kelin/EZ-Homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update documentation files with recent tweaks

Browse Source
This commit is contained in:
Kelin
2026-02-08 18:42:16 -05:00
parent 0de82e55b6
commit 30143d5f75
5 changed files with 94 additions and 1659 deletions
Download Patch File Download Diff File Expand all files Collapse all files

135
docs/automated-setup.md
View File

@@ -7,50 +7,30 @@ For most users, the automated setup script handles everything from system prepar
- **Root/sudo access**
- **Internet connection**
- **Ports 80 and 443 forwarded** from your router to your **core server only** (required for SSL certificates)
- **VS Code with GitHub Copilot** (for AI assistance)
**Note**: For multi-server setups, only the core server needs ports forwarded. Remote servers connect via Docker TLS (port 2376).
**Note**: For multi-server setups, only the core server needs ports forwarded.
## Simple Setup
# Deploy Core Server
1. **Connect to your server** via SSH
>Tip: Use VS Code on your local machine to ssh
in to your server for the easiest install!
## Connect to your server via SSH
>Tip: Use VS Code on your local machine to ssh in to your server for the easiest install!
2. **Install git if needed**
## Install commands
```bash
sudo apt update && sudo apt upgrade -y && sudo apt install git
```
3. **Clone the repository**:
```bash
git clone https://github.com/kelinfoxy/EZ-Homelab.git
cd EZ-Homelab
```
4. **Configure environment**:
```bash
cp .env.example .env
nano .env # Edit with your domain and tokens
```
**Required variables in .env:**
- `DOMAIN` - Your DuckDNS domain (e.g., yourdomain.duckdns.org)
- `DUCKDNS_TOKEN` - Your DuckDNS token from [duckdns.org](https://www.duckdns.org/)
- `ACME_EMAIL` - Your email for Let's Encrypt certificates
- `SURFSHARK_USERNAME` and `SURFSHARK_PASSWORD` - If using VPN
**Note:** The `.env` file stays in the repository folder (`~/EZ-Homelab/.env`). The deploy script copies it to stack directories automatically. Authelia secrets (JWT, session, encryption key) are auto-generated by the setup script - leave them with default values for now.
5. **Run the unified setup script:**
```bash
./scripts/ez-homelab.sh
sudo apt update && sudo apt upgrade -y && sudo apt install git -y && git clone https://github.com/kelinfoxy/EZ-Homelab.git
&& cd EZ-Homelab
```
The script will guide you through:
- System preparation (if needed)
- Domain and credential configuration
- Service stack selection
- Authelia secrets generation
- SSL certificate setup
- Service deployment
## Run the ez-homelab.sh script with sudo:
`sudo ./scripts/ez-homelab.sh`
### Select option 1 Install Prerequesites
* This will install docker and prepare the local environment.
### Logout and back in to apply docker group changes
### Run the script without sudo and select Option 2: Deploy Core Server
* It will prompt for required env variables and create/update ~/EZ-Homelab/.env
**Note:** Certificate generation may take 2-5 minutes. All services will use the wildcard certificate automatically.
@@ -61,55 +41,27 @@ For most users, the automated setup script handles everything from system prepar
