added guidance for domainless setup, self-signed cert generation and DDNS setup.

2026-03-09 04:31:49 +01:00
parent 47e3bb630d
commit 00320f328c
6 changed files with 178 additions and 4 deletions
--- a/deploy.sh
+++ b/deploy.sh
@@ -341,10 +341,6 @@ cd /opt/stacks/convertx
 docker compose up -d
 echo -e "${cyan}convertx${nc} has been launched from http://convert.$domain, verify it is online"

-cd /opt/stacks/wireguard
-docker compose up -d
-echo -e "${cyan}wireguard${nc} has been launched from http://vpn.$domain, verify it is online"
-
 cd /opt/stacks/it-tools
 docker compose up -d
 echo -e "${cyan}it-tools${nc} has been launched from http://tools.$domain, verify it is online"
@@ -393,6 +389,9 @@ cd /opt/stacks/pihole
 docker compose up -d
 echo -e "${cyan}pihole${nc} has been launched from http://dns.$domain, to use pihole as your DNS provider, set your DNS to $localip in your router for DHCP and on your device for any device with a static ip. Currently, the DNS is configured to use the joindns4.eu DNS, which *also* has built-in adblocking."

+cd /opt/stacks/wireguard
+docker compose up -d
+echo -e "${cyan}wireguard${nc} has been launched from http://vpn.$domain, verify it is online"

