We talked about SWAG, SWAG Dashboard and more recently how to integrate CrowdSec into SWAG, let's talk about how to do some Geo-blocking with SWAG.

Setup SWAG to safely expose your self-hosted applications to the internet

SWAG is a rebirth of letsencrypt docker image, a full fledged web server and reverse proxy that includes Nginx, Php7, Certbot (Let’s Encrypt client) and Fail2ban.

TheLazyFox's BlogTheLazyFox

SWAG can support MaxMind databases which are used to provide IP Geolocation and Online Fraud Prevention. It was initially tougher to setup but since end of 2021, it's now integrated through Linuxserver mods system, so let me guide you into it!

Setup the mod

1. First of all, you need to create an account on MaxMind to get a free license key, mandatory to get access to their databases. Sign up to their GeoLite2 service, it's pretty straightforward
2. When you have the key, modify your SWAG docker-compose.yml file to add the MaxMind mod through an environment variable like this: DOCKER_MODS=linuxserver/mods:swag-maxmind
   If you already have mods, ensure they are separated by |, such as DOCKER_MODS=linuxserver/mods:swag-dashboard|linuxserver/mods:swag-crowdsec|linuxserver/mods:swag-maxmind
3. Add another environment variable MAXMINDDB_LICENSE_KEY=<license-key> and include your license key into it
4. Restart your container with docker compose up -d to apply the changes
5. Configure nginx to load the maxmind configuration file by adding the line below in the http section of /config/nginx/nginx.conf.

include /config/nginx/maxmind.conf;

The setup is now ready!

Manage whitelist and blocklist

You can manage your whitelist and blocklist per country by editing /config/nginx/maxmind.conf with your favorite text editor, you have to enter the ISO code of the country followed by yes or no .

It includes an example for blocking high risk countries from GilbN's list based on the Spamhaus statistics and Akamai’s state of the internet report.

map $geoip2_data_country_iso_code $geo-whitelist {
    default no;
    UK yes;
}

map $geoip2_data_country_iso_code $geo-blacklist {
    default yes; #If your country is listed below, remove it from the list
    CN no; #China
    RU no; #Russia
    HK no; #Hong Kong
    IN no; #India
    IR no; #Iran
    VN no; #Vietnam
    TR no; #Turkey
    EG no; #Egypt
    MX no; #Mexico
    JP no; #Japan
    KR no; #South Korea
    KP no; #North Korea
    PE no; #Peru
    BR no; #Brazil
    UA no; #Ukraine
    ID no; #Indonesia
    TH no; #Thailand
}

Apply to your definitions

To use your whitelist and blocklist, you need to include these few lines (line 9-10) in your SWAG definitions.

 server {
     listen 443 ssl;
     listen [::]:443 ssl;

     server_name some-app.*;
     include /config/nginx/ssl.conf;
     client_max_body_size 0;

     if ($lan-ip = yes) { set $geo-whitelist yes; }
     if ($geo-whitelist = no) { return 404; }

     location / {

And that's it 🚀! Restart the container to apply your configuration changes and any traffic coming for one of these countries is going to be automatically blocked!

PS: If you are using services like Cloudflare in front of your websites, it might not work as expected as your websites will be accessed by Cloudflare's IP addresses.

I recently talked to you about SWAG & SWAG Dashboard, this time I'm going to introduce to you the new Docker mod released by LSIO: swag-crowdsec!

This mod adds the CrowdSec nginx bouncer to SWAG, to be installed/updated during container start. It eases the usage of CrowdSec with SWAG so let's see how to install CrowdSec and benefit from this Docker mod.

What is CrowdSec?

CrowdSec is a free, open-source and collaborative IPS; it's like Fail2Ban but you share your bans with all of the other users to try and pre-emptively block malicious hosts [...]
Unlike fail2ban, which uses a single service for detection and blocking of malicious traffic, CrowdSec is modular, allowing you to detect and block across multiple hosts and to easily integrate with different services.
The basic building blocks are the CrowdSec agent which parses your logs and detects malicious behaviour, one or more Bouncers which do the actual blocking, the Central API which is hosted by CrowdSec themselves and allows you to push and pull community blocks, and the Local API which acts as a central coordinator on your network for all the other parts.
Source: LSIO & CrowdSec

The main takeovers are that CrowdSec is a collaborative Intrusion Prevention System which make it overly powerful compared to Fail2Ban and it also provides the capability to share your setup across multiple hosts!

CrowdSec installation

First of all, we need to create required folders and add CrowdSec in our SWAG stack.

Create the configuration for CrowdSec

1. Create the required folders into your SWAG stack's folder with mkdir -p crowdsec/{crowdsec-db,crowdsec-config,dashboard}
2. Create the acquisition file for CrowdSec with nano crowdsec/acquis.yaml
3. Fill the file with the example acquisition below from CrowdSec collection for nginx
4. Save with CTRL + X

filenames:
  - /var/log/nginx/*.log
labels:
  type: nginx

How it looks like on my server:

~/docker/swag
├── config
│   ├── crontabs
│   ├── crowdsec
│   ├── custom-cont-init.d
│   ├── custom-services.d
│   ├── dns-conf
│   ├── etc
│   ├── fail2ban
│   ├── geoip2db
│   ├── keys
│   ├── log
│   ├── nginx
│   ├── php
│   └── www
├── crowdsec
│   ├── acquis.yaml
│   ├── crowdsec-config
│   ├── crowdsec-db
│   └── dashboard
└── docker-compose.yml

Add CrowdSec into your SWAG stack

Now, let's open the SWAG docker-compose.yml and add CrowdSec into it!

1. Open your docker compose file with nano docker-compose.yml
2. Add the new service CrowdSec as below
3. ℹ️ Don't forget to update the PGID to match the one used for SWAG
4. Adapt the volumes paths if needed
5. Save with CTRL + X
6. Launch the stack with docker compose up -d and wait for everything to be started

version: "2.1"
services:
  swag:
    # Keep here your current SWAG configuration

  crowdsec:
    container_name: crowdsec
    image: crowdsecurity/crowdsec:latest
    restart: unless-stopped
    depends_on:
      - swag
    networks:
      default:
        ipv4_address: 172.18.25.3
    environment:
      - COLLECTIONS=crowdsecurity/nginx
      - GID=1000
    volumes:
      - ./config/log/nginx:/var/log/nginx
      - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml
      - ./crowdsec/crowdsec-db:/var/lib/crowdsec/data/
      - ./crowdsec/crowdsec-config:/etc/crowdsec/
    security_opt:
      - no-new-privileges=true

networks:
  default:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.name: br_swag
    ipam:
      config:
        - subnet: 172.18.25.0/24
          gateway: 172.18.25.255

Now it's time to add a CrowdSec bouncer!

What is a bouncer?

The CrowdSec bouncers are standalone software pieces in charge of acting upon a decision taken by CrowdSec like blocking an IP, presenting a captcha, enforcing MFA on a given user, etc.

For example, the nginx bouncer will check every unknown IP against the local API before letting go through or serving a 403 to the user, while a firewall bouncer or a Cloudflare bouncer will simply "add" malevolent IPs to nftables/ipset set of blacklisted IPs.

Create a bouncer and integrate it in the configuration

You just need to run a single command to create your bouncer!

1. Run docker exec -t crowdsec cscli bouncers add bouncer-swag
2. It creates instantly the bouncer and print the related API key
3. ℹ️ Copy the API key you will need it soon
4. Open your docker compose file with nano docker-compose.yml
5. Add the new environment variables DOCKER_MODS, CROWDSEC_API_KEY, CROWDSEC_LAPI_URL in your SWAG service (not crowdsec one!) as below.
   ⚠️ Be careful to change the IP address to target the crowdsec service's IP or replace the IP by the service name (crowdsec in my example).
   ⚠️If you are using the SWAG Dashboard, you need to separate both mods with a pipe.
6. Save with CTRL + X
7. Launch the stack with docker compose up -d and wait for everything to be started

      - DOCKER_MODS=linuxserver/mods:swag-crowdsec
      - CROWDSEC_API_KEY=916ae26c4d744fa862bcf9cdc29e30b7
      - CROWDSEC_LAPI_URL=http://172.18.25.3:8080

      - DOCKER_MODS=linuxserver/mods:swag-dashboard|linuxserver/mods:swag-crowdsec
      - CROWDSEC_API_KEY=916ae26c4d744fa862bcf9cdc29e30b7
      - CROWDSEC_LAPI_URL=http://172.18.25.3:8080

Your docker-compose.yml file should look like this now:

version: "2.1"
services:
  swag:
    image: lscr.io/linuxserver/swag:latest
    container_name: swag
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    networks:
      default:
        ipv4_address: 172.18.25.2
    environment:
      - PUID=1026
      - PGID=100
      - TZ=Europe/Zurich
      - URL=yourdomain.xyz
      - SUBDOMAINS=wildcard
      - VALIDATION=dns
      - DNSPLUGIN=cloudflare
      - EMAIL=youremailaddress@protonmail.com
      - DOCKER_MODS=linuxserver/mods:swag-dashboard|linuxserver/mods:swag-crowdsec
      - CROWDSEC_API_KEY=916ae26c4d744fa862bcf9cdc29e30b7
      - CROWDSEC_LAPI_URL=http://172.18.25.3:8080
    volumes:
      - ./config:/config
    ports:
      - 443:443
      - 80:80

  crowdsec:
    container_name: crowdsec
    image: crowdsecurity/crowdsec:latest
    restart: unless-stopped
    depends_on:
      - swag
    networks:
      default:
        ipv4_address: 172.18.25.3
    environment:
      - COLLECTIONS=crowdsecurity/nginx
      - GID=1000
    volumes:
      - ./config/log/nginx:/var/log/nginx
      - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml
      - ./crowdsec/crowdsec-db:/var/lib/crowdsec/data/
      - ./crowdsec/crowdsec-config:/etc/crowdsec/
    security_opt:
      - no-new-privileges=true

networks:
  default:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.name: br_swag
    ipam:
      config:
        - subnet: 172.18.25.0/24
          gateway: 172.18.25.255

👏 CrowdSec is setup! You are now protected by a community driven Intrusion Prevention System!

