Highly opinionated server setup to cater to my needs
- Ubuntu Server
- Server Setup
- Client Setup
- Enable passwordless ssh access from remote machine to server (required for ansible to work)
- Install python and pip
- Update the
group_vars/allfile to fill out the required information there - Update the
hosts.yamlfile to fill out the template - Expose required ports on your router
- Run the ansible runner script
- After the installation
- Setup Fishet
- Setup Grafana
- Setup Home Assistant
- Setup Jellyfin
- Setup qBittorrent
- Setup Calibre
- Setup Calibre Web
- Setup Radarr/Sonarr/Readarr/Lidarr
- Setup Prowlarr
- Setup Bazarr
- Setup Tdarr
- Setup Jellyseerr
- Setup Jellystat
- Setup Immich
- Setup Guacamole
- Setup Ombi
- Use Squid
- Use Sambashare
- Exposed Services
- Appendix
NOTE: If things dont work for some reason, try restarting and seeing if that fixes it.
Probably get a VM from Oracle Always Free Tier stuff.
Use your own server
https://ubuntu.com/download/desktop
https://linuxize.com/post/how-to-enable-ssh-on-ubuntu-18-04/
sudo apt update
sudo apt install openssh-server
sudo systemctl enable ssh
sudo systemctl start sshThis is to make sure it doesnt turn off mid install or when idle. If its a laptop, make sure power off when lid is closed is also turned off.
You can do this via the UI or refer to this stackoverflow post.
If using kubernetes, allocate a static IP to your machine on your router. If you do not do this, you can end up with an inaccessible cluster till you update the IPs again. Refer to appendix
ssh-keygen -t ed25519 -C "primary-key"
file ~/.ssh/id_ed25519.pub
ssh-copy-id -p <ssh-port> <remote-user>@<server-ip>If youre using a machine that only allows for publickey auth, then you can upload your key that you just generated with the following command
ssh-copy-id -i ~/.ssh/id_ed25519.pub -o 'IdentityFile ~/.ssh/<your-existing-private-key-for-access>.key' -p <ssh-port> <remote-user>@<server-ip>sudo apt update
sudo apt install python3 pipAt the very least, search for the items with tags # FILL OUT
NOTE: You can add additional directories for services via the group_vars file as well under the persistence section.
- name: disk-2
host_path: "/mnt/b/downloads"The above section will mount /mnt/b/downloads onto the pod as /data-mnt/disk-2/downloads
- This is an optional step
- This is if you use CloudFlare for your domain name and want the public IP updated automatically every set amount of time incase it is changed on the server.
- NOTE: Make sure the services installed in this dont overlap with any existing implied DNS entries you may have (keep this in mind if you see any weird behaviour, im not an expert here and im too tired to think about this at the moment)
- Register your domain name on CloudFlare
- Go to the main CloudFlare page
- Then
Websites - Then select the relevant
Zone(basically the website you used in thegroup_vals/allfile) - Go to the
Overviewpage- On the right side you can see the
Zone ID - Put this in the
group_vars/allfile - Here you can also see the link to the API token page
- On the right side you can see the
- Go to the
DNSpage-
Put in the following records (REQUIRED)
Type Name Content Proxy Status TTL A<YOUR_DOMAIN_NAME><YOUR_PUBLIC_IP>DNS onlyAutoA*.<YOUR_DOMAIN_NAME><YOUR_PUBLIC_IP>DNS onlyAuto -
Now you can also use
<YOUR_DOMAIN_NAME>in thegroup_vars/allfile instead of the server's IP address
-
- Create a Custom API token from the api-tokens page with the following permissions and include the specific
Zone(or website) fromZone Resourcessection- To edit DNS entries
Zone:DNS:Edit
- To read
ZoneinformationZone:Zone:Read
- Put this token/key in the
group_vars/allfile
- To edit DNS entries
- If not needed, remove the line below line from
setup.yaml- import_playbook: install-and-configure-cloudflare-dns-updater-service.yaml - Using DNS01 challenge instead of HTTP01 challenge for certificates
- If you wish to use a DSN01 challenge instead of HTTP challenge (common if youre running services on non-standard ports), you will want to set
charts.services.cert_manager.dns01_challengetotrueingroup_vars/allfile. - Go to the
DNSpage-
Put in the following records (REQUIRED)
Type Name Content Proxy Status TTL TXT_acme-challenge"content doesnt matter"DNS onlyAuto
-
- If you wish to use a DSN01 challenge instead of HTTP challenge (common if youre running services on non-standard ports), you will want to set
- Expose (port forward on your router) ports for the services you wish to have available externally based on the list here.
./run.sh- You can add
-vvvvto get more verbose output
- This is an optional step
- Consider setting up fishnet to help Lichess run game analysis!
- Kubernetes installations are also supported and documented here
- Add the recommended dashboards (Make sure you select the correct job in the variables section, you can default to
kubernetes-service-scraper) - Would recommend adding a panel with the following query as it is useful to monitor pods as well
- For average CPU usage
avg(irate(container_cpu_usage_seconds_total[2m])) by (pod,container) - For memory usage
max(container_memory_working_set_bytes{} / (1024*1024)) by (pod) - For memory reservation
max(kube_pod_container_resource_requests{resource="memory"}) by (pod) / (1024*1024) - For memory limit
max(kube_pod_container_resource_limits{resource="memory"}) by (pod) / (1024*1024)
- For average CPU usage
- You can find information on how to use Loki in Grafana here
- Portal for adding and monitoring home automation devices (like Zigbee or Thread devices)
- To add zigbee support to your home assistant backed server, you can buy the Home Assistant Connect ZBT-1
- Follow onscreen instruction to create an account
- Getting started information is present on the home-assistant website
- Initial setup is just following on-screen instructions.
- If asked to select server, delete it and refresh the page.
- Point Jellyfin to use the directories mentioned in the playbooks for shows, movies, music and books.
- By default, on the Jellyfin pod, the directories it will be:
/data-mnt/disk-1/shows /data-mnt/disk-1/movies /data-mnt/disk-1/music /data-mnt/disk-1/books
- By default, on the Jellyfin pod, the directories it will be:
- Add any other config required.
- For Hardware acceleration go to
Admin > Dashboard > Playback- Enable
Hardware acceleration - Select
Video Acceleration API (VAAPI)which is setup already to use the integrated Intel GPU. Not tested with anything else (like a dedicated AMD/Nvidea GPU)- You should see CPU usage drop and GPU usage go up, disable it if you dont or troubleshoot.
- You can use the
intel-gpu-toolspackage to monitor (notice GPU usage when hardware encoding is enabled, and no GPU usage when it is disabled) at least the intel GPU by running the command below on the host:sudo intel_gpu_top
- Select the formats for which hardware acceleration should be enabled
- Recommend not selecting
HEVC 10bitbecause for some reason that breaks it
- Recommend not selecting
- Defaults to CPU/software encoding if hardware acceleration does not work for a file, I think.
- More information on their Jellyfin's page for Hardware Acceleration
- Enable
- For Hardware acceleration go to
- Setup Know Proxies to have valid
X-Forwarded-Forconfig as per the documentation- Go to
Admin > Dashboard > Networking - Input the range
10.233.64.0/18intoKnown Proxies(which is what Kubespray uses by default) for the pod range (where the ingress controller will start as well)- You can use a less restrictive range if you wish as well, eg.
10.0.0.0/8
- You can use a less restrictive range if you wish as well, eg.
- Go to
Admin > Dashboard- Restart Jellyfin (Shutdown server from the
Dashboardand k8s will restart, or delete the pod)
- Restart Jellyfin (Shutdown server from the
- Go to
- Add any plugins you may want
- Visit awesome-jellyfin for ideas
- For example, for different UI themes go to the themes page
- Open Subtitles
- Requires creating an account on their website
- Intro skipper
- To skip intros
- Refer to the page above for installation
- Trackt
- To track the shows you watch
- Create a Trackt account
- Go to
Admin > Dashboard > Plugins > All- Enable Trackt
- Restart Jellyfin (Shutdown server from the
Dashboardand k8s will restart, or delete the pod)
- Go to
Admin > Dashboard > Plugins > Trackt- Select the user
Authorize Device- Follow onscreen instructions
- Go to
Admin > Dashboard > Scheduled Tasks > Trackt- Create a daily scheduled task for importing data from and exporting data to tract.tv
- MyAnimeSync
- To sync anime with MyAnimeList
- Visit awesome-jellyfin for ideas
- Default login credentials are randomly generated, you need to look at ansible logs to get the default login credentials.