 cd /opt/stacks/downloader
 docker compose up -d
--- a/gencerts.sh
+++ b/gencerts.sh
@@ -0,0 +1,73 @@
+#!/bin/bash
+
+# Script to generate self-signed certificates for Nginx Proxy Manager
+
+# Prompt for domain
+read -p "Enter the domain for the certificates (e.g., example.com): " DOMAIN
+
+if [ -z "$DOMAIN" ]; then
+    echo "Error: Domain not provided."
+    exit 1
+fi
+
+CERTS_DIR="/opt/stacks/browser/data/certs"
+
+# Create certs directory if it doesn't exist
+mkdir -p "$CERTS_DIR"
+
+# Function to generate root CA
+generate_root_ca() {
+    echo "Generating Root CA..."
+    openssl genrsa -out "$CERTS_DIR/rootCA.key" 4096
+    openssl req -x509 -new -nodes -key "$CERTS_DIR/rootCA.key" -sha256 -days 3650 -out "$CERTS_DIR/rootCA.crt" -subj "/CN=$DOMAIN Root CA"
+}
+
+# Function to generate intermediate CA
+generate_intermediate_ca() {
+    echo "Generating Intermediate CA..."
+    openssl genrsa -out "$CERTS_DIR/intermediateCA.key" 4096
+    openssl req -new -key "$CERTS_DIR/intermediateCA.key" -out "$CERTS_DIR/intermediateCA.csr" -subj "/CN=$DOMAIN Intermediate CA"
+    openssl x509 -req -in "$CERTS_DIR/intermediateCA.csr" -CA "$CERTS_DIR/rootCA.crt" -CAkey "$CERTS_DIR/rootCA.key" -CAcreateserial -out "$CERTS_DIR/intermediateCA.crt" -days 3650 -sha256
+}
+
+# Function to generate wildcard certificate
+generate_wildcard_cert() {
+    echo "Generating Wildcard Certificate..."
+    openssl genrsa -out "$CERTS_DIR/wildcard.key" 4096
+    openssl req -new -key "$CERTS_DIR/wildcard.key" -out "$CERTS_DIR/wildcard.csr" -subj "/CN=*.$DOMAIN" -addext "subjectAltName = DNS:$DOMAIN,DNS:*.$DOMAIN"
+    openssl x509 -req -in "$CERTS_DIR/wildcard.csr" -CA "$CERTS_DIR/intermediateCA.crt" -CAkey "$CERTS_DIR/intermediateCA.key" -CAcreateserial -out "$CERTS_DIR/wildcard.crt" -days 3650 -sha256
+}
+
+# Function to export certificates for cross-platform compatibility
+export_certs() {
+    echo "Exporting certificates for cross-platform compatibility..."
+
+    # Export root CA to .pfx (Windows)
+    openssl pkcs12 -export -out "$CERTS_DIR/rootCA.pfx" -inkey "$CERTS_DIR/rootCA.key" -in "$CERTS_DIR/rootCA.crt" -passout pass:
+
+    # Export intermediate CA to .pfx (Windows)
+    openssl pkcs12 -export -out "$CERTS_DIR/intermediateCA.pfx" -inkey "$CERTS_DIR/intermediateCA.key" -in "$CERTS_DIR/intermediateCA.crt" -passout pass:
+
+    # Export wildcard cert to .pfx (Windows)
+    openssl pkcs12 -export -out "$CERTS_DIR/wildcard.pfx" -inkey "$CERTS_DIR/wildcard.key" -in "$CERTS_DIR/wildcard.crt" -passout pass:
+
+    # Export root CA to .p12 (Cross-platform)
+    openssl pkcs12 -export -out "$CERTS_DIR/rootCA.p12" -inkey "$CERTS_DIR/rootCA.key" -in "$CERTS_DIR/rootCA.crt" -passout pass:
+
+    # Export intermediate CA to .p12 (Cross-platform)
+    openssl pkcs12 -export -out "$CERTS_DIR/intermediateCA.p12" -inkey "$CERTS_DIR/intermediateCA.key" -in "$CERTS_DIR/intermediateCA.crt" -passout pass:
+
+    # Export wildcard cert to .p12 (Cross-platform)
+    openssl pkcs12 -export -out "$CERTS_DIR/wildcard.p12" -inkey "$CERTS_DIR/wildcard.key" -in "$CERTS_DIR/wildcard.crt" -passout pass:
+}
+
+# Main script execution
+generate_root_ca
+generate_intermediate_ca
+generate_wildcard_cert
+export_certs
+
+echo "Certificates generated and saved in $CERTS_DIR:"
+echo "- Root CA: rootCA.crt, rootCA.key, rootCA.pfx, rootCA.p12"
+echo "- Intermediate CA: intermediateCA.crt, intermediateCA.key, intermediateCA.pfx, intermediateCA.p12"
+echo "- Wildcard: wildcard.crt, wildcard.key, wildcard.pfx, wildcard.p12"
--- a/setup/Domainless
+++ b/setup/Domainless
@@ -0,0 +1,83 @@
+You can set up your cloud without purchasing a domain. 
+
+to do this, skip DNS setup during initial install, this means you cannot reach the various services via hostname yet.
+
+Then, go to http://?localip?:5380 and log in with your admin password, this is your pihole dashboard.
+
+go to settings > local dns records and add two records:
+
+| domain        | IP
+| ?domain?      | ?localip?
+| *.?domain     | ?localip?
+
+
+now you can reach your cloud with whichever domain you want as long as you are on the pihole DNS.
+
+The VPN is set up by default to use this DNS, so you will also be able to reach your cloud when using your VPN, allowing use on the go.
+
+in your router's DHCP settings, set ?localip? as the DNS server.
+
+in any device with a static ip, configure its dns server to ?localip?
+
+
+next, you'll need to deal with HTTPS certificates on your proxy server. Because we cannot use letsencrypt, we'll have to do this ourselves. You can skip this, but that results in vaultwarden not working.
+
+run the gencerts.sh script, this will generate the certs for you and put them in a folder inside browser.?domain? which should now be reachable over http
+
+on ?localip?:81, log in, go to certificates > add certificate > custom
+
+fill in your main domain as the Name
+
+for the certificate key, use the wildcard.key file
+for the certificate, use the wildcard.crt file
+for the intermediate certificate, use the intermediate.crt file
+
+
+because this certificate is not backed by a public certificate authority like letsencrypt, you have to manually trust the root cert on each device you want to use the cloud on, or deal with "certificate untrusted" warnings.
+
+below are guides for doing this:
+
+
+windows:
+
+download and double-click rootCA.pfx
+select "Local Machine" and click next, password is empty.
+choose "place all certificates in the following store" and choose "Trusted Root Certification Authorities"
+click finish and confirm with "yes" if prompted.
+
+macOS:
+
+download and double-click rootCA.pfx
+if prompted for a password, leave it blank and click yes
+open Keychain Access (applications/utilities/keychain access)
+locate the imported rootCA.pfx certificate in the login or system keychains.
+double-click the certificate, expand the "trust" section and set "When using this certificate" to "always trust"
+
+Linux:
+
+download the rootCA.crt file
+copy rootCA.crt to /usr/local/share/ca-certificates/ using the following command from the directory rootCA.crt is in, or by using your file manager.
+sudo cp rootCA.crt /usr/local/share/ca-certificates/
+
+then update the CA store by rebooting or running the following command:
+sudo update-ca-certificates
+
+android:
+
+download rootCA.crt to your device
+open settings > security > encryption & credentials > install a certificate
+select rootCA.crt and set a Name
+reboot if prompted
+
+IOS:
+
+download rootCA.crt to your device
+open the file in safari and tap "install"
+go to settings > general > VPN & Device management > configuration profile and install the certificate
+enable full trust in settings > general > about > certificate trust settings
+
+
+now that you've set your DNS correctly and trusted the cert, you should be able to visit all of your sites via https://dash.?domain? 
+
+the certificate is valid for 10 years, after which you can generate a new one with gencerts.sh
+
--- a/setup/Dynamic
+++ b/setup/Dynamic
@@ -0,0 +1,15 @@
+If you have a dynamic public IP, you'll have to set up DDNS since a normal DNS only points to an ip statically, and if your ip changes, everything goes down until you update the DNS record.
+
+
+DDNS does this automatically. 
+
+select a reliable service:
+noip.com
+duckdns.org 
+dyn.com 
+dynv6.com 
+
+follow their install instructions. Generally, your router will have DDNS support. 
+
+If it does not, you can install a DDNS client on your server (apt install ddclient)
+
--- a/stacks/pihole/compose.yml
+++ b/stacks/pihole/compose.yml
@@ -7,6 +7,7 @@ services:
    ports:
      - 53:53/tcp
      - 53:53/udp
+      - 5380:80
    environment:
      TZ: ?timezone?
      FTLCONF_WEBSERVER_API_PASSWORD: ?adminpass?
--- a/stacks/wireguard/compose.yml
+++ b/stacks/wireguard/compose.yml
@@ -4,6 +4,7 @@ services:
    environment:
      WG_HOST: ?publicip?
      PASSWORD: ?adminpass?
+      WG_DEFAULT_DNS: ?localip?
    volumes:
      - ./wireguard:/etc/wireguard
    ports:
@@ -17,6 +18,8 @@ services:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv4.ip_forward=1
    restart: unless-stopped
+    dns: 
+      - ?localip?
    image: weejewel/wg-easy
 networks:
  dockge_default: