Source Code for the Home Server setup. This includes the git server hosting this repository as well. #terraform #docker https://git.captnemo.in/nemo/nebula/
Nemo fede2951c6 testing 2018-02-26 01:10:35 +05:30
cloudflare Switches wildcard DNS entries to long-TTL CNAMEs 2017-12-26 21:08:38 +05:30
digitalocean testing 2018-02-26 01:10:35 +05:30
docker Adds heimdall 2018-02-18 13:18:20 +05:30
gitea Traefik monitoring 2018-02-10 02:26:31 +05:30
heimdall Adds heimdall 2018-02-18 13:18:20 +05:30
media Hopefully get sound ALSA on airsonic 2018-02-19 21:37:02 +05:30
monitoring Airsonic is back 2018-02-18 05:04:09 +05:30
mysql Adds tt-rss and radarr 2018-01-30 01:39:36 +05:30
radicale Switch to common traefik labels for radicale 2018-02-06 20:02:25 +05:30
resilio resilio added 2018-02-19 03:21:41 +05:30
tt-rss Switches to common labels for tt-rss 2018-02-06 20:04:44 +05:30
.editorconfig Work on proxying content via sydney 2017-11-26 16:53:34 +05:30
.gitignore Work on proxying content via sydney 2017-11-26 16:53:34 +05:30
README.md Minor updates 2018-02-18 02:16:56 +05:30
main.tf resilio added 2018-02-19 03:21:41 +05:30
providers.tf Adds digital ocean droplet 2018-02-03 13:06:19 +05:30
variables.tf Airsonic is back 2018-02-18 05:04:09 +05:30


nebula

Nebula header image

Where stars are born.

Manages the local infrastructure of my home server. I'm also writing a series of blog posts about it:

  1. Part 1, Hardware
  2. Part 2, Terraform/Docker
  3. Part 3, Learnings
  4. Part 4, Migrating from Google (and more)

The canonical URL for this repo is https://git.captnemo.in/nemo/nebula/. A mirror is maintained on GitHub.

modules

  1. docker: actually runs the services. Catch-all for miscellaneous containers.
  2. cloudflare: manages the DNS.
  3. mysql: creates MySQL users and databases.
  4. media: media-related containers (Jackett, Ombi, Radarr, Sonarr, Daapd).
  5. monitoring: monitoring-related resources (cAdvisor, Grafana, NodeExporter, Prometheus, Transmission-Exporter).
  6. gitea: just git.captnemo.in.
  7. tt-rss: Tiny Tiny RSS web reader.
  8. radicale: CardDAV/CalDAV web server.

This is a self-learning project for Terraform and Docker.

Planned

  1. ~Setup DigitalOcean~
  2. Add DO infrastructure via ansible
  3. ~Add traefik for proper proxying~
  4. Maybe add Docker Swarm (or k8s?) across both servers. Might set up the k8s API on the Raspberry Pi.

Service List

Currently running the following (all links point to the store.docker.com pages for the Docker images I'm using):

Databases

  • MariaDB as a simple database backend
  • MongoRocks as a MongoDB server. Uses RocksDB as the storage backend

Media

Plumbing

  • Traefik as a reverse proxy and for TLS termination
  • cAdvisor for basic monitoring

Misc

Lots of the above images are from the excellent LinuxServer.io, and they're doing great work 👍

Security Headers Note

The following security headers are applied by Traefik on all of its frontends for the Docker backends:

  • HSTS
  • Redirect HTTP->HTTPS
  • contentTypeNosniff: true
  • browserXSSFilter: true
  • XFO: Allow-From home.bb8.fun
  • referrerPolicy: no-referrer
  • X-Powered-By: Allomancy
  • X-Server: BlackBox
  • X-Clacks-Overhead "GNU Terry Pratchett" (On some domains)

This was waiting on Traefik 1.5.0-rc2 to fix a security-headers issue (marked as TODO above); it is now resolved with the new Traefik release.
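As an added check (not code from this repository), the following Python audit parses a raw HTTP response head and compares it against the header list above, flagging headers that are missing, have an unexpected value, or appear twice (the upstream-app-versus-proxy case from issue 2618 below). The sample heads are constructed, and the assumption that Traefik's browserXSSFilter emits `X-XSS-Protection: 1; mode=block` is mine, not stated in the README.

```python
# Expected values follow the README's bullet list ("XFO" is X-Frame-Options).
# Values are matched as case-insensitive prefixes, so HSTS only needs max-age=.
# The X-XSS-Protection value is an assumption about what browserXSSFilter emits.
POLICY = {
    "strict-transport-security": "max-age=",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
    "x-frame-options": "ALLOW-FROM home.bb8.fun",
    "referrer-policy": "no-referrer",
    "x-powered-by": "Allomancy",
    "x-server": "BlackBox",
}

def parse_head(raw):
    """Split a raw response head into (status line, [(name, value), ...]).
    Names are lower-cased; repeated headers are kept in order so the audit can
    see when both the upstream app and the proxy emitted the same one."""
    status, _, rest = raw.decode("iso-8859-1").partition("\r\n")
    headers = []
    for line in rest.split("\r\n"):
        if not line:  # blank line terminates the head
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def audit(raw):
    """Return findings for a response head; an empty list means it is compliant."""
    _, headers = parse_head(raw)
    findings = []
    for name, expected in POLICY.items():
        values = [v for n, v in headers if n == name]
        if not values:
            findings.append(f"missing {name}")
        elif len(values) > 1:
            # Upstream and Traefik both set it (the README's issue 2618 case);
            # browsers differ on which copy wins, so flag it.
            findings.append(f"duplicate {name}: {values}")
        elif not values[0].lower().startswith(expected.lower()):
            findings.append(f"unexpected {name}: {values[0]!r}")
    return findings

# Constructed sample heads: a compliant one, and one where the upstream app also
# sent X-Frame-Options and Referrer-Policy never got added.
GOOD = (b"HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=315360000\r\n"
        b"X-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\n"
        b"X-Frame-Options: ALLOW-FROM home.bb8.fun\r\nReferrer-Policy: no-referrer\r\n"
        b"X-Powered-By: Allomancy\r\nX-Server: BlackBox\r\n\r\n")
BAD = GOOD.replace(b"Referrer-Policy: no-referrer\r\n", b"X-Frame-Options: DENY\r\n")
```

Feed `audit()` the bytes up to the first blank line of a real response (for example, what `curl -sI` returns) to check a live frontend.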

Upstream

Issues I've faced/reported as a result of this project:

  1. Airsonic HTTPS proxying is broken. Reported: https://github.com/airsonic/airsonic/issues/641. Turned out to be a known issue: https://github.com/airsonic/airsonic/issues/594.
  2. Traefik docker backend security headers were broken with dashes. Reported at https://github.com/containous/traefik/issues/2493, and fixed by https://github.com/containous/traefik/pull/2496
  3. Headphones dies repeatedly with no error logs. Yet to report.
  4. Terraform doesn't parse mariadb version numbers. Report: https://github.com/terraform-providers/terraform-provider-mysql/issues/6. Got this fixed myself by filing a PR: https://github.com/hashicorp/go-version/pull/34. Another PR pending in the provider to bump the go-version dependency.
  5. elibsrv didn't support ebook-convert, only mobigen. PR is at https://github.com/captn3m0/elibsrv/pull/1. I have to get this merged upstream for the next release.
  6. ubooquity docker container doesn't let you set admin password: https://github.com/linuxserver/docker-ubooquity/issues/17. (Couldn't reproduce, closed)
  7. Traefik customResponseHeaders can't contain colons on the Docker backend: https://github.com/containous/traefik/issues/2517. Fixed with https://github.com/containous/traefik/pull/2509
  8. Traefik Security headers don't overwrite upstream headers: https://github.com/containous/traefik/issues/2618
  9. Transmission exporter broke with different data types while unmarshalling JSON in go. I filed a PR https://github.com/metalmatze/transmission-exporter/pull/2

Plumbing

There is a lot of additional infrastructure that is not yet part of this repo. This includes:

  1. The DigitalOcean droplet running DNSCrypt and simpleproxy to proxy over an OpenVPN connection to this box.
  2. Openbox and Kodi configuration to run on boot, along with the Steam Controller, for the HTPC setup.
  3. Docker main configuration with half-baked CA setup
  4. btrfs-backed subvolumes and snapshotting for most things in /mnt/xwing/ (in-progress)
  5. User-creation on the main server. (I'm using a common user for media applications and specific users for other applications)

License

All code in this repository is shared under the MIT License.