- Look for the substring
You can log into qBittorrentin the logs to find the creds in the formadmin/<RANDOM_PASSWORD>- If
<RANDOM_PASSWORD>is not seen, that means that a password was found to be set already and that a randomly generated password was not used. Please try to remeber the password or reinstall to override configuration to use default passwords again.
- If
- Look for the substring
- Change the default login details
- Go to
Tools > Options > Web UI > Authentication
- Go to
- Set default download location to one the mentioned directories (or make sure to put it in the right directory when downloading for ease)
- Go to
Tools > Options > Downloads > Default Save Path - Recommend using
/data-mnt/disk-1/downloads
- Go to
- Set seeding limits
- Recommend seeding limits for when seeding ratio hits "1" to give back to the community. It is under
Tools > Options > BitTorrent > Seeding Limits
- Recommend seeding limits for when seeding ratio hits "1" to give back to the community. It is under
- Set torrent download/upload limits
- Recommended to keep 12 active torrents, 6 downloads and 6 uploads. It is under
Tools > Options > BitTorrent > Torrent Queueing
- Recommended to keep 12 active torrents, 6 downloads and 6 uploads. It is under
- Do base setup
- Set folder to be
/data-mnt/disk-1/booksand selectYesfor it to rebuild the library if asked.
- Set folder to be
- Go to
Preferences > Sharing over the net- Check the box for
Require username and password to access the Content server - Check the box for
Run the server automatically when calibre starts - Click on
Start server - Go to the
User accounts taband create a user- Make a note of the credentials for use in
Readarrsetup
- Make a note of the credentials for use in
- Restart the app/pod
- You can do so by also pressing
CTRL + Ron the main screen
- You can do so by also pressing
- Check the box for
- Default login is
admin/admin123 - Set folder to be
/data-mnt/disk-1/books - To enable web reading, click on
Admin(case sensitive) on the top right- Click on the user, default is
admin - Enable
Allow ebook viewer - Change password to something more secure
- Save settings
- Click on the user, default is
-
Service function
Service Purpose Readarr Books Sonarr TV Shows Radarr Movies Lidarr Music -
Go to
Settingsand click onShow Advanced -
Enable authentication
- Set
AuthenticationtoForms (Login Page) - Set
Authentication RequiredtoEnabled - Set username and password for access
- Set
-
Add torrent client
- Go to
Settings > Download Clients > Add > qBittorent - Add the host:
qbittorrent - Add the port:
10095 - Add the username:
<qBittorrent_username> - Add the password:
<qBittorrent_password> - Enable the
Remove Completedoption.- This will copy the download from the downloads directory to the destination directory for the service. Once the seeding limits are reached, it will delete the torrent and its files from the downloads directory.
- More information on sonarrs's wiki page and radarr's wiki page under
Remove Completed Downloads. They should all have the same idea though.
- Go to
-
Set the root directories to be the following
-
Go to
Settings > Media ManagementService Root Directory Readarr /data-mnt/disk-1/books/Sonarr /data-mnt/disk-1/shows/Radarr /data-mnt/disk-1/movies/Lidarr /data-mnt/disk-1/music/ -
Enable renaming
-
-
Adjust quality definitions
- Go to
Settings > Quality - Set the
Size LimitorMegabytes Per Minute(or equivalent) to appropriate numbers- This will ensure your downloads are not "too big"
- For movies and shows,
2-3GiB/hwould usually be sufficient as thePreferredvalue, and you can leave theMaxvalue a bit higher to ensure a better chance of download grabs- Min: 0
- Preferred: 30
- Max: 70 (you can also use 2000 but you might get bigger files more often)
- Go to
-
Go to
Settings > Media Management- If present, make sure
Use Hardlinks instead of Copyis enabled - Enable the
Unmonitor Deleted MoviesorUnmonitor Deleted Episodesoption if you want to unmonitor media (not redownload) when deleted from Jellyfin.