Few useful commands:

• docker exec -t crowdsec cscli metrics
  Fetch metrics from the prometheus server and display them in a human-friendly way
• docker exec -t crowdsec cscli decisions list
  List decisions from LAPI
• docker exec -t crowdsec cscli decisions delete --all
  Delete List decisions from LAPI
• docker exec -t crowdsec cscli alerts flush
  Flush alerts -⚠️ This command can be used only on the same machine than the local API

If you need more commands, please refer to the official documentation.

Create a CrowdSec dashboard

We like dashboards, yes we ❤️ dashboards so let's create one for CrowdSec with Metabase!

version: "2.1"
services:
  swag:
    # Keep here your current SWAG configuration

  crowdsec:
    # Keep here your current CrowdSec configuration
     
  dashboard:
    container_name: crowdsec-dashboard
    build: ./crowdsec/dashboard
    restart: unless-stopped
    depends_on:
      - crowdsec
    networks:
      default:
        ipv4_address: 172.18.25.4
    ports:
      - 1111:3000
    environment:
      - MB_DB_FILE=/data/metabase.db
      - MGID=1000
    volumes:
      - ./crowdsec/crowdsec-db:/metabase-data/

1. Go in the dashboard folder created before (I knew you like dashboards!) with cd crowdsec/dashboard
2. Get the Dockerfile provided by LSIO with wget https://raw.githubusercontent.com/crowdsecurity/example-docker-compose/main/crowdsec/dashboard/Dockerfile
3. Add the dashboard service in your docker-compose.yml file like above
4. Save with CTRL + X
5. Launch the stack with docker compose up -d and wait for everything to be started
6. Access your dashboard on https://your-host-ip:1111
7. Default's credentials are crowdsec@crowdsec.net and !!Cr0wdS3c_M3t4b4s3??

🎉 Congrats! You can now browse the dashboards prepared for you and even create your owns!

Link your instance to CrowdSec Console

You can also decide to link your CrowdSec instance to the CrowdSec Cloud Console to monitor alerts and manage several instances.

1. Create an account on https://app.crowdsec.net
2. After login, you will see a command to enroll your instance, execute it through Docker with docker exec -it crowdsec cscli console enroll thisisyourtoken
3. Go back to the website to accept the enrollment
4. Restart CrowdSec with docker restart crowdsec

You can now monitor your instance from the CrowdSec Console!

Ressources to go deeper:

• https://www.linuxserver.io/blog/blocking-malicious-connections-with-crowdsec-and-swag
• https://github.com/crowdsecurity
• https://github.com/crowdsecurity/cs-nginx-bouncer/
• https://github.com/linuxserver/docker-mods/tree/swag-crowdsec
• https://crowdsec.net/
• https://doc.crowdsec.net/docs/cscli/cscli
• https://hub.crowdsec.net/author/crowdsecurity/collections/nginx
• https://blog.thelazyfox.xyz/setup-swag-to-safely-expose-your-self-hosted-applications-to-the-internet/

Big Up EVO for support! ♥

Few months ago, I've introduced to you SWAG!  

Setup SWAG to safely expose your self-hosted applications to the internet

SWAG is a rebirth of letsencrypt docker image, a full fledged web server and reverse proxy that includes Nginx, Php7, Certbot (Let’s Encrypt client) and Fail2ban.

TheLazyFox's BlogTheLazyFox

The LSIO team has released sometimes ago a dashboard to monitor what is happening on your SWAG, here is how to implement it!

SWAG Dashboard is a mod powered by GoAccess that provides a comprehensive overview of SWAG's operation.

This dashboard is provided by LSIO through a powerful Docker mod so it's super easily to setup!

You just need to integrate this line in your environment variables:

- DOCKER_MODS=linuxserver/mods:swag-dashboard

Let's add it into the full SWAG docker compose example from the article above, it will look like this:

version: "2.1"
services:
  swag:
    image: lscr.io/linuxserver/swag:latest
    container_name: swag
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1026
      - PGID=100
      - TZ=Europe/Zurich
      - URL=yourdomain.xyz
      - SUBDOMAINS=wildcard
      - VALIDATION=dns
      - DNSPLUGIN=cloudflare
      - EMAIL=youremailaddress@protonmail.com
      - DOCKER_MODS=linuxserver/mods:swag-dashboard
    volumes:
      - ./config:/config
    ports:
      - 443:443
      - 80:80
    labels:
      - com.centurylinklabs.watchtower.enable=true
      - deunhealth.restart.on.unhealthy=true

For security reasons, the dashboard can only be accessible through the URL dashboard.yourdomain.xyz but obviously it's not something we want to open to the world. To access it, you need to create a DNS rewrite.

On my side, I'm using AdGuard Home which grants the ability to do DNS rewriting for all devices on my network, it suits perfectly that need.

You can also use other solutions, feel free to share them with to complete this article😉.

AdGuard Home: A world without ads and trackers!

You might have heard about Ublock Origin or PiHole, let me introduce to you AdGuard, and especially AdGuard Home!

TheLazyFox's BlogTheLazyFox

DNS rewrite with Adguard Home

If you are an Adguard Home user:

1. Open AdGuard
2. Go to Filters > DNS rewrites
3. Click on Add DNS rewrite
4. As domain name, enter dashboard.yourdomain.xyz (replace with your own domain)
5. As IP address, enter the IP address of your host where SWAG is running
6. Click on Save

DNS rewrite with PiHole

If you are a PiHole user:

1. Open PiHole
2. Go to Local DNS Records
3. As domain name, enter dashboard.yourdomain.xyz (replace with your own domain)
4. As IP address, enter the IP address of your host where SWAG is running
5. Click on Add

Here we go! 🚀

You can now enjoy and dig into the good looking dashboard by accessing dashboard.yourdomain.xyz (replace with your own domain) 🎉

If you are looking for more details, please visit the official blog post from LSIO.

Few years ago, I was using the reverse proxy provided by my Synology NAS and generating my SSL certificate directly with the LetsEncrypt container by LinuxServer which is now depreciated.  

Generate a Let’s Encrypt wildcard certificate on Synology with Docker and Cloudflare

Following my setup of AdGuard Home, I found out it can manage DNS-over-HTTPS and DNS-over-TLS but it needs valid SSL certificates for that purpose.

TheLazyFox's BlogTheLazyFox

For few months now, I'm running with SWAG!

What is SWAG?

Swag is a term that refers to a person's sense of style or skills. It is derived from "swagger" and was made popular by hip-hop culture.

Seriously speaking, SWAG is a rebirth of letsencrypt docker image, a full fledged web server and reverse proxy that includes Nginx, Php7, Certbot (Let's Encrypt client) and Fail2ban. No more confusion or trademark issue related to the name "letsencrypt".

SWAG is really a LEMP stack minus the M. For those unfamiliar, the letters stand for L=Linux, E=Nginx (because it's pronounced Engine-X), M=MySQL/MariaDB and P=PHP. SWAG has all but MySQL/MariaDB, for which we recommend pairing with our MariaDB docker image if needed. Apart from those, SWAG has the Let's Encrypt client Certbot integrated, for automating retrieval and management of free SSL certs. It also has Fail2ban for intrusion detection and prevention.

How to setup SWAG for your domain?

Docker Compose

First thing first, you need to create a folder for this project and put inside your docker-compose.yml file.

version: "2.1"
services:
  swag:
    image: lscr.io/linuxserver/swag:latest
    container_name: swag
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1026
      - PGID=100
      - TZ=Europe/Zurich
      - URL=yourdomain.xyz
      - SUBDOMAINS=wildcard
      - VALIDATION=dns
      - DNSPLUGIN=cloudflare
      - EMAIL=youremailaddress@protonmail.com
    volumes:
      - ./config:/config
    ports:
      - 443:443
      - 80:80
    labels:
      - com.centurylinklabs.watchtower.enable=true
      - deunhealth.restart.on.unhealthy=true

Please remember to create all folders and files before trying to launch your docker-compose.

How does it look like on my server:

swag/
      |_ docker-compose.yaml
      |_ config/

Before starting, let's encrypt speak about the content of this docker compose file.

• URL
  This is the URL of your domain. It will be used to generate the SSL certificate but also for the DNS validation
• SUBDOMAINS
  You can list all subdomains you would like to cover with your SSL certificate or just set wildcard to cover them all. It will result with a certification for *.yourdomain.xyz
• VALIDATION
  This describe the method used by the container to validate your ownership of the above-mentionned domain. We are going to use the DNS validation.
• DNSPLUGIN
  I'm setting cloudflare which is my DNS as you will see below. It's one of the various DNS supported by SWAG. More information on the official documentation
• EMAIL
  Your email address to be used to get your free Let's Encrypt SSL certificate for your domain

DNS provider

Cloudflare is recommended due to being free and reliable. To switch to Cloudflare, you can register for a free account and follow their steps to point the nameservers to Cloudflare. The rest of the instructions assume that you are using the cloudflare DNS plugin but it's quite the same for others.

On your DNS provider, you will need to create an A record for the main domain and point it to our server IP. Then you will also create a CNAME for all your subdomains or a CNAME for * and point it to the A record for the domain. On Cloudflare, we'll click on the orange cloud to turn it grey so that it is DNS only and not cached/proxied by Cloudflare, which would add more complexities.

You can now start your docker container for the first time to generate all the files in your config folder with docker-compose up. You might see some errors because we didn't provided all information yet for the DNS validation but you need that first start to generate the required files. Exit with CTRL + C.

You can now edit the file /swag/config/dns-conf/cloudflare.iniwith your favorite text editor and add your Cloudflare email address and Global API key. Save it and relaunch the container with docker-compose up -d.

dns_cloudflare_email = youremailaddress@protonmail.com
dns_cloudflare_api_key = yourglobalapikey

🎉 Congrats!
SWAG is running and your Let's Encrypt SSL certificate has been generated for your domain!

SWAG is running on your server, you can see it by accessing it on port 443 (HTTPS) or 80 (HTTP) of your local machine.

