LemonSec/SETUP-TRUENAS-NEXTCLOUD.md

# Quick Setup: TrueNAS Nextcloud + LemonSec
## Your Setup
- ✅ Proxmox VM running Docker/Portainer
- ✅ TrueNAS Scale VM running Nextcloud
- ✅ Need: Family access to Nextcloud via secure domain
## Timeline: 15 minutes to working Nextcloud
---
## Phase 1: Prepare (5 min)
### 1. Get Your IPs
```bash
# On the Proxmox VM (where LemonSec will run)
ip addr show | grep "inet " | head -3
# Note the LAN address, e.g. 192.168.1.50

# On the TrueNAS Scale VM: check the TrueNAS UI (Network) or run
ip addr
# Note it, e.g. 192.168.1.100

# Nextcloud port in TrueNAS:
# Apps → Nextcloud → note the Node Port (e.g. 9001)
```
### 2. Configure Environment
```bash
cd LemonSec
cp .env.example .env
nano .env
```
Fill in:
```
CF_API_EMAIL=youremail@example.com
CF_API_KEY=your-cloudflare-global-api-key
TZ=Europe/Stockholm
TRUENAS_IP=192.168.1.100
TRUENAS_NEXTCLOUD_PORT=9001
```
`CF_API_KEY` is Cloudflare's Global API Key: with the email it gives full control of your Cloudflare account, while Traefik only needs it to answer the ACME DNS challenge for your certificate. Keep `.env` readable by you alone (mode 600) and never commit it. Traefik's Cloudflare provider also accepts a scoped token (`CF_DNS_API_TOKEN` with Zone:DNS:Edit on your zone only); check that `docker-compose.yml` passes that variable to Traefik before switching, since the shipped configuration uses the email/key pair.
### 3. Generate Secrets
Each secret is 32 random bytes written as 64 hex characters with no trailing newline (a newline would become part of the key).
```bash
# Linux (on the Proxmox VM), run from the LemonSec directory; secrets/ must exist
openssl rand -hex 32 | tr -d '\n' > secrets/authelia_jwt_secret.txt
openssl rand -hex 32 | tr -d '\n' > secrets/authelia_session_secret.txt
openssl rand -hex 32 | tr -d '\n' > secrets/authelia_storage_key.txt
```
```powershell
# Windows PowerShell: Get-Random is not a cryptographic RNG, so draw the
# bytes from the .NET CSPRNG instead
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
function New-HexSecret {
    $bytes = New-Object byte[] 32
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { '{0:x2}' -f $_ })
}
New-HexSecret | Set-Content secrets/authelia_jwt_secret.txt -NoNewline
New-HexSecret | Set-Content secrets/authelia_session_secret.txt -NoNewline
New-HexSecret | Set-Content secrets/authelia_storage_key.txt -NoNewline
```
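Before bringing the stack up it is worth checking that Phase 1 actually produced what the compose files expect. The script below is an added example, not part of LemonSec: it assumes the `.env` keys listed above, secrets stored under `secrets/` as 64 lowercase hex characters without a newline, and that both `.env` and the secret files are mode 600 because they hold credentials.

```bash
#!/bin/sh
# Preflight for the LemonSec .env and Authelia secret files (added example).
# Assumes the .env keys from Phase 1 and 32-byte secrets written as 64 hex
# characters with no trailing newline. Usage: sh preflight.sh .env secrets

# env_get FILE KEY: print the value of KEY (last occurrence wins, empty if unset).
env_get() {
  grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# check_ipv4 ADDR: four dotted decimal octets, each 0-255.
check_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# check_port PORT: integer in 1-65535.
check_port() {
  echo "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_hex_secret FILE: exactly 64 lowercase hex characters and nothing else
# (a stray CRLF or trailing newline would otherwise become part of the secret).
check_hex_secret() {
  [ -f "$1" ] && [ "$(wc -c < "$1" | tr -d ' ')" -eq 64 ] && grep -Eq '^[0-9a-f]{64}$' "$1"
}

# check_mode FILE: credentials must not be group- or world-readable.
check_mode() {
  [ "$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")" = 600 ]
}

# preflight ENVFILE SECRETSDIR: print one problem per line, exit status 1 if any.
preflight() {
  envfile=$1; secrets=$2; rc=0
  for k in CF_API_EMAIL CF_API_KEY TZ TRUENAS_IP TRUENAS_NEXTCLOUD_PORT; do
    v=$(env_get "$envfile" "$k")
    case "$v" in
      ''|your-*|youremail@*) echo "$k is missing or still a placeholder"; rc=1 ;;
    esac
  done
  check_ipv4 "$(env_get "$envfile" TRUENAS_IP)" || { echo "TRUENAS_IP is not a valid IPv4 address"; rc=1; }
  check_port "$(env_get "$envfile" TRUENAS_NEXTCLOUD_PORT)" || { echo "TRUENAS_NEXTCLOUD_PORT is not a valid port"; rc=1; }
  check_mode "$envfile" || { echo "$envfile should be mode 600 (it holds the Cloudflare API key)"; rc=1; }
  for s in authelia_jwt_secret authelia_session_secret authelia_storage_key; do
    f=$secrets/$s.txt
    check_hex_secret "$f" || { echo "$f is missing or not 64 hex characters"; rc=1; }
    if [ -f "$f" ]; then check_mode "$f" || { echo "$f should be mode 600"; rc=1; }; fi
  done
  return $rc
}

if [ $# -ge 1 ]; then preflight "$1" "${2:-secrets}"; fi
```

Run it from the LemonSec directory after editing `.env`; a non-zero exit with the printed reasons means Phase 2 would fail or, worse, start with a predictable or world-readable secret.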
---
## Phase 2: Deploy Core (5 min)
### 1. Start LemonSec
```bash
docker-compose up -d
# Check logs
docker-compose logs -f traefik
# Wait for: "Configuration loaded from files..."
# Press Ctrl+C when stable
```
### 2. Setup CrowdSec
```bash
# Register Traefik as a CrowdSec bouncer. The API key is printed once and
# cannot be shown again (delete and re-add the bouncer if you lose it)
docker-compose exec crowdsec cscli bouncers add traefik-bouncer
# Copy the API key into .env:
# CROWDSEC_API_KEY=paste-key-here
# Re-run up: compose recreates the containers whose environment changed
docker-compose up -d
```
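Pasting the key by hand is easy to get wrong (duplicate `CROWDSEC_API_KEY=` lines, a file without a trailing newline, a key with a space pasted in). The helper below is an added example, not LemonSec code: it sets a key in a docker-compose style `.env` exactly once, writes through a temporary file so an interrupted run cannot leave `.env` half-written, and leaves the file at mode 600.

```bash
#!/bin/sh
# set_env_var FILE KEY VALUE: set KEY=VALUE in a .env file, replacing an
# existing line or appending one, without duplicating keys (added example).
set_env_var() {
  file=$1; key=$2; value=$3
  tmp=$(mktemp "$file.XXXXXX") || return 1
  if grep -Eq "^$key=" "$file" 2>/dev/null; then
    # Key exists: rewrite that line only, keep everything else byte-for-byte.
    # (awk -v interprets backslash escapes; fine for API keys, which have none.)
    awk -v k="$key" -v v="$value" \
      'index($0, k "=") == 1 { print k "=" v; next } { print }' "$file" > "$tmp"
  else
    # Key absent: copy, make sure the last line ends with a newline, append.
    cat "$file" 2>/dev/null > "$tmp"
    if [ -s "$tmp" ] && [ "$(tail -c 1 "$tmp" | wc -l | tr -d ' ')" -eq 0 ]; then
      echo >> "$tmp"
    fi
    echo "$key=$value" >> "$tmp"
  fi
  # mktemp already created the file 0600; keep it that way when it replaces .env
  chmod 600 "$tmp" && mv "$tmp" "$file"
}

# get_env_var FILE KEY: print the current value (empty if unset).
get_env_var() {
  grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}
```

With the function sourced, the whole step becomes one line: `set_env_var .env CROWDSEC_API_KEY "$(docker-compose exec -T crowdsec cscli bouncers add traefik-bouncer -o raw)"` (`-T` stops compose from allocating a TTY so the output can be captured; `-o raw` makes cscli print only the key). Then `docker-compose up -d` as above.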
### 3. Start External Routing
```bash
docker-compose -f docker-compose.yml -f docker-compose.external.yml up -d
```
---
## Phase 3: Cloudflare DNS (3 min)
Login to [Cloudflare Dashboard](https://dash.cloudflare.com)
### Add DNS Records
| Type | Name | Target | Proxy |
|------|------|--------|-------|
| A | cloud | YOUR_PUBLIC_IP | 🟠 |
| A | auth | YOUR_PUBLIC_IP | 🟠 |
| A | * | YOUR_PUBLIC_IP | 🟠 |

`YOUR_PUBLIC_IP` is the public address of your Internet connection, not the VM's LAN address; forward TCP 80 and 443 from your router to the Proxmox VM (192.168.1.50 in the examples) so Traefik receives the traffic. The orange cloud means Cloudflare proxies the request: resolving cloud.lemonlink.eu should now return Cloudflare addresses rather than your own. Two things to keep in mind:
- The wildcard record sends every `*.lemonlink.eu` name to Traefik. Traefik answers 404 for hosts it has no router for, but anything you later route on a subdomain is reachable from the Internet the moment its router exists, so put Authelia or another access control in front of it.
- Traefik sees Cloudflare's edge addresses as the client unless it is configured to trust Cloudflare's forwarded headers. Check the Traefik access log shows real visitor IPs; if it shows Cloudflare ranges, CrowdSec will ban Cloudflare's edges instead of the attacker.
### SSL/TLS Settings
- **SSL/TLS encryption**: Full (strict). Cloudflare then verifies the certificate Traefik requests with the Cloudflare credentials from `.env`; "Flexible" would talk plain HTTP to Traefik and loop with Nextcloud's `OVERWRITEPROTOCOL=https`.
- **Always Use HTTPS**: ON
---
## Phase 4: TrueNAS Nextcloud Config (2 min)
### In TrueNAS Scale:
1. **Apps** → **Installed Applications** → **Nextcloud** → **Edit**
2. **Add Environment Variables**:
```
NEXTCLOUD_TRUSTED_DOMAINS=cloud.lemonlink.eu
OVERWRITEPROTOCOL=https
OVERWRITEHOST=cloud.lemonlink.eu
OVERWRITECLIURL=https://cloud.lemonlink.eu
TRUSTED_PROXIES=192.168.1.50
```
(Replace 192.168.1.50 with your Proxmox VM IP: Traefik runs in Docker there, so Nextcloud sees the VM's address as the proxy.) `OVERWRITE*` and `TRUSTED_PROXIES` take effect on every start, but the official image reads `NEXTCLOUD_TRUSTED_DOMAINS` only during the initial install; on an instance that already exists, add the domain with `occ` as described under Troubleshooting. Keep `TRUSTED_PROXIES` limited to the Traefik host: Nextcloud only honours `X-Forwarded-For` from trusted proxies, and its brute-force protection keys on that client IP.
3. **Save** and wait for the app to update
---
## Phase 5: Test (Immediately)
### 1. Test Nextcloud
```bash
# From outside your network (e.g. a phone on mobile data)
curl -I https://cloud.lemonlink.eu
# Expect 200 or a 302 to /login. A "server: cloudflare" header confirms the
# request went through the Cloudflare proxy; a 502 means Traefik could not
# reach Nextcloud (see Troubleshooting)
```
### 2. Access Web UI
Open: `https://cloud.lemonlink.eu`
You should see Nextcloud login page!
### 3. Create Family Accounts
Login as admin → **Users** → **Create** for each family member
---
## Optional: Add Authelia Protection
If you want extra login security before Nextcloud:
### Edit docker-compose.external.yml
```yaml
# Before (no Authelia):
# - "traefik.http.routers.nextcloud.middlewares=security-headers@file,rate-limit@file"
# After:
- "traefik.http.routers.nextcloud.middlewares=authelia@docker,security-headers@file,rate-limit@file"
```
### Restart
```bash
docker-compose -f docker-compose.yml -f docker-compose.external.yml up -d
```
### Setup Authelia User
```bash
# Generate a password hash. --password leaves the password in your shell
# history; run it without the flag (and with -it) to type it at the prompt instead
docker run --rm -it authelia/authelia:latest \
  authelia crypto hash generate argon2 \
  --password 'FamilyPassword123!'
# Edit authelia/users_database.yml
# Add family members with the hash
# Restart authelia
docker-compose restart authelia
```
Now family logs in to Authelia first, then Nextcloud. One caveat: the Nextcloud mobile and desktop clients talk WebDAV under `/remote.php/dav/` with app passwords and cannot complete Authelia's browser login, so with the middleware on the whole router they stop syncing. Either leave Authelia off the Nextcloud router and rely on Nextcloud's own login plus its two-factor app, or add Authelia access-control bypass rules for the client paths (`/remote.php/`, `/.well-known/`, `/status.php`) as described in the Authelia documentation.
---
## For Family Members
Send them this info:
```
🍋 Your Nextcloud Access
URL: https://cloud.lemonlink.eu
Login with your credentials (created by admin)
Mobile Apps:
- iOS: App Store → "Nextcloud"
- Android: Play Store → "Nextcloud"
- Desktop: nextcloud.com/install
Server address in apps: https://cloud.lemonlink.eu
```
---
## Troubleshooting
### "Access through untrusted domain"
```bash
# Shell into the Nextcloud pod on TrueNAS
k3s kubectl exec -it -n ix-nextcloud deployment/ix-nextcloud -- /bin/sh
# Check config. The values sit on the lines after the key, so a plain
# "grep trusted" only shows the key names
grep -A 5 -E "'trusted_(domains|proxies)'" /var/www/html/config/config.php
# trusted_domains should list 'cloud.lemonlink.eu'
```
If it is missing, `NEXTCLOUD_TRUSTED_DOMAINS` was not applied (the image only reads it during the initial install). Add the domain with `occ config:system:set trusted_domains <n> --value=cloud.lemonlink.eu`, run as the web server user inside the pod, where `<n>` is an index not already in use: `occ` silently overwrites an existing index, which would drop `localhost` or the LAN address from the list.
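Reading `trusted_domains` out of `config.php` by eye is error-prone, and picking the wrong index for `occ` overwrites an entry. The functions below are an added example, not part of LemonSec or Nextcloud: they parse the list-valued keys of a `config.php` in the layout Nextcloud writes (`'key' =>` followed by an `array ( 0 => 'value', ... )` block), report whether a domain is already trusted, and print the `occ` command with the next free index. The sample `config.php` is constructed for the example; the Phase 4 environment variables above are what it should end up reflecting.

```bash
#!/bin/sh
# Parse list-valued keys from a Nextcloud config.php and build the occ fix
# (added example; assumes Nextcloud's own "'key' =>\n array (\n N => 'v',\n )," layout).

# nc_config_list FILE KEY: print "index<TAB>value" for each entry of KEY,
# e.g. trusted_domains or trusted_proxies. Prints nothing if KEY is absent.
nc_config_list() {
  awk -v key="$2" -v q="'" '
    index($0, q key q " =>") { inlist = 1; next }       # the key line starts the list
    inlist && /^[[:space:]]*\),?[[:space:]]*$/ { exit } # the closing ")" ends it
    inlist && match($0, "=> " q "[^" q "]*" q) {        # N => '"'"'value'"'"',
      val = substr($0, RSTART + 4, RLENGTH - 5)
      print $1 "\t" val                                 # $1 is the numeric index
    }
  ' "$1"
}

# nc_has_trusted_domain FILE DOMAIN: exit 0 if DOMAIN is already trusted.
nc_has_trusted_domain() {
  nc_config_list "$1" trusted_domains | cut -f2 | grep -qxF "$2"
}

# nc_trusted_domain_fix FILE DOMAIN: print the occ command that adds DOMAIN at
# the next free index (occ overwrites an existing index, so never reuse one).
nc_trusted_domain_fix() {
  last=$(nc_config_list "$1" trusted_domains | cut -f1 | sort -n | tail -n 1)
  next=$(( ${last:--1} + 1 ))
  echo "php occ config:system:set trusted_domains $next --value=$2"
}

# Constructed sample of what TrueNAS' Nextcloud writes before the domain is added.
sample_config_php() {
  cat <<'EOF'
<?php
$CONFIG = array (
  'instanceid' => 'oc0example',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => '192.168.1.100:9001',
  ),
  'trusted_proxies' =>
  array (
    0 => '192.168.1.50',
  ),
  'overwrite.cli.url' => 'http://localhost',
);
EOF
}
```

Against the real instance, copy the file out with `k3s kubectl exec -n ix-nextcloud deployment/ix-nextcloud -- cat /var/www/html/config/config.php > config.php`, run `nc_trusted_domain_fix config.php cloud.lemonlink.eu`, and execute the printed `occ` command inside the pod as the web server user (for example `su -s /bin/sh www-data -c "<command>"` from the shell opened above). The same parser with `trusted_proxies` confirms that `TRUSTED_PROXIES` from Phase 4 landed in the config.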
### "502 Bad Gateway"
- Check `TRUENAS_IP` and `TRUENAS_NEXTCLOUD_PORT` in `.env`
- Verify the Nextcloud app is running in TrueNAS
- Test direct access from the Proxmox VM, not just your laptop, since that is the path Traefik uses: `curl -I http://TRUENAS_IP:PORT`
### "Too Many Redirects"
- Ensure `OVERWRITEPROTOCOL=https` is set; without it Nextcloud sees the plain-HTTP hop from Traefik and redirects to https, which arrives as http again
- Check the Cloudflare SSL mode is "Full (strict)"; "Flexible" talks plain HTTP to the origin and produces exactly this loop
---
## Next Steps (After Nextcloud Works)
1. **Backup** - Set up automatic backups
2. **Monitoring** - Enable `--profile monitoring`
3. **More Services** - Add Portainer, etc.
4. **Security** - Review `docs/SECURITY.md`
---
## Files You Modified
Keep backups of these (they hold credentials, so store the backup encrypted):
- `.env` - Your secrets and IPs
- `secrets/` - Authelia keys; without `authelia_storage_key.txt` the data Authelia encrypted with it (users' TOTP secrets) cannot be read back
- `authelia/users_database.yml` - Family logins
- `docker-compose.external.yml` - Service routing