- If present, make sure
-
Radarr/Sonarr specific config
- Go to
Settings > Profiles- If present, for all relevant profiles (or just all of them), set the
Languagefor the profile to beOriginal(or whatever language you prefer it to be instead) to download the media in that specific language. - Create a
Release Profilewith the following if you have a machine that is not very powerful and cannot transcode well (or at all, like in: #36)- Block list
- hevc
- flac
- mkv
- 265
- Make it apply to
anyindexer
- Block list
- Create a `Release Profile" with the following to ban bad file extensions
- Block list
- Copy paste the following
.lnk, .zipx, sample.mkv, sample.avi, sample.mp4, .py, vbs, htm, .hm, .php, .torrent, exe, bat, .cmd, .com, .cpl, .dIl, .js, .jse, .msi, .msp, .pif, .scr, .vbs, vbe, .wsf, .wsh, .hta, .reg, inf, .ps1, .ps2, .psm1, .psd1, .sh, .apk, .app, .iso, imd, .jar, .bin, .tmp, .vb, .vxd, .OCx, drv, .sVS, .scf, .ade, .adp, .bas, .chm, .crt, .hlp, .ins, isp, .key, .mda, .mdb, .mdt, mdw, .mdz, .potm, .potx, .ppam, .ppSx, .pptm, .sldm, .sldx, xlam, .xlsb, xlsm, xtm, .nsh, .mht, .mhtml, .Zip, .rar, .Src, 1Tami, .1tami
- Copy paste the following
- Block list
- If present, for all relevant profiles (or just all of them), set the
- [EXPERIMENTAL] Enforce downloads of original language media only
- Go to
Settings > Custom Formats- Add a new Custom Format with
LanguageCondition- Set
Language: Original - Set
Required: True
- Set
- Add a new Custom Format with
- Go to
Settings > Profiles- Select all [relevant] profiles and set the following
Minimum Custom Format Scoreto0(sum of the custom formats scores)- Your new Custom Format's score to be
0(if the value is lower than the minimum score then downloads will be blocked)
- Select all [relevant] profiles and set the following
- Go to
- Go to
-
Readarr specific config
- Go to
Settings > Media Management- Add root folder (you cannot edit an existing one)
- Set the path to be
/data-mnt/disk-1/books/ - Enable
Use Calibreoptions the the following defaults- Calibre host:
calibre-webserver - Calibre port:
8081 - Calibre Username:
<calibre_username> - Calibre Password:
<calibre_password>
- Calibre host:
- Set the path to be
- Enabled
Rename Booksand use the defaults
- Add root folder (you cannot edit an existing one)
- Go to
- Enable authentication
- Set
AuthenticationtoForms (Login Page) - Set
Authentication RequiredtoEnabled - Set username and password for access
- Set
- Add
FlareSolverrservice as a proxy, refer to this guide for help- Go to
Settings > Indexers - Add a new proxy for
FlareSolverr- Add a tag to it, for example
flaresolverr- NOTE: This tag needs to be used for any indexer that needs to bypass CloudFlare and DDoS-Gaurd protection
- The default host will be
http://flaresolverr:8191/
- Add a tag to it, for example
- Go to
- Follow the official Quick Start Guide
- Add all the indexers you wish to use, some good ones listed below. Find more indexers on Prowlarr's Supported Indexers page.
- Standard
1337x Add "flaresolverr" tag LimeTorrents The Pirate Bay EZTV - Anime
Anidex Add with higher priority, example "1", since it has good english subtitled content Add "flaresolverr" tag Bangumi Moe Nyaa.si Tokyo Toshokan - It is recommended to use private indexers for books and music as they are harder to find otherwise
- Standard
- Add all the indexers you wish to use, some good ones listed below. Find more indexers on Prowlarr's Supported Indexers page.
- Add Sonarr, Radarr, Lidarr and Readarr to the
Settings > Apps > Applicationsection using the correct API token and kubernetes service names- By default prowlarr server will be:
http://prowlarr:9696 - By default the services will be:
http://sonarr:8989 http://radarr:7878 http://lidarr:8686 http://readarr:8787 - Select extra
Sync Catagoriesfor each application if required- I would recommend keeping the default categories for the most part
- For the apps
SonarrandRadarr, it might be worthwhile using bothTVandMoviescategories - NOTE: If you dont know what to do, add all of them for every app (comes at the cost of slower searches). But this may also result in some weird behaviour which would need troubleshooting.
- By default prowlarr server will be:
- Enable authentication
- Go to
Settings > General - Under
SecurityselectFormas the form ofAuthentication - Set username and password for access
- Go to
- Follow the official Setup Guide
- Go to
Settings > RadarrandSettings > Sonarr- Click on
Enable - Fill out the details and save
-
Use the API tokens from the respective services, found under
Settings > General > Security > API Key -
Use the kubernetes service name and port
Service Name Port radarr 7878 sonarr 8989 -
Set a suitable minimum score, probabl
70is fine
-
- Fill out the path mappings if the directories in which data is stored is different for both services (by default both services will use the same directory to access data, so you dont need to change anything for a default install)
- Click on
- Go to
Settings > Languages- Add a language profile and set defaults for movies and series'
- You may need to set language filters first before being able to create a profile with the languages in them
- Add both, for hearing impaired and regular ones, to increase your chances
- Go to
Settings > Providerand add providers for subtitles- Decent options are:
- Opensubtitles.com
- TVSubtitles
- YIFY Subtitles
- Supersubtitles
- Anime Tosho (needs AniDB Integration)
- Thanks to this reddit post for instructions.
- Go to AniDB and sign up for an account
- Login to your account
- Go to AniDB client registration page.
- Add a new Project on the
Add New Projecttab - Fill out the form
- Type:
Media Center - State:
Working - Public Project:
No, private only - Target OS:
Web - Language:
Python - Contact info as required
- Server URL
- Type:
- Once the project is created, go back to the
Projectstab and then click on the project you just created - On the Project Details Page, click over
Add Clientbutton, so we will be creating a client for your Project now - Fill the Form for the Client, Make sure you don't forget the
Client Nameand theVersionbecause we will be needing it for Bazarr! Also make sure the API is changed toHTTP API. - On the bottom part of the
Integrationsclick over the+button, and setup the AniDB Client. Make sure you fill up exactly how it was configure on AniDB. ClickSave - Next, you are still on Bazarr settings page, and now you should click over
+on the top part to add a new Provider, and selectAnime Tosho.
- Decent options are:
- Go to
Settings > Subtitlesand make changes if needed - Manually add the language profile to all the scanned media after first installation
- Go to
- NOTE:
- If it doesnt work, manually restart the pod few times. It just works, not sure why. If that doesnt work, try reinstalling.
- Used for transcoding media to help reduce storage requirements
- NOTE: This will use a lot of your resources
- It will get the same mounts as the ones defined in Radarr and Sonarr
- Follow setup instructions shown after logging into it
- For the most part, the default plugins they have are fine, feel free to tweak/experiment more (and contribute back if you find something useful!)
- In the
Tdarrtab,Staging Section, enableAuto accept successful transcodes - For the workers, start off with just 1 CPU worker and see how much that affects your server's stability before you add more.
- Add all the libraries from all the disks that have been configured for radarr and sonarr with relevant caches
- Potentially use the cache dir that lives on the same disk (for example, libraries on
disk-1to use the cache dir ondisk-1under/data-mnt/disk-1/cache)- According to documentation, it is recommended to use an SSD as the cache (preferably, but not as a requirement, where the original data does not live)
- Enable the
Folder Watchtoggle to make sure new files are auto picked up over time as well.- If this does not automatically pick up new files, you may need to enable the
Scanner settings->Run an hourly scan (Find New)option for each library
- If this does not automatically pick up new files, you may need to enable the
- After adding the libraries, you can run a
Scan All (Fresh)for it to find any existing media.
