deployment/docs/doc_en.md

# Homelab Docker Server

## Version Information

The secrets will be set up progressively, taking into account the compatibility of each service.

This project configures a Homelab Docker server with a simple setup. In the future, more services will be added.

## Project Inspiration and More Details

### CrowdSec

- [CrowdSec Blog - Enhance Docker Compose Security](https://www.crowdsec.net/blog/enhance-docker-compose-security)
- [Traefik Bouncer GitHub](https://git.hhf.technology/maxlerebourg/crowdsec-bouncer-traefik-plugin)
- [Traefik Bouncer Tutorial](https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin)

### Project Architecture Inspiration and Authentik Documentation:

- [GitHub - hhf](https://git.hhf.technology/hhf/authentik_traefik)
- Thanks to @hhf

## Initial Setup

1. **Rename the `.env.example` file to `.env`.**

2. **Fill in the variables in the `.env` file:**

   - `DOMAINNAME`: Domain name.
   - `TZ`: Time zone.
   - Create an account on [CrowdSec](https://www.crowdsec.net) (free).
   - Create a secret with the API key generated on Cloudflare for Let's Encrypt. See the [tutorial here](https://youtu.be/n1vOfdz5Nm8?si=a7WRX2rLfm4HydtU&t=1012).
   - Add the Cloudflare API key to `/secret/cf_dns_api_token`.

3. Generate the secrets for Authentik:

# Secrets to Create

The following secrets (defined in the base `compose.yaml` file) need to be created:

I recommend creating secrets with the following syntax:

```bash
echo -n 'VALUE_CHANGEME' > SECRET_NAME_CHANGEME
```

Check out Traefik's info at https://doc.traefik.io/traefik/https/acme/#providers. Cloudflare specific information: https://go-acme.github.io/lego/dns/cloudflare/

- `cf_email`
- `cf_dns_api_token`
  ```bash
  echo -n 'CHANGEME@gmail.com' > cf_email
  echo -n 'CHANGEME-LONGAPI-CHANGEME' > cf_dns_api_token
  ```

Specific to Authentik (https://docs.goauthentik.io/docs/installation/docker-compose#preparation)

- `authentik_postgresql_db`
- `authentik_postgresql_user`
- `authentik_postgresql_password`
- `authentik_secret_key`
  ```bash
  echo -n 'authentik_db' > authentik_postgresql_db
  echo -n 'authentik_user' > authentik_postgresql_user
  openssl rand 36 | base64 -w 0 > authentik_postgresql_password
  openssl rand 60 | base64 -w 0 > authentik_secret_key
  ```

Create a Gmail account and enter the information:

- `gmail_smtp_username`
- `gmail_smtp_password`
  ```bash
  echo -n 'CHANGEME@gmail.com' > gmail_smtp_username
  echo -n 'CHANGEME' > gmail_smtp_password
  ```

Go to https://dev.maxmind.com/geoip/geolite2-free-geolocation-data to generate a free license key (https://www.maxmind.com/en/accounts/current/license-key) for use.

- `geoip_account_id`
- `geoip_license_key`
  ```bash
  echo -n 'CHANGEME' > geoip_account_id
  echo -n 'CHANGEME' > geoip_license_key
  ```

---

4. **Let's Encrypt Configuration in `/appdata/traefik/config/traefik.yaml`:**

   **Development Mode**

   - During installation, ensure the line `caServer: https://acme-v02.api.letsencrypt.org/directory` is commented out.
   - Replace `CHANGEME` with your email.

   **Switch to Production:**

   - Delete the `acme.json` file in `/appdata/traefik/data/`.
   - Uncomment the line `caServer: https://acme-v02.api.letsencrypt.org/directory` in `/appdata/traefik/config/traefik.yaml`.
   - Restart the project to obtain a production SSL certificate.

## Project Launch

1. **Start the project:**

   Navigate to the `/my-compose/` folder where the `docker-compose.yaml` file is located, then run the command:

   ```bash
   docker compose up -d
   ```

2. **Check the services:**

   To check if all services are active, run:

   ```bash
   docker ps
   ```

   _Tip: To read the logs of a specific container, use:_

   ```bash
   docker logs 'container_name'
   ```

3. **Add the security engine on CrowdSec:**

   - Go to [CrowdSec](https://www.crowdsec.net), click on "Add Security Engine," and copy the token displayed after `sudo`.

   ![add security engine](images/crowdsec_1.png)
   ![add security engine](images/crowdsec_2.png)

4. **Run the following command in the terminal:**

   ```bash
   docker exec crowdsec cscli console enroll -e context 'retrieved token'
   ```

   ![add security engine](images/crowdsec_3.png)

5. **Return to the CrowdSec website:**

   - In the "Engines" section, accept the invitation. You should see an active item appear.

   ![add security engine](images/crowdsec_4.png)

6. **Create the Traefik bouncer:**

   To allow CrowdSec to read Traefik logs, run:

   ```bash
   docker exec crowdsec cscli bouncers add traefik-bouncer
   ```

7. **Add the API key:**

   - Copy the generated API key and set the variable `CROWDSEC_TRAEFIK_BOUNCER_LAPI_KEY` in the `.env` file located in `/my-compose/.env`.

8. **Restart the project:**

   ```bash
   docker compose up -d --force-recreate
   ```

9. **Wait a few minutes for the CrowdSec service to activate:**

   - After a few minutes, you should see the active page on the CrowdSec web interface.

   ![add security engine](images/crowdsec_6.png)

## Additional Information

- **Logs**: To read the startup logs of CrowdSec or Traefik, use the following commands:

  ```bash
  docker logs --tail 100 -f traefik
  ```

  ```bash
  docker logs --tail 100 -f crowdsec
  ```

- **If errors occur:** Delete the `config` folder and restart the services with:

  ```bash
  docker compose up -d --force-recreate
  ```

  If that fails, delete the `appdata/crowdsec/db` and `appdata/crowdsec/config` folders and restart the setup from scratch (bouncer + add engine).

- **Add a database other than SQLite:**

  - First, launch the project with SQLite.
  - Follow the tutorial [CrowdSec database custom](https://docs.crowdsec.net/docs/next/local_api/database/).
  - Edit the file `appdata/crowdsec/config/crowdsec/config.yaml`.
  - Delete the `appdata/crowdsec/data` folder.
  - Reconfigure from scratch (engine + bouncer).

- **Available `cscli` commands:** Check the documentation [here](https://docs.crowdsec.net/docs/cscli/).

### Qbittorrent (documentation coming soon)

To retrieve the Qbittorrent password: run the command

`docker logs qbittorrent`.

### Servarr (documentation coming soon):

### Authentik

Follow this documentation [Authentik](https://git.hhf.technology/hhf/authentik_traefik/blob/traefik3/README.md)