LemonSec/SETUP.md

LemonSec Setup Guide

Complete setup instructions for different deployment methods.

Table of Contents

  1. Portainer Git Deployment (Recommended)
  2. Docker Compose Manual
  3. TrueNAS Nextcloud Specifics
  4. Migration from NPM

Portainer Git Deployment (Recommended)

Best for Proxmox users with Portainer already installed.

Prerequisites

  • Portainer running on Proxmox VM
  • Git repository at https://git.lemonlink.eu/impulsivefps/LemonSec
  • Cloudflare account
  • TrueNAS Scale with Nextcloud

Quick Steps

  1. Push code to Git:

```sh
cd LemonSec
git init
git remote add origin https://git.lemonlink.eu/impulsivefps/LemonSec.git
git add .
git commit -m "Initial commit"
git push -u origin main
```

  2. Generate secrets:

```sh
openssl rand -hex 32  # run 3 times, once per secret
```

Save the three outputs for the AUTHELIA_JWT_SECRET, AUTHELIA_SESSION_SECRET and AUTHELIA_STORAGE_KEY variables.

  3. Deploy in Portainer:
  • Stacks → Add Stack → Repository
  • URL: https://git.lemonlink.eu/impulsivefps/LemonSec
  • Add environment variables (see below)
  • Deploy

Required Environment Variables

| Variable | Description | Example |
| --- | --- | --- |
| CF_API_EMAIL | Cloudflare email | you@example.com |
| CF_API_KEY | Cloudflare API key | global-api-key |
| TRUENAS_IP | TrueNAS VM IP | 192.168.1.100 |
| TRUENAS_NEXTCLOUD_PORT | Nextcloud port | 9001 |
| AUTHELIA_JWT_SECRET | Random hex string | output of `openssl rand -hex 32` |
| AUTHELIA_SESSION_SECRET | Random hex string | output of `openssl rand -hex 32` |
| AUTHELIA_STORAGE_KEY | Random hex string | output of `openssl rand -hex 32` |

Full detailed guide: PORTAINER-DEPLOY.md


Docker Compose Manual

For systems without Portainer or for development.

Prerequisites

  • Docker 20.10+
  • Docker Compose 2.0+
  • Git

Steps

  1. Clone the repository:

```sh
git clone https://git.lemonlink.eu/impulsivefps/LemonSec.git
cd LemonSec
```

  2. Configure the environment:

```sh
cp .env.example .env
nano .env
```

  3. Generate secrets:

```sh
mkdir -p secrets
openssl rand -hex 32 > secrets/authelia_jwt_secret.txt
openssl rand -hex 32 > secrets/authelia_session_secret.txt
openssl rand -hex 32 > secrets/authelia_storage_key.txt
```

  4. Deploy:

```sh
docker-compose up -d
```

  5. Set up CrowdSec:

```sh
docker-compose exec crowdsec cscli bouncers add traefik-bouncer
# Add the printed bouncer API key to .env and restart the stack
```
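The secret-generation steps above (Portainer step 2 and Docker Compose step 3) as one added example; this script is not part of the LemonSec repository. It writes the three files with the names the Compose step uses, creates them mode 0600 before any bytes land on disk, refuses to overwrite a secret that already exists (rotating it would invalidate every live Authelia session and encrypted storage), and verifies each file afterwards. The fallback to /dev/urandom when openssl is absent is this example's own choice.

```sh
#!/bin/sh
# Added example, not part of the LemonSec repository: create the three Authelia
# secrets that the Docker Compose steps write into secrets/ and that the
# Portainer deployment takes as environment variables.
set -eu

# File names assumed to match the Docker Compose step above.
AUTHELIA_SECRET_NAMES="authelia_jwt_secret authelia_session_secret authelia_storage_key"

# random_hex32: 32 random bytes as 64 lowercase hex characters (what
# `openssl rand -hex 32` prints); falls back to /dev/urandom without openssl.
random_hex32() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
        echo
    fi
}

# is_hex_secret FILE: succeeds only if FILE holds exactly 64 hex characters
# (an empty or truncated file means the generation step failed).
is_hex_secret() {
    [ -s "$1" ] || return 1
    tr -d '\n' < "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# write_secret FILE: create FILE with a fresh secret; keep a valid existing
# one untouched, and refuse to touch a file that exists but is not a secret.
write_secret() {
    file=$1
    if [ -e "$file" ]; then
        if is_hex_secret "$file"; then
            echo "keep    $file (already present)" >&2
            return 0
        fi
        echo "refuse  $file exists but is not a 64-char hex secret" >&2
        return 1
    fi
    # umask 077 in a subshell: the file is created 0600, never world-readable
    ( umask 077 && random_hex32 > "$file" )
    echo "created $file" >&2
}

# gen_authelia_secrets DIR: create DIR (0700) and all three secret files in it;
# verify every file afterwards so a broken generator cannot pass silently.
gen_authelia_secrets() {
    dir=$1
    ( umask 077 && mkdir -p "$dir" )
    for name in $AUTHELIA_SECRET_NAMES; do
        write_secret "$dir/$name.txt"
    done
    for name in $AUTHELIA_SECRET_NAMES; do
        is_hex_secret "$dir/$name.txt" || { echo "invalid secret: $dir/$name.txt" >&2; return 1; }
    done
}

# portainer_env DIR: print the three values as KEY=value lines for the
# Portainer "Environment variables" form (paste them there, never commit them).
portainer_env() {
    dir=$1
    for name in $AUTHELIA_SECRET_NAMES; do
        key=$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')
        printf '%s=%s\n' "$key" "$(tr -d '\n' < "$dir/$name.txt")"
    done
}

# Run directly with:  sh gen-secrets.sh ./secrets   (no-op when sourced)
case "${0##*/}" in
    gen-secrets.sh) gen_authelia_secrets "${1:-./secrets}" ;;
esac
```

Run it once on the Compose host and keep the secrets/ directory out of Git; for the Portainer route, feed `portainer_env secrets` into the stack's environment variables instead of committing them to the repository.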

TrueNAS Nextcloud Setup

If your Nextcloud runs on TrueNAS Scale (separate VM).

Architecture

Internet → Cloudflare → Traefik (Proxmox) → TrueNAS (Nextcloud)

Configuration

  1. Get TrueNAS info:

    • TrueNAS IP: 192.168.1.100
    • Nextcloud port: check Apps → Nextcloud (e.g., 9001)

  2. Set environment variables:

```ini
TRUENAS_IP=192.168.1.100
TRUENAS_NEXTCLOUD_PORT=9001
```

  3. Configure TrueNAS Nextcloud: in TrueNAS → Apps → Nextcloud → Edit, add:

```ini
NEXTCLOUD_TRUSTED_DOMAINS=cloud.lemonlink.eu
OVERWRITEPROTOCOL=https
OVERWRITEHOST=cloud.lemonlink.eu
TRUSTED_PROXIES=192.168.1.50  # Your Proxmox VM IP (the host running Traefik)
```

  4. DNS: Cloudflare → DNS:
  • A record: cloud → YOUR_PUBLIC_IP (orange cloud, i.e. proxied)

  5. Test: visit https://cloud.lemonlink.eu

Detailed guide: SETUP-TRUENAS-NEXTCLOUD.md


Migration from Nginx Proxy Manager

If you're currently using NPM and want to migrate to LemonSec.

Strategy

  1. Parallel running (recommended):

    • Deploy LemonSec alongside NPM
    • Migrate services one by one
    • Test thoroughly
    • Only then remove NPM
  2. Direct migration:

    • Export NPM config
    • Convert to Traefik format
    • Deploy and verify

Migration Mapping

| NPM | Traefik |
| --- | --- |
| Proxy Hosts | Labels on router containers |
| SSL Certificates | Automatic via certresolver |
| Access Lists | Authelia middleware |
| Custom Locations | Path rules |
| Redirection Hosts | Redirect middleware |

Full migration guide: MIGRATE-FROM-NPM.md
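The migration mapping above, worked through as an added example that is not part of the LemonSec repository or of MIGRATE-FROM-NPM.md: a small script that turns the fields of one NPM proxy host (domain, forward port, access list, custom location) and one NPM redirection host into the Traefik v2 Docker labels named in the table. The certresolver name `cloudflare`, the middleware name `authelia@docker` and the entrypoint name `websecure` are assumptions; check them against the LemonSec compose file. The `vault.example.com` and `old.example.com` hostnames in the demo calls are constructed.

```sh
#!/bin/sh
# Added example, not part of the LemonSec repository: express one NPM
# "Proxy Host" (and one "Redirection Host") as the Traefik v2 Docker labels
# listed in the migration mapping.
set -eu

# Names this example assumes; adjust to the LemonSec compose/traefik config:
CERT_RESOLVER=${CERT_RESOLVER:-cloudflare}          # certresolver doing DNS-01 via Cloudflare
AUTH_MIDDLEWARE=${AUTH_MIDDLEWARE:-authelia@docker} # Authelia forwardAuth middleware
ENTRYPOINT=${ENTRYPOINT:-websecure}                 # HTTPS entrypoint

# npm_proxy_host_labels NAME DOMAIN PORT [ACCESS] [PATH]
#   NAME    router/service name, e.g. vaultwarden
#   DOMAIN  NPM "Domain Names"
#   PORT    NPM "Forward Port" (the port Traefik connects to)
#   ACCESS  "public" (no NPM access list) or "authelia" (NPM access list -> Authelia)
#   PATH    optional NPM "Custom Location" prefix, e.g. /admin
npm_proxy_host_labels() {
    name=$1; domain=$2; port=$3; access=${4:-public}; path=${5:-}
    rule="Host(\`$domain\`)"
    if [ -n "$path" ]; then
        rule="$rule && PathPrefix(\`$path\`)"     # NPM custom location -> path rule
    fi
    printf '%s\n' "traefik.enable=true"
    printf '%s\n' "traefik.http.routers.$name.rule=$rule"
    printf '%s\n' "traefik.http.routers.$name.entrypoints=$ENTRYPOINT"
    printf '%s\n' "traefik.http.routers.$name.tls.certresolver=$CERT_RESOLVER"  # NPM SSL cert
    printf '%s\n' "traefik.http.services.$name.loadbalancer.server.port=$port"
    case "$access" in
        public)   ;;   # no access list in NPM -> no auth middleware
        authelia) printf '%s\n' "traefik.http.routers.$name.middlewares=$AUTH_MIDDLEWARE" ;;
        *) echo "unknown access mode '$access' (use public or authelia)" >&2; return 1 ;;
    esac
}

# npm_redirect_labels NAME FROM TO: NPM "Redirection Host" FROM -> https://TO/...
# as a redirectregex middleware. "$$" is how a literal "$" is written in a
# docker-compose label, so Traefik receives ${1}.
npm_redirect_labels() {
    name=$1; from=$2; to=$3
    esc=$(printf '%s' "$from" | sed 's/\./\\./g')   # escape dots for the regex
    printf '%s\n' "traefik.http.routers.$name.rule=Host(\`$from\`)"
    printf '%s\n' "traefik.http.routers.$name.entrypoints=$ENTRYPOINT"
    printf '%s\n' "traefik.http.routers.$name.tls.certresolver=$CERT_RESOLVER"
    printf '%s\n' "traefik.http.routers.$name.middlewares=$name-redirect"
    printf '%s\n' "traefik.http.middlewares.$name-redirect.redirectregex.regex=^https?://$esc/(.*)"
    printf '%s\n' "traefik.http.middlewares.$name-redirect.redirectregex.replacement=https://$to/\$\${1}"
    printf '%s\n' "traefik.http.middlewares.$name-redirect.redirectregex.permanent=true"
}

# Demo with constructed hostnames. Prefix each printed line with "- " under the
# container's `labels:` key in docker-compose.yml.
npm_proxy_host_labels vaultwarden vault.example.com 80 authelia
echo
npm_redirect_labels oldvault old.example.com vault.example.com
```

Two points worth checking while converting: an NPM access list becomes an Authelia-protected router only if the `middlewares` label is present (a forgotten label silently exposes the service), and a backend that is not a container on the Traefik host (the TrueNAS Nextcloud in this guide) cannot carry labels at all, so it needs a file-provider router instead.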


Post-Deployment Checklist

  • Nextcloud accessible at https://cloud.lemonlink.eu
  • SSL certificate valid (green lock)
  • Family can login with Nextcloud credentials
  • Mobile apps sync successfully
  • CrowdSec showing decisions (docker exec crowdsec cscli decisions list)
  • Authelia accessible at https://auth.lemonlink.eu
  • Backups configured

Troubleshooting

"CF_API_EMAIL not set"

→ Check environment variables in Portainer UI

"502 Bad Gateway" for Nextcloud

→ Verify TRUENAS_IP and TRUENAS_NEXTCLOUD_PORT
→ Test: curl http://TRUENAS_IP:PORT from the Proxmox VM

"Access through untrusted domain"

→ Add the domain to NEXTCLOUD_TRUSTED_DOMAINS in the TrueNAS Nextcloud environment variables

SSL Certificate issues

→ Check Cloudflare API credentials
→ Verify DNS records exist in Cloudflare
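The "502 Bad Gateway" and "Access through untrusted domain" checks above, as an added example that is not part of the LemonSec repository: a script to run on the Proxmox VM that reads TRUENAS_IP and TRUENAS_NEXTCLOUD_PORT from .env, rejects malformed values before any network call, probes Nextcloud's unauthenticated /status.php endpoint the way the `curl` test does, and optionally repeats the request with the Host header Traefik would forward so a trusted-domain rejection is visible from the VM. The script name `check-backend.sh` and the use of `/status.php` and `"installed":true` as the liveness signal are this example's assumptions.

```sh
#!/bin/sh
# Added example, not part of the LemonSec repository: check the Nextcloud
# backend from the Proxmox VM using the values in .env, before suspecting
# Traefik, Cloudflare or Authelia.
set -eu

# valid_ipv4 STR: dotted quad with every octet in 0..255
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf '%s\n' "$1" | awk -F. '$1<=255 && $2<=255 && $3<=255 && $4<=255 {ok=1} END {exit !ok}'
}

# valid_port STR: integer 1..65535
valid_port() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,5}$' || return 1
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# env_value FILE KEY: value of KEY in a dotenv file; last assignment wins,
# a trailing "# comment" and surrounding double quotes are stripped.
env_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 \
        | sed 's/[[:space:]]*#.*$//; s/^"\(.*\)"$/\1/'
}

# backend_url ENVFILE: prints http://TRUENAS_IP:PORT, or fails with a clear
# message when either value is unset or malformed (a common 502 cause).
backend_url() {
    ip=$(env_value "$1" TRUENAS_IP)
    port=$(env_value "$1" TRUENAS_NEXTCLOUD_PORT)
    valid_ipv4 "$ip"   || { echo "TRUENAS_IP unset or invalid: '$ip'" >&2; return 1; }
    valid_port "$port" || { echo "TRUENAS_NEXTCLOUD_PORT unset or invalid: '$port'" >&2; return 1; }
    printf 'http://%s:%s\n' "$ip" "$port"
}

# probe_nextcloud URL: GET /status.php (unauthenticated health endpoint).
# Succeeds only on HTTP 200 with "installed":true in the JSON body.
probe_nextcloud() {
    out=$(curl -sS --max-time 5 -w '\n%{http_code}' "$1/status.php") || return 1
    code=$(printf '%s\n' "$out" | tail -n 1)
    echo "HTTP $code from $1/status.php"
    [ "$code" = 200 ] && printf '%s\n' "$out" | grep -q '"installed":true'
}

# probe_host URL HOST: request / with the public hostname as Host header, as
# Traefik does. A 2xx/3xx is fine; a 400 usually means HOST is missing from
# NEXTCLOUD_TRUSTED_DOMAINS on the TrueNAS side.
probe_host() {
    code=$(curl -sS --max-time 5 -o /dev/null -H "Host: $2" -w '%{http_code}' "$1/") || return 1
    echo "HTTP $code from $1/ with Host: $2"
    case "$code" in 2*|3*) return 0 ;; *) return 1 ;; esac
}

# Usage: sh check-backend.sh [.env] [cloud.lemonlink.eu]   (no-op when sourced)
case "${0##*/}" in
    check-backend.sh)
        url=$(backend_url "${1:-.env}")
        probe_nextcloud "$url"
        [ -z "${2:-}" ] || probe_host "$url" "$2"
        ;;
esac
```

A connection refused or timeout from `probe_nextcloud` points at TRUENAS_IP, the port, or a firewall between the two VMs; a 200 here followed by a 400 from `probe_host` points at the Nextcloud trusted-domain and proxy variables rather than at the network.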

Next Steps

  1. Add family to Authelia (if using SSO)
  2. Enable monitoring (Prometheus/Grafana)
  3. Add more services (Vaultwarden, etc.)
  4. Configure backups
  5. Review security settings