**That's it!** Your homelab is ready.
**Access Dockge at `https://dockge.yourdomain.duckdns.org`**
## Multi-Server Setup
----
To deploy services across multiple servers (e.g., Raspberry Pi, mini PCs):
# Deploy Additional Server
### Core Server Setup (First)
1. Follow the main setup above (steps 1-5)
2. This server gets ports 80/443 forwarded from your router
3. This server generates the shared CA for Docker TLS communication
>**You must have one and only one core server**
### Remote Server Setup (After Core)
1. **Clone repository on remote server**:
```bash
git clone https://github.com/kelinfoxy/EZ-Homelab.git
cd EZ-Homelab
```
## Follow the steps above but select Option 3: Deploy Additional Server
2. **Copy `.env` from core server**:
```bash
# On core server
cd ~/EZ-Homelab
cat .env # Copy the contents
* It will prompt for required env variables if missing from ~/EZ-Homelab/.env
* It includes variables for connecting to the core server
# On remote server
nano ~/EZ-Homelab/.env # Paste and save
```
----
3. **Run setup with Infrastructure-Only option**:
```bash
./scripts/ez-homelab.sh
# Select option 3: "Deploy Infrastructure Only (Remote Server)"
```
## What Gets Deployed Where
4. **When prompted, provide core server IP** for CA import
5. **Script automatically**:
- Copies shared CA from core server via SSH
- Configures Docker TLS with shared certificates
- Generates server certificates signed by shared CA
- Sets up Docker daemon for TLS on port 2376
- Deploys Traefik for local container discovery
- Deploys Sablier for local lazy loading
### What Gets Deployed Where
| Component | Core Server | Remote Servers |
|-----------|-------------|----------------|
| DuckDNS | ✅ Yes | ❌ No |
| Authelia | ✅ Yes | ❌ No |
| Traefik | ✅ Yes (multi-provider) | ✅ Yes (local only) |
| Sablier | ✅ Yes (own stack) | ✅ Yes (own stack) |
| Traefik | ✅ Yes | ❌ No |
| Sablier | ✅ Yes | ✅ Yes |
| Dockge | ✅ Yes | ✅ Yes |
| Services | ✅ Any | ✅ Any |
@@ -118,22 +70,8 @@ To deploy services across multiple servers (e.g., Raspberry Pi, mini PCs):
- **No Port Forwarding**: Remote servers don't need router configuration
- **Automatic Discovery**: Core Traefik finds services on all servers
- **Local Control**: Each Sablier manages its own server's containers
- **Secure Communication**: All inter-server traffic uses TLS encryption
### Troubleshooting Multi-Server Setup
If remote server setup fails:
1. **Check SSH access** from remote to core server
2. **Verify firewall** allows port 2376 on remote servers
3. **Test TLS connection** from core:
```bash
cd /opt/stacks/core/shared-ca
docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem \
--tlskey=key.pem --host=tcp://REMOTE_IP:2376 ps
```
4. **Check logs**: See setup script output for specific errors
## What the Unified Setup Script Does
## What the ez-homelab.sh Script Does
The `ez-homelab.sh` script is a comprehensive guided setup and deployment tool:
@@ -147,29 +85,24 @@ The `ez-homelab.sh` script is a comprehensive guided setup and deployment tool:
- ✅ Enables SSH server
**Interactive Configuration:**
- ✅ Guides through domain setup (DuckDNS)
- ✅ Prompts for admin username, email, and password
- ✅ Generates three cryptographic secrets (JWT, session, encryption)
- ✅ Generates argon2id password hash using Docker (30-60s process)
- ✅ Allows service stack selection
- ✅ Prompts for all required env variables
- ✅ Generates three secrets for Authelia (JWT, session, encryption)
- ✅ Generates argon2id password hash for admin password using Docker
- ✅ Validates Docker is available before operations
**Infrastructure Setup & Deployment:**
- ✅ Creates directory structure (`/opt/stacks/`)
- ✅ Sets up Docker networks (homelab, traefik, dockerproxy, media)
- ✅ Creates directory structure (`/opt/stacks/` & `opt/dockge`)
- ✅ Sets up Docker networks (homelab, traefik, dockerproxy)
- ✅ Deploys selected service stacks with individual deployment scripts
- ✅ Obtains wildcard SSL certificate (*.yourdomain.duckdns.org)
- ✅ Configures Traefik for multi-server support (if applicable)
- ✅ Generates and distributes TLS certificates for Docker API (multi-server)
- ✅ Configures Traefik for multi-server support
- ✅ Detects NVIDIA GPU and offers driver installation
- ✅ Opens Dockge when ready
**Safety Features:**
- Interactive guidance with clear prompts
- Timeout handling (60s for Docker operations)
- Comprehensive error messages with troubleshooting hints
- Safe to re-run (idempotent operations)
- Confirmation prompts for destructive actions
## Release-Specific Notes
- **Current Version**: Production-ready with comprehensive multi-server support

21
docs/how-it-works.md
View File

@@ -1,6 +1,6 @@
# How Your AI Homelab Works
# How Your EZ Homelab Works
Welcome to your AI-powered homelab! This guide explains how all the components work together to create a production-ready, self-managing infrastructure. Don't worry if it seems complex at first - the AI assistant handles most of the technical details for you.