- Potentially use the cache dir that lives on the same disk (for example, libraries on
- NOTE: GPU Transcoding is not tested as of 20250518
- You probably want a dedicated GPU for this otherwise your CPU might get overloaded (if using integrated graphics)
- To make it work, the first step would be to go to the
Tdarrtab, go to the relevant nodes (likeInternal Node) and enableAllow GPU workers to do CPU tasks. ThenRestartthe nodes at the top of that view. - TBD (figure out GPU passthrough for Tdarr)
- One stop shop for Sonarr/Radarr requests
- Run the first time setup for Jellyfin
Choose Server Type- Select
Jellyfin
- Select
Account sign in- Jellyfin URL:
http://jellyfin:8096 - Email Address:
<YOUR_EMAIL> - Username:
<JELLYFIN_USERNAME> - Password:
<JELLYFIN_PASSWORD> - You can then login using your Jellyfin credentials
- If you do not wish to do so, set a local user password by editing your account under
Usersto login with your email ID instead
- If you do not wish to do so, set a local user password by editing your account under
- Jellyfin URL:
Configure Media Server- Click on
Sync Libraries- Enable all Libraries that get listed
- Also run a manual scan
- Click on
Configure Services- Setup all the services
- Use the correct API keys, hostnames and ports for the services
Service Name Port jellyfin 8096 sonarr 8989 radarr 7878 - Quality profile can be
HD-1080porHD - 720/1080p - Select the applicable root folders
- Check relevant options that suit your needs
- General
- Enable
Tag Requests - Enable
Scan - Enable
Default Server
- Enable
- Sonarr specific
- Enable
Season Folders
- Enable
- General
- Use the correct API keys, hostnames and ports for the services
- Setup all the services
- Go to
Usersand either add new users or import from Jellyfin directly- This is not required by default
- Give them
Manage Requestsand other permissions for ease where applicable
- Go to
Settings -> Usersand give them allAuto-ApproveandAuto-RequestPermissions by default for ease.
- Setup login credentials
- Link to Jellyfin
- Jellyfin URL:
http://jellyfin:8096 - Generate an API key from Jellyfin and use it here
- It will be in Jellyfin under
Dashboard -> API Key
- It will be in Jellyfin under
- Jellyfin URL:
- Just follow onscreen instructions to create an account
- Setup the config as you please from there!
- Sample command for importing a google photos takeout archive using immich-go
immich-go upload from-google-photos \ --server=<IMMICH_URL>:30443 \ --api-key=<IMMICH_API_KEY> \ --log-file=$HOME/immich-go.logs.$(date +'%Y%m%d.%H%M%S') \ --session-tag=true \ --include-trashed=true \ --include-untitled-albums=true \ --manage-burst=Stack \ --people-tag=true \ --sync-albums \ --on-server-errors=stop \ --concurrent-uploads 2 \ <PATH_TO_TAKEOUT>/takeout*.zip
- Clientless remote desktop gateway supporting protocols like ssh, vnc and RDP.
- Login using default credentials
guacadmin/guacadminand change them- Click on top right to go to
Settings - Go to
Preferences - Update your password in the
Change Passwordsection
- Click on top right to go to
- Add connections by going to top right and clicking on
Settings- Go to
Connections -> New Connection - Fill out the details of the connection type with relevant and options
- Main part is to full out the
ParametersSection - Good option to setup here is the SSH config for your server maybe
- Main part is to full out the
- To access these, click on top right and go to
Homeand click on the connection
- Go to
- One stop shop for Sonarr/Radarr/Lidarr requests
- Get the API keys for Jellyfin, Sonarr and Radarr
- Jellyfin
- Go to
Admin > Dashboard > API Keys - Generate a new API key with an appropriate name
- Go to
- Sonarr/Radarr/Lidarr
- Use the API tokens from the respective services, found under
Settings > General > Security > API Key
- Use the API tokens from the respective services, found under
- Jellyfin
- Set credentials for login
- Go to
Settings- Use the correct API keys, hostnames and ports for the services
Service Name Port jellyfin 8096 sonarr 8989 radarr 7878 lidarr 8686 - Click on the
Load ProfilesandLoad Root Foldersbuttons and use the appropriate defaults as used in the services seen here. - Setup
MoviesusingRadarr - Setup
TVusingSonarr- Enable the
Enable season foldersoption - Enable the
V3option
- Enable the
- Setup
MusicusingLidarr - Setup
Media ServerusingJellyfin - Dont forget to click on
Enablefor each of those setups as well
- Use the correct API keys, hostnames and ports for the services
- Go to
Users- Setup additional users
- Give the following roles to trusted users for convinience
Request Tv Request Movie Request Music Auto Approve Tv Auto Approve Movie Auto Approve Music
- Use the username and password from the
group_vars/allfile to use this as a proxy server - The address would be
<PUBLIC_IP>:<GROUP_VARS_PORT>or<DOMAIN_NAME>:<GROUP_VARS_PORT>or<LAN_IP>:<GROUP_VARS_PORT>
- For external access:
- To authenticate
- Thee username will be the
<ANSIBLE_USER>you used in thehosts.yamlfile - The password will be in the
group_vars/allfile (smb.passwordsection).
