TrueNAS-Compose | Your Docker Stacks for TrueNAS Scale

Ups… I completely forgot about that, lol, but tomorrow I’ll take care of it! :slight_smile:

PS: Thanks for pointing that out! :wink:

Best regards,
PapaGigas


One (well… two, because of tailscale’s subdomain) for every service running on the ‘proxy’ network! :wink:

Best regards,
PapaGigas


Well… it’s after midnight… so technically it’s already “tomorrow”! :rofl:

34 - Open Kali Linux's terminal and run the following command to create Traefik's "user:password" pair: # Replace 'user' with your username

echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g

35 - Copy and paste the generated credentials into the .env file where it says: # All dollar signs in the password hash need to be doubled for escaping

TRAEFIK_DASHBOARD_CREDENTIALS=admin:$$2y$$05$$6UmMkA88gn5ndU8m1iHwbebfFs7Huc9cY6iIQDuceRNOdSM.Ji3uG # The default password is: admin

I hope this time everything is ok… can you please check? :roll_eyes:

Best regards,
PapaGigas


About the Kali instance… with whoami, it tells me I’m “abc”. Don’t know why. Used the Username I put in Traefik instead.
sed now works as intended.

  • (5) REV-PROXY 44. Tiny typo: “tyoe”

.

I ran into issues about step 54, it didn’t want to let me save, because of a ‘records with the same name’ error.

I assume the problem is that the guide assumes the Domain registrar is cloudflare?

From what I’ve been doing/reading, is… what I’m doing here is basically updating the DNS registries so that if someone accesses my domain (I just registered one), they will be sent to the IP of my truenas instance?

I’ve now changed the Nameservers to the ones Cloudflare provides, soo… I’ll see when that happens and if the tunnel thing then can be set up as it is described in the guide.

Thank you for your effort :slight_smile:

.

Edit:
I’ve been setting up (3) REMOTE. 37. You can’t delete the user you are currently logged in as. One needs to log out, log in with the new user, go back to user settings and then you can delete “guacadmin”
I mean… hopefully everyone is capable of doing that, but I wanted to mention it anyway.

  1. Rustdesk 1.3.9 released… 4 days ago. Maybe change the URL to https://github.com/rustdesk/rustdesk/releases and mention to use the newest?

Edit 2&3:
(5) rev-proxy, 59. “[…] CNAME record […] already exists”
I’ve had a similar issue when I was doing 54., because I forgot the "*."home.arpa. Is the name meant to be *.home.arpa again? Especially as without it it could simply be @?

As you’re not around and hopefully rest to get better, I’ll try and report


I’ve added a warning after step 15 regarding that:

# WARNING: If you're not using a Cloudflare's domain name, you'll need to update the nameservers at your registrar and wait for Cloudflare's check to be done!

PS: I’ll take care of the rest ASAP! :wink:

Best regards,
PapaGigas

Suggestion: instead have it be:

[…] you will need to change the nameserver of your domain at your registrar to cloudflare […]

.

(5) REV-PROXY 67. whoami.myip works from within my network, but it doesn’t work from a guest network on the same router nor from a computer using a mobile phone hotspot. Is that expected behaviour?
Not sure if that needs to be mentioned, it’s just me being curious.

(5) REV-PROXY 67., Updating, changing, deleting, adding all the custom CNAME results is… a chore and a half. You list 40 subdomains there and each has two entries.
I was searching, but I couldn’t find a file or something in which those are saved. Is there a way to just copy&paste a whole bunch of these entries? Or a command line tool to automate that?
I’ve now done it manually, but if there is, everyone following in my footsteps would probably appreciate it^^


Sorry, I’ve been really sick so I couldn’t do much…

# WARNING: If you're using a different registrar, change your nameservers to Cloudflare's and wait for the verification process to complete!

PS: I’ll take care of the rest as soon as I can! :roll_eyes:

Best regards,
PapaGigas


If you’re not in the same network, you won’t be able to access your Docker services… unless you’re connected via TailScale or using the Cloudflare Tunnel! :wink:

Best regards,
PapaGigas

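On the bulk CNAME question raised above (two Pi-hole entries per service, one for home.arpa and one for the Tailscale ts.home.arpa subdomain), here is an added helper that is not part of the guide: it prints the `cname=` lines in the form the guide's REV-PROXY list uses (`cname=<service>.home.arpa,truenas`) and reports which expected lines a config file is still missing. The host name `truenas` and the two suffixes are assumptions taken from the guide's own entries.

```shell
#!/bin/sh
# Added helper, not part of the TrueNAS-Compose guide: generate the Pi-hole (dnsmasq)
# "cname=" pairs for a list of services and report which ones a config file lacks.
# Assumes the guide's naming: <service>.home.arpa and <service>.ts.home.arpa (Tailscale),
# both aliased to the host name "truenas" (override with TARGET_HOST if yours differs).

TARGET_HOST=${TARGET_HOST:-truenas}

gen_cnames() {
  # Print the two dnsmasq lines for every service name given as an argument.
  for svc in "$@"; do
    printf 'cname=%s.home.arpa,%s\n' "$svc" "$TARGET_HOST"
    printf 'cname=%s.ts.home.arpa,%s\n' "$svc" "$TARGET_HOST"
  done
}

missing_cnames() {
  # $1 is the config file; the remaining arguments are service names.
  # Prints every expected line that is not present verbatim in the file
  # (-x whole line, -F fixed string, so dots in the names are not treated as regex).
  cfg=$1; shift
  gen_cnames "$@" | while IFS= read -r line; do
    grep -qxF -- "$line" "$cfg" || printf '%s\n' "$line"
  done
}

count_missing() {
  # Same arguments as missing_cnames; prints only the number of missing lines.
  missing_cnames "$@" | wc -l | tr -d ' '
}

# Constructed demo config (not a real file from the guide): tinyauth is complete,
# whoami has only its home.arpa entry.
DEMO=$(mktemp)
printf 'cname=tinyauth.home.arpa,truenas\ncname=tinyauth.ts.home.arpa,truenas\ncname=whoami.home.arpa,truenas\n' > "$DEMO"
missing_cnames "$DEMO" tinyauth whoami   # prints the single whoami.ts.home.arpa line
rm -f "$DEMO"
```

Append the output of `gen_cnames svc1 svc2 ...` to the Pi-hole CNAME list, or pipe `missing_cnames` into it after adding a new stack.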

I’ve updated the guide, what do you think? :roll_eyes:

EDIT: I’ve also changed the REMOTE stack installation instructions:

37 - Log out, then log back in using your new "Username" and "Password".

38 - Navigate to "guacadmin > Settings > Users" in Guacamole's interface.

39 - Click on the "guacadmin" user and click on "Delete" to remove Guacamole's default user.

40 - Download and install the latest RustDesk client. # https://github.com/rustdesk/rustdesk/releases

EDIT 2: I’ve also added these notes to REV-PROXY:

34.# NOTE: All dollar signs in the password hash must be escaped by doubling them. This is why we need to use "sed -e s/\\$/\\$\\$/g"!

57.# NOTE: This will create a DNS record that directs your domain's traffic to your Cloudflare Tunnel, allowing it to flow securely through!

60.# NOTE: This will create a DNS record that points 'whoami' to '@' (your root domain), allowing you to access it through your Cloudflare Tunnel!

Best regards,
PapaGigas

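For steps 34-35 earlier in the thread and the NOTE added above for step 34, here is an added shell helper (not from the guide) that performs the same dollar-sign doubling, reverses it the way Docker Compose does when it reads .env, and checks a pasted value for any `$` left unescaped. The sample hash is the guide's default admin hash; the function names are assumptions.

```shell
#!/bin/sh
# Added helper, not from the guide: escape a htpasswd bcrypt hash for a Docker Compose
# .env file and check a line before pasting it. Compose interpolates "$" in .env values,
# so every "$" in the hash has to be written as "$$" (that is what step 34's sed does);
# an unescaped hash is silently mangled and the dashboard login then fails.

escape_for_env() {
  # Double every dollar sign, the same transformation as "sed -e s/\\$/\\$\\$/g".
  printf '%s\n' "$1" | sed -e 's/\$/$$/g'
}

unescape_from_env() {
  # What Compose does when it loads the file: each "$$" collapses back to one "$".
  printf '%s\n' "$1" | sed -e 's/\$\$/$/g'
}

env_line_ok() {
  # Return 0 when every "$" in the value is part of a "$$" pair, 1 otherwise.
  # Strip all "$$" pairs first; any "$" left behind is unescaped.
  leftover=$(printf '%s' "$1" | sed -e 's/\$\$//g')
  case $leftover in
    *'$'*) return 1 ;;
    *)     return 0 ;;
  esac
}

# Sample from the guide: the default "admin" credentials as htpasswd -nB prints them
# (unescaped). Step 35 shows the escaped form of this same value.
RAW='admin:$2y$05$6UmMkA88gn5ndU8m1iHwbebfFs7Huc9cY6iIQDuceRNOdSM.Ji3uG'
ESCAPED=$(escape_for_env "$RAW")
printf 'TRAEFIK_DASHBOARD_CREDENTIALS=%s\n' "$ESCAPED"
```

Run `env_line_ok "<value>"` on a line copied from your .env before starting the stack; a non-zero exit means a lone `$` slipped through.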

I’ve added “Step 8: Install Gotify” and “Step 9: Configure Alerts” to TrueNAS setup instructions. :wink:

PS: I’ve also added these commands to “Step 5: Configure Datasets”:

storage dataset create name=tank/docker/notifications share_type=APPS

storage dataset create name=tank/docker/notifications/gotify share_type=APPS

EDIT: I’ve also added instructions to create a network bridge in “Step 2: Configure Network Settings” and changed the “home” network settings in “Step 6: Create Docker Networks” accordingly! :wink:

EDIT2: I’ve also changed every “ie:” to “e.g.:” in the guide, lol, sorry about the mix-up… neither English nor Latin is my native language! :rofl:

EDIT3: I’ve also changed the LOCAL-AI stack so people that haven’t installed the VPN-SEARCH stack can disable the web search on Open WebUI! :wink:

Best regards,
PapaGigas


I’ve added “Tinyauth” to the AUTH stack… :wink:

PS: I’ve also added Tinyauth’s traefik label to all services on the proxy network! :wink:

EDIT: I’ve also added these entries to the list of CNAMEs for pihole in REV-PROXY stack:

cname=tinyauth.home.arpa,truenas
cname=tinyauth.ts.home.arpa,truenas

EDIT2: I’ve also added these steps to the REV-PROXY stack:

64 - Navigate to "Network" in Cloudflare's dashboard.

65 - Scroll down to the "Onion Routing" setting and toggle it off.

EDIT3: I’ve also added these steps to the WEBSITE stack:

# WARNING: Steps 24-63 cover the configuration of WAF rules. Optional, but recommended. # Source: https://webagencyhero.com/cloudflare-waf-rules-v3

24 - Navigate to "Security > Security rules" in Cloudflare's dashboard.

25 - Click "+ Create rule" followed by "Custom rules".

26 - Type "Allow Good Bots" on the "Rule name" field.

27 - Click "Edit expression" on the "Expression Preview" section.

28 - Copy and paste the following expression where it says "For example: ip.src == 66.249.66.1":

(cf.client.bot) or (cf.verified_bot_category in {"Search Engine Crawler" "Search Engine Optimization" "Monitoring & Analytics" "Advertising & Marketing" "Page Preview" "Academic Research" "Security" "Accessibility" "Webhooks" "Feed Fetcher"}) or (http.user_agent contains "letsencrypt" and http.request.uri.path contains "acme-challenge")

29 - Select "Skip" from the "Choose action" dropdown menu.

30 - Check all options from the "WAF components to skip" section, except "All remaining custom rules".

31 - Click "More components to skip" to expand.

32 - Check all the remaining options from the "WAF components to skip" section.

33 - Select "First" from the "Select order" dropdown menu.

34 - Click "Deploy" to confirm.

35 - Click "+ Create rule" followed by "Custom rules".

36 - Type "Aggressive Crawlers" on the "Rule name" field.

37 - Click "Edit expression" on the "Expression Preview" section.

38 - Copy and paste the following expression where it says "For example: ip.src == 66.249.66.1":

(http.user_agent contains "yandex") or (http.user_agent contains "sogou") or (http.user_agent contains "semrush") or (http.user_agent contains "ahrefs") or (http.user_agent contains "baidu") or (http.user_agent contains "python-requests") or (http.user_agent contains "neevabot") or (http.user_agent contains "CF-UC") or (http.user_agent contains "sitelock") or (http.user_agent contains "crawl" and not cf.client.bot) or (http.user_agent contains "bot" and not cf.client.bot) or (http.user_agent contains "Bot" and not cf.client.bot) or (http.user_agent contains "Crawl" and not cf.client.bot) or (http.user_agent contains "spider" and not cf.client.bot) or (http.user_agent contains "mj12bot") or (http.user_agent contains "ZoominfoBot") or (http.user_agent contains "mojeek") or (ip.src.asnum in {135061 23724 4808} and http.user_agent contains "siteaudit")

39 - Select "Managed Challenge" from the "Choose action" dropdown menu.

40 - Select "Last" from the "Select order" dropdown menu.

41 - Click "Deploy" to confirm.

42 - Click "+ Create rule" followed by "Custom rules".

43 - Type "Challenge Large Providers / Country" on the "Rule name" field.

44 - Click "Edit expression" on the "Expression Preview" section.

45 - Copy and paste the following expression where it says "For example: ip.src == 66.249.66.1":

(ip.src.asnum in {7224 16509 14618 8075 396982} and not cf.client.bot and not cf.verified_bot_category in {"Search Engine Crawler" "Search Engine Optimization" "Monitoring & Analytics" "Advertising & Marketing" "Page Preview" "Academic Research" "Security" "Accessibility" "Webhooks" "Feed Fetcher" "Aggregator"}) or (not ip.src.country in {"US"} and not cf.client.bot and not cf.verified_bot_category in {"Search Engine Crawler" "Search Engine Optimization" "Monitoring & Analytics" "Advertising & Marketing" "Page Preview" "Academic Research" "Security" "Accessibility" "Webhooks" "Feed Fetcher" "Aggregator"} and not http.request.uri.path contains "acme-challenge" and not http.request.uri.query contains " ?fbclid" and not ip.src.asnum in {32934})

46 - Select "Managed Challenge" from the "Choose action" dropdown menu.

47 - Select "Custom" from the "Select order" dropdown menu.

48 - Select "Aggressive Crawlers" from the "Select which rule this will fire after" dropdown menu.

49 - Click "Deploy" to confirm.

50 - Click "+ Create rule" followed by "Custom rules".

51 - Type "Challenge Path / VPN Managed Challenge" on the "Rule name" field.

52 - Click "Edit expression" on the "Expression Preview" section.

53 - Copy and paste the following expression where it says "For example: ip.src == 66.249.66.1":

(ip.src.asnum in {60068 9009 16247 51332 212238 131199 22298 29761 62639 206150 210277 46562 8100 3214 206092 206074 206164 213074}) or (http.request.uri.path contains "wp-login")

54 - Select "Managed Challenge" from the "Choose action" dropdown menu.

55 - Select "Last" from the "Select order" dropdown menu.

56 - Click "Deploy" to confirm.

57 - Click "+ Create rule" followed by "Custom rules".

58 - Type "Block Web Host / Paths / TOR" on the "Rule name" field.

59 - Click "Edit expression" on the "Expression Preview" section.

60 - Copy and paste the following expression where it says "For example: ip.src == 66.249.66.1":

(ip.src.asnum in {200373 198571 26496 31815 18450 398101 50673 7393 14061 205544 199610 21501 16125 51540 264649 39020 30083 35540 55293 36943 32244 6724 63949 7203 201924 30633 208046 36352 25264 32475 23033 32475 212047 32475 31898 210920 211252 16276 23470 136907 12876 210558 132203 61317 212238 37963 13238 2639 20473 63018 395954 19437 207990 27411 53667 27176 396507 206575 20454 51167 60781 62240 398493 206092 63023 213230 26347 20738 45102 24940 57523 8100 8560 6939 14178 46606 197540 397630 9009 11878}) or (http.request.uri.path contains "xmlrpc") or (http.request.uri.path contains "wp-config") or (http.request.uri.path contains "wlwmanifest") or (cf.verified_bot_category in {"AI Crawler" "Other"}) or (ip.src.country in {"T1"})

61 - Select "Block" from the "Choose action" dropdown menu.

62 - Select "Last" from the "Select order" dropdown menu.

63 - Click "Deploy" to confirm.

64 - Click "+ Create rule" followed by "IP access rules".

# NOTE: If "IP access rules" isn't available, click "Return to old dashboard" and navigate to "Security > WAF > Tools" in Cloudflare's dashboard.

65 - Add "New IP access rule" with the following settings: # Replace 'I.P.v.4' with your TrueNAS public IP address (and select it from the dropdown menu)

IP: I.P.v.4
Action: Allow
Zone: All websites in account
Notes: Home

66 - Click "Create" to confirm.

PS - If your TrueNAS public IP address changes, repeat steps 64-66 using the new public IP address, then delete the outdated rule.

Best regards,
PapaGigas


I’ve added a SECURITY stack to the guide, to use CrowdSec and ClamAV! :wink:

PS: I’ve also made the necessary changes to REV-PROXY stack.

EDIT: CrowdSec and ClamAV installation instructions are done! :wink:

Best regards,
PapaGigas

This seems like a neat project. Great work!


Thanks for the feedback! :wink:

Best regards,
PapaGigas

I’ve added a GAMES stack for running Pterodactyl (game servers)! :wink:

EDIT: The installation instructions are done! :wink:

Best regards,
PapaGigas

I’ve finished the installation instructions for the Windows stack. :wink:

I guess the guide is now complete… unless anyone has any suggestions? :roll_eyes:

PS: I’ll be doing a bit of network refactoring (just to tidy things up) and after that, I’ll remove the “Work in progress… please be patient! :)” note from the site. :wink:

EDIT: I’ve added the list of applications covered in this guide to the first post in this thread! :slight_smile:

Best regards,
PapaGigas

Great work, I have a small favour: would you mind adding Zigbee2Mqtt and NodeRed to the guide?

Thanks.


No problem… I’ll do that ASAP! :wink:

EDIT: I’ve added Zigbee2Mqtt to the guide, but I have a question:

Are you using a USB stick connected to your TrueNAS system? :roll_eyes:

EDIT2: I’ve also added the installation instructions for an ethernet Zigbee coordinator! :wink:

EDIT3: I’ve added a DEV stack to the guide… still a work in progress! :roll_eyes:

Best regards,
PapaGigas


Nope, my stick is PoE from SMLIGHT-Tech.


I’ve covered that with the installation instructions for an ethernet Zigbee coordinator… I hope it works! :slight_smile:

Btw… what’s the service you want to link to Node-Red? MQTT? :roll_eyes:

Best regards,
PapaGigas