d.rymcg.tech

d.rymcg.tech is a collection of open-source Docker Compose projects and command line tools to manage your remote Docker services from your workstation.

Features

• Docker can be deployed anywhere, e.g.:

  • A public server in the cloud (DigitalOcean droplet, AWS EC2, etc.)
  • A public server running at home via direct port forwarding from your internet router.
  • A private server (at home or in the cloud) that requires a VPN to connect (WireGuard).
  • A public server (at home and/or roaming), without direct port forwarding, but accessible with the help of a public (cloud) sentry VPN (WireGuard).

• d.rymcg.tech has a clean separation for the roles of workstation and server:

  • All source files and CLI tools live on your workstation. All administration is performed on your workstation. You should never need to directly SSH into the server's shell. A workstation may control several servers.
  • The server's only job is to build and run the Docker containers that your workstation tells it how to.

• All configuration is sourced from environment variables written in .env files on your workstation. Each service deployment has a separate .env_{CONTEXT}_{INSTANCE} file (per project directory, per docker context, per instance).

• Every sub-project has a Makefile, with common targets, to wrap all Docker commands and administrative functions for that project, e.g.:

  • make config is a wizard to help you configure the .env file.
  • make install installs the configured application on the server.
  • make open opens the installed application in your workstation's web browser.
  • make uninstall tears down, and removes, a project's containers, but keep the data volumes.
  • make destroy is like uninstall, but will delete the data volumes as well.
  • make readme opens the current project's README.md in your workstation's web browser.
  • Note: make requires that your current working directory is where the Makefile is, so you must cd into the proper sub-directory before running make.

• This project provides a command line alternative to make named d.rymcg.tech (or d alias) that provides a global command structure and re-wraps all of the sub-project make commands, but unlike make, it works from any directory (e.g., d make whoami config, d make whoami install ...)

• The d.rymcg.tech command and d alias operate on your current Docker context. To switch between contexts you run d context (runs docker context use XXX). You may also setup additional Bash aliases to control various Docker contexts explicitly (e.g., prod make whoami config, prod make whoami install.) and which are not dependent on the current context.

• This repository is non-proprietary and designed for anyone to use. It only offers services that have open source licenses. If you would like to add additional open-source services to this repository, consider opening a Pull Request to add to this collection. You may also create projects in external git repositories, license them however you wish, and still benefit from the same command line tooling.

• Traefik is deployed as the front door proxy for all of your services (HTTP / TCP / UDP). Traefik provides TLS termination and sentry authentication/authorization middleware (mTLS, OAuth, HTTP Basic, IP source range). Applications define their own routes (domain names, paths, etc.), and other Traefik middleware config, via container labels.

• d.rymcg.tech focuses on the needs of the full-stack self-hoster. You can deploy your own Certficate Authority and DNS (delegate) server for the automatic creation of (wildcard) TLS certificates with Step-CA and acme-dns. (Be your own Let's Encrypt alternative.)

Documentation

The documentation for this project is spread amongst several Markdown files, according to project and/or topic.

Follow these topical guides to get started:

• Create your workstation environment:

  • WORKSTATION_LINUX.md - setup your workstation on Linux.
  • WORKSTATION_WSL.md - setup your workstation on Windows (WSL).

• Create a Docker server and configure the firewall:

  • DOCKER.md - install Docker Engine on bare metal PC, virtual machine, Raspberry Pi, or cloud server.

• Install applications:

  • TOUR.md - follow this tour guide to install your first set of services.

Extra reading

• INSTANCES.md - how to create multiple instances of the same service.
• EXTERNAL_PROJECTS.md - how to integrate external project directories.
• BACKUP_ENV.md - how to backup your workstation's .env files.
• SECURITY.md - how to secure a Docker server.
• MAKEFILE_OPS.md - how to write Makefiles.
• RCLONE.md - create Docker volumes on top of remote/cloud storage (S3, SFTP, Dropbox, etc.)
• LICENSE.txt - the license for this project.
• Portable Docker: Build and Deploy Anywhere with WireGuard Tunneling - a book about running a public Docker server at home, or while roaming, behind restrictive NAT routers, with the help from a public wireguard sentry server running in the cloud.

Services

Each of the sub-projects in this repository have their own README.md in their respective sub-directory.

Install these services first:

• Acme-DNS - a DNS server for ACME challenges (TLS certificate creation)
• Traefik - HTTP / TLS / TCP / UDP reverse proxy
• Whoami - HTTP test service

Install these core services as needed:

• Forgejo
  • A git host (fork of Gitea/Gogs, which is similar to self-hosted GitHub).
  • This can act as an OAuth2 identity service, which supports 2FA including hardware tokens, and can provide authentication to all of your other services.
  • A single instance should be used for your entire organization, so you don't need to install this on every server.
• Traefik-forward-auth
  • Traefik OAuth2 authentication middleware.
  • Required if you want OAuth2 authentication. You'll combine this with your Forgejo instance (or another external Oauth provider) to add authentication to any of your apps.
  • This is a Traefik middleware, and must be installed on every server that you want to enforce OAuth on (but they could all share a single external Forgejo instance).
• Step-CA
  • A self-hosted Certificate Authority (CA).
  • Provides ACME services for automatic TLS certficate creation.
  • Issue client certificates for Mutual TLS (mTLS).
  • A single instance should be used for your entire organization, so you don't need to install this on every server.
• Postfix-Relay
  • A simple email forwarding service (SMTP) which can be used by any other container that needs to send email.
  • This is a private Docker service, so you must install it on each server you want to send mail from.

Install these applications at your preference:

• 13ft - a tool to block ads and bypass paywalls
• Actual - a personal finance tool
• ArchiveBox - a website archiving tool
• Aria2 - a multi-protocol downloader tool
• Audiobookshelf - an audiobook and podcast server
• Autoheal - a Docker container healthcheck monitor with auto-restart service
• Backrest - a backup tool based on restic
• Backup-Volume - a Docker volume backup tool
• Baikal - a lightweight CalDAV+CardDAV server
• Caddy - an HTTP server with automatic TLS (passthrough)
• CalcPad - a different take on the caculator
• Calibre - an ebook manager
• ComfyUI - an AI image/video/audio generator
• Commentario - a website comment service
• Copyparty - a file server webapp for multiple users and volumes
• Coturn - a TURN relay server for NAT traversal
• Datetime - a time viewing and conversion tool
• DOH-server - a DNS-over-HTTPs proxy resolver
• DrawIO - a diagram / whiteboard editor tool
• Ejabberd - an XMPP (Jabber) server
• Filebrowser - a web based file manager
• Firefox - a web browser embedded in a web page
• FreshRSS - an RSS reader / proxy
• Glances - a cross-platform system monitoring tool
• Gradio - a configurable web interface for machine learning
• Grocy - a grocery & household management/chore solution
• Homepage - a dashboard for all your apps
• Icecast - a SHOUTcast compatible streaming multimedia server
• Immich - a photo gallery
• Invidious - a Youtube proxy
• InvokeAI - an AI image generator
• Iperf - a bandwidth speed testing service
• IT-Tools - a collection of useful tools for developers and people working in IT
• Jitsi Meet - a video conferencing and screencasting service
• Jupyterlab - a web based code editing environment / reproducible research tool
• Kokoro Web - a browser-based AI voice generator that lets you create natural-sounding voices
• Lemmy - a link aggregator and forum for the fediverse
• Matterbridge - a chat room bridge (IRC, Matrix, XMPP, etc)
• Maubot - a matrix Bot
• Minio - an S3 storage server
• Mopidy - a streaming music server built with MPD and Snapcast
• Mosquitto - an MQTT server
• Nextcloud - a collaborative file server
• Nginx - a webserver configured with fast-cgi support for PHP scripts
• Node-RED - a graphical event pipeline editor
• Ntfy-sh - a simple HTTP-based pub-sub notification service
• Ollama - a service API for hosting Large Language Models
• Open WebUI - a self-hosted AI platform
• Pairdrop - a webapp (PWA) to send files and messages peer to peer
• Peertube - a decentralized and federated video platform
• Photoprism - a photo gallery and manager
• Piwigo - a photo gallery and manager
• Plausible - a privacy friendly web visitor analytics engine
• PostgreSQL - a database server configured with mutual TLS authentication for public networks
• PrivateBin - a minimal, encrypted, zero-knowledge, pastebin
• Prometheus - a systems monitoring and alerting toolkit (+ node-exporter + cAdvisor + Grafana)
• QBittorrent - a Bittorrent (libtorrent v2) client
• Redbean - a small website server bundled in a single executable zip file
• Redmine - a flexible project management web application
• Registry an OCI container registry
• S3-proxy - an HTTP directory index for S3 backend
• SearXNG - a privacy-respecting, hackable metasearch engine
• SFTP - a secure file server
• Shaarli - a bookmark manager
• Smokeping - a network latency measurement tool
• Speedtest Tracker - a network performance monitor
• Syncthing - a multi-device file synchronization tool
• Sysbox-Systemd - a traditional service manager for Linux running in an unprivileged container via sysbox-runc
• Tesseract - a front-end for Lemmy instances
• Thttpd - a tiny/turbo/throttling HTTP server for serving static files
• TriliumNext Notes - a note-taking/knowledge base application
• Vaultwarden - a bitwarden compatible password manager written in Rust (formerly bitwarden_rs)
• Websocketd - a websocket / CGI server
• Webtop - a containerized Linux desktop in your web browser
• WireGuard - a standalone VPN client that other containers may use as a router
• WireGuard-Gateway - a VPN client config that acts as a gateway node for your LAN.
• Wordpress - a ubiquitous blogging / CMS platform, with a plugin to build a static HTML site snapshot
• XBrowserSync - a bookmark manager
• YOURLS - a URL shortener