sections/chefs-favorites-kubernetes.mde b/manuscript/sections/chefs-favorites-kubernetes.mde new file mode 100644 index 0000000..9081880 --- /dev/null +++ b/manuscript/sections/chefs-favorites-kubernetes.mde @@ -0,0 +1,3 @@ +# Chef's Favorites (Docker) # + +The following recipes are the chef's current favorites - these are recipes actively in use and updated by @funkypenguin \ No newline at end of file diff --git a/manuscript/sections/ha-docker-swarm.mde b/manuscript/sections/ha-docker-swarm.mde new file mode 100644 index 0000000..b5d7348 --- /dev/null +++ b/manuscript/sections/ha-docker-swarm.mde @@ -0,0 +1,3 @@ +# HA Docker Swarm # + +This section introduces the HA Docker Swarm, which will be the basis for all the recipes discussed. diff --git a/manuscript/sections/kubernetes.mde b/manuscript/sections/kubernetes.mde new file mode 100644 index 0000000..f1c2c38 --- /dev/null +++ b/manuscript/sections/kubernetes.mde @@ -0,0 +1,3 @@ +# Kubernetes # + +This section introduces the Kubernetes design, which will be the basis for all the recipes discussed further. diff --git a/manuscript/sections/menu-docker.mde b/manuscript/sections/menu-docker.mde new file mode 100644 index 0000000..a674baa --- /dev/null +++ b/manuscript/sections/menu-docker.mde @@ -0,0 +1,3 @@ +# Recipies (Docker) # + +Now follows individual recipes. diff --git a/manuscript/sections/menu-kubernetes.mde b/manuscript/sections/menu-kubernetes.mde new file mode 100644 index 0000000..4149de0 --- /dev/null +++ b/manuscript/sections/menu-kubernetes.mde @@ -0,0 +1,3 @@ +# Recipies (Kubernetes) # + +Now follows individual recipes. diff --git a/manuscript/sections/reference.mde b/manuscript/sections/reference.mde new file mode 100644 index 0000000..18fcf66 --- /dev/null +++ b/manuscript/sections/reference.mde @@ -0,0 +1,3 @@ +# Reference # + +Now follows useful elements which are not full recipes. diff --git a/manuscript/sponsored-projects.mde b/manuscript/sponsored-projects.mde new file mode 100644 index 0000000..1fd3dbe --- /dev/null +++ b/manuscript/sponsored-projects.mde @@ -0,0 +1,21 @@ +# Sponsored Projects + +I'm supported and motivated by [Patreon patrons](https://www.patreon.com/funkypenguin) and [LeanPub readers](https://leanpub.com/geeks-cookbook) who have generously sponsored me. + +I regularly donate to / sponsor the following projects. **Join me** in supporting these geeks, and encouraging them to continue building the ingredients for your favourite recipes! + +| Project | Donate via.. +| ------------- |-------------| +| [Kanboard](/recipes/kanboard/) | [PayPal](https://kanboard.org/#donations) +| [Miniflux](/recipes/miniflux/) | [PayPal](https://miniflux.net/#donations) +| [SABnzbd](/recipes/autopirate/sabnzbd/) | [Paypal / Credit Card / Crypto](https://sabnzbd.org/donate/) +| [Radarr](/recipes/autopirate/radarr/) | [OpenCollective](https://opencollective.com/radarr#budget) +| [Sonarr](/recipes/autopirate/sonarr/) | [BitCoin/CC](https://sonarr.tv/donate) +| [NZBHydra](/recipes/autopirate/nzbhydra/) | [Cryptocurrency](https://github.com/theotherp/nzbhydra2) +| [Calibre](https://calibre-ebook.com/) | [Credit Card](https://calibre-ebook.com/donate) / [Patreon](https://www.patreon.com/kovidgoyal) / [LibrePay](https://liberapay.com/kovidgoyal/donate) +| [LinuxServer.io](https://www.linuxserver.io) | [PayPal](https://www.linuxserver.io/donate) +| [Pi-hole](https://pi-hole.net/) | [Patreon](https://www.patreon.com/pihole/posts) +| [Franck Nijhof's Hassio Addons](https://www.frenck.nl/about/franck-nijhof/) | [Patreon](https://www.patreon.com/frenck/overview) +| [WidgetBot's