Reverse Proxy

A reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client as if they originated from the Web server itself.

You need now to setup a reverse proxy to redirect each of your subdomains to the correct self-hosted application. No worries, SWAG comes with Nginx embedded!

The SWAG image comes with a list of preset reverse proxy configuration files for popular apps and services such as Jellyfin, Heimdall, Vaultwarden, etc. They are all hosted on GitHub and are automatically pulled into the /swag/config/nginx/proxy-confs folder as inactive sample files.

Let's active some of them to get access to our applications from Internet!
To activate one, you must rename the conf file to remove .sample from its filename and restart the SWAG container.

You can simply do cp jellyfin.subdomain.conf.sample jellyfin.subdomain.confto get your configuration file ready for editing for the application Jellyfin.

Now let's see what is inside the file with nano jellyfin.subdomain.conf.
What matter for us is pretty simple:

• server_name jellyfin.*;
  Only destination addresses that match jellyfin.* will match this server block. You need to replace jellyfinby the subdomain name you want to use
• set $upstream_app jellyfin;
  This is the container name used as dns hostname of the application your want to target. You can also replace it by the IP of the machine (e.g. 192.128.1.152)
  If you use the hostname, please ensure SWAG and Jellyfin share the same network
• set $upstream_port 8096;
  This is the port where the application is running. You can replace it by your Jellyfin port. If above, you used the IP of the machine, use the external port otherwise the internal one
• set $upstream_proto http;
  This is the protocol
• If you want to know more about the structure of this file, please refer to the official documentation about understanding the proxy conf structure

With this configuration, any hit on jellyfin.yourdomain.xyzwill be redirected to your local application http://192.168.1.152:8096.

Don't forget to update the variable's values in all location section of the file

🎉 Congrats!
Your self-hosted application is now accessible from the Internet!

Extra security layers

Enable HSTS

HTTP Strict Transport Security (HSTS) is a simple and widely supported standard to protect visitors by ensuring that their browsers always connect to a website over HTTPS. HSTS exists to remove the need for the common, insecure practice of redirecting users from http:// to https:// URLs. Source: https://https.cio.gov/hsts/.

It's very simple to activate with SWAG!

1. Edit the file ssl.conf with nano swag/config/nginx/ssl.conf
2. Uncomment the line add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
3. Save with CTRL + X
4. Restart SWAG with docker restart swag

Setup Fail2ban

Fail2Ban is an intrusion prevention software framework that protects servers from brute-force attacks. It's also included in the SWAG docker image! Let's take your Jellyfin application as example.

Create a new jail

First, you need to edit the list of Fail2ban jails to add one for this application with nano /swag/config/fail2ban/jail.local and add a new section for Jellyfin application.

[jellyfin]
enabled  = true
filter   = jellyfin
port     = http,https
logpath  = /config/log/nginx/access.log
maxretry = 4

• enabled
  Define if the jail is active or not
• filter
  The filter name used for this jail, we will create it after
• port
  Which standard ports it covers. It can include http, https, ssh, sftp and many others
• logpath
  Path to the log file which is provided to the filter
• maxretry
  Number of matches which triggers ban action on the IP
• bantime
  Duration (in seconds) for IP to be banned for. Negative number for "permanent" ban

NOTE: Each parameters can be overriden in each jail, if missing it will fallback to the one from the [DEFAULT] jail defined on top of /swag/config/fail2ban/jail.local.

Create a new filter

Secondly, you need to create a filter to be used on the logs above-mentionned to define what to catch and count as intrusion tentatives by using nano /swag/config/fail2ban/filter.d/jellyfin.conf and paste this filter inside to catch all 401 errors.

[Definition]
failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|CONNECT|PUT|DELETE) \/.*? \S+\" 401 .+$

You can now save the file and restart SWAG with docker restart swag.

Test your Fail2Ban setup

It's actually pretty easy to test!

1. Connect yourself to a VPN server
2. Access your website via https://jellyfin.yourdomain.xyz
3. Fail 4 times the authentication
4. You can check the status of the jail to see the IP being blocked with docker exec -it swag fail2ban-client status jellyfin

Few useful commands for Fail2ban

• List all your active jails
  docker exec -it swag fail2ban-client status
• List banned IPs for a jail
  docker exec -it swag fail2ban-client status <JAIL_NAME>
• Manually unban an IP for a jail
  docker exec -it swag fail2ban-client set <JAIL_NAME> unbanip <IP>
• Manually ban an IP for a jail
  docker exec -it swag fail2ban-client set <JAIL_NAME> banip <IP>

🎉 Congrats!
You have applied 2 extra layers of security on top of your self-hosted application including Fail2ban!
YOU'RE SWAGGY AF!

The objective of this tutorial is to mount a folder on your server to store content without thinking about storage capacity. Everything on this folder is going to be, on the fly, encrypted and pushed to Google Drive. It comes also with caching if you want to use this folder to store your Jellyfin, Emby, Plex or any other media center application library.

IMPORTANT NOTICE
1. Always backup your rclone.conf file in several secured locations, if lost you will not be able to decrypt your data.
2. Google limits the upload on Google Drive to 750 Gb / day. If you exceed it you might get a 24 hours ban.

Haaaave you met Rclone?

Users call rclone "The Swiss army knife of cloud storage", and "Technology indistinguishable from magic".

"Rclone is a command line program to manage files on cloud storage. It is a feature rich alternative to cloud vendors' web storage interfaces. Over 40 cloud storage products support rclone including S3 object stores, business & consumer file storage services, as well as standard transfer protocols." - rclone.com

Install Rclone

Rclone is pretty straight-forward to install with an one-line script. This line also works on a Synology NAS.

curl https://rclone.org/install.sh | sudo bash

You can also find all binaries to install it on rclone.org.

Note for Synology users: You need to enable the user home service to use Rclone as its configuration will be stored in /var/services/homes/thelazyfox/.config/rclone/rclone.conf.
To enable it, open "Control Panel" > "User & Group" > "Advanced" > "User Home" > "Enable user home service" > "Apply"

Create a Google Drive API application

Google is providing API keys for almost all its services, including Google Drive.
We need to create one for rclone so let's get started!

1. Login on Google API Console
2. Create a project (Psst, you can call it "Rclone"!)
3. Click on "Enable APIs and Services" and search for "Google Drive API"
4. Open it and click on "Enable"
5. Open the left panel and click on "Credentials"
6. Now Click on "Create credentials" > "OAuth client ID"
7. If it's your first time in there, you will need to create and design the OAuth consent screen. It's the screen which ask for permissions to use your Google Account / Services. You just have to define few parameters like name and type "External"
8. When you are all set, go back to the "OAuth client ID" creation flow
9. Choose your application type ("Desktop app" is fine) and name it (what about "Rclone" again?)
10. A pop-in is now displaying your "Client ID" and your "Client secret", keep it open, you will need them very soon. You can see them on demand by clicking on the pencil edit icon

Create a Rclone remote drive (not encrypted)

Now it's time to setup rclone!

Start by executing the command rclone config.

Create a new remote drive

No remotes found - make a new one
n) New remote
r) Rename remote
c) Copy remote
s) Set configuration password
q) Quit config

n/d/r/c/s/q> n

Choose n to create a new remote drive and then, give it a name and hit Enter. I chose "GDrive1" to know which storage provider it uses and to easily increment it if I need new ones.

Select storage type: Google Drive

As soon as you entered a name, it will show the list of all available storage types. You are looking for "Google Drive", number 16 when I'm writing this article.
Type16 and hit Enter.

Enter your Google Drive API application settings

Rclone is now asking for the "Google Application Client Id" and "Google Application Client Secret" you created the step before. Copy/paste them and continue.

Option client_id.
Google Application Client Id
Setting your own is recommended.
See https://rclone.org/drive/#making-your-own-client-id for how to create your own.
If you leave this blank, it will use an internal key which is low performance.
Enter a string value. Press Enter for the default ("").
client_id> this_is_my_client_id
Option client_secret.
OAuth Client Secret.
Leave blank normally.
Enter a string value. Press Enter for the default ("").
client_secret> this_is_my_client_secret

Now you have to select the scope, type 1 for full access to your Google Drive and hit Enter.

Choose a folder

The next step proposes to choose a specific folder to use into Google Drive.

I have decided to create a folder called "rclone" into my Google Drive root folder as I'm using Google Drive for other purposes as well. Rclone will require the ID of this folder and it's super easy to get it, it's the last part of the URL when your are inside that folder, just after folders/.

https://drive.google.com/drive/u/2/folders/1KTYd5OhJ2k-IHLewp1WBquNN9VmwdDNj

Otherwise, if you want to use the root folder of your Google Drive, leave it empty.

ID of the root folder - leave blank normally.  Fill in to access "Computers" folders. (see docs).
root_folder_id> 1KTYd5OhJ2k-IHLewp1WBquNN9VmwdDNj

Additional settings (Optional)

The next two questions are optional, leave them blank.

The first one is the "Service Account Credentials". Google Cloud Platform proposes to use Service account instead of interactive login with your personal account. In this tutorial, I will use my Google account directly. If you want to read more about authentication best practices or if you want to create a service account, everything is available in Google Cloud Platform documentation.

Option service_account_file.
Service Account Credentials JSON file path.
Leave blank normally.
Needed only if you want use SA instead of interactive login.
Leading `~` will be expanded in the file name as will environment variables such as `${RCLONE_CONFIG_DIR}`.
Enter a string value. Press Enter for the default ("").
service_account_file> 

The second one is advanced configuration, type n and then hit Enter to move to the next step.

Edit advanced config? (y/n)
y) Yes
n) No (default)
y/n> n

Google Drive Authentication

It's now time to give rclone the permissions to use your Google Drive account.

If you are working on a Desktop machine directly, enter y and hit Enter to proceed automatically. Otherwise, if you are connected via SSH like I do, rclone cannot open a web browser to prompt the authentication window, therefore enter n and hit Enter to continue manually.

A link to Google's OAuth page is given to you, open it and authorize your rclone application to access your Google Drive account, it will provide you a verification code. Copy/paste the code in the console and hit Enter.