This guide explains how all the components work together to create your homelab infrastructure.
## Quick Overview
@@ -29,8 +29,7 @@ EZ-Homelab supports two deployment architectures:
- **Core Server**: Handles external traffic (ports 80/443), runs DuckDNS/Traefik/Authelia
- **Remote Servers**: Run their own Traefik/Sablier for local container management
- Unified domain access: All services through `service.yourdomain.com`
- Servers communicate via HTTP/HTTPS (no Docker API TLS needed)
- Ideal for: Raspberry Pi clusters, NAS + desktop, distributed workloads
- Servers communicate via HTTP/HTTPS
**This guide covers both architectures**, with multi-server notes where relevant.
@@ -40,7 +39,6 @@ EZ-Homelab supports two deployment architectures:
Your central hub for accessing all services. Think of it as the "start menu" for your homelab.
- **What it does**: Shows all your deployed services with quick links
- **AI Integration**: The AI can automatically add new services and configure widgets
- **Customization**: Add weather, system stats, and service-specific widgets
- **Configuration**: [docker-compose/dashboards/](docker-compose/dashboards/) | [service-docs/homepage.md](service-docs/homepage.md)
### 🐳 **Dockge** (`https://dockge.servername.yourdomain.duckdns.org`)
@@ -48,14 +46,14 @@ Your primary management interface for deploying and managing services.
- **What it does**: Web-based Docker Compose manager
- **Stacks**: Groups services into logical units (media, monitoring, productivity)
- **One-Click Deploy**: Upload compose files and deploy instantly
- **Multi-Server**: Deploy on core or remote servers from one interface
- **Dockge Agents**: Deploy on core or remote servers from one interface
- **Configuration**: [docker-compose/dockge/](docker-compose/dockge/) | [service-docs/dockge.md](service-docs/dockge.md)
### 🔐 **Authelia** (`https://auth.yourdomain.duckdns.org`)
Your security gatekeeper that protects sensitive services.
- **What it does**: Single sign-on (SSO) authentication
- **Security**: Two-factor authentication, session management
- **Smart Bypass**: Automatically bypasses auth for media apps (Plex, Jellyfin)
- **Smart Bypass**: Bypasses auth for select apps (Plex, Jellyfin)
- **Multi-Server**: Core server only; protects all services across all servers
- **Configuration**: [docker-compose/core/](docker-compose/core/) | [service-docs/authelia.md](service-docs/authelia.md)
@@ -63,8 +61,8 @@ Your security gatekeeper that protects sensitive services.
Your intelligent traffic director and SSL certificate manager.
- **What it does**: Reverse proxy that routes web traffic to the right services
- **SSL**: Automatically obtains and renews free HTTPS certificates
- **Labels**: Services "advertise" themselves to Traefik via Docker labels
- **Multi-Server**: Core uses multi-provider (labels + YAML files); remote servers use labels only
- **Labels**: Services on core server "advertise" themselves to Traefik via Docker labels
- **Multi-Server**: Remote servers use yaml (on the core server) only
- **Configuration**: [docker-compose/core/](docker-compose/core/) | [service-docs/traefik.md](service-docs/traefik.md)
### 🦆 **DuckDNS**
@@ -115,7 +113,7 @@ Your download traffic protector.
**Multi-Server:**
- **Core Server Ports**: Only core forwards 80/443 to internet
- **Remote Servers**: No port forwarding needed; accessed through core
- **Traffic Flow**: Internet → Core Traefik → Remote Traefik → Service
- **Traffic Flow**: Internet → Core Traefik → Service
- **SSL**: Core handles all SSL termination
- **Unified Domain**: `service.yourdomain.com` works for all servers
@@ -127,6 +125,9 @@ Your download traffic protector.
