{"id":15136264,"url":"https://github.com/barsikus007/nas","last_synced_at":"2025-10-27T04:31:07.754Z","repository":{"id":197685297,"uuid":"699112775","full_name":"barsikus007/NAS","owner":"barsikus007","description":"Modern dockerized NAS setup. Targed architecture is x64 (was arm64).","archived":false,"fork":false,"pushed_at":"2024-12-10T16:36:06.000Z","size":271,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2024-12-19T09:43:23.319Z","etag":null,"topics":["arm64","docker","docker-compose","nas","nextcloud","traefik"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/barsikus007.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-10-02T00:11:48.000Z","updated_at":"2024-12-10T17:55:31.000Z","dependencies_parsed_at":"2023-10-11T07:10:43.466Z","dependency_job_id":"89a23099-9628-4d6d-9bd4-2f009ce47d9f","html_url":"https://github.com/barsikus007/NAS","commit_stats":{"total_commits":35,"total_committers":1,"mean_commits":35.0,"dds":0.0,"last_synced_commit":"f07c37eca5ead334e6e1442237cc3f10a12fc443"},"previous_names":["barsikus007/nas"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/barsikus007%2FNAS","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/barsikus007%2FNAS/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/barsikus007%2FNAS/releases","manifests_url":"https://repo
s.ecosyste.ms/api/v1/hosts/GitHub/repositories/barsikus007%2FNAS/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/barsikus007","download_url":"https://codeload.github.com/barsikus007/NAS/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":238437089,"owners_count":19472331,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["arm64","docker","docker-compose","nas","nextcloud","traefik"],"created_at":"2024-09-26T06:20:17.334Z","updated_at":"2025-10-27T04:31:07.748Z","avatar_url":"https://github.com/barsikus007.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# NAS\n\n## Install\n\n1. Install docker (ex: `curl -fsSL https://get.docker.com | sh`)\n2. Copy `*.env.example` files to `*.env` and edit\n3. Edit `compose.yaml` templates at the beginning\n4. Create `APPDATA_VOLUME` and `STORAGE_VOLUME` folders/mountpoints\n   \u003c!-- Copy `apps/` to your folder specified in `APPDATA_VOLUME` env var --\u003e\n5. Open `80`, `443` (traefik entrypoints), `3478` (nextcloud-talk entrypoint) and `51413` (transmission seeding) ports in router and firewall\n6. `docker compose up -d --build \u0026\u0026 sudo chown -R --reference=${HOME} ${APPDATA_VOLUME}/*`\n   1. Use  `docker compose up -d --build --wait` or `./bin/graceful_start.sh` to start\n   2. Change the ownership of the files under `APPDATA_VOLUME` (e.g. `source .env \u0026\u0026 sudo chown -R --reference=${HOME} ${APPDATA_VOLUME}/*`) immediately after volume creation\n7. 
Wait for containers to be in a healthy state, then stop some of them to patch `docker compose stop organizr \u0026\u0026 ./bin/appdata_patcher.sh \u0026\u0026 docker compose up -d organizr`\n8. Configure web applications manually as indicated in the section below\n\n### P.S\n\n- devices: compose sections\n  - adapt `jellyfin` compose config to your hardware decoders\n  - add your disks to `scrutiny` compose config\n- TODO `sudo bash -c 'echo \"ignore-warnings ARM64-COW-BUG\" \u003e\u003e ${APPDATA_VOLUME?}/gitlab/data/redis/redis.conf'`\n\n## GUI configuration\n\n- LLDAP `lldap.${HOST}`\n  - Setup Organizr to pass auth on lldap endpoint if needed (TODO)\n  - Create users\n  - TODO\n- NextCloud AIO `aio.cloud.${HOST}`\n  - Specify `cloud.${HOST}` in certain field\n  - Change TZ\n  - Specify apps to install and install\n    - I prefer to enable all except ClamAV (antivirus) and Docker Socket Proxy\n  - Specify backup location `/tank/backup` and generate password\n- NextCloud `cloud.${HOST}`\n  - `/settings`\n    - `/apps/disabled`\n      - `/files_external` Enable `External storage support` app\n      - `/user_ldap` Enable `LDAP user and group backend` app\n    - `/admin/externalstorages`\n      - Storage;Local;None;/tank/storage;All users\n    - `/admin/ldap`\n      - [TODO](https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md)\n    - `/admin/overview` Create backup in AIO after setup\n- Organizr `${HOST}`\n  - LDAP `/#settings-settings-main` =\u003e `Authentication` =\u003e set `Bind Password`\n  - Setup tabs TODO\n- JellyFin `media.${HOST}`\n  - `/web/index.html#!`\n    - `/addplugin.html?name=LDAP%20Authentication`\n      - Install LDAP plugin\n      - `/dashboard.html` Shutdown (docker will reboot jellyfin)\n      - `/configurationpage?name=LDAP-Auth`\n      - [TODO](https://github.com/lldap/lldap/blob/main/example_configs/jellyfin.md)\n    - `/networking.html` Allow remote connections to this server\n  - TODO Add Media Libraries\n- *arr\n  - 
