Goals

  • Re-partition disk to allow more space for /var/log
  • Create another VM and reinstall Debian - mainly for cleanup
  • Move all running services to Docker
  • Configure VM backups on Proxmox hypervisor
  • Clean up Proxmox hypervisor update / upgrade errors
    • Remove enterprise repository
    • Add non-subscription repository
  • Add admin user to Proxmox hypervisor (stop logging in as root)

Re-installing Debian

Similar to Initial setup of my Raspberry Pi 5. Simple, straightforward, the Debian TUI installer handles everything nicely. Proxmox automatically connects the VM to the internet when you create it.

Partitioning scheme:

  • 100GB for /
  • 100GB for /var (previously only allocated 10GB - ran out quickly)
  • 14GB for swap (same as RAM)
  • remainder for /home

Install with SSH server and no desktop environment.

Configuring Debian install

I won’t write these out in detail, but I’m trying to get the process down so I’d like to record every step.

  • Log in as root via console
    • Verify sshd is enabled
    • Install sudo
    • Edit the /etc/sudoers file to allow the wheel group to run all commands without a password
    • Create the wheel group and add admin user
    • Change passwords for root user and admin user
  • Configure ssh login and dotfiles
    • ssh-copy-id from client machine
    • scp -r .config from client machine
  • Log in as admin user via ssh
    • Change shell to /bin/zsh; create a symbolic link ~/.zshrc that points to .config/zsh/zshrc; log out and back in
    • Install packages (see below)
    • Configure static IP
    • Change ssh server settings in /etc/ssh/sshd_config
      • Disable password login
      • Disable root login
      • Disable X11 forwarding
      • Verify syntax (sudo sshd -t)
      • Reload sshd
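A small read-only audit for the three sshd_config changes above, added here as an example (it is not from the original notes). It assumes the plain "Keyword value" form of sshd_config lines and a drop-in file named hardening.conf.

```shell
# Hardened fragment for a drop-in; /etc/ssh/sshd_config.d/hardening.conf is an assumed name.
harden_fragment() {
    printf 'PasswordAuthentication no\nPermitRootLogin no\nX11Forwarding no\n'
}

# sshd_setting KEYWORD FILE... -> effective value. sshd uses the FIRST value it reads
# for a keyword (keywords are case-insensitive), so list files in Include order:
# Debian 12's sshd_config includes /etc/ssh/sshd_config.d/*.conf on its first line.
# Falls back to OpenSSH's compiled-in default when no file sets the keyword.
sshd_setting() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
    val=$(awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        tolower($1) == key { print $2; exit }           # first occurrence wins
    ' "$@")
    if [ -z "$val" ]; then
        case $key in
            passwordauthentication) val=yes ;;
            permitrootlogin)        val=prohibit-password ;;
            x11forwarding)          val=no ;;
        esac
    fi
    printf '%s\n' "$val"
}

# sshd_hardened FILE... -> 0 only if password login, root login and X11 forwarding are all off
sshd_hardened() {
    [ "$(sshd_setting PasswordAuthentication "$@")" = no ] &&
    [ "$(sshd_setting PermitRootLogin "$@")" = no ] &&
    [ "$(sshd_setting X11Forwarding "$@")" = no ]
}

# Apply and verify on a real host (the audit above is read-only):
#   harden_fragment | sudo tee /etc/ssh/sshd_config.d/hardening.conf >/dev/null
#   sudo sshd -t && sudo systemctl reload ssh
#   sshd_hardened /etc/ssh/sshd_config.d/*.conf /etc/ssh/sshd_config && echo hardened
#   sudo sshd -T | grep -iE 'passwordauthentication|permitrootlogin|x11forwarding'
```

`sudo sshd -T` is the authoritative view of what sshd actually loaded, including any Include files; the functions above only reproduce the first-value-wins rule for the files you pass them.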

Packages

# get a list of manually installed packages on previously configured machine
apt-mark showmanual | sort -u | less
sudo apt install \
git curl neovim zsh zsh-syntax-highlighting tldr nmap net-tools \
lf rsyslog htop tmux pv open-iscsi cryptsetup trash-cli

iSCSI drive

Add authorized IP to TrueNAS first.

Then follow the steps here.

Creating media user and group

This is the user that will own all the files in the mounted directory.

sudo groupadd media
sudo usermod -aG media user # add primary user to media group
sudo useradd -g media -s /sbin/nologin media

Changing permissions of the mounted iSCSI share

sudo chown -R media:media /media/shared

Allow members of the media group to read and write in addition to the media user:

sudo find /media/shared -type d -exec chmod 775 {} \;
sudo find /media/shared -type f -exec chmod 664 {} \;

Docker services

Docker installation and folder setup

Note

Have to replace $VERSION_CODENAME with the hardcoded release (bookworm)

echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian bookworm stable" \
| sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

My docker management has been miserable so far, so I am trying a different structure for the files and folders, to keep them separate from the default /var and /etc locations.

  • /home/user/docker subdirectories for docker-compose.yml files
  • /docker/ subdirectories for docker image data
  • chown -R media:media on root docker directory
  • run all docker containers as media user

slskd

# /home/user/docker/slskd/docker-compose.yml
 
version: "2"
services:
  slskd:
    image: slskd/slskd
    container_name: slskd
    ports:
      - "5030:5030"
      - "5031:5031"
      - "50300:50300"
    environment:
      - SLSKD_REMOTE_CONFIGURATION=true
    volumes:
      - /docker/slskd/var:/app
      - /media/shared:/data
    user: 1001:1002
    restart: unless-stopped

# /docker/slskd/var/slskd.yml
 
# ...
 
directories:
  incomplete: /data/slskd/incomplete
  downloads: /data/music/clean/slsk
shares:
  directories:
    - /data/music/clean/slsk
    - /data/music/clean/bestqualityavailable
 
# ...
 
web:
  port: 5030
  https:
    disabled: false
    port: 5031
    force: true

# ...
 
soulseek:
  username: [slsk username]
  password: [password]
  listen_port: 2234
 
# ...

Jellyfin

# /home/user/docker/jellyfin/docker-compose.yml
 
services:
  jellyfin:
    image: jellyfin/jellyfin
    container_name: jellyfin
    environment:
      - PUID=1001
      - PGID=1002
      - TZ=America/Chicago
      - JELLYFIN_PublishedServerUrl=http://10.0.0.5
    ports:
      - 8096:8096
    volumes:
      - /docker/jellyfin/config:/config
      - /docker/jellyfin/cache:/cache
      - type: bind
        source: /media/shared
        target: /media
    restart: unless-stopped

Transmission

# /home/user/docker/transmission/docker-compose.yml
 
services:
  transmission:
    image: lscr.io/linuxserver/transmission:latest
    container_name: transmission
    environment:
      - PUID=1001
      - PGID=1002
      - TZ=America/Chicago
      # - TRANSMISSION_WEB_HOME= #optional
      # - USER= #optional
      # - PASS= #optional
      # - WHITELIST= #optional
      # - PEERPORT= #optional
      # - HOST_WHITELIST= #optional
    volumes:
      - /docker/transmission/config:/config
      - /media/shared/transmission:/downloads
      # - /media/shared/:/watch
    ports:
      - 9091:9091
      - 51413:51413
      - 51413:51413/udp
    restart: unless-stopped

filebrowser

# /home/user/docker/filebrowser/docker-compose.yml
 
version: "3"
 
services:
  filebrowser:
    image: hurlenko/filebrowser
    user: 1001:1002
    ports:
      - 8080:8080
    volumes:
      - /media/shared:/data
      - /docker/filebrowser:/config
    environment:
      - FB_BASEURL=/filebrowser   # serves the UI at http://10.0.0.5:8080/filebrowser
    restart: unless-stopped
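The compose files above hard-code user: 1001:1002 (or PUID/PGID), while the media user and group were created with whatever ids useradd handed out, and the iSCSI share was opened to that group with 775/664. This added check (example code, not from the original notes) resolves the real ids and verifies that every bind-mounted host path is writable by them; it uses GNU stat, ignores supplementary groups and ACLs, and assumes paths without spaces.

```shell
# can_write UID GID PATH -> 0 if that uid/gid has write permission on PATH (uid 0 always does);
# a missing path returns 2 so it shows up as a denial too.
can_write() {
    uid=$1; gid=$2; path=$3
    [ "$uid" -eq 0 ] && return 0
    stats=$(stat -c '%u %g %a' "$path") || return 2    # owner-uid owner-gid octal-mode
    set -- $stats
    m=$((0$3))                                           # leading 0 makes the shell parse octal
    if   [ "$uid" -eq "$1" ]; then bits=$(( (m >> 6) & 7 ))   # owner rwx
    elif [ "$gid" -eq "$2" ]; then bits=$(( (m >> 3) & 7 ))   # group rwx
    else                           bits=$((  m       & 7 ))   # other rwx
    fi
    [ $((bits & 2)) -ne 0 ]
}

# compose_bind_sources FILE -> host side of each bind mount, in both the short
# ("- /host:/ctr") and long ("source: /host") syntax. Port mappings such as
# "5030:5030" do not start with "/" and are skipped.
compose_bind_sources() {
    sed -n -e 's|^[[:space:]]*-[[:space:]]*"\{0,1\}\(/[^:"]*\):.*|\1|p' \
           -e 's|^[[:space:]]*source:[[:space:]]*"\{0,1\}\(/[^"[:space:]]*\).*|\1|p' "$1"
}

# check_compose UID GID FILE -> one line per mount; returns 0 only if all are writable
check_compose() {
    rc=0
    for p in $(compose_bind_sources "$3"); do
        if can_write "$1" "$2" "$p"; then echo "ok    $p"; else echo "DENY  $p"; rc=1; fi
    done
    return $rc
}

# Usage: take the ids useradd actually assigned instead of trusting 1001:1002
#   check_compose "$(id -u media)" "$(id -g media)" /home/user/docker/slskd/docker-compose.yml
```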

nginx

My end goal is to have subdomains (e.g. jellyfin.nas.local) that point to the actual services on my LAN. I figured I’d give this a crack with an nginx reverse proxy to docker services, as that’s something I’m doing on this domain.

I added a rule to point nas.local, nas.lan, and nas.net

Unfortunately, it seems to be a massive pain, at least with my WireGuard VPN.

  • None of the requests from my client PC connected to the VPN go through my LAN DNS server. Defaults to 1.1.1.1.
  • If I use the .local tld, my browser will recognize it as a proper URL, but not get the proper name through my LAN Pi-hole DNS.
  • An unused tld such as .lan defaults to Google search unless prefixed with http:// (thanks, firefox)
  • If I use the .net tld, it defaults to trying to resolve that through another DNS provider, as in the first example.

So, this has been tabled for now. A goal for the future.

cronjobs

Reference

  • Script to update docker containers
  • apt update && apt upgrade weekly
  • updatedb daily

Remaining

Services

  • Syncthing
  • Navidrome - still investigating this one. It doesn’t seem to have many mobile clients available.
  • Webmin (? - I never use this, not really sure I’m going to install it)
  • beets

Tasks

  • Configure backups!

EOF