Homelab Dashboard: Difference between revisions

From Sea of Fate
Line 32: Line 32:


===Post-Installation Steps ===
===Post-Installation Steps ===
====Certificate Synchronization Hook====
Before the container will start correctly in SSL mode, we must have a basic conf.yml in the same directory as our compose.yaml. This file defines our users and our "Fruit Cluster" links.
touch /opt/dockge/stacks/dashy/conf.yml
To ensure Dashy stays updated when Raisin renews the Wildcard certs, make sure the deploy-wildcard.sh script on Raisin includes the Blackberry sync. It should have the Blackberry host in the servers list and the dashy restart in the if statements something like
  # Restart Dashy (Blackberry)
  if [ \$(docker ps -q -f name=dashy) ]; then
      echo '  Restarting Dashy...'
      docker restart dashy
  fi
====Authentication Hardening====
To fulfill the "Secure Application" requirement, we enable Dashy’s internal authentication. Even with a valid SSL cert, no data is visible without a login.
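Review bot: The conf.yml paragraph and the touch command sit under the new "Certificate Synchronization Hook" heading but have nothing to do with certificate sync, and touch only creates an empty file while the text says conf.yml defines the users and the links. Give the conf.yml step its own heading ahead of the hook and state that the file still has to be populated before the login described under "Authentication Hardening" can work. In the restart snippet, the test "[ \$(docker ps -q -f name=dashy) ]" is unquoted and the name filter matches every container whose name contains "dashy", so the test breaks when more than one ID is returned; quote the substitution and match the exact container name. The "Authentication Hardening" section states that authentication is enabled but shows no configuration for it, which leaves the step unreproducible.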

Revision as of 22:53, 24 February 2026

Introduction

We have decided to set up a homelab dashboard to monitor and administer the entire estate of virtual machines, Proxmox hosts and all of the services that we have created. Initially we will use the Dashy dashboard, but we may well change to something else if Dashy proves to be too difficult or in some way unsuitable.

Dashy Setup

In the interests of security for this sensitive project, we are extending our "Full-Chain TLS" SME standard to Blackberry. This ensures that even if a client bypasses the proxy (Raisin) and hits Blackberry directly on the network, the traffic is still encrypted and the client is presented with the valid *.seaoffate.net certificate. It also means that any client on the pfSense side of the LAN meets the same Let's Encrypt certificate. 🛡️ We will mount our existing SSL certificates (synced from Raisin) directly into the Dashy container and configure Dashy to serve HTTPS natively. Details of how the certs are downloaded and installed can be found here.

Installation on Blackberry

🛠️ The "Dockge-Way" setup: in the Dockge UI on Blackberry, create a new stack called dashy and use this single, hardened configuration:

services:
  dashy:
    image: lissy93/dashy:latest
    container_name: dashy
    restart: unless-stopped
    # We map 443 on the host to 443 in the container for standard HTTPS
    ports:
      - "443:443"
    volumes:
      - ./conf.yml:/app/public/conf.yml
      # Mount your Let's Encrypt certs (synced from Raisin to Blackberry)
      - /etc/nginx/ssl/seaoffate.net/fullchain.pem:/etc/ssl/certs/fullchain.pem:ro
      - /etc/nginx/ssl/seaoffate.net/privkey.pem:/etc/ssl/private/privkey.pem:ro
    environment:
      - NODE_ENV=production
      # Force Dashy to use the standard HTTPS port and specific cert paths
      - PORT=443
      - SSL_PUB_KEY_PATH=/etc/ssl/certs/fullchain.pem
      - SSL_PRIV_KEY_PATH=/etc/ssl/private/privkey.pem


Post-Installation Steps

Certificate Synchronization Hook

Before the container will start correctly in SSL mode, we must have a basic conf.yml in the same directory as our compose.yaml. This file defines our users and our "Fruit Cluster" links.

touch /opt/dockge/stacks/dashy/conf.yml

To ensure Dashy stays updated when Raisin renews the wildcard certs, make sure the deploy-wildcard.sh script on Raisin includes the Blackberry sync. It should have the Blackberry host in the servers list and the Dashy restart in the if statements, something like:

 # Restart Dashy (Blackberry)
 if [ \$(docker ps -q -f name=dashy) ]; then
     echo '  Restarting Dashy...'
     docker restart dashy
 fi
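A stricter form of the restart step above, as an added example rather than the contents of deploy-wildcard.sh: it restarts Dashy only when the synced certificate has actually changed, refuses to proceed if the private key is readable by group or others, and checks the container by exact name. The state file path and the function names are assumptions; the certificate paths are the host paths from the compose file.

```shell
# Added example (not the wiki's deploy-wildcard.sh). CERT and KEY are the host
# paths from compose.yaml; STAMP and the function names are assumptions.
CERT="${CERT:-/etc/nginx/ssl/seaoffate.net/fullchain.pem}"
KEY="${KEY:-/etc/nginx/ssl/seaoffate.net/privkey.pem}"
STAMP="${STAMP:-/var/lib/dashy-cert.sha256}"   # hypothetical state file
CONTAINER="${CONTAINER:-dashy}"

cert_hash() { sha256sum "$CERT" | cut -d' ' -f1; }

# True when the cert on disk differs from the one recorded at the last restart.
cert_changed() {
    _old=""
    [ -f "$STAMP" ] && _old=$(cat "$STAMP")
    [ "$(cert_hash)" != "$_old" ]
}

# True when the private key is readable by group or others.
key_too_open() {
    [ -n "$(find "$KEY" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# True only when a container named exactly $CONTAINER is running. The filter
# `docker ps -f name=dashy` is a substring match and also hits "dashy-test".
container_running() {
    [ "$(docker container inspect -f '{{.State.Running}}' "$CONTAINER" 2>/dev/null)" = "true" ]
}

# Prints one status word: missing, key-perms, unchanged, not-running,
# restarted or restart-failed. Non-zero exit means the sync needs attention.
sync_dashy_cert() {
    { [ -s "$CERT" ] && [ -s "$KEY" ]; } || { echo missing; return 1; }
    if key_too_open; then echo key-perms; return 1; fi
    cert_changed || { echo unchanged; return 0; }
    container_running || { echo not-running; return 0; }
    if docker restart "$CONTAINER" >/dev/null; then
        cert_hash > "$STAMP"       # record only after a successful restart
        echo restarted
    else
        echo restart-failed; return 1
    fi
}
```

Call sync_dashy_cert on Blackberry after the files have been copied; the status word it prints can go straight into the deploy log.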

Authentication Hardening

To fulfill the "Secure Application" requirement, we enable Dashy’s internal authentication. Even with a valid SSL cert, no data is visible without a login.