Homelab Dashboard: Difference between revisions

Line 36: Line 36:


Before the container will start correctly in SSL mode, we must have a basic conf.yml in the same directory as our compose.yaml. This file defines our users and our "Fruit Cluster" links.  
Before the container will start correctly in SSL mode, we must have a basic conf.yml in the same directory as our compose.yaml. This file defines our users and our "Fruit Cluster" links.  
  touch /opt/dockge/stacks/dashy/conf.yml
  touch sudo nano /mnt/archive_data/docker_data/stacks/dashy/conf.yml
'''''Note''' we are using a non standard directory for our stacks, the more
To ensure Dashy stays updated when Raisin renews the Wildcard certs, make sure the deploy-wildcard.sh script on Raisin includes the Blackberry sync. It should have the Blackberry host in the servers list and the dashy restart in the if statements something like
To ensure Dashy stays updated when Raisin renews the Wildcard certs, make sure the deploy-wildcard.sh script on Raisin includes the Blackberry sync. It should have the Blackberry host in the servers list and the dashy restart in the if statements something like
   # Restart Dashy (Blackberry)
   # Restart Dashy (Blackberry)
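Review bot: The replacement line `touch sudo nano /mnt/archive_data/docker_data/stacks/dashy/conf.yml` hands three arguments to touch, so it creates empty files named sudo and nano in the current directory alongside conf.yml and never opens an editor; use one of `sudo touch <path>` or `sudo nano <path>`. The added Note line also stops at "the more" and runs straight into the "To ensure Dashy stays updated" paragraph, so it needs finishing and a line of its own.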

Revision as of 00:28, 25 February 2026

Introduction

We have decided to set up a homelab dashboard to monitor and administer the entire estate of virtual machines, Proxmox hosts and all of the services that we have created. Initially we will use the Dashy dashboard, but we may well change to something else if Dashy proves to be too difficult or in some way unsuitable.

Dashy Setup

In the interests of security for this sensitive project, we are extending our "Full-Chain TLS" SME standard to Blackberry. This ensures that even if a client bypasses the proxy (Raisin) and hits Blackberry directly on the network, the traffic is still encrypted and presents the valid *.seaoffate.net certificate. It also means that any client on the pfSense side of the LAN will still meet the same secure SSL certificate system provided by Let's Encrypt. 🛡️ We will mount our existing SSL certificates (synced from Raisin) directly into the Dashy container and configure Dashy to serve HTTPS natively. Details of how the certs are downloaded and installed can be found here.

Installation on Blackberry

🛠️ The "Dockge-Way" setup: in the Dockge UI on Blackberry, create a new stack called dashy and use this single, hardened configuration:

services:
  dashy:
    image: lissy93/dashy:latest
    container_name: dashy
    restart: unless-stopped
    # We map 443 on the host to 443 in the container for standard HTTPS
    ports:
      - "443:443"
    volumes:
      - ./conf.yml:/app/public/conf.yml
      # Mount your Let's Encrypt certs (synced from Raisin to Blackberry)
      - /etc/nginx/ssl/seaoffate.net/fullchain.pem:/etc/ssl/certs/fullchain.pem:ro
      - /etc/nginx/ssl/seaoffate.net/privkey.pem:/etc/ssl/private/privkey.pem:ro
    environment:
      - NODE_ENV=production
      # Force Dashy to use the standard HTTPS port and specific cert paths
      - PORT=443
      - SSL_PUB_KEY_PATH=/etc/ssl/certs/fullchain.pem
      - SSL_PRIV_KEY_PATH=/etc/ssl/private/privkey.pem


Post-Installation Steps

Certificate Synchronization Hook

Before the container will start correctly in SSL mode, we must have a basic conf.yml in the same directory as our compose.yaml. This file defines our users and our "Fruit Cluster" links.

sudo nano /mnt/archive_data/docker_data/stacks/dashy/conf.yml

Note: we are using a non-standard directory for our stacks, the more

To ensure Dashy stays updated when Raisin renews the wildcard certs, make sure the deploy-wildcard.sh script on Raisin includes the Blackberry sync. It should have the Blackberry host in the servers list and the Dashy restart in the if statements, something like:

 # Restart Dashy (Blackberry)
 if [ \$(docker ps -q -f name=dashy) ]; then
     echo '  Restarting Dashy...'
     docker restart dashy
 fi

Authentication Hardening

To fulfill the "Secure Application" requirement, we enable Dashy’s internal authentication. Even with a valid SSL cert, no data is visible without a login. Dashy requires a SHA-256 hash for the admin password. Run this on any terminal:

echo -n "YourSecretPassword" | sha256sum

Take the resulting string and place it in the auth section of your conf.yml on Blackberry:

sudo nano /opt/dockge/stacks/dashy/conf.yml
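
A variant of the hashing step that reads the password from a prompt instead of the command line, so it does not land in shell history, and prints the auth entry ready to paste. This is an added example, not part of the original page; the user name `admin`, the `--prompt` flag and the script name are assumptions, and the YAML layout follows Dashy's documented `appConfig.auth.users` format.

```sh
#!/bin/sh
# Added example: build Dashy's auth entry without typing the password into a command line.

# Hash the first line of stdin the way the page's command does: SHA-256 of the
# password with no trailing newline. Fails on an empty password.
dashy_hash() {
  IFS= read -r dashy_pw || :
  [ -n "$dashy_pw" ] || { echo "empty password" >&2; return 1; }
  printf '%s' "$dashy_pw" | sha256sum | cut -d' ' -f1
  unset dashy_pw
}

# Print the auth section for conf.yml. USER (assumed name) and HASH are
# validated so nothing unexpected is pasted into the YAML.
dashy_auth_block() {
  case $1 in
    ''|*[!A-Za-z0-9_.-]*) echo "invalid user name" >&2; return 1 ;;
  esac
  case $2 in
    *[!0-9a-f]*) echo "hash is not lowercase hex" >&2; return 1 ;;
  esac
  [ "${#2}" -eq 64 ] || { echo "hash is not 64 hex digits" >&2; return 1; }
  printf 'appConfig:\n  auth:\n    users:\n'
  printf '      - user: %s\n        hash: %s\n        type: admin\n' "$1" "$2"
}

# Usage: ./dashy-auth.sh --prompt [user]   (file name is hypothetical)
if [ "${1:-}" = "--prompt" ]; then
  trap 'stty echo' EXIT            # always restore terminal echo
  printf 'Dashy admin password: ' >&2
  stty -echo
  hash=$(dashy_hash) || exit 1
  stty echo; printf '\n' >&2
  dashy_auth_block "${2:-admin}" "$hash"
fi
```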

Verification

Once started, you can verify the "Full-Chain TLS" by visiting:

  • Internal (inside pfSense): https://192.168.100.85 (should show the valid seaoffate.net certificate from Let's Encrypt).
  • Internal (inside pfSense): https://blackberry (assuming the internal nameserver ctns1 has the DNS entry for blackberry set, it should show the valid seaoffate.net certificate from Let's Encrypt).
  • Internal (inside pfSense): https://dashy.seaoffate.net (assuming the internal nameserver ctns1 has the DNS entry for dashy set, it should show the valid seaoffate.net certificate from Let's Encrypt).
  • Internal (outside pfSense): https://dashy.seaoffate.net (assuming the DNS rewrite for seaoffate.net is set on AdGuard and the Raisin reverse proxy rule is set, it should show the valid seaoffate.net certificate from Let's Encrypt).
  • External (through mobile phone Internet): https://dashy.seaoffate.net (assuming the DNS for dashy is set on Cloudflare's control panel and dashy is proxied through Raisin, it should show the Cloudflare SSL certificate).
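
The internal checks in the list above can be scripted with the openssl command line instead of clicking through a browser. This is an added example, not part of the original page: it covers only the paths expected to present the Let's Encrypt certificate, and the 7-day expiry threshold, the `--run` flag and the script name are assumptions.

```sh
#!/bin/sh
# Added example: TLS check for the internal paths in the verification list.

# Print the leaf certificate (PEM) served at ADDRESS:443 when the client asks
# for NAME via SNI. ADDRESS and NAME differ when Blackberry is reached by IP.
fetch_cert() {
  openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null |
    openssl x509 -outform PEM 2>/dev/null
}

# Read a PEM certificate on stdin. Succeeds only if it covers NAME, its issuer
# contains ISSUER_MATCH and it has more than 7 days left. Body runs in a subshell.
check_cert() (
  name=$1 issuer_match=$2
  pem=$(cat)
  [ -n "$pem" ] || { echo "FAIL $name: no certificate received"; exit 1; }
  issuer=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer 2>/dev/null)
  printf '%s\n' "$pem" | openssl x509 -noout -checkhost "$name" 2>&1 |
    grep -q 'does match certificate' ||
    { echo "FAIL $name: certificate does not cover this name"; exit 1; }
  case $issuer in
    *"$issuer_match"*) ;;
    *) echo "FAIL $name: unexpected issuer ($issuer)"; exit 1 ;;
  esac
  printf '%s\n' "$pem" | openssl x509 -noout -checkend 604800 >/dev/null 2>&1 ||
    { echo "FAIL $name: expires within 7 days"; exit 1; }
  echo "OK   $name: $issuer"
)

# Usage: ./check-tls.sh --run   (file name is hypothetical)
if [ "${1:-}" = "--run" ]; then
  # Direct to Blackberry by IP, bypassing Raisin, then by name through DNS.
  fetch_cert 192.168.100.85 dashy.seaoffate.net |
    check_cert dashy.seaoffate.net "Let's Encrypt"
  fetch_cert dashy.seaoffate.net dashy.seaoffate.net |
    check_cert dashy.seaoffate.net "Let's Encrypt"
fi
```

Running it from a host inside pfSense and again from one outside exercises both internal routes; a FAIL on the direct-by-IP line means Blackberry is not serving the synced certificate itself.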