- Thee username will be the
- In Windows, connect to it using
\\<LAN_IP>\<SHARE_NAME_FROM_GROUP_VARS_ALL> - More information here
- You need to create DNS entries to access the Ingress services. The following entries are recommended:
*.<DOMAIN_NAME><DOMAIN_NAME>
- Setup NAT-ing for the the following ports on your router to gain external access. On your router:
-
Set a static IP for your server (if applicable) so the router doesnt assign a different IP to the machine breaking your port-forwarding setup
-
Following are some sample rules based on the
allfile defaults for port forwarding, feel free to tweak to your needs.Service Default access Where Server port Public facing port ssh ssh <LAN_IP>or<DOMAIN_NAME>22 <IN_LINE_WITH_HOSTS_FILE_OR_22>samba proxy \\<LAN_IP>\<SHARE_NAME>or\\<DOMAIN_NAME>\<SHARE_NAME>TCP: 139,445, UDP:137,138<BEST_NOT_TO_EXPOSE_THIS>squid proxy <LAN_IP>:<GROUP_VARS_PORT>or<DOMAIN_NAME>:<GROUP_VARS_PORT><IN_LINE_WITH_ALL_FILE><YOU_DECIDE>grafana Ingress grafana.<DOMAIN_NAME>30080 (HTTP) / 30443 (HTTPS) 80 (HTTP) / 443 (HTTPS) jellyfin Ingress jellyfin.<DOMAIN_NAME>30080 (HTTP) / 30443 (HTTPS) 80 (HTTP) / 443 (HTTPS) jellyseerr Ingress jellyseerr.<DOMAIN_NAME>30080 (HTTP) / 30443 (HTTPS) 80 (HTTP) / 443 (HTTPS) ombi Ingress ombi.<DOMAIN_NAME>30080 (HTTP) / 30443 (HTTPS) 80 (HTTP) / 443 (HTTPS) prowlarr Ingress prowlarr.<DOMAIN_NAME>30080 (HTTP) / 30443 (HTTPS) 80 (HTTP) / 443 (HTTPS) bazarr Ingress bazarr.<DOMAIN_NAME>30080 (HTTP) / 30443 (HTTPS) 80 (HTTP) / 443 (HTTPS) radarr Ingress radarr.<DOMAIN_NAME>30080 (HTTP) / 30443 (HTTPS) 80 (HTTP) / 443 (HTTPS) sonarr Ingress sonarr.<DOMAIN_NAME>30080 (HTTP) / 30443 (HTTPS) 80 (HTTP) / 443 (HTTPS) readarr Ingress readarr.<DOMAIN_NAME>30080 (HTTP) / 30443 (HTTPS) 80 (HTTP) / 443 (HTTPS) lidarr Ingress lidarr.<DOMAIN_NAME>30080 (HTTP) / 30443 (HTTPS) 80 (HTTP) / 443 (HTTPS) immich Ingress immich.<DOMAIN_NAME>30080 (HTTP) / 30443 (HTTPS) 80 (HTTP) / 443 (HTTPS) librespeed Ingress librespeed.<DOMAIN_NAME>30080 (HTTP) / 30443 (HTTPS) 80 (HTTP) / 443 (HTTPS) calibre-web Ingress calibre-web.<DOMAIN_NAME>30080 (HTTP) / 30443 (HTTPS) 80 (HTTP) / 443 (HTTPS) calibre LAN <LAN_IP>:30000(No ingress rules defined)30100 <BEST_NOT_TO_EXPOSE_THIS>NOTE: Security is an unkown when exposing a service to the internet.