Team drive

The next step is to define if you want to use your main Google Drive or a Team Drive. I have no team drive so I type n and hit Enter.

Configure this as a team drive?
y) Yes
n) No
y/n> n

Final review

As a final step, rclone gives you an overview of the whole setup and asks to confirm. If you are done, type y and hit Enter.

At this moment, you are done with the Google Drive configuration into rclone. The next step is about setting up some caching and encryption on top of it. 🔐

Create the cache and encrypted rclone remote drives

You have two options:

1. Start the wizard tool a second time with rclone config, choosing option 8 to "cache a remote" and then start it a third time choosing option 12 to "Encrypt/Decrypt a remote"
2. Edit your rclone.conf manually and inject the config below inside

I suggest to use the second option as you are already quite familiar with the wizard!

Edit rclone.conf

The rclone.conf file is stored in .config/rclone/ in your user's home folder.

For Synology users, the path is /var/services/homes/your-user/.config/rclone/rclone.conf

Open rclone.conf file with nano  ~/.config/rclone/rclone.conf and paste the code of [GDrive1Cache] and [GDrive1Crypt] below your existing GDrive1 configuration.

Name the drives as you wish by changing the text between the brackets but keep in mind the following:

1. The caching remote drive is relates to the Google Drive remote drive in its own configuration and so do the encrypted remote drive with the caching remote drive, ensure the names are correct
2. Always keep the : after the drive name

[GDrive1]
type = drive
client_id = this_is_my_client_id
client_secret = this_is_my_client_secret
scope = drive
root_folder_id = 1KTYd5OhJ2k-IHLewp1WBquNN9VmwdDNj
token = {"access_token":"AAA","token_type":"BBB","refresh_token":"CCC","expiry":"DDD"}
team_drive =

[GDrive1Cache]
type = cache
remote = GDrive1:
chunk_size = 50M
info_age = 1h0m0s
chunk_total_size = 10G

[GDrive1Crypt]
type = crypt
remote = GDrive1Cache:
filename_encryption = standard
directory_name_encryption = true

You are now missing only one thing to complete the configuration, the encryption keys of our encrypted remote drive!

Define your encryption keys

To add the encryption keys (password and salt) to your configuration, you need to edit the configuration through rclone config.

1. Select Edit existing remote
2. Choose your encrypted remote drive GDrive1Crypt
3. Hit n to not change the parameters until you reach the Password or pass phrase for encryptionand Password or passphrase for salt
4. Choose Generate random password for both and save them in a secured location in case of troubles
5. Finish and validate your configuration

You successfully setup on rclone:

• A Google Drive remote drive
• A cache remote drive
• An encrypted remote drive

It's now time to test and start using it! 👨‍🔬

Mount your encrypted remote drive

To be able to use it, you need to mount it on your server or Synology NAS.
Start by creating a folder where you want to mount it with, for example, mkdir /mnt/GDrive1on your server or mkdir /volume1/rclone/GDrive1 on your Synology NAS.

On your server

To ensure your encrypted remote drive is always mount on boot, you need to create a systemd service:

1. Create the service file with nano /etc/systemd/system/GDrive1Crypt.service
2. Copy/Paste the service below and update the correct path to rclone.conf
3. Save with Ctrl+X and Y
4. Reload the list of systemd scripts with sudo systemctl daemon-reload
5. Start the service with sudo systemctl start GDrive1Crypt.service
6. Enable it so it runs automatically on boot with sudo systemctl enable GDrive1Crypt.service

[Unit]
Description=Mount GDrive1Crypt
AssertPathIsDirectory=/mnt/GDrive1
After=networking.service

[Service]
Type=simple
ExecStart=rclone mount --config=/home/thelazyfox/.config/rclone/rclone.conf GDrive1Crypt: /mnt/GDrive1 --allow-other --cache-db-purge --fast-list --poll-interval 10m
ExecStop=/bin/fusermount -u /mnt/GDrive1
Restart=always
RestartSec=10

[Install]
WantedBy=default.target

On your Synology NAS

As it's not possible to create systemd service on Synology NAS, you need to create a task running on each boot:

1. Open "Control Panel"
2. Click on "Create" > "Triggered Task" > "User-defined script"
3. Define a name, select "Boot-up" as Event and move to the tab "Task Settings"
4. In the "Run command" section, enter the script below
5. Optional: You can choose to receive the run details if there is an issue to your email address by checking the two boxes and entering your email address
6. Click on "OK" to save
7. Select your task and click on "Run"

rclone mount --config=/var/services/homes/thelazyfox/.config/rclone/rclone.conf GDrive1Crypt: /volume1/rclone/GDrive1 --allow-other --cache-db-purge --fast-list --poll-interval 10m 

Testing

You can now copy or create files in this folder and you should see them encrypted on your Google Drive! 🚀

🎉 Congrats! You have mounted your first encrypted and cached remote drive with rclone and Google Drive! Rclone is a very powerful tool with a lot of others interesting features!

If for any reason you can't access to your GDrive remote, refresh your tocken with rclone config reconnect GDrive1:

Thanks to Aerya & MrPsycho for support and resources!

Feel free to share your setup and experiences with rclone on Discord!

You waste too much time visiting every single day your favorite websites?
You care about privacy and don't want any website to know your preferences?
You don't want to miss any GitHub release from your favorites software?
No worries! FreshRSS can solve all your problems!

Installation

Once again, nothing very complex here, the docker image is provided by LinuxServer 🦦.

First thing first, you need to create a folder for this project and put inside your docker-compose.yml file.

version: "2.3"
services:
  freshrss:
    container_name: freshrss
    image: lscr.io/linuxserver/freshrss:latest
    restart: unless-stopped
    ports:
      - 8082:80
    environment:
      - PUID=1026
      - PGID=100
      - TZ=Europe/Paris
    volumes:
      - /home/thelazyfox/docker/freshrss/config:/config

Please remember to create all folders and files before trying to launch your docker-compose.

How does it look like on my server:

freshrss/
      |_ docker-compose.yaml
      |_ config/

And now, you just have to launch your docker-compose file with the following command cd freshrss && docker-compose up -d

Features

In FreshRSS, you can manage everything you need around your RSS feeds including:

• Categories
• Labels
• Archiving strategy
• What to display on your main feed
• Multi users is supported so you can share it with your family
• Customize the theme
• Add addons

Tips: If you want to follow the releases of your favorite applications, just enter the releases GitHub page of the project. Example: https://github.com/xbmc/xbmc/releases/

I let you discover all features, feel free to share your favorites!

This article will detail all the hardware and software I have used to monitor the temperatures from a fridge and freezer to ensure they never go crazy. It comes with notifications as well in case of issues.

First things first, the hardware!

To be able to get this result, you will need:

1. A Raspberry Pi with Raspbian, it will not consume a lot of power and CPU so Model 1 or 2 are enough
2. One or more DS18B20 sensors (I'm using 2), depending on how many temperatures you want to capture. They are waterproof and coming with a 2 meters long wire so you can keep your Raspberry Pi far away and safe
3. A breadboard, it will make your testing and wiring much easier
4. A 4.7 kOhm resistor
5. A server to run Docker with Grafana and influxDB, the Raspberry Pi's job is only about capture and push of the data to InfluxDB. You can also run everything on a Raspberry Pi but you will need a more performant one

Hardware installation

1. As a first step, shut down your Raspberry Pi and plug the sensors and resistor accordingly to the schema above
2. Open raspi-config with sudo raspi-config
3. Select Interfacing Options
4. Highlight 1-wire and set it to Yes then confirm with Select
5. Reboot your Raspberry Pi with sudo reboot

Sensors configuration

Now we will check if the Raspberry Pi recognize the sensors and can capture temperature

Sensors requirements

1. You first need to register all the sensors you have plugged to the GPIO4, run sudo modprobe w1-gpio so the Raspberry Pi is aware of it
2. Now, tell to the Raspberry Pi it can measure temperature on the 1-Wire system with sudo modprobe w1-therm
3. It's important to load these 2 modules automatically on next boot. For that purpose, edit the modules file with sudo nano /etc/modules and add inside w1-gpioand w1-therm like below
4. Save with Ctrl+X and Y

Testing the sensors

You need to ensure the sensors are capturing the temperature correctly.

1. Browse the 1-wire devices folder with cd /sys/bus/w1/devices
2. List all devices with ls. The DS18B20 sensors start with 28- followed by the serial number of the sensor
3. Enter in one of the sensors directory and read the file w1_slavewith cd 28-yyyy && cat w1_slave (replace yyyy by your sensor's serial number)
4. The value you will see at the end of the second line is the current temperature in degrees Celcius (you need to divide it by 1000, t=-16812 means -16.812°C)
5. The first line contain a CRC, if the value is not YES, you might have a defect in your sensor or in its wiring

Prepare InfluxDB and Grafana to receive the Data

Build the stack

Let's build Grafana and InfluxDB as a docker-compose stack.

version: "2.3"
services:
  influxdb:
    image: influxdb:1.8-alpine
    container_name: monitoring-temperature-influxdb
    restart: always
    ports:
      - "8083:8083"
      - "8086:8086"
      - "8090:8090"
    environment:
      - PUID=1026
      - PGID=1000
      - TZ=Europe/Paris
    env_file:
      - /home/thelazyfox/docker/monitoring-temperature/influxdb/env.influxdb
    volumes:
      - /home/thelazyfox/docker/monitoring-temperature/influxdb/data:/var/lib/influxdb

  grafana:
    image: grafana/grafana
    container_name: monitoring-temperature-grafana
    restart: always
    ports:
      - "3000:3000"
    links:
      - influxdb
    volumes:
      - /home/thelazyfox/docker/monitoring-temperature/grafana/data:/var/lib/grafana
    environment:
      - PUID=1026
      - PGID=1000
      - TZ=Europe/Paris
      - GF_RENDERING_SERVER_URL=http://10.1.1.11:8123/render
      - GF_RENDERING_CALLBACK_URL=http://10.1.1.11:3000/
      - GF_LOG_FILTERS=rendering:debug
      - GF_INSTALL_PLUGINS=grafana-clock-panel,briangann-gauge-panel,natel-plotly-panel,grafana-simple-json-datasource
      - GF_AUTH_ANONYMOUS_ENABLED=true
      - GF_AUTH_ANONYMOUS_ORG_NAME=Home
    labels:

  grafana-image-renderer:
    image: grafana/grafana-image-renderer
    container_name: monitoring-temperature-grafana-image-renderer
    restart: always
    ports:
      - "8123:8081"
    environment:
      - PUID=1026
      - PGID=1000
      - TZ=Europe/Paris
      - IGNORE_HTTPS_ERRORS=true
      - LOG_LEVEL=debug
      - RENDERING_DUMPIO=true
      - RENDERING_MODE=default
      - ENABLE_METRICS=true

Please remember to create all folders and files before trying to launch your docker-compose.

