this post was submitted on 26 Dec 2023
58 points (85.4% liked)

Selfhosted

40382 readers
507 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

First, I would like to thank this community for being an understanding, open-minded and Novice friendly like myself. I have learned a lot in the past few weeks thanks to this community, unlike Reddit's toxic communities where asking a question is illegal.

I have built most of my NAS; the only missing component (CPU) I will be collecting in the morning. I just wanted to ask general questions or tips. Dos and Donts. I will be using Unraid as OS.

you are viewing a single comment's thread
view the rest of the comments
[–] Lem453@lemmy.ca 5 points 11 months ago* (last edited 11 months ago) (2 children)

version: "3.4"

volumes:
  sonarr-config:
    name: sonarr-config
    driver_opts:
      type: nfs
      o: addr=192.168.37.25,nolock,soft,rw
      device: :/zfspool1/dockerData/arr-stack/sonarr
  radarr-config:
    name: radarr-config
    driver_opts:
      type: nfs
      o: addr=192.168.37.25,nolock,soft,rw
      device: :/zfspool1/dockerData/arr-stack/radarr
  prowlarr-config:
    name: prowlarr-config
    driver_opts:
      type: nfs
      o: addr=192.168.37.25,nolock,soft,rw
      device: :/zfspool1/dockerData/arr-stack/prowlarr
  sabnzbd-config:
    name: sabnzbd-config
    driver_opts:
      type: nfs
      o: addr=192.168.37.25,nolock,soft,rw
      device: :/zfspool1/dockerData/arr-stack/sabnzbd
  qbittorrent-config:
    name: qbittorrent-config
    driver_opts:
      type: nfs
      o: addr=192.168.37.25,nolock,soft,rw
      device: :/zfspool1/dockerData/arr-stack/qbittorrent
  media-tv:
    name: media-tv
    driver_opts:
      type: nfs
      o: addr=192.168.37.31,nolock,soft,rw
      device: :/mnt/user/media/TV Shows
  media-movies:
    name: media-movies
    driver_opts:
      type: nfs
      o: addr=192.168.37.31,nolock,soft,rw
      device: :/mnt/user/media/Movies
  media-downloads:
    name: media-downloads
    driver_opts:
      type: nfs
      o: addr=192.168.37.31,nolock,soft,rw
      device: :/mnt/user/downloads

networks:
  traefik_proxy:
    name: traefik_proxy
    external: true


services:
  arr-stack-gluetun:
    container_name: arr-stack-gluetun
    hostname: arr-stack-gluetun
    image: qmcgaw/gluetun
    deploy:
      resources:
        limits:
          cpus: '4'
          memory: 4G
        reservations:
          cpus: '2'
          memory: 1G
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
    env_file:
       - ../stack.env #get mullvad key from here "WIREGUARD_PRIVATE_KEY", "WIREGUARD_ADDRESSES", "SERVER_CITIES"
    networks:
      # only this container needs access to the proxy network. It also doesn't need any ports exposed to access
      # the other services like qbit, etc. Traefik points to this container and because the other services use
      # the service network type they can be accessed through here. 
      traefik_proxy:
        ipv4_address: 172.18.0.6
    environment:
 
      - VPN_SERVICE_PROVIDER=private internet access
      - OPENVPN_USER=xxxxxxxxz
      - SERVER_HOSTNAMES=lu.privacy.network
      - TZ=America/Chicago
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_proxy"

      # qbittorrent traefik labels
      - "traefik.http.routers.arr-stack-qbittorrent.entrypoints=websecure"
      - "traefik.http.routers.arr-stack-qbittorrent.rule=Host(`torrent.local.domain.com`)"
      - "traefik.http.routers.arr-stack-qbittorrent.tls=true"
      - "traefik.http.routers.arr-stack-qbittorrent.service=arr-stack-qbittorrent"
      - "traefik.http.services.arr-stack-qbittorrent.loadbalancer.server.port=8085"
      - "traefik.http.routers.arr-stack-qbittorrent.middlewares=authentik"

      # prowlarr traefik labels
      - "traefik.http.routers.arr-stack-prowlarr.entrypoints=websecure"
      - "traefik.http.routers.arr-stack-prowlarr.rule=Host(`prowlarr.local.domain.com`)"
      - "traefik.http.routers.arr-stack-prowlarr.tls=true"
      - "traefik.http.routers.arr-stack-prowlarr.service=arr-stack-prowlarr"
      - "traefik.http.services.arr-stack-prowlarr.loadbalancer.server.port=9696"
      - "traefik.http.routers.arr-stack-prowlarr.middlewares=authentik"

      # sabnzbd traefik labels
      - "traefik.http.routers.arr-stack-sabnzbd.entrypoints=websecure"
      - "traefik.http.routers.arr-stack-sabnzbd.rule=Host(`sabnzbd.local.domain.com`)"
      - "traefik.http.routers.arr-stack-sabnzbd.tls=true"
      - "traefik.http.routers.arr-stack-sabnzbd.service=arr-stack-sabnzbd"
      - "traefik.http.services.arr-stack-sabnzbd.loadbalancer.server.port=8080"
      - "traefik.http.routers.arr-stack-sabnzbd.middlewares=authentik"

      # sonarr traefik labels
      - "traefik.http.routers.arr-stack-sonarr.entrypoints=websecure"
      - "traefik.http.routers.arr-stack-sonarr.rule=Host(`sonarr.local.domain.com`)"
      - "traefik.http.routers.arr-stack-sonarr.tls=true"
      - "traefik.http.routers.arr-stack-sonarr.service=arr-stack-sonarr"
      - "traefik.http.services.arr-stack-sonarr.loadbalancer.server.port=8989"
      - "traefik.http.routers.arr-stack-sonarr.middlewares=authentik"

