Update readme and enable certificates in traefik.

docker-compose.yaml

@@ -10,6 +10,8 @@ networks:
     name: internal
 
 volumes:
+  letsencrypt:
+    name: letsencrypt
   mysql8-data:
     name: mysql8-data
   mysql8-backup:
@@ -37,6 +39,10 @@ services:
       - --providers.docker.swarmMode=false
       - --entryPoints.web.address=:80
       - --entryPoints.websecure.address=:443
+      - --certificatesresolvers.myresolver.acme.tlschallenge=true
+#      - --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
+      - --certificatesresolvers.myresolver.acme.email=christiansteinle@arcor.de
+      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
       - --log=true
       - --log.level=DEBUG
       - --accessLog=true
@@ -45,6 +51,7 @@ services:
       - "443:443"
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
+      - letsencrypt:/letsencrypt
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.traefik.entrypoints=web"

readme.md

@@ -2,17 +2,115 @@
 
 This repo is used to deploy the containers for the home server infrastructure. If you want to move infrastructure to another host you have to install docker and docker-compose at first.
 
+## Requirements
+
+### Docker
+
+[Offical docker installation guide for ubuntu](https://docs.docker.com/engine/install/ubuntu/)
+
+To be able to use this repo, you must have running system with a running docker instance.
+Installing docker on ubuntu:
+
+````
+sudo apt update && sudo apt upgrade
+sudo apt install ca-certificates curl gnupg lsb-release
+````
+
+Next docker's GPG key must be added to repo list:
+
+``curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg``
+
+To setup the stable repostiory:
+
+````
+echo \
+"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
+$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+````
+
+Now docker engine can be installed:
+
+````
+sudo apt- update
+sudo apt install docker-ce docker-ce-cli containerd.io
+````
+
+### Networking with macvlan
+
+To expose containers to the local network a macvlan can be used. Containers that are
+attached to this network can not be reached from the host system. To be able to reach
+these containers from the host, a second bridge has to be created and traffic must be routed to this network.
+
+* Network-Adapter of host: ``enp3s0``
+* Name of the network bridge: ``docker-bridge``
+* Free IP address of subnet out of dhcp range: ``192.168.178.19``
+
+````
+ip link add docker-bridge link enp3s0 type macvlan mode bridge
+ip addr add 192.168.178.19/32 dev docker-bridge
+ip link set docker-bridge up
+ip route add 192.168.178.0/24 dev docker-bridge
+````
+
+### IPv6 networking
+
+IPv6 is not enabled by default in docker networking. If you don't want to disable the complete IPv6 networking stack
+in your routers configuration and use pihole or unbound, IPv6 has to be enabled.
+Configuration is a bit tricky, and there might be better possibilities to get the stack running.
+
+#### Determine data that has to be used:
+
+* Private IPv6 prefix of home network \
+  ``Fritz!Box -> Heimnetz -> Netzwerk -> Netzwerkeinstellungen -> IPv6-Einstellungen -> IPv6 Präfix des Heimnetz``
+* Unique local address of router \
+  ``Fritz!Box -> Heimnetz -> Netzwerk -> Netzwerkeinstellungen -> IPv6-Einstellungen -> Unique Local Address der Fritz!Box``
+* Unique local address prefix (ULA) \
+  ``Usually the first 64 bits of routers address``
+
+#### Docker settings
+
+Edit or create ``/etc/docker/daemon.json`` and use the private IPv6 prefix of home network
+
+````
+{
+"ipv6": true,
+"fixed-cidr-v6": "2a02:8070:c3b6:2b00::/64"
+}
+````
+
+Then do a docker restart ``sudo systemctl restart docker``. Reloading was not successful in my setup.
+
+#### Docker networking
+
+For the macvlan use the router as gateway and the correct subnet. Select an IP range that has a longer Prefix for the network.
+If the prefix is as long as the ULA prefix, there is no chance to build up a second macvlan network.
+
+````
+networks:
+  home:
+    external: false
+    driver: macvlan
+    enable_ipv6: true
+    driver_opts:
+      parent: enp2s0
+    ipam:
+      config:
+        - subnet: 192.168.178.0/24
+          gateway: 192.168.178.1
+          ip_range: 192.168.178.2/30 # .2 and .3
+        - subnet: fd00::/64
+          gateway: fd00::de15:c8ff:feec:9960
+          ip_range: fd00::1/80
+    name: home
+````
+
 ## Components and structure
 
-The root's docker-compose ist used to install common components like databases and traefik.
+The root's docker-compose is used to install common components like databases and traefik.
 Subdirectories are used to structure and keep components independent. You have to run the common part, after that you can run single components.
 
 ### Common
 
-Traefik needs an external network so it can properly work. Create docker network with name **proxy**:
-
-`docker network create --gateway 192.168.2.1 --subnet 192.168.2.0/24 proxy`
-
 - traefik 2
 - portainer
 - mysql 8
@@ -27,14 +125,11 @@ Traefik needs an external network so it can properly work. Create docker network
 
 ### Networking
 
-https://sensepost.com/blog/2020/building-a-hipster-aware-pi-home-server/ \
-https://github.com/chriscrowe/docker-pihole-unbound/blob/master/two-container/docker-compose.yaml
-
 - pihole
 - unbound
 - wireguard
 - smokeping: Not used at the moment
-- netdata
+- netdata: Not used at the moment
 
 ### Nextcloud
 
@@ -47,7 +142,7 @@ https://github.com/chriscrowe/docker-pihole-unbound/blob/master/two-container/do
 
 ### VPN
 
-- wireguard
+- wireguard: Not working at the moment
 
 ### Wiki