Discord Widget](https://widgetbot.io/) | [Patreon](https://www.patreon.com/widgetbot/overview) + + diff --git a/manuscript/support.mde b/manuscript/support.mde new file mode 100644 index 0000000..75ac520 --- /dev/null +++ b/manuscript/support.mde @@ -0,0 +1,82 @@ +# Support + +> "Excuse me... waiter, there's a bug in this recipe!" + +How do you get support for these receipes? There are several options... + +## Discord: Where the cool kids are + +All the cool kids are hanging out in the [Discord server][1]. + +> "Eh? What's Discord? Get off my lawn, young whippersnappers!!" + +Yeah, I know. I also thought Discord was just for the gamer kids, but it turns out it's great for a geeky community. Why? [Let me elucidate ya.][2].. + +1. Native markdown for code blocks +2. Drag-drop screenshots +3. Costs nothing, no ads +4. Mobile notifications are reliable, individual channels mutable, etc + +## Forums: Party like it's 1999 + +For community support and engagement, I've setup a [Discourse forum][3]. Using this as the primary means of topical discussions makes it easy to share recipes / experiences with future geeks. + +## Discuss a recipe + +Every recipe includes a section at the end for comments. + +If you have a comment / question about a specific recipe, navigate to the recipe, scroll to the bottom, and add your comment. You'll be sent to the [kitchen][4] to post the actual comment, but it'll be visible beneath the recipe _and_ at the kitchen. (_To post, you'll need to sign in using OAuth from github, google, etc, or create a new account_) + +## Request a recipe + +I'd love to hear your ideas for more recipes. To request/suggest a recipe, create a new post in the [kitchen][5] with the details. + +## Spit out a bug + +Found a bug in your soup? Tell the chef by either: + +1. Commenting on the recipe (see above), or +2. Submitting an issue against the github [repo][6] + +## Tip the chef + +### Buy my book 📖 + +I'm also writing the Geek Cookbook as a formal eBook, on Leanpub (https://leanpub.com/geeks-cookbook). Buy it for $0.99 (_which is really just a token gesture of support_) - you can get it for free (_in PDF, mobi, or epub format_), or pay me what you think it's worth! + +### [Sponsor][7] / [Patreonize][8] me 💰 + +The best way to support this work is to become a [Sponsor]() (_GitHub_) or a [Patron][10] (_Patreon_). For as little as $5/month, you get: + +* warm fuzzies, +* access to the pre-mix repo, +* an anonymous plug you can pull at any time, +* and a bunch more loot based on tier + +.. and I get some pocket money every month to buy wine, cheese, and cryptocurrency! 🍷 💰 + +Impulsively **[click here (NOW quick do it!)][11]** to sponsor me, or instead thoughtfully and analytically review my GitHub profile **[here][12]** and make up your own mind. + +### Engage me 🏢 + +Need some Cloud / Microservices / DevOps / Infrastructure design work done? I'm a full-time [AWS-certified][13] consultant, this stuff is my bread and butter! :bread: :fork\_and\_knife: [Contact][14] me and let's talk! + +### Discord + +Come and hang out in Discord.. + + + +[1]: http://chat.funkypenguin.co.nz +[2]: https://www.youtube.com/watch?v=1qHoSWxVqtE +[3]: https://discourse.geek-kitchen.funkypenguin.co.nz/ +[4]: https://discourse.geek-kitchen.funkypenguin.co.nz/ +[5]: https://discourse.geek-kitchen.funkypenguin.co.nz/ +[6]: https://github.com/funkypenguin/geek-cookbook/issues +[7]: https://github.com/sponsors/funkypenguin +[8]: https://www.patreon.com/funkypenguin +[10]: https://www.patreon.com/bePatron?u=6982506 +[11]: https://github.com/sponsors/funkypenguin +[12]: https://github.com/funkypenguin +[13]: https://www.certmetrics.com/amazon/public/badge.aspx?i=4&t=c&d=2019-02-22&ci=AWS00794574 +[14]: https://www.funkypenguin.co.nz \ No newline at end of file diff --git a/manuscript/whoami.md b/manuscript/whoami.md index 20c6d1c..27e6a37 100644 --- a/manuscript/whoami.md +++ b/manuscript/whoami.md @@ -20,7 +20,7 @@ To get management approval to deploy, I wrote a logger (with web UI) for jabber Due to my contributions to [phpList](http://www.phplist.com), I was approached in 2011 by [Packt Publishing](http://www.packtpub.com), to [write a book](https://www.funkypenguin.co.nz/book/phplist-2-email-campaign-manager) about using PHPList. -## Work with me 🤝 +## Work with me Need some Cloud / Microservices / DevOps / Infrastructure design work done? I'm a full-time [AWS-certified][aws_cert] consultant, this stuff is my bread and butter! :bread: :fork_and_knife: [Get in touch][contact], and let's talk business! diff --git a/manuscript/whoami.mde b/manuscript/whoami.mde new file mode 100644 index 0000000..20c6d1c --- /dev/null +++ b/manuscript/whoami.mde @@ -0,0 +1,64 @@ +# Welcome to Funky Penguin's Geek Cookbook + +## Hello world, + +I'm [David](https://www.funkypenguin.co.nz/). + +I'm a contracting IT consultant, with a broad range of experience and skills. I'm an [AWS Certified Solution Architect (Professional)](https://www.certmetrics.com/amazon/public/badge.aspx?i=4&t=c&d=2019-02-22&ci=AWS00794574), a remote worker, I've had a [book published](https://www.funkypenguin.co.nz/book/phplist-2-email-campaign-manager/), and I [blog](https://www.funkypenguin.co.nz/) on topics that interest me. + +## Why Funky Penguin? + +My first "real" job, out of high-school, was working the IT helpdesk in a typical pre-2000 organization in South Africa. I enjoyed experimenting with Linux, and cut my teeth by replacing the organization's Exchange 5.5 mail platform with a 15-site [qmail-ldap](http://www.nrg4u.com/) cluster, with [amavis](https://en.wikipedia.org/wiki/Amavis) virus-scanning. + +One of our suppliers asked me to quote to do the same for their organization. With nothing to loose, and half-expecting to be turned down, I quoted a generous fee, and chose a cheeky company name. The supplier immediately accepted my quote, and the name ("_Funky Penguin_") stuck. + +## Technical Documentation + +During the same "real" job above, I wanted to deploy [jabberd](https://en.wikipedia.org/wiki/Jabberd14), for internal instant messaging within the organization, and as a means to control the sprawl of ad-hoc instant-messaging among staff, using ICQ, MSN, and Yahoo Messenger. + +To get management approval to deploy, I wrote a logger (with web UI) for jabber conversations ([Bandersnatch](https://www.funkypenguin.co.nz/project/bandersnatch/)), and a [75-page user manual](https://www.funkypenguin.co.nz/book/jajc-manual/) (_in [Docbook XML](http://www.docbook.org/)_) for a spunky Russian WinXP jabber client, [JAJC](http://jajc.jrudevels.org/). + +Due to my contributions to [phpList](http://www.phplist.com), I was approached in 2011 by [Packt Publishing](http://www.packtpub.com), to [write a book](https://www.funkypenguin.co.nz/book/phplist-2-email-campaign-manager) about using PHPList. + +## Work with me 🤝 + +Need some Cloud / Microservices / DevOps / Infrastructure design work done? I'm a full-time [AWS-certified][aws_cert] consultant, this stuff is my bread and butter! :bread: :fork_and_knife: [Get in touch][contact], and let's talk business! + +[plex]: https://www.plex.tv/ +[nextcloud]: https://nextcloud.com/ +[wordpress]: https://wordpress.org/ +[ghost]: https://ghost.io/ +[discord]: http://chat.funkypenguin.co.nz +[patreon]: https://www.patreon.com/bePatron?u=6982506 +[github_sponsor]: https://github.com/sponsors/funkypenguin +[github]: https://github.com/sponsors/funkypenguin +[discourse]: https://discourse.geek-kitchen.funkypenguin.co.nz/ +[twitter]: https://twitter.com/funkypenguin +[contact]: https://www.funkypenguin.co.nz +[aws_cert]: https://www.certmetrics.com/amazon/public/badge.aspx?i=4&t=c&d=2019-02-22&ci=AWS00794574 + +!!! quote "He unblocked me on all the technical hurdles to launching my SaaS in GKE!" + + By the time I had enlisted Funky Penguin's help, I'd architected myself into a bit of a nightmare with Kubernetes. I knew what I wanted to achieve, but I'd made a mess of it. Funky Penguin (David) was able to jump right in and offer a vital second-think on everything I'd done, pointing out where things could be simplified and streamlined, and better alternatives. + + He unblocked me on all the technical hurdles to launching my SaaS in GKE! + + With him delivering the container/Kubernetes architecture and helm CI/CD workflow, I was freed up to focus on coding and design, which fast-tracked me to launching on time. And now I have a simple deployment process that is easy for me to execute and maintain as a solo founder. + + I have no hesitation in recommending him for your project, and I'll certainly be calling on him again in the future. + + - John McDowall, Founder, [kiso.io](https://kiso.io) + +## Contact Me + +Contact me by: + +* Jumping into our [Discord server](http://chat.funkypenguin.co.nz) +* Email ([davidy@funkypenguin.co.nz](mailto:davidy@funkypenguin.co.nz)) +* Twitter ([@funkypenguin](https://twitter.com/funkypenguin)) + +Or by using the form below: + +

+ +
diff --git a/scripts/build.sh b/scripts/build.sh index d88cc1b..2bce5f8 100755 --- a/scripts/build.sh +++ b/scripts/build.sh @@ -1,14 +1,11 @@ #!/bin/bash # This script prepares mkdocs for a build (there are some adjustments to be made to the recipes before publishing) -# Copy the contents of "manuscript" to a new "publish" folder -mkdir -p publish -mkdir -p publish/overrides -cp -r {manuscript,overrides} publish/ -cp mkdocs.yml publish/ +# Fetch git history so that we get last-updated timestamps +git fetch --unshallow # Append a common footer to all recipes/swarm docs -for i in `find publish/manuscript/ -name "*.md" | grep -v index.md` +for i in `find manuscript/ -name "*.md" | grep -v index.md` do # Does this recipe already have a "tip your waiter" section? grep -q "Tip your waiter" $i @@ -22,7 +19,7 @@ do done # Now build the docs for publishing -mkdocs build -f publish/mkdocs.yml +mkdocs build -f mkdocs.yml # Setup any necessary netlify redirects -cp netlify_redirects.txt publish/site/_redirects +cp netlify_redirects.txt site/_redirects \ No newline at end of file diff --git a/scripts/markdown-to-markua.sh b/scripts/markdown-to-markua.sh index 63755f3..5a8479e 100755 --- a/scripts/markdown-to-markua.sh +++ b/scripts/markdown-to-markua.sh @@ -1,31 +1,16 @@ #!