# LemonSec Setup Guide

Complete setup instructions for different deployment methods.

## Table of Contents

1. [Portainer Git Deployment](#portainer-git-deployment-recommended) (Recommended)
2. [Docker Compose Manual](#docker-compose-manual)
3. [TrueNAS Nextcloud Specifics](#truenas-nextcloud-setup)
4. [Migration from NPM](#migration-from-nginx-proxy-manager)

---

## Portainer Git Deployment (Recommended)

Best for Proxmox users with Portainer already installed.

### Prerequisites

- Portainer running on a Proxmox VM
- Git repository at `https://git.lemonlink.eu/impulsivefps/LemonSec`
- Cloudflare account
- TrueNAS Scale with Nextcloud

### Quick Steps

1. **Push code to Git**:

   ```bash
   cd LemonSec
   git init
   git remote add origin https://git.lemonlink.eu/impulsivefps/LemonSec.git
   git add .
   git commit -m "Initial commit"
   git push -u origin main
   ```

2. **Generate Secrets**:

   ```bash
   openssl rand -hex 32   # Run 3 times
   ```

   Save the 3 outputs for the three `AUTHELIA_*` variables listed below.

3. **Deploy in Portainer**:
   - Stacks → Add Stack → Repository
   - URL: `https://git.lemonlink.eu/impulsivefps/LemonSec`
   - Add environment variables (see below)
   - Deploy

### Required Environment Variables

| Variable | Description | Example |
|----------|-------------|---------|
| `CF_API_EMAIL` | Cloudflare email | `you@example.com` |
| `CF_API_KEY` | Cloudflare API key | `global-api-key` |
| `TRUENAS_IP` | TrueNAS VM IP | `192.168.1.100` |
| `TRUENAS_NEXTCLOUD_PORT` | Nextcloud port | `9001` |
| `AUTHELIA_JWT_SECRET` | Random hex string | `openssl rand -hex 32` |
| `AUTHELIA_SESSION_SECRET` | Random hex string | `openssl rand -hex 32` |
| `AUTHELIA_STORAGE_KEY` | Random hex string | `openssl rand -hex 32` |

**Full detailed guide**: [PORTAINER-DEPLOY.md](PORTAINER-DEPLOY.md)

---

## Docker Compose Manual

For systems without Portainer, or for development.

### Prerequisites

- Docker 20.10+
- Docker Compose 2.0+
- Git

### Steps

1. **Clone repository**:

   ```bash
   git clone https://git.lemonlink.eu/impulsivefps/LemonSec.git
   cd LemonSec
   ```

2. **Configure environment**:

   ```bash
   cp .env.example .env
   nano .env
   ```

3. **Generate secrets**:

   ```bash
   mkdir -p secrets
   openssl rand -hex 32 > secrets/authelia_jwt_secret.txt
   openssl rand -hex 32 > secrets/authelia_session_secret.txt
   openssl rand -hex 32 > secrets/authelia_storage_key.txt
   ```

4. **Deploy**:

   ```bash
   docker-compose up -d
   ```

5. **Set up CrowdSec**:

   ```bash
   docker-compose exec crowdsec cscli bouncers add traefik-bouncer
   # Add the printed API key to .env and restart the stack
   ```
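The two secret-generation steps above (Portainer step 2 and Docker Compose step 3) run `openssl rand -hex 32` by hand. The script below is an added example, not part of LemonSec, that produces all three Authelia values with the checks a practitioner would want: files are created mode 0600 inside a 0700 directory, an existing secret is never silently regenerated (rotating the storage key or session secret invalidates whatever was encrypted or signed with it), every value is verified to be exactly 64 hex characters, and the same values can be printed as `AUTHELIA_*` lines for the Portainer variable fields. `SECRETS_DIR`, the `run` argument and the `/dev/urandom` fallback are this example's own conventions.

```shell
#!/bin/sh
# Added example (not LemonSec code): generate the three Authelia secrets the
# guide asks for without leaving them world-readable or overwriting existing
# ones. Assumes openssl on PATH (falls back to /dev/urandom); SECRETS_DIR
# defaults to ./secrets, matching the Docker Compose step.

set -eu

SECRETS_DIR="${SECRETS_DIR:-secrets}"

# One file per secret, named as in the Docker Compose step of the guide.
SECRET_NAMES="authelia_jwt_secret authelia_session_secret authelia_storage_key"

# 32 random bytes as 64 lowercase hex characters, newline-terminated.
random_hex32() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        # Fallback for hosts without openssl: bytes from the kernel CSPRNG.
        head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
        echo
    fi
}

# Write a fresh secret to $1 unless a non-empty file is already there.
gen_secret_file() {
    file="$1"
    if [ -s "$file" ]; then
        echo "keep    $file (already present)" >&2
        return 0
    fi
    # umask 077 in a subshell: the file is created 0600 and the caller's
    # umask is untouched.
    ( umask 077 && random_hex32 > "$file" )
    echo "created $file" >&2
}

# Sanity-check a secret file: one line of exactly 64 lowercase hex chars.
check_secret_file() {
    file="$1"
    [ -f "$file" ] || return 1
    value=$(tr -d '\n' < "$file")
    [ "${#value}" -eq 64 ] || return 1
    case "$value" in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# Generate all three secrets into a directory (default SECRETS_DIR) and
# verify each one. Returns non-zero if any file fails the check.
generate_authelia_secrets() {
    dir="${1:-$SECRETS_DIR}"
    mkdir -p "$dir"
    chmod 700 "$dir"
    for name in $SECRET_NAMES; do
        gen_secret_file "$dir/$name.txt"
        check_secret_file "$dir/$name.txt" || {
            echo "bad secret in $dir/$name.txt" >&2
            return 1
        }
    done
}

# Print the same values as KEY=VALUE lines for the Portainer variable fields;
# upper-casing the file names yields AUTHELIA_JWT_SECRET etc.
print_env_lines() {
    dir="${1:-$SECRETS_DIR}"
    for name in $SECRET_NAMES; do
        key=$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')
        printf '%s=%s\n' "$key" "$(tr -d '\n' < "$dir/$name.txt")"
    done
}

# Usage: `sh gen-secrets.sh run` populates ./secrets (or $SECRETS_DIR) and
# prints the three AUTHELIA_* lines.
case "${1:-}" in
    run) generate_authelia_secrets && print_env_lines ;;
esac
```

Because the script keeps existing files, re-running it after the stack is up is safe; delete a specific file first if you deliberately want to rotate that one secret, and expect the corresponding sessions or encrypted storage to be invalidated.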
---

## TrueNAS Nextcloud Setup

If your Nextcloud runs on TrueNAS Scale (in a separate VM).

### Architecture

```
Internet → Cloudflare → Traefik (Proxmox) → TrueNAS (Nextcloud)
```

### Configuration

1. **Get TrueNAS Info**:
   - TrueNAS IP: `192.168.1.100`
   - Nextcloud Port: check Apps → Nextcloud (e.g., `9001`)

2. **Set environment variables**:

   ```
   TRUENAS_IP=192.168.1.100
   TRUENAS_NEXTCLOUD_PORT=9001
   ```

3. **Configure TrueNAS Nextcloud**:

   In TrueNAS → Apps → Nextcloud → Edit, add:

   ```
   NEXTCLOUD_TRUSTED_DOMAINS=cloud.lemonlink.eu
   OVERWRITEPROTOCOL=https
   OVERWRITEHOST=cloud.lemonlink.eu
   TRUSTED_PROXIES=192.168.1.50 # Your Proxmox VM IP
   ```

4. **DNS**:

   Cloudflare → DNS:
   - A record: `cloud` → YOUR_PUBLIC_IP (orange cloud)

5. **Test**:

   Visit `https://cloud.lemonlink.eu`
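As an added example (not LemonSec's own tooling), the following POSIX shell script lints an environment block like the one in step 3 before you paste it into the TrueNAS app form. It flags an inline `#` comment such as the `# Your Proxmox VM IP` note (a form field stores the text literally, so the comment has to be removed by hand), requires `OVERWRITEPROTOCOL=https`, requires `OVERWRITEHOST` to appear in `NEXTCLOUD_TRUSTED_DOMAINS` (the cause of the "Access through untrusted domain" error under Troubleshooting), and rejects a `TRUSTED_PROXIES` value that is not an IPv4 address or CIDR or that trusts every address, since a Nextcloud that trusts any proxy lets any client forge its source address and blinds per-IP decisions such as CrowdSec's. The function names and the two sample files are constructed for this example; a space-separated `NEXTCLOUD_TRUSTED_DOMAINS` list is assumed.

```shell
#!/bin/sh
# Added example, not LemonSec code: lint the environment block the guide
# tells you to paste into TrueNAS -> Apps -> Nextcloud before relying on it.
# Assumes the variable names from the guide and a file of KEY=VALUE lines;
# the sample contents below are constructed for this example.

set -eu

# Print the value of variable $1 from env file $2 (empty if absent).
env_get() {
    sed -n "s/^$1=//p" "$2" | head -n 1
}

# Is $1 a dotted-quad IPv4 address, optionally with a /0../32 prefix?
# (Octet range is not checked; enough to catch hostnames and comment words.)
is_ipv4_or_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Check env file $1. Prints one line per finding; returns 1 if any, else 0.
check_nextcloud_proxy_env() {
    f="$1"
    rc=0

    # The guide's TRUSTED_PROXIES line ends in "# Your Proxmox VM IP". A form
    # field stores the text literally, so the comment must be dropped by hand.
    if grep -Eq '^[A-Z_]+=.*#' "$f"; then
        echo "FAIL a value contains '#': strip inline comments before pasting"
        rc=1
    fi

    # Behind Traefik the app must build its links as https://, not http://.
    proto=$(env_get OVERWRITEPROTOCOL "$f")
    if [ "$proto" != "https" ]; then
        echo "FAIL OVERWRITEPROTOCOL must be https (got '${proto:-unset}')"
        rc=1
    fi

    # The public host must also be trusted, or Nextcloud answers
    # "Access through untrusted domain".
    host=$(env_get OVERWRITEHOST "$f")
    domains=$(env_get NEXTCLOUD_TRUSTED_DOMAINS "$f")
    found=0
    for d in $domains; do
        if [ "$d" = "$host" ]; then found=1; fi
    done
    if [ -z "$host" ] || [ "$found" -eq 0 ]; then
        echo "FAIL OVERWRITEHOST '${host:-unset}' is not in NEXTCLOUD_TRUSTED_DOMAINS"
        rc=1
    fi

    # Only the Traefik VM may set X-Forwarded-For. Trusting everything
    # (0.0.0.0/0) lets any client forge its source address, which also
    # defeats per-IP decisions such as CrowdSec's.
    proxies=$(env_get TRUSTED_PROXIES "$f")
    if [ -z "$proxies" ]; then
        echo "FAIL TRUSTED_PROXIES is unset"
        rc=1
    fi
    for p in $proxies; do
        if ! is_ipv4_or_cidr "$p"; then
            echo "FAIL TRUSTED_PROXIES entry '$p' is not an IPv4 address or CIDR"
            rc=1
        elif [ "$p" = "0.0.0.0/0" ]; then
            echo "FAIL TRUSTED_PROXIES trusts every address; list the Traefik host only"
            rc=1
        fi
    done

    if [ "$rc" -eq 0 ]; then echo "OK $f"; fi
    return "$rc"
}

# Constructed sample 1: the guide's block pasted verbatim, comment included.
write_sample_as_pasted() {
    cat > "$1" <<'EOF'
NEXTCLOUD_TRUSTED_DOMAINS=cloud.lemonlink.eu
OVERWRITEPROTOCOL=https
OVERWRITEHOST=cloud.lemonlink.eu
TRUSTED_PROXIES=192.168.1.50 # Your Proxmox VM IP
EOF
}

# Constructed sample 2: the same block with the comment removed.
write_sample_clean() {
    cat > "$1" <<'EOF'
NEXTCLOUD_TRUSTED_DOMAINS=cloud.lemonlink.eu
OVERWRITEPROTOCOL=https
OVERWRITEHOST=cloud.lemonlink.eu
TRUSTED_PROXIES=192.168.1.50
EOF
}

# Usage: `sh check-nextcloud-env.sh path/to/nextcloud.env`. With no argument
# it lints the two constructed samples so both outcomes are visible.
if [ "$#" -gt 0 ]; then
    check_nextcloud_proxy_env "$1"
else
    t=$(mktemp -d)
    write_sample_as_pasted "$t/pasted.env"
    write_sample_clean "$t/clean.env"
    check_nextcloud_proxy_env "$t/pasted.env" || true
    check_nextcloud_proxy_env "$t/clean.env" || true
    rm -rf "$t"
fi
```

The `TRUSTED_PROXIES` address is the Traefik VM as seen from TrueNAS, not a Cloudflare range: Cloudflare terminates the public side, Traefik is the only thing that talks to Nextcloud directly, so that single address is the whole trust boundary.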
**Detailed guide**: [SETUP-TRUENAS-NEXTCLOUD.md](SETUP-TRUENAS-NEXTCLOUD.md)

---

## Migration from Nginx Proxy Manager

If you're currently using NPM and want to migrate to LemonSec.

### Strategy

1. **Parallel running** (recommended):
   - Deploy LemonSec alongside NPM
   - Migrate services one by one
   - Test thoroughly
   - Only then remove NPM

2. **Direct migration**:
   - Export NPM config
   - Convert to Traefik format
   - Deploy and verify

### Migration Mapping

| NPM | Traefik |
|-----|---------|
| Proxy Hosts | Labels on router containers |
| SSL Certificates | Automatic via certresolver |
| Access Lists | Authelia middleware |
| Custom Locations | Path rules |
| Redirection Hosts | Redirect middleware |

**Full migration guide**: [MIGRATE-FROM-NPM.md](MIGRATE-FROM-NPM.md)

---

## Post-Deployment Checklist

- [ ] Nextcloud accessible at `https://cloud.lemonlink.eu`
- [ ] SSL certificate valid (green lock)
- [ ] Family can log in with Nextcloud credentials
- [ ] Mobile apps sync successfully
- [ ] CrowdSec showing decisions (`docker exec crowdsec cscli decisions list`)
- [ ] Authelia accessible at `https://auth.lemonlink.eu`
- [ ] Backups configured

## Troubleshooting

### "CF_API_EMAIL not set"

→ Check the environment variables in the Portainer UI

### "502 Bad Gateway" for Nextcloud

→ Verify `TRUENAS_IP` and `TRUENAS_NEXTCLOUD_PORT`
→ Test: `curl http://TRUENAS_IP:PORT` from the Proxmox VM

### "Access through untrusted domain"

→ Add the domain to the TrueNAS Nextcloud environment variables (`NEXTCLOUD_TRUSTED_DOMAINS`)

### SSL Certificate issues

→ Check Cloudflare API credentials
→ Verify DNS records exist in Cloudflare

## Next Steps

1. **Add family to Authelia** (if using SSO)
2. **Enable monitoring** (Prometheus/Grafana)
3. **Add more services** (Vaultwarden, etc.)
4. **Configure backups**
5. **Review security settings**