- **Backup**: Included in automatic backups
### Media & Large Data
>You may want additional drives for large downloads & media libraries
- **Location**: `/mnt/media/`, `/mnt/downloads/`
- **Purpose**: Movies, TV shows, music, downloads
- **Performance**: Direct mounted drives for speed

71
docs/multi-server-deployment.md
View File

@@ -16,37 +16,41 @@ This guide explains the **current multi-server architecture** where:
┌─────────────────────────────────────────────────────────────────┐
│ 🌐 PUBLIC INTERNET │
│ HTTPS Traffic (Ports 80/443 forwarded from router) │
└───────────────────────────────────────────────────────────────┘
HTTPS (SSL/TLS)
┌─────────────────────────────────────────────────────────────────┐
│ CORE SERVER │
┌────────────┐ ┌──────────┐ ┌──────────┐ ┌──────────────┐
DuckDNS │ Traefik │ Authelia │ │ Core Services │ │
│ (SSL DNS) │ (multi- │ │ (SSO) │ │ (local) │
│ │ │ │ provider)│ │ │ │
└────────────┘ └────┬─────┘ └──────────┘ └──────────────┘
└───────────────────────────────────────────────────────────────┘
│ |
HTTP(S) ▼ HTTPS
| |
┌─────────────────────────────┼────┼──────────────────────────────┐
CORE SERVER │ |
| ▼ |
┌───────────────┐ ┌──────────┐ ┌────────────────┐
│ │ Core Services │ │ Traefik │ │ Local Services │
│ Authelia │ ---- │ │ ---- │ │
│ │ DuckDNS │ │ │ │ │ │
│ └───────────────┘ └────┬─────┘ └────────────────┘ │
│ │ │
│ ┌──────────────┼──────────────┐
│ │ Routes:
│ │ • Local (labels)
│ │ • Remote (YAML files)
└──────────┼──────────────┼──────────────┼────────────────────────┘
│ HTTP (internal network)
│ No SSL/TLS encryption │
▼ ▼ ▼
┌─────────────────────────────────────────┐
│ ADDITIONAL SERVER (e.g., Pi) │
│ ┌──────────┐ ┌───────┐ ┌──────────┐ │
│ │ Sablier │ │ Media │ │ Exposed │ │
│ │ (lazy │ │ Apps │ │ Ports │ │
│ │ loading) │ │ │ │ 5001, │ │
│ └──────────┘ └───────┘ │ 8085... │ │
└────────────────────────────┼──────────┘
┌──────────────┼────────────
│ Routes: │ │
│ • Local (labels)
│ • Remote (YAML files)
| | | |
| └──────────────┬────────────┘ |
| | |
└───────────────────────────────┼─────────────────────────────────┘
Direct port access
(no local reverse proxy)
HTTP (internal network) │
No SSL/TLS encryption │
┌───────────────────────────────┼─────────────────────────────────┐
│ ADDITIONAL SERVER │
| |
│ ┌───────────────┐ ┌────────────────┐ ┌────────────────┐ │
│ │ Sablier │ │ Your Apps │ │ Dockge | |
│ │ lazy loading │ │ expose ports │ │ | |
│ │ │ │ │ │ | |
│ └───────────────┘ └────────────────┘ └────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
```
### Traffic Flow Summary
@@ -119,12 +123,3 @@ When you deploy an additional server:
- **Centralized Access**: All services accessed through one domain
- **Unified SSO**: Authelia on core server protects all services
- **Local Lazy Loading**: Sablier manages containers on each server independently
## Performance Considerations
- **Latency**: Direct routing (core → service) minimizes hops
- **Resource Usage**: Additional servers run only Sablier (~50MB) - no Traefik needed
- **Scalability**: Can add unlimited additional servers without complexity
- **Network**: Internal 1Gbps+ recommended between servers
- **Deployment Speed**: Additional servers deploy in ~2 minutes (vs 5-10 with local Traefik)

1424
docs/multi-server-implementation-plan.md
View File

File diff suppressed because it is too large Load Diff

86
docs/proxying-external-hosts.md
View File

@@ -5,7 +5,7 @@ This guide explains how to use Traefik and Authelia to proxy external services (
## Overview
Traefik can proxy services that aren't running in Docker, such as:
- Home Assistant on a Raspberry Pi
Yea- Home Assistant on a Raspberry Pi
- Other physical servers on your network
- Services running on different machines
- Any HTTP/HTTPS service accessible via IP:PORT
@@ -14,7 +14,7 @@ Traefik can proxy services that aren't running in Docker, such as:
### Step 1: Create Configuration File
Create a YAML file in `/opt/stacks/traefik/dynamic/` named `external-hosts.yml`:
Create a YAML file in `/opt/stacks/traefik/dynamic/` named `external-host-servername.yml` where servername is the remove server's host name:
```yaml
http:
@@ -68,26 +68,7 @@ Visit `https://ha.yourdomain.duckdns.org` - Traefik will:
2. Proxy the request to `http://192.168.1.50:8123`
3. Return the response with proper SSL
4. (Optionally) Require Authelia login if middleware is configured
## Common External Services to Proxy
### Home Assistant (Raspberry Pi)
```yaml
homeassistant-pi:
rule: "Host(`ha.yourdomain.duckdns.org`)"
service: http://192.168.1.50:8123
# No Authelia - HA has its own auth
```
### Router/Firewall Admin Panel
```yaml
router-admin:
rule: "Host(`router.yourdomain.duckdns.org`)"
service: http://192.168.1.1:80
middlewares:
- authelia@docker # Add SSO protection
```
``
## Advanced Configuration
### WebSocket Support
@@ -170,47 +151,6 @@ access_control:
policy: two_factor
```
## DNS Configuration
Ensure your DuckDNS domain points to your public IP:
1. DuckDNS container automatically updates your IP
2. Port forward 80 and 443 to your Traefik server
3. All subdomains (`*.yourdomain.duckdns.org`) point to same IP
4. Traefik routes based on Host header
## Troubleshooting
### Check Traefik Routing
```bash
# View active routes
docker logs traefik | grep "Creating router"
# Check if external host route is loaded
docker logs traefik | grep homeassistant
# View Traefik dashboard
# Visit: https://traefik.yourdomain.duckdns.org
```
### Test Without SSL
```bash
# Temporarily test direct connection
curl -H "Host: ha.yourdomain.duckdns.org" http://localhost/
```
### Check Authelia Logs
```bash
cd /opt/stacks/authelia
docker compose logs -f authelia
```
### Verify External Service
```bash
# Test that external service is reachable
curl http://192.168.1.50:8123
```
## AI Management
The AI can manage external host proxying by:
@@ -218,8 +158,7 @@ The AI can manage external host proxying by:
1. **Reading existing configurations**: Parse `/opt/stacks/traefik/dynamic/*.yml`
2. **Adding new routes**: Create/update YAML files in dynamic directory
3. **Configuring Authelia rules**: Edit `configuration.yml` for bypass/require auth
4. **Testing connectivity**: Suggest verification steps
5. **Adding Homepage entries**: Update dashboard configuration
4. **Adding Homepage entries**: Update dashboard configuration
Example AI prompt:
> "Add proxying for my Unifi Controller at 192.168.1.5:8443 with Authelia protection"
@@ -231,25 +170,16 @@ AI will:
4. Add to Homepage dashboard
5. Provide testing instructions
## Security Best Practices
1. **Always use Authelia** for admin interfaces (routers, NAS, etc.)
2. **Bypass Authelia** only for services with their own auth (HA, Plex)
3. **Use IP whitelist** for highly sensitive services
4. **Enable two-factor** for critical infrastructure
5. **Monitor access logs** in Traefik and Authelia
6. **Keep services updated** - Traefik, Authelia, and external services
## Example: Complete External Host Setup
Let's proxy a Raspberry Pi Home Assistant:
1. **Traefik configuration** (`/opt/stacks/traefik/dynamic/raspberry-pi.yml`):
1. **Traefik configuration** (`/opt/stacks/traefik/dynamic/extarnal-host-homeassistant.yml`):
```yaml
http:
routers:
ha-pi:
rule: "Host(`ha.yourdomain.duckdns.org`)"
rule: "Host(`homeassistant.yourdomain.duckdns.org`)"
entryPoints:
- websecure
service: ha-pi
@@ -275,7 +205,7 @@ http:
```yaml
access_control:
rules:
- domain: ha.yourdomain.duckdns.org
- domain: homeassistant.yourdomain.duckdns.org
policy: bypass
```
@@ -284,7 +214,7 @@ access_control:
- Home Automation:
- Home Assistant (Pi):
icon: home-assistant.png
href: https://ha.yourdomain.duckdns.org
href: https://homeassistant.yourdomain.duckdns.org
description: HA on Raspberry Pi
ping: 192.168.1.50
widget: