# LemonSec Quick Start Guide

## 🚀 Deployment Steps

### Step 1: Prepare Your Server

```bash
# On Proxmox (Debian/Ubuntu)
sudo apt update && sudo apt install -y docker.io docker-compose
sudo usermod -aG docker "$USER"
# Log out and back in
```
### Step 2: Configure Environment

```bash
cd LemonSec
# 1. Copy environment template
cp .env.example .env
# 2. Edit with your details
nano .env
# Required:
# - CF_API_EMAIL (your Cloudflare email)
# - CF_API_KEY (from https://dash.cloudflare.com/profile/api-tokens)
# - TAILSCALE_IP (from `tailscale ip -4`)
```
### Step 3: Setup Authelia

```bash
# Generate password hash for admin user
# Note: a password given via --password ends up in your shell history;
# run docker with -it and omit --password to have Authelia prompt for it instead
docker run --rm authelia/authelia:latest \
  authelia crypto hash generate argon2 \
  --password 'YourSecurePassword123!'
# Edit users database
nano authelia/users_database.yml
# Replace the password hash with the one you generated
```
### Step 4: Run Setup Script

```bash
# On Windows
.\setup.ps1
# On Linux (create first)
# bash setup.sh
```
### Step 5: Start Core Services

```bash
# Start everything
docker-compose up -d
# Check Traefik is working
docker-compose logs -f traefik
# You should see "Configuration loaded from files..." and no errors
```
### Step 6: Configure CrowdSec

```bash
# Generate API key for Traefik bouncer
docker-compose exec crowdsec cscli bouncers add traefik-bouncer
# Copy the key and add to .env:
# CROWDSEC_API_KEY=your-key-here
# Restart to apply
docker-compose up -d
```
### Step 7: Verify DNS

In Cloudflare DNS, ensure you have:

| Type | Name | Target | Proxy |
|---|---|---|---|
| A | @ | YOUR_IP | 🟠 |
| A | * | YOUR_IP | 🟠 |
| A | auth | YOUR_IP | 🟠 |
### Step 8: Test Access

```bash
# Test external (after DNS propagates)
curl -I https://auth.lemonlink.eu
# Test internal (via Tailscale)
curl -k -I https://traefik.local.lemonlink.eu:8443
```
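The two `curl -I` calls above only tell you something if you know what a correct answer looks like. The helper below is an added example, not part of the LemonSec project: it classifies a captured header block the way a reviewer would. It assumes the layout this guide sets up (the portal at `auth.lemonlink.eu` is the one host that may answer 200 to an anonymous client; every other host behind the `authelia@docker` middleware must redirect to that portal, or answer 401 to a non-browser client), and the sample responses at the bottom are constructed, not captured from a live host.

```shell
#!/bin/sh
# Added example (not LemonSec code): interpret `curl -I` output from Step 8.
AUTH_HOST="auth.lemonlink.eu"   # portal hostname from this guide; adjust to yours

# classify_response <auth|protected>   (raw response headers on stdin)
# Prints one verdict word; returns 0 only when the response is what Step 8 expects.
classify_response() {
    kind="$1"
    hdrs=$(cat | tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | sed -n '1s#^HTTP/[0-9.]* \([0-9][0-9]*\).*#\1#p')
    location=$(printf '%s\n' "$hdrs" | sed -n 's/^[Ll]ocation:[[:space:]]*//p' | head -n 1)

    case "$status" in
        502|503|504) echo "bad-gateway"; return 1 ;;    # see "Bad Gateway" in Troubleshooting
        "")          echo "no-status-line"; return 1 ;;
    esac

    case "$kind" in
        auth)
            # The portal itself must be reachable anonymously.
            [ "$status" = "200" ] && { echo "ok"; return 0; }
            ;;
        protected)
            case "$status" in
                301|302|303|307|308)
                    # A browser-style client is bounced to the portal.
                    case "$location" in
                        "https://$AUTH_HOST"*) echo "ok"; return 0 ;;
                        *) echo "redirect-elsewhere:$location"; return 1 ;;
                    esac ;;
                401)
                    # Non-browser clients get a 401 from the forward-auth middleware;
                    # that still proves the middleware is in front of the service.
                    echo "ok"; return 0 ;;
                200)
                    # Content served without a login: the router lacks the authelia middleware.
                    echo "unprotected"; return 1 ;;
            esac
            ;;
    esac
    echo "unexpected:$status"
    return 1
}

# proxied_by_cloudflare   (headers on stdin)
# 0 if the response carries Cloudflare's cf-ray header, i.e. the public name really
# goes through the orange-cloud proxy rather than straight to your origin IP.
proxied_by_cloudflare() {
    tr -d '\r' | grep -qi '^cf-ray:'
}

# Constructed sample responses (placeholders, not real captures).
SAMPLE_AUTH_OK='HTTP/2 200
server: cloudflare
cf-ray: 0000000000000000-XXX
content-type: text/html; charset=utf-8'

SAMPLE_PROTECTED_OK='HTTP/2 302
location: https://auth.lemonlink.eu/?rd=https%3A%2F%2Fcloud.lemonlink.eu%2F
server: cloudflare
cf-ray: 0000000000000000-XXX'

SAMPLE_UNPROTECTED='HTTP/2 200
content-type: text/html
server: cloudflare'

SAMPLE_BAD_GATEWAY='HTTP/1.1 502 Bad Gateway
content-type: text/plain'

# Demo on the constructed samples. Real use:
#   curl -sI https://auth.lemonlink.eu  | classify_response auth
#   curl -sI https://cloud.lemonlink.eu | classify_response protected
printf '%s\n' "$SAMPLE_PROTECTED_OK" | classify_response protected || true
printf '%s\n' "$SAMPLE_UNPROTECTED"  | classify_response protected || true
```

A verdict of `unprotected` on a host you meant to put behind Authelia is the one to act on before anything else: it means the `middlewares=authelia@docker` label is missing or misspelled on that router.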
## 📝 Adding Services

### External Service (e.g., Nextcloud)

```yaml
# In docker-compose.override.yml
services:
  nextcloud:
    image: nextcloud:latest
    networks:
      - services
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud.rule=Host(`cloud.lemonlink.eu`)"
      - "traefik.http.routers.nextcloud.entrypoints=websecure"
      - "traefik.http.routers.nextcloud.tls.certresolver=letsencrypt"
      - "traefik.http.routers.nextcloud.middlewares=authelia@docker"
```
### Internal Service (e.g., Portainer)

```yaml
services:
  portainer:
    image: portainer/portainer-ce:latest
    networks:
      - services
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.rule=Host(`docker.local.lemonlink.eu`)"
      - "traefik.http.routers.portainer.entrypoints=internal"
      - "traefik.http.routers.portainer.tls.certresolver=letsencrypt"
      - "traefik.http.routers.portainer.middlewares=authelia@docker"
```
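The two service definitions differ in exactly two labels (`entrypoints` and the hostname), and a service that gets one of them wrong is either exposed to the internet on the Tailscale-only entrypoint's name or left without the Authelia middleware. The script below is an added example, not part of the LemonSec repository: it lints every `traefik.http.routers.<name>.*` label in a compose file against the conventions of this section. The policy it enforces is an assumption drawn from the two examples above (every router carries `authelia@docker` and a `tls.certresolver`; hosts under `*.local.lemonlink.eu` use entrypoint `internal`, everything else `websecure`), and the sample compose file it writes is constructed, with a deliberately broken `wiki` service.

```shell
#!/bin/sh
# Added example (not LemonSec code): lint Traefik router labels in a compose file.

# Print the router names declared via traefik.http.routers.<name>.rule labels.
router_names() {
    grep -o 'traefik\.http\.routers\.[A-Za-z0-9_-]*\.rule' "$1" \
        | sed 's/traefik\.http\.routers\.//; s/\.rule$//' | sort -u
}

# check_router_labels <compose-file>
# Prints one line per finding; returns 1 if anything was found, 0 if clean.
check_router_labels() {
    file="$1"
    findings=0
    for r in $(router_names "$file"); do
        p="traefik\.http\.routers\.$r"   # regex-escaped label prefix for this router
        rule=$(grep -o "$p\.rule=Host([^)]*)" "$file" | head -n 1)
        ep=$(grep -o "$p\.entrypoints=[a-z]*" "$file" | sed 's/.*=//' | head -n 1)
        mw=$(grep -o "$p\.middlewares=[^\"]*" "$file" | sed 's/.*=//' | head -n 1)

        # 1. Every router must sit behind the Authelia forward-auth middleware.
        case "$mw" in
            *authelia@docker*) ;;
            *) echo "$r: not behind the authelia middleware (got '$mw')"
               findings=$((findings + 1)) ;;
        esac
        # 2. *.local.* hostnames are Tailscale-only and belong on the internal entrypoint;
        #    anything else is public and belongs on websecure.
        case "$rule" in
            *.local.*) [ "$ep" = "internal" ] \
                || { echo "$r: .local host must use entrypoint 'internal', got '$ep'"; findings=$((findings + 1)); } ;;
            *)         [ "$ep" = "websecure" ] \
                || { echo "$r: public host must use entrypoint 'websecure', got '$ep'"; findings=$((findings + 1)); } ;;
        esac
        # 3. A router without a certresolver serves Traefik's default certificate.
        grep -q "$p\.tls\.certresolver=" "$file" \
            || { echo "$r: no tls.certresolver label"; findings=$((findings + 1)); }
    done
    [ "$findings" -eq 0 ]
}

# Number of findings for a file (handy in scripts).
count_findings() {
    check_router_labels "$1" | wc -l | tr -d ' '
}

# Constructed sample: nextcloud and portainer follow the guide; "wiki" is deliberately
# wrong (public hostname on the internal entrypoint, no authelia middleware).
write_sample_compose() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
services:
  nextcloud:
    image: nextcloud:latest
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud.rule=Host(`cloud.lemonlink.eu`)"
      - "traefik.http.routers.nextcloud.entrypoints=websecure"
      - "traefik.http.routers.nextcloud.tls.certresolver=letsencrypt"
      - "traefik.http.routers.nextcloud.middlewares=authelia@docker"
  portainer:
    image: portainer/portainer-ce:latest
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.rule=Host(`docker.local.lemonlink.eu`)"
      - "traefik.http.routers.portainer.entrypoints=internal"
      - "traefik.http.routers.portainer.tls.certresolver=letsencrypt"
      - "traefik.http.routers.portainer.middlewares=authelia@docker"
  wiki:
    image: example/wiki:latest
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wiki.rule=Host(`wiki.lemonlink.eu`)"
      - "traefik.http.routers.wiki.entrypoints=internal"
      - "traefik.http.routers.wiki.tls.certresolver=letsencrypt"
EOF
    echo "$f"
}

# Demo on the constructed file. Real use: check_router_labels docker-compose.override.yml
sample=$(write_sample_compose)
check_router_labels "$sample" || echo "label check failed: fix the routers listed above"
rm -f "$sample"
```

Run it against `docker-compose.override.yml` before `docker-compose up -d` whenever you add a service; a clean exit means every router matches one of the two patterns in this section.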
## 🔍 Common Commands

```bash
# View all logs
docker-compose logs -f
# View specific service
docker-compose logs -f authelia
# Restart service
docker-compose restart traefik
# Check CrowdSec bans
docker-compose exec crowdsec cscli decisions list
# Unban an IP
docker-compose exec crowdsec cscli decisions delete --ip 1.2.3.4
# Update everything
docker-compose pull && docker-compose up -d
# Full reset (keeps data)
docker-compose down && docker-compose up -d
# Complete wipe (⚠️ destroys data)
docker-compose down -v
```
## 🐛 Troubleshooting

### "Bad Gateway" Error

- Check the service is running: `docker-compose ps`
- Check the service logs: `docker-compose logs [service]`
- Verify the port in the labels matches the container port

### Certificate Issues

- Check Cloudflare API credentials
- Verify DNS records
- Check Traefik logs for ACME errors
- Use staging first: change `certresolver` to `letsencrypt-staging`

### Authelia Redirect Loop

- Check `session.domain` in `authelia/configuration.yml`
- Verify time sync: `timedatectl status`
- Clear browser cookies

### Can't Access Internal Services

- Verify Tailscale is connected: `tailscale status`
- Check if port 8443 is bound to the Tailscale IP
- Test locally: `curl -k https://localhost:8443`
### CrowdSec Blocking Legitimate Traffic

```bash
# Check what's blocked
docker-compose exec crowdsec cscli decisions list
# Remove false positive
docker-compose exec crowdsec cscli decisions delete --ip YOUR_IP
# Add whitelist parser (then list your own IPs in its configuration)
docker-compose exec crowdsec cscli parsers install crowdsecurity/whitelists
```
## 📊 Monitoring Stack (Optional)

```bash
# Start monitoring
docker-compose --profile monitoring up -d
# Access (via Tailscale)
# - Grafana: https://grafana.local.lemonlink.eu:8443
# - Prometheus: https://prometheus.local.lemonlink.eu:8443
```
## 🔄 Backup Strategy

```bash
#!/bin/bash
# Backup script (run weekly)
set -euo pipefail
DATE=$(date +%Y%m%d)
# Config and secrets (.env holds your API keys, so keep the archive somewhere private)
tar czf "backup-$DATE.tar.gz" \
    traefik/ authelia/ crowdsec/ .env
# Backup volumes
docker run --rm \
    -v lemonsec_authelia-data:/data \
    -v "$(pwd)":/backup \
    alpine tar czf "/backup/authelia-$DATE.tar.gz" -C /data .
```
## 🛡️ Security Checklist

- [ ] Changed default Authelia password
- [ ] Enabled 2FA in Authelia
- [ ] Set up email notifications
- [ ] Configured CrowdSec notifications
- [ ] Enabled Cloudflare "Under Attack" mode for DDoS
- [ ] Set up regular backups
- [ ] Reviewed access logs weekly
- [ ] Updated images monthly
## 📚 Next Steps

- Add your services - See the `examples/` directory
- Configure monitoring - Enable `--profile monitoring`
- Set up notifications - Email/Discord alerts
- Review security - Follow `docs/SECURITY.md`
- Customize - Edit `docker-compose.override.yml`
## 💬 Getting Help

- Traefik docs: https://doc.traefik.io/traefik/
- Authelia docs: https://www.authelia.com/
- CrowdSec docs: https://docs.crowdsec.net/
- Logs: Always check `docker-compose logs [service]` first