How does it look like on my server:

monitoring-temperature/
      |_ docker-compose.yaml
      |_ influxdb/
          |_ env.influxdb/ 
          |_ data/ 
      |_ grafana/          
          |_ data/ 

Few notes regarding the stack:

• grafana-image-renderer is used to integrate charts screenshot in the notifications
• grafana-image-renderer IP and port must be updated into GF_RENDERING_SERVER_URL environment variable of grafana service
• Grafana's IP and port must be updated into GF_RENDERING_CALLBACK_URL environment variable of grafana service

And now, launch your docker-compose file with the following command cd monitoring-temperature && docker-compose up -d

Configure InfluxDB

It's time to create your InfluxDB database.

1. Enter in your container with docker exec -it monitoring-temperature-influxdb bash
2. Open InfluxDB shell with influx
3. Create your database named "temp_logger_db" with CREATE DATABASE temp_logger_db
4. Confirm it was successfully created by running SHOW DATABASES
5. You can now enter exit and exit again to resume

Configure Grafana

Grafana is accessible on port 3000, login with the default account admin:admin to link InfluxDB as a data source into Grafana.

1. Open Settings
2. Select "Data Sources" tab
3. Click on "Add data source"
4. Search and select "InfluxDB"
5. Configure as below (Server URL, Database name and credentials)

Capture data with Python3 on Raspberry Pi

InfluxDB is ready and Grafana is connected to InfluxDB. Now it's time to go back on your Raspberry Pi to capture sensors' data from the files we saw before and inject them into InfluxDB.

Install dependencies

You need to install python3 and its influx library with sudo apt-get install python3 python3-pip && pip install influxdb

Create the script

1. To capture the data, you have to create the python script below with sudo nano templogger.py
2. Replace the sensors serial numbers on line 17 and integrate your InfluxDB information on line 20 to 23 and save
3. Test the script by running /usr/bin/python3 /home/pi/templogger.py -db=temp_logger_db -sn=data
4. You should see your temperatures

# -*- coding: utf-8 -*-
import os
import glob
import argparse
import time
import datetime
import sys
from influxdb import InfluxDBClient

os.system('modprobe w1-gpio')
os.system('modprobe w1-therm')

base_dir = '/sys/bus/w1/devices/'
device_folders = glob.glob(base_dir + '28*')

# List of temperature sensors from base_dir. Add as much as you want.
sensors=['28-012032d0174e', '28-012032e0a6f0']

# InfluxDB parameters
host = "10.1.1.11"
port = 8086
user = "root"
password = "root"

def get_args():
    parser = argparse.ArgumentParser(description='Push Celsius temperatures from DS18B20 sensors to an Influx database.')
    parser.add_argument(
        '-db', '--database', type=str, help='Database name', required=True)
    parser.add_argument(
        '-sn', '--session', type=str, help='Session', required=True)
    now = datetime.datetime.now()
    parser.add_argument(
        '-rn', '--run', type=str, help='Run number', required=False,
        default=now.strftime("%Y%m%d%H%M"))
    
    args = parser.parse_args()
    db_name = args.database
    run_no = args.run
    session = args.session
    return db_name, session, run_no

def read_temperature_raw(device_file):
    f = open(device_file, 'r')
    lines = f.readlines()
    f.close()
    return lines

def read_temperature(device_file):
    lines = read_temperature_raw(device_file)

    # Wait for the file to be available with a valid CRC
    while (not lines) or (lines[0].strip()[-3:] != 'YES'):
        time.sleep(0.2)
        print ("Retrying...")
        lines = read_temperature_raw(device_file)

    # Get the temperature value from the file
    equals_pos = lines[1].find('t=')

    # Convert to Celcius and round to 1 decimal
    if equals_pos != -1:
        temperature_string = lines[1][equals_pos+2:]
        temperature = float(temperature_string) / 1000.0
        temperature = round(temperature, 1)

    return temperature

def get_data_points():
    # Go through all sensors to get the temperature
    for sensor in range (len(sensors)):
        device_file=device_folders[sensor]+ '/w1_slave'
        sensors[sensor] = read_temperature(device_file)
        print (device_file,sensor,sensors[sensor])
    timestamp=datetime.datetime.utcnow().isoformat()

    # Create Influxdb datapoints
    datapoints = [
        {
            "measurement": session,
            "tags": {"runNum": run_no,},
            "time": timestamp,
            "fields": {"temperature 1":sensors[0],"temperature 2":sensors[1]}
        }
        ]
    return datapoints

# Get values from arguments
db_name, session, run_no = get_args()
print ("Session: ", session)
print ("Run No: ", run_no)
print ("DB name: ", db_name)

# Initialize the Influxdb client
client = InfluxDBClient(host, port, user, password, db_name)

# Collecting and pushing data
datapoints=get_data_points()
bResult=client.write_points(datapoints)
print("Write points {0} Bresult:{1}".format(datapoints, bResult))

Run it automatically as a cron job

You want to capture the data as soon as the Raspberry Pi is turned on and on a regular basis, for that purpose, we need to create a cronjob.

1. Open the crontab with crontab -e
2. Add this line to run the script every minute: * * * * * /usr/bin/python3 /home/pi/templogger.py -db=temp_logger_db -sn=data
   If you need help with crontab to change the frequency, you can use cronhub
3. Update the script's path and the database name if needed
4. Save with Ctrl+X and Y
5. It's over!

Run it as a service with systemd

As an alternative, you can also manage your data capture with a systemd service. First you will need to slightly alter the script.

Adapt the script

Replace the section "Collecting and pushing data" from the previous script with this one:

# Collecting and pushing data
try:
     while True:
        datapoints=get_data_points()
        bResult=client.write_points(datapoints)
        print("Write points {0} Bresult:{1}".format(datapoints,bResult))
        time.sleep(60)
       
except KeyboardInterrupt:
    print ("Program stopped by keyboard interrupt [CTRL_C].")

Create and start the service

1. Create the file with nano /etc/systemd/system/templogger.service
2. Copy/Paste the service below and update the script's path and the database name if needed
3. Save with Ctrl+X and Y
4. Reload the list of systemd scripts with sudo systemctl daemon-reload
5. Start the service with sudo systemctl start templogger.service
6. Enable it so it runs automatically on boot with sudo systemctl enable templogger.service

[Unit]
Description=Temp Logger
After=multi-user.target

[Service]
Restart=on-failure
RestartSec=5s
Type=idle
User=pi
Group=pi
ExecStart=/usr/bin/python3 /home/pi/templogger.py -db=temp_logger_db -sn=data

[Install]
WantedBy=multi-user.target

✌🏼 By crontab or by service, your temperatures are now captured every 60 seconds in InfluxDB! You can now start building your Grafana Dashboard.

Start building your Grafana Dashboard

1. Create a new Dashboard
2. Add a new Panel and configure the Query as below
3. Source InfluxDB from default, the dataset is data (you can customize it by changing the value of -sn in the command)
4. Select field(temperature1) (you will see one value per sensor)
5. Format as Time series
6. Save

🎉 Congrats! Your Raspberry Pi is now capturing temperatures and pushing it in an InfluxDB available through Grafana!
Feel free to share your Dashboards and alerts on Discord!

Since I initially wrote this article, I have printed my own board to replace the breadboard. I've designed it on EasyEDA. I put it for download below, feel free to use it and print it with jlcpcb.com.

Docker provides natively an healthcheck system, when a container has an healthcheck configured, it comes with an health status in addition to its normal status. This status is initially starting. Whenever a health check passes, it becomes healthy (whatever state it was previously in). After a certain number of consecutive failures, it becomes unhealthy.

The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working. This can detect cases such as a web server that is stuck in an infinite loop and unable to handle new connections, even though the server process is still running.

Nevertheless, a huge amount of Docker container providers don't implement this feature.

No worries, there is a way to integrate an healthcheck in your docker compose file and this is the purpose of this post! 🚀

Healthchecks with Docker Compose

This is how it looks like in your docker-compose.yml file.

healthcheck:
  test: ["CMD", "curl", "-f", "http://localhost"]
  interval: 1m30s
  timeout: 10s
  retries: 3
  start_period: 40s

interval, timeout and start_period are self explanatory. interval is the frequency the test is run, timeout is the time allocated to run the test before its considered as failed and start_period , the time to wait before the first test is started to give time to your container to start. They are specified as durations. retriesis the number of tentatives before considering the test as failed.

Now let's talk about test, this is the actual test docker is going to execute to determine if your docker is healthy or unhealthy. It must be either a string or a list. If it's a string, just put the full command. If it’s a list, the first item must be NONE, CMD or CMD-SHELL.

• NONE, no healthcheck will run including the one in the container if there is one
• CMD, it must be followed by the command and all its argument as part of the list
• CMD-SHELL,  followed by a string it’s equivalent to just specifying  that string

Let's go through some examples to hit the local webserver to see if its running correctly:

# CMD option
test: ["CMD", "curl", "-f", "http://localhost"]

# CMD-SHELL option
test: ["CMD-SHELL", "curl -f http://localhost || exit 1"]

# String option
test: "curl -f https://localhost || exit 1"

Healthcheck and dependencies

You probably already use depends_on to ensure some containers are started before launching another one.

depends_on:
   - mycontainer
   
# OR 

depends_on:
   mycontainer:
      condition: service_started

Now you can wait until the container turns healthy! ✌🏼

depends_on:
  mycontainer:
    condition: service_healthy

And now, what if?

My container is not a webserver

When your container is not running a webserver, you will need to define what command to run to ensure its healthy.

Some containers contain interesting command like postgrewhich comes with pg_isreadyto know if the database server is up and running. Check the documentation if you want to customize it.

test: ["CMD-SHELL", "pg_isready -U user"]

With influxdb, you can list all databases which will indeed confirm the up and running state of your container.

test: ["CMD-SHELL", "influx -execute 'SHOW DATABASES' || exit 1"]

My container doesn't have curl

Some of the containers running a webserver don't contain curl, no worries, you can still use wget.

test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider --no-check-certificate http://localhost/ || exit 1"]

My container uses another container's network

And finally, what if you are routing a container traffic through a vpn container?

In this case, it's important to hit the local webserver through the vpn container in your healthcheck's test.

In the example below, I'm testing the internal port of the container through the VPN IP address. By doing this, you ensure your container will turn unhealthy if your VPN container is restarting or just down.

version: "2.3" 
services: 
  vpn:
    container_name: my-vpn
    [...]
    networks:
      default:
        ipv4_address: 172.21.0.2
    ports:
      - 8888:1111
    [...]

  mycontainer:
    container_name: my-container
    [...]
    depends_on:
     - vpn
    network_mode: "service:vpn"
    [...]
    healthcheck:
      test: ["CMD-SHELL", "curl --fail http://172.21.0.2:1111/ || exit 1"]
      start_period: 120s
      interval: 60s
      timeout: 10s
      retries: 3

networks:
  default:
    external:
      name: my-vpn-network

My container is unhealthy

If your container is unhealthy, you can use some of the containers able to restart unhealthy ones automatically. I recommend willfarrell/docker-autoheal or qdm12/deunhealth. I personnaly use the second one, written in Go like Docker it directly uses the Docker API.

The docker-compose.yml file is super simple to setup, no volume to map.

version: "3.7"
services:
  deunhealth:
    image: qmcgaw/deunhealth:latest
    container_name: deunhealth
    network_mode: "none"
    environment:
      - LOG_LEVEL=info
      - HEALTH_SERVER_ADDRESS=127.0.0.1:9999
      - TZ=Europe/Zurich
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

🎉 Now it's your turn to healthcheck all your containers!

Today, I'm presenting to you an interesting project from henrywhitaker3 on GitHub called Speedtest-Tracker. In few words, this is a self-hosted and always-on speed test solution.

It uses Ookla's Speedtest cli to exectue the speedtest and uses Chart.js to display awesome charts with the results. The application is developed with Laravel for the back-end and the front-end uses React.

Installation

Speedtest-Tracker is a Docker image, so we will use docker-compose as usual. Like TheLounge, the file is straight-forward, you need to map your configuration folder and that's it.
Please note the environment variable OOKLA_EULA_GDPR=true which is mandatory to accept Ookla's EULA and privacy agreements in order to use this container.

version: '3'
services:
  speedtest:
    container_name: speedtest-tracker
    image: henrywhitaker3/speedtest-tracker:latest
    restart: unless-stopped
    ports:
      - 8765:80
    volumes:
      - ./config:/config
    environment:
      - TZ=Europe/Zurich
      - PUID=1026
      - PGID=100
      - OOKLA_EULA_GDPR=true
    logging:
      driver: "json-file"
      options:
        max-file: "10"
        max-size: "200k"

Features

• It runs a speedtest automatically every hour
• Charts to see the history of your speedtests
• Backup/restore any data in JSON or CSV format
• Notifications through Slack, Discord or Telegram
• Organizr integration
• healthchecks.io integration
• InfluxDB integration (currently v1 only, v2 is a WIP)

It doesn't work?

Some users have reported issues to accept the Ookla's EULA and privacy agreements. If you can't get any speedtest results, try this:

1. Execute docker exec -it speedtest-tracker bash to get into the container
2. Run php /config/www/artisan speedtest:eula to force the acceptation
3. Restart your container with docker restart speedtest-tracker

The Lounge is the perfect solution for you if you are looking for an "Always connected" and self-hosted IRC client.

Installation

This application is available on GitHub and DockerHub and is super straight-forward to install.
On my side, I installed it using docker-compose. No worries, you can find well detailed package or Docker installation steps in their documentation.

First thing first, you need to create a folder for this project and put inside your docker-compose.yml file.

As you know, IRC provide features to get other user hostname or IP address very easily, for that reason, we are going to run it behind a VPN.
I will not get into details regarding the VPN part, if you need more details, read the article Routing Docker traffic through a VPN container.

Routing Docker traffic through a VPN container

I’m using a VPN for years now but I recently decided to route the traffic of some of my container through a VPN connection to by-pass some country-specific restrictions and to enhance my privacy.

TheLazyFox's BlogTheLazyFox

The docker-compose.yml file is pretty simple to setup, you just need to map the config folder.

version: "3.2"
services:
  vpn:
    container_name: vpn-thelounge
    image: dperson/openvpn-client:latest
    restart: unless-stopped
    networks:
      default:
        ipv4_address: 172.30.0.2
    dns:
      - 9.9.9.9
      - 8.8.8.8
    ports:
      - 9000:9000
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
    security_opt:
      - label:disable
    environment:
      - PUID=1026
      - PGID=100
      - TZ=Europe/Paris
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - /home/thelazyfox/docker/thelounge/vpn/config:/vpn
    command: '-f "" -r 172.30.0.2/24'
    healthcheck:
      test: ["CMD", "curl", "-Ss", "ifconfig.co"]
      start_period: 5s
      interval: 60s
      timeout: 10s
      retries: 3

  thelounge:
    container_name: thelounge
    image: thelounge/thelounge:latest
    restart: unless-stopped
    depends_on:
       - vpn
    network_mode: "service:vpn"
    environment:
      - PUID=1026
      - PGID=100
      - TZ=Europe/Paris
    volumes:
      - /home/thelazyfox/docker/thelounge/config:/var/opt/thelounge

networks:
  default:
    driver: bridge
    ipam:
      config:
        - subnet: 172.30.0.0/16
          gateway: 172.30.0.255

Please remember to create all folders and files before trying to launch your docker-compose.

How does it look like on my server:

thelounge/
      |_ docker-compose.yaml
      |_ config/
      |_ vpn/          
          |_ config/ 

And now, you just have to launch your docker-compose file with the following command cd thelounge && docker-compose up -d

Features

TheLounge is very easy to use and complete so I will let you discover all the features by yourself.

We can highlight as main capabilities:

• Push notifications
• File upload
• Always connected
• Responsive interface
• Multi user support
  In case of trouble, their user administration doc is super complete
• Themes management
  TheLounge is currently integrated into Theme.park if you are looking for custom themes

Theme.park: Custom themes for your favorite apps!

Theme.park is a Github project which propose a collection of of themes/skins for most of your favorites apps!

TheLazyFox's BlogTheLazyFox

If you still have some doubts, give a try to the demo client.

Conclusion

TheLounge is the best self-hosted IRC solution available from my point of view, easy to setup and configure. It's a must-have in your setup, go for it!

The LinuxServer team has deprecated their image linuxserver/rtorrent/rutorrent due to a lack of maintainers!
They now suggest to use crazymax/rtorrent-rutorrent instead. I have decided to give it a try and finally after few tests and adaptations, I have migrated for good!

I will detail below all customization I have made to keep the same experience and usage I had with the previous one.

ℹ️ It's important to mention that most of the changes introduced on this image has been made, by the author, to avoid to use rutorrent plugins at the maximum.

More details below! 😉

Please note that this image can be even more customized if you build it yourself

Download folders

Linuxserver is using:

• A temp folder  /downloads/incoming
• A finished folder /downloads/completed
• A watch folder /downloads/watch available to be used with Autotools>AutoWatch

Crazy-max is using:

• A temp folder /downloads/temp
• A finished folder /downloads/complete ⚠️Note the slight difference here
• A watch folder /data/rtorrent/watch which is the default rtorrent folder (Remember the note about getting rid of rutorrent plugins?)
• I have anyway created /data/watched to keep using Autotools>AutoWatch easily

Configuration

Environment file and port management

A lot of settings can be configured from the environment file, please find below mine and some explanations

• The property RU_REMOVE_CORE_PLUGINS gives you the ability to remove completely some rutorrent plugins when you create your container (Remember the note about... ok you got it!). Be careful, some components have cross-dependencies! For example, Autotools requires data to work properly.
• At the end of the file, you can see 5 properties to customized all the ports. It's a feature I have requested, thanks for the super-fast implementation.  This is a must have if you want to use more than one container behind VPN and avoid conflicts
• I also customized MEMORY_LIMIT and UPLOAD_MAX_SIZE for container with huge volumes of data
• Find out more on GitHub

TZ=Europe/Paris
PUID=1026
PGID=100

MEMORY_LIMIT=1024M
UPLOAD_MAX_SIZE=32M
OPCACHE_MEM_SIZE=256
MAX_FILE_UPLOADS=10
REAL_IP_FROM=0.0.0.0/32
REAL_IP_HEADER=X-Forwarded-For
LOG_IP_VAR=remote_addr

XMLRPC_AUTHBASIC_STRING=rTorrent XMLRPC restricted access
RUTORRENT_AUTHBASIC_STRING=ruTorrent restricted access
WEBDAV_AUTHBASIC_STRING=WebDAV restricted access

RT_LOG_LEVEL=info
RT_LOG_EXECUTE=false
RT_LOG_XMLRPC=false

RU_REMOVE_CORE_PLUGINS=httprpc,_cloudflare,_noty,_noty2,cookies,extratio,extsearch,feeds,filedrop,history,loginmgr,lookat,retrackers,rss,rssurlrewrite,rutracker_check,scheduler,screenshots,show_peers_like_wtorrent,spectrogram,trafic,unpack,uploadeta,xmpp
RU_HTTP_USER_AGENT=Mozilla/5.0 (Windows NT 6.0; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
RU_HTTP_TIME_OUT=30
RU_HTTP_USE_GZIP=true
RU_RPC_TIME_OUT=5
RU_LOG_RPC_CALLS=false
RU_LOG_RPC_FAULTS=true
RU_PHP_USE_GZIP=false
RU_PHP_GZIP_LEVEL=2
RU_SCHEDULE_RAND=10
RU_LOG_FILE=/data/rutorrent/rutorrent.log
RU_DO_DIAGNOSTIC=true
RU_SAVE_UPLOADED_TORRENTS=true
RU_OVERWRITE_UPLOADED_TORRENTS=false
RU_FORBID_USER_SETTINGS=false
RU_LOCALE=UTF8

RT_DHT_PORT=6840
XMLRPC_PORT=8040
RUTORRENT_PORT=33440
WEBDAV_PORT=9040
RT_INC_PORT=50040

.rtorrent.rc customization

The .rtorrent.rc configuration file (/data/rtorrent/.rtorrent.rc) contains by default few customization worth to mention.