-
- If you cannot do NAT setup on your router and need the server to run ingress on 80 and 443, you can use this post's answer to run the ingress controller on host network
kind: ...
apiVersion: apps/v1
metadata:
name: nginx-ingress-controller
spec:
...
template:
spec:
hostNetwork: true <---------- Add this
containers:
- name: nginx-ingress-lb
image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.21.0
ports:
- name: http
hostPort: 80 <---------- Add this
containerPort: 80
protocol: TCP
- name: https
hostPort: 443 <---------- Add this
containerPort: 443
protocol: TCP
...For troubleshooting, it might be useful to run the metrics server on your cluster
Refer to this guide for it.
In case of a migration, you may choose to wnat to migrate data from prometheus along with the app backups stored in the server's app-config dir.
Resources:
- https://devopstales.github.io/home/backup-and-retore-prometheus/
- https://prometheus.io/docs/prometheus/latest/querying/api/
- https://gist.github.com/ksingh7/d5e4414d92241e0802e59fa4c585b98b
kubectl -n monitoring patch prometheus kube-prometheus-stack-prometheus --type merge --patch '{"spec":{"enableAdminAPI":true}}'kubectl describe pod -n monitoring prometheus-kube-prometheus-stack-prometheus-0 | grep -i adminTo see
--web.enable-admin-apiStart port forwardning in a different terminal and leave it running
kubectl -n monitoring port-forward svc/kube-prometheus-stack-prometheus 9090Take snapshot
curl -v -X 'POST' -ks 'localhost:9090/api/v1/admin/tsdb/snapshot'TMP_DIR=$(mktemp -d)
kubectl cp -c prometheus prometheus-kube-prometheus-stack-prometheus-0:/prometheus/snapshots ${TMP_DIR}This is easier and in the context of this server's setup.
export TMP_DIR=$(mktemp -d)
export PV_DIR=$(kubectl get pv -o yaml $(kubectl get pv | grep monitoring/prometheus-kube-prometheus-stack-prometheus-db-prometheus-kube-prometheus-stack-prometheus-0 | cut -d' ' -f1) | grep "path:" | cut -d " " -f 6)
cp -r ${PV_DIR}/prometheus-db/snapshots/* ${TMP_DIR}Copy over your backup to any other host if applicable.
export PV_DIR=$(kubectl get pv -o yaml $(kubectl get pv | grep monitoring/prometheus-kube-prometheus-stack-prometheus-db-prometheus-kube-prometheus-stack-prometheus-0 | cut -d' ' -f1) | grep "path:" | cut -d " " -f 6)
# clear dir. Might not be needed
rm -rf ${PV_DIR}/prometheus-db/*
# copy over old data
mv ${TMP_DIR}/* ${PV_DIR}/prometheus-db/This repo will be of use: https://github.com/nicolaka/netshoot
Refer to this page for troubleshooting and fix.
Always keep a static IP for your nodes.
The TLDR fix is to run the following on your node:
# update configs
sudo sed -i 's/<OLD_IP>/<NEW_IP>/g' /etc/kubernetes/*.conf
sudo grep -R "192.168" /etc/kubernetes/*.conf
sudo sed -i 's/<OLD_IP>/<NEW_IP>/g' /etc/kubernetes/manifests/etcd.yaml
sudo grep -E 'listen-|advertise|initial-cluster|initial-advertise' /etc/kubernetes/manifests/etcd.yaml# restart kubelet
sudo systemctl daemon-reexec
sudo systemctl restart kubelet# backup certs
sudo cp -r /etc/kubernetes/pki /etc/kubernetes/pki.bak
# remove old keys
sudo rm /etc/kubernetes/pki/apiserver.*
# regenerate certs
sudo kubeadm init phase certs apiserver \
--apiserver-advertise-address=192.168.0.8 \
--apiserver-cert-extra-sans=192.168.0.8,pedroops,PedroOps \
--control-plane-endpoint=192.168.0.8
# restart pods
sudo systemctl restart kubelet
# test
sudo kubectl cluster-info
sudo kubectl get nodes