TODO\n\n## Attack surface\n\n- WAN =\u003e fail2ban =\u003e docker network\n  - 80,443/tcp traefik\n    - 80 is redirected to 443\n    - 443 refers to docker-hosted services\n      - gitlab.${HOST} (TODO)\n      - whoami.${HOST} (for testing purposes)\n      - media.${HOST} -\u003e jellyfin (for non-web apps)\n      - bitwarden.${HOST} -\u003e vaultwarden (TODO)\n      - cloud.${HOST} -\u003e nextcloud (TODO)\n      - auth.${HOST} -\u003e authelia\n      - rest services use authelia auth\n  - 3478/all nextcloud-talk\n  - 21114-21119/tcp,21116/udp rustdesk\n  - 22000/all syncthing\n  - 51413/all transmission\n- LAN =\u003e docker network\n  - 8096 jellyfin webUI\n  - 1900/udp jellyfin service discovery (DLNA)\n  - 7359/udp jellyfin client discovery\n  - 21027/udp syncthing client discovery\n\n## Notes\n\n- Domain structure:\n  - `${HOST}` =\u003e organizr\n    - `www.${HOST}` =\u003e organizr\n    - `traefik.${HOST}` =\u003e traefik dashboard\n    - TODO\n- Folder structure for media system is:\n  - `${STORAGE_VOLUME}/downloads/`\n    - `${STORAGE_VOLUME}/downloads/{,in}complete` for downloads\n    - `${STORAGE_VOLUME}/downloads/torrents` for torrent files\n    - `${STORAGE_VOLUME}/downloads/media` for *arrs and jellyfin media\n- Lidarr disabled due to unusable use case for me\n  - If you need album release software, then uncomment `services.lidarr` section in `compose.yaml`\n- Transmission alt speed enabled due to broken pcie on rock-3a to reduce overload\n- Target of this build is AMD64\n  - It was ARM64 before, but I fucked enough with my rock-3a\n- CrowdSec cheatsheet\n  - `docker compose exec crowdsec cscli metrics`\n  - `docker compose exec crowdsec cscli alerts list`\n  - `docker compose exec crowdsec cscli decisions list`\n    - `docker compose exec crowdsec cscli decisions delete -i x.x.x.x`\n\n## TODO\n\n- software\n  - is stopping organizr needed for patching?\n  - why chown?\n  - speedtest\n  - move samba and traefik to brand new dir\n  - maybe add 
separate env file for acme provider\n  - ldap\n    - organizr\n    - nextcloud\n    - jellyfin\n  - patchers\n    - `apps/` patcher with `.env` values\n    - `${APPDATA_VOLUME}/` patcher with `.env` values\n  - organizr SSO ?\n  - healthchecks ?\n    - flaresolverr\n    - glances\n    - portainer\n    - radarr\n    - scrutiny\n    - sonarr\n    - traefik\n    - whoami\n- alternate software\n  - [seafile](https://www.seafile.com/en/home/) ? (check nextcloud speed)\n  - [gitea](https://about.gitea.com) ? (instead of gitlab, less bloated?)\n- new software\n  - \u003chttps://github.com/immich-app/immich\u003e\n  - \u003chttps://github.com/ramanlabs-in/hachi\u003e\n    - probably, on client with webdav\n  - \u003chttps://github.com/fallenbagel/jellyseerr\u003e\n  - \u003chttps://www.photoprism.app\u003e\n- software late\n  - VPN (wireguard)\n    - inner\n    - outer\n  - security\n    - change lscr.env UID GID\n    - change passwds\n    - change ssh-key after complete setup\n    - use docker secrets\n    - secure whole server with vpn and/or firewall\n    - [traefik stsSeconds](https://hstspreload.org/)\n  - SMTP\n    - authelia\n- readme roadmap\n  - PBR section\n  - check for grammar issues\n- [podman](https://podman.io) migration\n  - (better than docker ?)\n  - why ?\n  - \u003chttps://github.com/nextcloud/all-in-one/discussions/3487\u003e\n\n## [ZFS cheatsheet](https://github.com/barsikus007/config/blob/master/linux/cheatsheet_server.md#zfs)\n\n## References\n\n- [Article series: building a secure NAS or a home mini-server](https://habr.com/ru/articles/359346/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbarsikus007%2Fnas","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbarsikus007%2Fnas","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbarsikus007%2Fnas/lists"}