First of all, these 2 lines:

# Watch a directory for new torrents, and stop those that have been deleted
schedule2 = watch_directory, 1, 1, (cat,"load.start=",(cfg.watch),"*.torrent")
schedule2 = untied_directory, 5, 5, (cat,"stop_untied=",(cfg.watch),"*.torrent")

They activate the usage of the rtorrent watch folder (/data/rtorrent/watch) to import the torrent and label them (if inside a folder) to get rid of Autotools>Autowatch and Autotools>Autolabel. I have commented these 2 lines as rtorrent watch feature is not recursive above one folder so I will keep using Autotools.
In addition, it creates also a binding between the torrent file in the watch folder (which is not delete when imported) and its session. Remove one removes the other one and I didn't want to use it that way.

Then there is 3 lines to avoid using Autotools>Automove. I have commented it as well to keep using Autotools.

# Move finished (no need Autotools/Automove plugin on ruTorrent)
method.insert = d.get_finished_dir, simple, "cat=$cfg.download_complete=,$d.custom1="
method.insert = d.move_to_complete, simple, "d.directory.set=$argument.1=; execute=mkdir,-p,$argument.1=; execute=mv,-u,$argument.0=,$argument.1=; d.save_full_session="
method.set_key = event.download.finished,move_complete,"d.move_to_complete=$d.data_path=,$d.get_finished_dir="
directory.default.set = (cat,(cfg.download_complete))

And last but not least!

# Erase data when torrent deleted (no need erasedata plugin on ruTorrent)
method.set_key = event.download.erased,delete_erased,"execute=rm,-rf,--,$d.data_path="

⚠️This is a warning sign to catch your attention as its a topic worth to mention!
This configuration is setup to automatically delete all data files associated with a torrent when using the function "Remove" in the interface which normally only remove the torrent and not the data.
To remove the torrent and the data, you will normally have to use Remove and Delete data in the interface, which is provided by the plugin erasedata. The author of the image put this configuration line by default to avoid having to use erasedata plugin, nevertheless I do not agree with that and I find the ability to remove a torrent without touching its data pretty useful so I also commented this line.

Using Delete to remove the torrent but not the data is useful for torrent which do not verify at 100% for example (missing a file or whatever)

Migrating torrents and session

After few tests, I was not able to migrate "easily" my session folder between the 2 images. I tried to:

• Copy the session folder content from one image to the other
• Run a search and replace /downloads/completed to /downloads/complete
• Start the container

It never worked as expected! As you know me well, I never would have accepted to migrate manually one by one so I did a python script to ease this by:

• Find all torrents in the watch folder (Do a copy before!)
• Read the associated session files
• Extract the path after /downloads/completed
• Rebuild a tree of folders and move .torrent inside so you can just move it in your watch folder and let the magic happens! ✨

You will have to run through the content checking for all of them but at least, no manual operations.

import re
import sys,os
import shutil
import urlparse

try:
    os.makedirs("_done")
except OSError:
    if not os.path.isdir("_done"):
        raise

files = [f for f in os.listdir('.') if os.path.isfile(f)]

for f in files:
    if f.endswith('.torrent'):

        print("Filename:" + f)
        sessionFilename = f +".rtorrent"
        libFilename = f +".libtorrent_resume"

        print("-- Session:" + sessionFilename)
        print("-- Libresume:" + libFilename)

        # Reading session file to get the current path
        with open (sessionFilename, 'rt') as sessionFile:
            sessionContent = sessionFile.read()

        # Extract path with regex
        results=re.search(r'(?<=:\/downloads\/complete\/)(.*?)(?=7:hashing)', sessionContent)
        if results is not None:
            pathRaw=results.group(1)
            print("-- pathRaw:" + pathRaw)
        else:
            pathRaw=None

        if pathRaw:
            # Remove the base path
            pathCleaned=pathRaw.replace("/downloads/completed/", "")

            # Remove trailing slash
            pathTarget=re.sub('/[^/]+$', '/', pathCleaned)

            print("-- Path:" + pathCleaned)
            print("-- Target:" + pathTarget)
            print("-----------------------")

            # Create the path

            try:
                os.makedirs(pathTarget)
            except OSError:
                if not os.path.isdir(pathTarget):
                    raise

            # Move the files
            path = os.path.join(pathTarget, f)
            shutil.move(f, path)
            shutil.move(sessionFilename, "_done")
            shutil.move(libFilename, "_done")

When all of this was done, I had a tought 💡
The session incompatibility might be due to the removal of some plugins in the new image, you should try without first and let me know 😉

Others features!

This image contains somes interesting features like the theme importing which let you import new one by just adding a folder into /data/rutorrent/themes. The same works for plugins into /data/rutorrent/plugins.

You can also overload an existing configuration by adding files into /data/rutorrent/plugins-conf. You can find an example below to active debug and increase the interval of Autotools plugin.

<?php

    // set interval for schedule command in seconds
    $autowatch_interval = 60;

    // set "true" to enable debug output
    $autodebug_enabled = true;

The image also includes a pretty straightforward way to manage the htaccess authentication, more information in the official documentation.

Conclusion

I didn't want to keep using a deprecetad image and I've been seduced by this one and all its possible customizations like the themes or plugins importer/overloader.
The easy port customization is awesome as well!

I hope it helped! Stay tuned!

I recently faced a problem with my computer, every time I was setting it in sleep mode it was waking up automatically after few seconds. As I had no explanation at the first sight, I started to dig and I learn few things.

First of all, Windows provides the ability to schedule timers to wake your computer. I never used that but just to clear this cause, you can run the following command in your Command Prompt (Win + R > cmd > Enter)

It confirms to me there is nothing configured! Next!

The following command shows which devices are authorized to wake up your computer, like your mouse or keyboard for example. We are all used to hit one of them to wake the computer, right?

As my network adapter is part of that list, I was thinking about a Wake-On-Lan behavior triggered from another device on the network but as it's part of a bigger list, I wanted to be sure and finally found the perfect command for this.

This command provides information about the last timer or device which woke up your computer. To make it efficient, put your computer in sleep mode, wait for the undesired wake up to happen and then run the command.

It confirms the theory! A device on my network obviously doesn't want my computer to sleep quietly!

Now I need to turn that off and there is two options for that:

1. Chase the signal and shut it down
2. Configure my computer to not take care of that signal

As I really don't want any device to be able to wake up my computer, I have looked at the second option first, to kill the problem and it's pretty easy to do.

1. Hit Win + R > type devmgmt.msc > Enter
2. Identity the network adapter found with the command above
3. Right-click > Properties
4. Open "Power Management" tab
5. Uncheck "Allow this device to wake the computer"
6. Click OK and quit

Now my computer can finally sleep quietly (and so do I) without any savage packages waking it up!

Now I'm still wondering what was causing this issue. I have tried some Wake On LAN package sniffers like Wake On LAN Monitor but so far I didn't find anything.
May be because the packages are only sent when my computer is off?

If you have any suggestion, hit the comment section!

I'm using a VPN for years now but I recently decided to route the traffic of some of my container through a VPN connection to by-pass some country-specific restrictions and to enhance my privacy.

I found out a docker container which suits perfectly to what I wanted to do and I will show you how to quickly built this setup.

Prerequisites

Folder structure

As a first step, you have to create a folder structure as the following one.

docker-vpn-project/
      |_ docker-compose.yaml 
      |_ vpn
          |_ config
      |_ my-container # If needed
          |_ config

OpenVPN files

To be able to work, this container will need some OpenVPN configurations from my current VPN provider, Windscribe.

On their website, you can easily find an OpenVPN configuration generator which provides you the key elements to continue:

• An *.ovpn configuration file
• A certificate and a private key
• An username/password for the authentication

You have now downloaded and extracted all the files and it looks like this:

Now it's time to copy these files into your VPN configuration folder.

Authentication file

You will need to create a file "vpn.auth" for the credentials. This file must contains only 2 lines of text, the first one is your username and the second line is the password, both provided by your VPN provider.

Now you need to open the *.ovpn file to target the authentication file we have create. You just need to add the path of the file inside the container /vpn/vpn.auth following the existing auth-user-pass section (line 7).