/bin/bash -# Markua doesn't know what to do with 4 backticks (````), so convert to 3: -find manuscript -type f -name "*.md" -print0 | xargs -0 sed -i "s/\`\`\`\`/\`\`\`/g" +for file in `find manuscript -type f -name "*.md"` +do + echo "Processing $file..." -# Markua doesn't like emojis, so remove them: -find manuscript -type f -name "*.md" -print0 | xargs -0 sed -i "s/👏//g" -find manuscript -type f -name "*.md" -print0 | xargs -0 sed -i "s/💬//g" -find manuscript -type f -name "*.md" -print0 | xargs -0 sed -i "s/👍//g" -find manuscript -type f -name "*.md" -print0 | xargs -0 sed -i "s/💰//g" -find manuscript -type f -name "*.md" -print0 | xargs -0 sed -i "s/🍷//g" -find manuscript -type f -name "*.md" -print0 | xargs -0 sed -i "s/🏢//g" -find manuscript -type f -name "*.md" -print0 | xargs -0 sed -i "s/❤️//g" -find manuscript -type f -name "*.md" -print0 | xargs -0 sed -i "s/🐢//g" -find manuscript -type f -name "*.md" -print0 | xargs -0 sed -i "s/👋//g" -find manuscript -type f -name "*.md" -print0 | xargs -0 sed -i "s/🐦//g" -find manuscript -type f -name "*.md" -print0 | xargs -0 sed -i "s/📖//g" -find manuscript -type f -name "*.md" -print0 | xargs -0 sed -i "s/✉️//g" -find manuscript -type f -name "*.md" -print0 | xargs -0 sed -i "s/📺//g" -find manuscript -type f -name "*.md" -print0 | xargs -0 sed -i "s/🎥//g" -find manuscript -type f -name "*.md" -print0 | xargs -0 sed -i "s/🎵//g" -find manuscript -type f -name "*.md" -print0 | xargs -0 sed -i "s/😁//g" + # Markua doesn't know what to do with 4 backticks (````), so convert to 3: + sed -ie "s/\`\`\`\`/\`\`\`/g" $file -# Can't use relative paths in a book, so make all paths static -find manuscript -type f -name "*.md" -print0 | xargs -0 sed -i "s/(\//(https:\/\/geek-cookbook.funkypenguin.co.nz\/)/g" + # Can't use relative paths in a book, so make all paths static + sed -ie 's/(\//(https:\/\/geek-cookbook.funkypenguin.co.nz\/)/g' $file - - - - -# Do nothing, yet. This is where the sed magic will go + # strip emojis + tr -cd '\11\12\15\40-\176' < $file > $file-clean + mv $file-clean $file +done \ No newline at end of file diff --git a/scripts/recipe-footer.md b/scripts/recipe-footer.md index aa5a842..8afb830 100644 --- a/scripts/recipe-footer.md +++ b/scripts/recipe-footer.md @@ -1,28 +1,14 @@ -## Tip your waiter (support me) 👏 +## Tip your waiter (sponsor me) 👏 -Did you receive excellent service? Want to make your waiter happy? (_..and support development of current and future recipes!_) See the [support](/support/) page for (_free or paid)_ ways to say thank you! 👏 +Did you receive excellent service? Want to make your waiter happy? (_..and support development of current and future recipes!_) Sponsor me on [Github][github_sponsor] / [Patreon][patreon], or see the [support](/support/) page for more (_free or paid)_ ways to say thank you! 👏 ## Flirt with waiter (subscribe) 💌 -Want to know now when this recipe gets updated, or when future recipes are added? Subscribe to the [RSS feed](https://mastodon.social/@geekcookbook_changes.atom), or leave your email address below, and we'll keep you updated. (*double-opt-in, no monkey business, no spam either - check the [archive](https://us16.campaign-archive.com/home/?u=a1d9cee4402be76497a2baf49&id=10e284530a) for proof!*) +Want to know now when this recipe gets updated, or when future recipes are added? Subscribe to the [RSS feed](https://mastodon.social/@geekcookbook_changes.atom), or leave your email address below, and we'll keep you updated. (*double-opt-in, no monkey business, no spam) - -
-
-
- -
- -
-
- - -
- - -
-
-
- +
## Your comments? 💬 + +[patreon]: https://www.patreon.com/bePatron?u=6982506 +[github_sponsor]: https://github.com/sponsors/funkypenguin \ No newline at end of file diff --git a/scripts/serve.sh b/scripts/serve.sh new file mode 100755 index 0000000..4dee3a8 --- /dev/null +++ b/scripts/serve.sh @@ -0,0 +1,4 @@ +#!/bin/bash +docker pull squidfunk/mkdocs-material:latest +docker build . -t funkypenguin/mkdocs-material +docker run --rm --name mkdocs-material -it -p 8123:8000 -v ${PWD}:/docs funkypenguin/mkdocs-material