      # radarr traefik labels
      - "traefik.http.routers.arr-stack-radarr.entrypoints=websecure"
      - "traefik.http.routers.arr-stack-radarr.rule=Host(`radarr.local.domain.com`)"
      - "traefik.http.routers.arr-stack-radarr.tls=true"
      - "traefik.http.routers.arr-stack-radarr.service=arr-stack-radarr"
      - "traefik.http.services.arr-stack-radarr.loadbalancer.server.port=7878"
      - "traefik.http.routers.arr-stack-radarr.middlewares=authentik"
    
  # _____________________________Downloaders__________________________
  arr-stack-qbittorrent:
    image: ghcr.io/linuxserver/qbittorrent:4.6.0
    container_name: arr-stack-qbittorrent
    network_mode: service:arr-stack-gluetun
    volumes:
      - qbittorrent-config:/config
      - media-downloads:/downloads:z
    deploy:
      resources:
        limits:
          cpus: '4'
          memory: 4G
        reservations:
          cpus: '2'
          memory: 1G
    depends_on:
      - arr-stack-gluetun
    environment:
      - WEBUI_PORT=8085
      - TZ=America/Chicago
      
      #file permissions need to be the same for all apps
      - PUID=1000
      - PGID=1000
      - UMASK_SET=022
    restart: unless-stopped
    labels:
    # Note 1: Default user is admin, pass is adminadmin
    # Note 2: Tools-> options-> web UI -> bypass localhost and whitelist:
    #    172.18.0.0/24, torrent.local.domain.com, arr-stack-gluetun

  arr-stack-sabnzbd:
    image: ghcr.io/linuxserver/sabnzbd:4.1.0
    container_name: arr-stack-sabnzbd
    network_mode: service:arr-stack-gluetun
    deploy:
      resources:
        limits:
          cpus: '4'
          memory: 4G
        reservations:
          cpus: '2'
          memory: 1G
    volumes:
      - sabnzbd-config:/config
      - media-downloads:/downloads:z
    depends_on:
      - arr-stack-gluetun
    environment:
      - TZ=America/Chicago
      #file permissions need to be the same for all apps
      - PUID=1000
      - PGID=1000
      #- UMASK_SET=022
    restart: unless-stopped
    
  # ______________________________Arrs__________________________________
  arr-stack-prowlarr:
    image: ghcr.io/linuxserver/prowlarr:1.9.4
    container_name: arr-stack-prowlarr
    deploy:
      resources:
        limits:
          cpus: '4'
          memory: 4G
        reservations:
          cpus: '2'
          memory: 1G
    environment:
      - PUID=1000
      - PGID=1000
      - UMASK=022
      - TZ=America/Chicago 
    volumes:
      - prowlarr-config:/config
    restart: unless-stopped
    network_mode: service:arr-stack-gluetun
    depends_on:
      - arr-stack-gluetun
     # - arr-stack-qbittorrent
     # - arr-stack-sabnzbd
 
    
  arr-stack-sonarr:
    image: ghcr.io/linuxserver/sonarr:3.0.10
    container_name: arr-stack-sonarr
    deploy:
      resources:
        limits:
          cpus: '4'
          memory: 4G
        reservations:
          cpus: '2'
          memory: 1G
    volumes:
      - sonarr-config:/config
      - media-tv:/media/TV Shows
      - media-downloads:/downloads:z # this is only needed if qbit-torrent is used. It must be added to remote path in the app(complete foler)
    environment:
      - PUID=1000
      - PGID=1000
      - UMASK=022
      - TZ=America/Chicago 
    restart: unless-stopped
    network_mode: service:arr-stack-gluetun
    depends_on:
      - arr-stack-gluetun

  arr-stack-radarr:
    image: ghcr.io/linuxserver/radarr:5.0.3
    container_name: arr-stack-radarr
    deploy:
      resources:
        limits:
          cpus: '4'
          memory: 4G
        reservations:
          cpus: '2'
          memory: 1G
    volumes:
      - radarr-config:/config
      - media-movies:/media/Movies
      - media-downloads:/downloads:z # this is only needed if qbit-torrent is used. It must be added to remote path in the app(complete foler)
    environment:
      - PUID=1000
      - PGID=1000
      - UMASK=022
      - TZ=America/Chicago 
    restart: unless-stopped
    network_mode: service:arr-stack-gluetun
    depends_on:
      - arr-stack-gluetun


Stuff like this is why I moved my docker from unraid to a VM where I can use docker compose. Docker compose is really the only way to get a clean setup with complex stuff like this. That being said I recommend beginners use unraid. You don't need a full vpn for torrents, a socks5 proxy will be fine and doesn't require and special docker settings.

My setup uses traefik reverse proxy. Internal HTTPS (let's encrypte wild card) and external HTTPS depending on what I want.

It uses authentik for single sign on and in this case provides LDAP for jellyfin and also provides web authentication for arr services.

The glutun container can be configured with any VPN and all services can only access the internet via the VPN.

My NAS is unraid, my docker host is a VM on proxmox. Media files are stored on HDDs on unraid and everything else is on on the docker SSD. Volumes are connected to where they need to be via NFS shares.

There are limits for cpu and ram so one container can't bring everything down.

The containers themselves all communicate via their own docker network and only the reverse proxy (traefik) allows access to the UI.

[–] HumanPerson@sh.itjust.works 2 points 11 months ago

Thank you so much. I have spent so long trying to find this.