How does it look on my Synology NAS:

docker-vpn-project/
      |_ docker-compose.yaml 
      |_ vpn
          |_ config
                |_ ca.crt  
                |_ ta.key
                |_ vpn.auth
                |_ Windscribe-Zurich-Alphorn-GCM.ovpn
      |_ my-container # If needed
          |_ config

Docker-compose.yaml

Now let's deep-dive into the docker-compose.yaml file. For this example, I  route through VPN a librespeed container but you can easily use this also for Sonarr, Radarr, ruTorrent, qbitTorrent, Jackett, Prowlarr, etc.

version: "2.3" 
services: 
  vpn:
    container_name: my-vpn
    image: dperson/openvpn-client:latest
    restart: unless-stopped
    networks:
      default:
        ipv4_address: 172.51.0.2
    dns:
      - 9.9.9.9
    ports:
      - 1234:80
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
    security_opt:
      - label:disable
    environment:
      - PUID=1026
      - PGID=100
      - TZ=Europe/Zurich
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - ./vpn/config:/vpn
    command: '-f "" -r 192.168.0.0/24'
    healthcheck:
      test: ["CMD-SHELL", "if [ $$(curl --silent https://ifconfig.co/country-iso) = 'DE' ]; then exit 0; else exit 1; fi"]
      start_period: 5s
      interval: 5s
      timeout: 10s
      retries: 3

  my-container:
    image: linuxserver/librespeed:version-5.2.4
    container_name: my-container
    restart: unless-stopped
    network_mode: "service:vpn"
    environment:
      - PUID=1026
      - PGID=100
      - TZ=Europe/Zurich
 
networks:
  default:
    driver: bridge
    ipam:
      config:
        - subnet: 172.51.0.0/16
          gateway: 172.51.0.255

The key section are the following:

• vpn.networks - Used to define a fixed IP address to your VPN container into the current network range
• vpn.dns - The DNS address your VPN container is going to use to resolve domains. I'm using Quad9
• vpn.dns - The ports you need to map. As all the traffic is redirected through the VPN, you need to map all the ports into the VPN container and not your services container
• my-container.network_mode - No custom port declaration, we are delegating the complete network management to the VPN service, running inside the same docker-compose.yaml file, named vpn.
  Note: If you want to run the VPN container in a separate docker-compose.yaml or docker run command, you will need to set container:vpn instead of service:vpn
• networks - We are defining the default network of this stack
• healthcheck - This healthcheck command is going to define my VPN container as unhealthy if its connection is not located in Germany

And now you are ready to test!

Container creation and connectivity

You can now create and start your Docker stack with the command:
sudo docker-compose up -d

You can check your VPN container logs to check if everything is fine. It should look like this:

As soon as both of the containers are created and started, it's time to check your connectivity and especially your IP address.

Let's start with the VPN container, you can run the following command:
sudo docker exec -it my-vpn curl ifconfig.co/json

You can see below that your IP address is now located in Zurich, the VPN is correctly connected!

Now, we are going to check the librespeed container, you can run the following command:
sudo docker exec -it my-container curl ifconfig.co/json

The result is exactly the same! Congratulations, you are now routing all your Librespeed container traffic through a VPN container! 🎉

Debug

If you encounter any issue related to the /dev/net/tun device interface, as I did on my Synology NAS, you might need to create it before.
I made a small bash file you can easily run to fix this issue!

• Create the file
  sudo nano tun.sh
• Paste this content inside

#!/bin/bash

# Create the necessary file structure for /dev/net/tun
if ( [ ! -c /dev/net/tun ] ); then
    if ( [ ! -d /dev/net ] ); then
        mkdir -m 755 /dev/net
    fi
     mknod /dev/net/tun c 10 200
fi

# Load the tun module if not already loaded
if ( !(lsmod | grep -q "^tun\s") ); then
    insmod /lib/modules/tun.ko
fi

 # Load iptables mangle is not already loaded
if ( !(lsmod |grep -q "^iptable_mangle\s") ); then
    insmod /lib/modules/iptable_mangle.ko
fi

• Make it executable
  sudo chmod +x tun.sh
• Execute it
  sudo ./tun.sh

WireGuard is a free and open-source software application and communication protocol that implements virtual private network techniques to create secure point-to-point connections in routed or bridged configurations

WireGuard is a new, modern and open-source VPN protocol. You might have heard about it as it has been merge a exactly a year ago in the Linux core.

Is my VPN Provider compatible?

Some of the most famous providers already offer WireGuard through their mobile or desktop applications and some of them also provide configuration files for custom install!

WindScribe: https://blog.windscribe.com/introducing-wireguard-76a1670700a6
NordVPN: https://nordvpn.com/fr/blog/nordlynx-protocol-wireguard
ProtonVPN: https://protonvpn.com/blog/wireguard-donation

How to use it on my Synology NAS?

I have recently discovered a GitHub project which let you build your own custom Synology package, fully compatible with your Synology NAS to let you use the "wg" and "wg-quick" commands of WireGuard.

The first step is to identity the CPU architecture your Synology NAS is running and to ensure your Kernel is above 3.10.

You can easily check all of that by searching for your Synology NAS model in the official documentation: What kind of CPU does my Synology NAS have?.

As soon as you have identity it, you can either download a pre-built version in the GitHub releases section or you can built it yourself.

Pre-built versions

It's pretty straight forward, you just have to download the .spk file matching your Synology NAS' CPU architecture.

Manual build

To build manually your package, you will have to run the following commands:

1. Connect to your Synology NAS via SSH and use a folder dedicated for that purpose
   cd /volume1/testing
2. Download the source code from GitHub
   git clone https://github.com/runfalk/synology-wireguard.git
3. Browse the source code's folder freshly cloned
   cd synology-wireguard/
4. Start the building process
   docker build -t synobuild .
5. Generate the package matching your Synology NAS' CPU architecture. On my side, it's "braswell" with DSM 6.2
   docker run --rm --privileged --network=host --env PACKAGE_ARCH=braswell --env DSM_VER=6.2 -v $(pwd):/result_spk synobuild
6. You can find the .spk file in the WireGuard. Version number will change so use the tab key.
   cd WireGuard-0.0.20210124 && ls *.spk

Package installation

You can now easily install the package with this command line or through the DSM interface: synopkg install WireGuard-braswell-1.0.20210124.spk

To activate the package, just run synoservice --start pkgctl-WireGuard.
Use synoservice --status pkgctl-WireGuard to check if the package is running correctly.

Use WireGuard

You can now use "wg" and "wg-quick" commands of WireGuard directly on your Synology NAS.

Feel free to share your projets with WireGuard in the comments. 🚀

Following my setup of AdGuard Home, I found out it can manage DNS-over-HTTPS and DNS-over-TLS but it needs valid SSL certificates for that purpose.

In addition, I was looking for a solution to generate easily a wildcard certificate to manage all subdomains applications I'm hosting on my Synology NAS without having to regenerate independantly all certificates everytime I launch a new subdomain.

I will explain to you how to generate quickly a valid SSL certificate for your Synology NAS self-hosted subdomains which can also be used in AdGuard Home.

Why didn't you used the Synology DSM built-in let's encrypt generator?

You might know that Synology offers an interface to generate the certificate with Let's Encrypt for you natively, nevertheless it doesn't support yet the wildcard, this is why I used an alternative way to do it.

Setting up your docker compose file

version: "2.1"
services:
  letsencrypt:
    image: linuxserver/letsencrypt
    container_name: letsencrypt
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1026
      - PGID=100
      - TZ=Europe/Paris
      - URL=yourdomain.tld
      - SUBDOMAINS=wildcard
      - VALIDATION=dns
      - DNSPLUGIN=cloudflare
      - EMAIL=youremailaddress@protonmail.com
      - DHLEVEL=2048
    volumes:
      - /volume1/docker/letsencrypt:/config

Few explanations regarding this docker compose:

• URL is your domain
• SUBDOMAINS=wildcard which means it will work for *.yourdomain.tld
• VALIDATION=dns as it's the only validation method authorized to generate wildcard certificates
• DNSPLUGIN=cloudflare as I'm using Cloudflare
• EMAIL is the email you associate to your certificate, it's mandatory.

If you need more detail, you can check on GitHub.

How does it look on my Synology NAS:

letsencrypt/
      |_ docker-compose.yaml
      |_ config/         

And now, you just have to launch your docker-compose file with the following command cd letsencrypt && docker-compose up -d

You will see the config folder being populated with the following folders

• crontabs
• dns-conf
• etc
• fail2ban
• keys
• logs
• nginx
• php
• www
• ...

Please monitor the logs with sudo docker logs letsencrypt to ensure the container startup phase is totally complete as it can takes time the first time.

As soon as the startup is completed, browse your volume and open dns-conf/cloudflare.ini. You need to put in that file, your Cloudflare account email address and your Cloudflare account Global API Key so the container can manage by himself the DNS challenge to prove you are the domain owner.
You need to fill the file like this:

dns_cloudflare_email = youremailaddress@protonmail.com
dns_cloudflare_api_key = yourglobalapikey

You can now save the file and restart the container with this command sudo docker-compose restart and you can check your logs again, everything should have finished smoothly. If there is any issues, it will propose you some solutions.

2048 bit DH parameters present
SUBDOMAINS entered, processing
Wildcard cert for yourdomain.tld will be requested
E-mail address entered: youremailaddress@protonmail.com
dns validation via cloudflare plugin is selected
Certificate exists; parameters unchanged; starting nginx
Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please manually download/update the GeoIP2 db and save as /config/geoip2db/GeoLite2-City.mmdb
[cont-init.d] 50-config: exited 0.
[cont-init.d] 60-renew: executing...
The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
[cont-init.d] 60-renew: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.

Congratulations, you have generated your wildcard certificate for your domain with Let's Encrypt and Cloudflare! 🎉

You can now get it by browsing your Let's Encrypt files in /etc/letsencrypt/live/yourdomain.tld . If it doesn't work, all certificates related files are also saved in /etc/letsencrypt/archive/yourdomain.tld

It's now time to use it!

If you want to use this certificate in your Synology NAS, you will need privkey1.pem and fullchain1.pem.
Just follow these few steps:

1. Login to your Synology NAS DSM interface
2. Open "Control Panel"
3. Open "Security"
4. Select the tab "Certificate"
5. Click on "Add" > "Add a new certificate" > "Next"
6. Give it a name and select "Import certificate" > "Next"
7. Set your privkey1.pem in "Private Key"
8. Set your fullchain1.pem in "Certificate"
9. Finish with "OK"

Your certificate is now available and can be assigned to your website! 🎉

Now let's set it up in AdGuard Home!

1. Login to your AdGuard Home interface
2. Open "Settings" > "Encryption settings"
3. Scroll to the section "Certificates" and paste your fullchain1.pem file content inside
4. Scroll to the section "Private Key" and paste your privkey1.pem file content inside
5. Finish with "Save config"

Congratulations, you have setup your wildcard certificate in AdGuard Home, you can now activate DNS-over-HTTPS and DNS-over-TLS! 🎉