Arch Linux installation to serve as a docker host
guide by example
Purpose
Linux that will run docker.
This is not a very hand-holding guide.
Google for plenty of tutorials and YouTube videos alongside the Arch wiki.
Files and directory structure
/home/
└── bastard/
    └── docker/
        ├── container-setup #1
        ├── container-setup #2
        ├── ...
Make installation usb
sudo dd bs=4M if=archlinux-2020.05.01-x86_64.iso of=/dev/sdX status=progress oflag=direct
The above command will fuck your machine up if you dunno what you are doing, so double check that /dev/sdX is the usb stick and not your system disk
Boot from the usb
This is a BIOS/MBR setup as I am running on an old thinkpad with a busted screen,
plus I like the simplicity of it.
So if there's a boot menu option, choose non-UEFI.
Installation
- create a single partition and mark it bootable
cfdisk /dev/sda
- build ext4 filesystem on it
mkfs.ext4 /dev/sda1
- mount the new partition
mount /dev/sda1 /mnt
- choose a geographically close mirror, ctrl+k deletes a line in nano
nano /etc/pacman.d/mirrorlist
- install the base system
pacstrap /mnt base base-devel linux linux-firmware grub dhcpcd
- generate fstab
genfstab -U /mnt > /mnt/etc/fstab
- chroot into the new system
arch-chroot /mnt
- install grub
grub-install /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg
- remove the bootable media and restart the machine
exit
reboot
Basic configuration after the first boot
- login as root
- set password for root
passwd
- set hostname
echo docker-host > /etc/hostname
- add new user and set their password
useradd -m -G wheel bastard
passwd bastard
- edit sudoers and uncomment the line that allows group wheel to sudo
EDITOR=nano visudo
%wheel ALL=(ALL) ALL
- check the network interface name
ip link
- enable acquiring a dynamic IP on that interface
systemctl enable --now dhcpcd@enp0s25
- uncomment the desired locales in locale.gen
nano /etc/locale.gen
- generate new locales and set one system wide
locale-gen
localectl set-locale LANG=en_US.UTF-8
- select a timezone and set it permanently
tzselect
timedatectl set-timezone 'Europe/Bratislava'
- set hardware clock and sync using ntp
hwclock --systohc --utc
timedatectl set-ntp true
- set up a swap file
fallocate -l 8G /swapfile
chmod 600 /swapfile
mkswap /swapfile
nano /etc/fstab
/swapfile none swap defaults 0 0
- enable colors in pacman.conf by uncommenting the Color line
nano /etc/pacman.conf
Color
- reboot
reboot
Some packages to install
- login as the non-root user
- install some packages
sudo pacman -S docker docker-compose openssh sshfs git cronie curl
sudo pacman -S borg zsh vim htop lm_sensors
- install yay for access to AUR packages
git clone https://aur.archlinux.org/yay-bin.git
cd yay-bin && makepkg -si
cd .. && rm -rf yay-bin
Setup docker
- have the docker and docker-compose packages installed
sudo pacman -S docker docker-compose
- enable docker service
sudo systemctl enable --now docker
- add the non-root user to the docker group (membership in the docker group is root-equivalent access to the host, so keep it to this one admin user)
sudo gpasswd -a bastard docker
Setup SSH access
- have the openssh package installed
sudo pacman -S openssh
- edit sshd_config
sudo nano /etc/ssh/sshd_config
change whatever you desire
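A check I would add at this point (added example script, not part of the original guide): it audits an sshd_config for the settings that matter once the docker host is reachable over SSH, using the upstream OpenSSH defaults for keywords that are left commented out. The function names and the sample config are my own.

```shell
#!/bin/sh
# Added example (not part of the original guide): audit an sshd_config for the
# settings a docker host exposed over SSH should have, instead of
# "change whatever you desire". Reports each weak or unset setting and returns
# the number of findings, so a setup script can refuse to continue on non-zero.

# effective_value FILE KEY: first uncommented value of KEY, which is what sshd
# uses (first match wins, keywords are case-insensitive). Stops at the first
# Match block, because settings there are conditional. Empty if unset.
effective_value() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# sshd_findings FILE: one line per finding on stdout, exit status = count.
# Each spec is KEY|WANTED|UPSTREAM_DEFAULT; the default is what applies when
# the keyword is commented out, as it is in the shipped sshd_config.
sshd_findings() {
    f="$1"; n=0
    for spec in "PermitRootLogin|no|prohibit-password" \
                "PasswordAuthentication|no|yes" \
                "KbdInteractiveAuthentication|no|yes" \
                "PubkeyAuthentication|yes|yes" \
                "X11Forwarding|no|no"; do
        old_ifs=$IFS; IFS='|'; set -- $spec; IFS=$old_ifs
        key=$1; want=$2; dflt=$3
        v="$(effective_value "$f" "$key")"
        if [ -z "$v" ]; then
            [ "$dflt" = "$want" ] && continue
            echo "$key unset (default $dflt); set: $key $want"; n=$((n + 1))
        elif [ "$v" != "$want" ]; then
            echo "$key $v; set: $key $want"; n=$((n + 1))
        fi
    done
    return "$n"
}

# constructed sample: shipped defaults left commented out, root login enabled
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
#Port 22
PermitRootLogin yes
#PasswordAuthentication yes
Subsystem sftp /usr/lib/ssh/sftp-server
EOF
sshd_findings "$SAMPLE" || echo "$? setting(s) to fix in $SAMPLE"
```

Run it against /etc/ssh/sshd_config after editing; restart sshd only once it reports nothing.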
ZSH shell
I like Zim
- have the zsh package installed
- change the user's default shell to zsh
chsh -s /bin/zsh
- install Zim
curl -fsSL https://raw.githubusercontent.com/zimfw/install/master/install.zsh | zsh
Caddy v2 is used as the reverse proxy, details here.
Bitwarden_rs documentation has a section on reverse proxy.
Caddyfile
passwd.{$MY_DOMAIN} {
    header / {
        X-XSS-Protection "1; mode=block"
        X-Frame-Options "DENY"
        X-Robots-Tag "none"
        -Server
    }
    encode gzip
    reverse_proxy /notifications/hub/negotiate bitwarden:80
    reverse_proxy /notifications/hub bitwarden:3012
    reverse_proxy bitwarden:80
}
Forward port 3012 TCP on your router
WebSocket protocol is used for notifications, so that all web based clients can immediately sync when a change happens on the server.
- Environment variable WEBSOCKET_ENABLED=true needs to be set.
- Reverse proxy needs to route /notifications/hub to port 3012.
- Router needs to forward port 3012 to the docker host, same as ports 80 and 443 are forwarded.
To test if websocket works, have the desktop app open and make changes through the browser extension, or through the website. Changes should immediately appear in the desktop app. If it is not working, you need to manually sync for changes to appear.
Extra info
bitwarden can be managed at <url>/admin by entering the ADMIN_TOKEN set in the .env file. Especially if signups are disabled, it is the only way to invite users.
push notifications
Update
- watchtower updates the image automatically
- manual image update
docker-compose pull
docker-compose up -d
docker image prune
Backup and restore
- backup using the BorgBackup setup that makes a daily snapshot of the entire directory
- restore
down the bitwarden container
docker-compose down
delete the entire bitwarden directory
from the backup copy back the bitwarden directory
start the container
docker-compose up -d
Backup of just user data
User-data daily export using the official procedure.
For bitwarden_rs it means a sqlite database dump and backing up the attachments directory.
Daily run of BorgBackup takes care of backing up the directory, so only the database dump is needed. The created backup sqlite3 file is overwritten on every run of the script, but that's ok since BorgBackup is making daily snapshots.
- create a backup script placed inside the bitwarden directory on the host
bitwarden-backup-script.sh
#!/bin/bash

# CREATE SQLITE BACKUP
# uses sqlite3's online backup API inside the running container, so the live db is not copied mid-write
docker container exec bitwarden sqlite3 /data/db.sqlite3 ".backup '/data/BACKUP.bitwarden.db.sqlite3'"
- the script must be executable
chmod +x bitwarden-backup-script.sh
- cronjob on the host, edit the crontab
crontab -e
- add a new cron job that runs the script at 02:00
0 2 * * * /home/bastard/docker/bitwarden/bitwarden-backup-script.sh
- list cronjobs
crontab -l
Restore the user data
Assuming clean start.
- start the bitwarden container:
docker-compose up -d
- let it run so it creates its file structure
- down the container
docker-compose down
- in bitwarden/bitwarden-data/ replace db.sqlite3 with the backup one, BACKUP.bitwarden.db.sqlite3
- replace the attachments directory with the one from the BorgBackup repository
- start the container
docker-compose up -d