QNAP TS-877 Truenas Journal

Apparently part of my jailmaker setup was incomplete.

When I rebooted TrueNAS, the jailmaker docker jail LAN IP changed!!!

So I went back to the doc and spotted this:

To configure a **static IP** with our bridge interface, we need to edit the 80-container-host0.network file located in /etc/systemd/network. Change the [Network] section to look like this:

So I followed that part of the instructions to set a static IP for the bridge, then rebooted once done.

Tested it: working again, same IP I used before.

OK, got another docker container URL to work, this time Dashy.


Also, as you can see, it shows the cert is valid.

So why does this matter? Because now you can use stuff like, say, Vaultwarden, which is strict about valid certs; now that will work for sure. You simply have to add its URL through Nginx Proxy Manager for that to work.


Part of the changes I did to get the reverse proxy working:

I had changed the TrueNAS system general settings ports 80 and 443 to e.g. 82 and 8443.

But now that I think about it, because docker is now kicked off to its own static IP, and TrueNAS has its own static IP, they no longer need to fight over 80 and 443.

So I will switch back and see if my theory pans out or not.


As I thought, it still works.

I think this setup works best. It would suck having to type the port to access TrueNAS each time.

The domain had been set up for the docker jail only.


Seems to be some slowdown when using the DuckDNS domain.

https://www.reddit.com/r/selfhosted/comments/17gkfud/nginx_proxy_manager_is_slowing_down_my_network/

hm

If not for the slow performance, I wouldn't mind keeping it as is. But at this rate, I may just shut down NPM and try Traefik again. But in the meanwhile, just get some more dockers up and running again. Will worry about reverse proxies later.

It wasn't like this the last time I tried it x-x;

In pfSense, do this in DNS Resolver under Custom options:

server:
  local-zone: "yourdomain.duckdns.org" redirect
  local-data: "yourdomain.duckdns.org A 192.168.0.24"
server:include: /var/unbound/pfb_dnsbl.*conf

I use pfBlocker, that's why I got this extra stuff.

But basically what this does is make your DuckDNS domain point to the internal LAN IP of your docker, so it loads over your LAN.

An alternative to doing this is going to c:\Windows\System32\Drivers\etc\hosts

and adding entries, e.g.

192.168.0.24 yourdomain.duckdns.org

The router entry is better since it works across your LAN, whereas with Windows you have to set it up on each machine, which is a pain.

But anyway, after making this change, the load speed for the DuckDNS domain locally for my docker is now super fast. Problem solved.

Yes, Let's Encrypt still works. Tested on both Chrome and Firefox.

Managed to find the PCI slot cover/bracket for the QXP-400eS.


Have to buy this.

Apparently this costs 10 USD.

But worse is the total when including shipping, which comes down to USD 52.75 total.

No thx :roll_eyes:

So since the official route was a total rip off, the alternative is the custom route.

Just need the bracket with that design (where it doesn't have the thing sticking out), with that width, then finally that hole/slot design for SFF-8088 (if none, just laser cut it). Those other vent holes are not needed.

In Nginx Proxy Manager, according to Wolf's guide, he said you can put the hostname the same as your docker name. But when I tried that, it didn't work.

This did, however:


So basically, to find out your docker IP, just go to the TrueNAS shell and type jlmkr list

I recommend, if you do bridging, that you set a static IP for the docker.

*update

Noticed when I enable my Mullvad, which has its own DNS, the domain for the local docker becomes slow. Still works, just noticeably slower. When I turn off the VPN, it's fast again.

So I imagine in this case, if you also modified the Windows 11 hosts file and added the DNS URLs there, this may solve that issue.

Entries in the hosts file for that would be something like

192.168.0.24    nginxproxymanager.yourdomain.duckdns.org
192.168.0.24    dashy.yourdomain.duckdns.org
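The pfSense redirect zone earlier in the thread and the per-host hosts-file entries just above solve the same problem in two ways. As an added example (not from the thread), this script models how the unbound redirect answers names, including the label-boundary edge case, and emits the hosts-file equivalents; the domain, service names and 192.168.0.24 are the thread's placeholders.

```python
# Added example: model the pfSense/unbound "local-zone ... redirect" from the
# post and the hosts-file alternative. Domain and IP are the post's placeholders.

# Constructed to mirror the Custom options block in the post.
UNBOUND_CUSTOM_OPTIONS = """
server:
  local-zone: "yourdomain.duckdns.org" redirect
  local-data: "yourdomain.duckdns.org A 192.168.0.24"
server:include: /var/unbound/pfb_dnsbl.*conf
"""


def parse_redirect_zones(text):
    """Return {zone: ip} for every redirect zone that has a matching A record."""
    zones, records = set(), {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("local-zone:"):
            name, kind = line.split(None, 2)[1:]
            if kind == "redirect":
                zones.add(name.strip('"').rstrip(".").lower())
        elif line.startswith("local-data:"):
            name, rtype, ip = line.split(":", 1)[1].strip().strip('"').split()
            if rtype == "A":
                records[name.rstrip(".").lower()] = ip
    return {z: records[z] for z in zones if z in records}


def answer(name, zones):
    """IP unbound hands back for `name`, or None when the query goes upstream
    (to DuckDNS, i.e. your WAN address, so the connection relies on NAT reflection).
    A redirect zone covers the zone itself and every name beneath it, but
    only on a label boundary: notyourdomain.duckdns.org is not covered."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return zones[candidate]
    return None


def hosts_lines(ip, hostnames):
    """Windows hosts-file equivalent: the hosts file has no redirect/wildcard,
    so every service name needs its own line (and on every machine)."""
    return [f"{ip}\t{h}" for h in hostnames]


if __name__ == "__main__":
    zones = parse_redirect_zones(UNBOUND_CUSTOM_OPTIONS)
    for n in ["dashy.yourdomain.duckdns.org", "notyourdomain.duckdns.org"]:
        print(n, "->", answer(n, zones) or "upstream")
    print("\n".join(hosts_lines("192.168.0.24",
          ["nginxproxymanager.yourdomain.duckdns.org", "dashy.yourdomain.duckdns.org"])))
```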

iperf speed test from desktop to TrueNAS docker (TS-877)

How to use iperf3 for a network speed test

Pre-requisite:

C:\iperf-3-win64\iperf3.exe

Now go to Windows start, type cmd, right click it, open as administrator.

Then type
cd C:\

cd C:\iperf-3-win64\

then

iperf3 -c "your truenas docker lan ip address without the quotes"

e.g.

iperf3 -c 192.168.0.24

Calculator

Home Networking: How to test your network, a guide to iperf

*recommended to watch for understanding iperf and how to use it

https://www.reddit.com/r/homelab/comments/11v94kz/new_10g_network_iperf_3_maxing_out_at_6_gbitssec/

Run the iperf test in both directions. Basically, run the test with and without the -R option.

An example of how to run it in reverse using the -R option:
iperf3 -P 4 -R -c 192.168.0.24

I did the test; my results for desktop to TrueNAS docker (TS-877) are

8.83 Gbits/sec

reverse mode
7.22 Gbits/sec

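Added example, not from the thread: parse the JSON that iperf3 emits with --json for the forward and -R runs and report both directions in Gbit/s, flagging asymmetry between them. The two documents are constructed to mirror the 8.83 / 7.22 Gbit/s results above; the assumed commands are the thread's with --json appended.

```python
# Added example: parse iperf3 --json output from the forward and -R (reverse) runs
# described in the post and report both directions in Gbit/s.
import json

# Constructed documents shaped like `iperf3 -P 4 -c 192.168.0.24 --json` and
# `iperf3 -P 4 -R -c 192.168.0.24 --json`, with the post's 8.83 / 7.22 Gbit/s results.
FORWARD_JSON = json.dumps({
    "start": {"test_start": {"protocol": "TCP", "num_streams": 4, "reverse": 0}},
    "end": {"sum_sent": {"bits_per_second": 8.83e9},
            "sum_received": {"bits_per_second": 8.83e9}},
})
REVERSE_JSON = json.dumps({
    "start": {"test_start": {"protocol": "TCP", "num_streams": 4, "reverse": 1}},
    "end": {"sum_sent": {"bits_per_second": 7.22e9},
            "sum_received": {"bits_per_second": 7.22e9}},
})


def throughput_gbps(raw):
    """Return (direction, Gbit/s) for one iperf3 --json document.

    Without -R the client (desktop) sends to the server (TrueNAS docker);
    with -R the server sends. Either way the receiver-side sum is what
    actually arrived, so that is the figure reported."""
    doc = json.loads(raw)
    if "error" in doc:  # iperf3 reports connection failures under this key
        raise RuntimeError(doc["error"])
    reverse = bool(doc["start"]["test_start"].get("reverse", 0))
    bps = doc["end"]["sum_received"]["bits_per_second"]
    direction = "server->client (-R)" if reverse else "client->server"
    return direction, round(bps / 1e9, 2)


def compare(forward_raw, reverse_raw, tolerance=0.10):
    """Summarise both runs; flag when the slower direction trails the faster
    by more than `tolerance` (a fraction), which is worth a second look at
    the NIC, driver or switch on the slow side."""
    fwd, rev = throughput_gbps(forward_raw), throughput_gbps(reverse_raw)
    gap = abs(fwd[1] - rev[1]) / max(fwd[1], rev[1])
    return {"forward": fwd, "reverse": rev, "asymmetric": gap > tolerance}


if __name__ == "__main__":
    print(compare(FORWARD_JSON, REVERSE_JSON))
```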

Been testing deploying containers.

Example:

services:
  syncthing:
    image: lscr.io/linuxserver/syncthing:latest
    container_name: syncthing
    hostname: syncthing # optional
    environment:
      # PUID/PGID = the docker user created in TrueNAS (1000:999)
      - PUID=1000
      - PGID=999
      - TZ=America/New_York
    volumes:
      - /mnt/docker/data/syncthing/appdata/config:/config
    ports:
      - 8384:8384
      - 22000:22000/tcp
      - 22000:22000/udp
      - 21027:21027/udp
    restart: unless-stopped
networks: {}

I had created a docker user in TrueNAS:

1000:999

UID:GID

Seems to work. Doing further testing.

Noted that when Dockge deployed, the owner is still root.

I use Syncthing to sync between my Android mobile and the NAS, to back up

  • KeePass database
  • Aegis 2FA database

Both encrypted, of course.

Refer to this video for how to set that up.

*update

OK, I got this set up. It's working, using the docker user in the compose environment, and seems to work.

So I guess I don't have to use 0:0 for deploying dockers unless there is a special reason to do so.

So what's nice about this setup?

For starters, KeePassDX is an Android app for locking/unlocking/accessing your KeePass database to get at your credentials. So on your Android you can access stuff using credentials through that app. It can be unlocked with a fingerprint, making it convenient and secure.

It's not just KeePass. It can also back up Aegis, which is a 2FA app (WAY better than Google Authenticator). Aegis can do local encrypted backups which can be easily restored. This is what you will be backing up/syncing using Syncthing to keep a copy on both your Android mobile and your TrueNAS.

It also works great on the go and does not require the cloud.

Once you are back home for the day, Syncthing will reach out to your NAS on the network and sync ANY changes that happened, automatically.

So no, you don't need crappy solutions like LastPass and those paid subscription password managers.

The alternative to KeePass is something like Vaultwarden. But to use this, you must have a working HTTPS cert for it to work. Otherwise the Android client will complain and you cannot use it. Keep that in mind.

And the cherry on top: I set up the local domain via Nginx Proxy Manager

https://syncthing.yourdomain.duckdns.org/

Going to keep the ball rolling and add more dockers :smiling_face_with_three_hearts:

Yikes, for the custom route to make this PCI slot bracket they wanted to charge 90 USD. Even just ordering the original costs less than that.

Never mind, I'd rather just use it as is. Sucks, but it's workable and doesn't cost me a bomb x-x;

The most important thing is that the TS-877 PCIe slot issue was resolved. Good enough.

Sadly I don't have a 3D printer x-x; sigh

:thinking:

There are 3D printing services that might be affordable, but you need to send them your 3D file, which I don't have. But you can find some here

Added Uptime Kuma.


Consolidates device and app uptime monitoring into this single UI.

Even if your device does not support uptime tracking, Kuma can add it. Very useful for troubleshooting; if anything goes down you will know, since you can set up alerts.

When adding dockers to Kuma, tested working when linking the docker server and the docker container names.

Interesting case study.

So I wanted to update the docker config for jailmaker, to add further bind mounts I forgot to add before.

So I updated the config file and saved.

Went to the TrueNAS shell:

jlmkr list

jlmkr stop docker

jlmkr start docker

When it loads up it tells you what was in the config it is loading. I did not see the new changes.

So what I had to do was stop the docker jail,

then jlmkr remove docker

then I installed the docker config again from the start:

jlmkr create --start --config /mnt/xxxxxx/docker/config docker

At this part you should go and change the networking to make it static, because that gets lost when you recreate the docker jail.

So follow the static network setup mentioned here

After that, go to the TrueNAS shell:

jlmkr shell docker

Install Dockge:
cd /mnt/docker/compose/dockge

docker compose up -d

Then go into Dockge. You will notice all your docker composes created earlier are still there. So simply just start all of them one at a time.

I tested on Dashy and Nginx Proxy Manager.

NPM is responsible for adding my https://dashy.mydomain.duckdns.org

So I tested that NPM and Dashy are both working as before.

My point here is, this is the process I discovered if you need to change the jailmaker docker config, and the fact that getting things back up and running without issue is possible, though tedious.

In case you are worried and needed to make changes to the config and don't know what to do.

Maybe there is a better way, but I tried looking at the jailmaker docs and it didn't discuss this. It only covers the initial install but nothing about what if you needed to change the config later, then what?

You shouldn’t have to do that.

How did you edit the config?

jlmkr edit docker

Followed by jlmkr restart docker


I use WinSCP, login via SFTP,

then I browse to the /mnt/xxxx/docker/

location, then I can edit the file.

This way the owner is root.

Yeah, I could have done it via cmdline/shell but I'm terrible at that x-x;

hm

I'll try that later, ty.

The config file should be in /mnt/poolname/jailmaker/jails/docker/config


I wasn't sure, so I had put it in the docker share outside the jail. But I will make that change, thx.

But, now that it has been deployed, does moving it there now cause issues? :thinking: Like, do I have to redo the docker jail if I am moving the config to the new location? Or does it not have any effect?

Deployed Filebrowser:

services:
  filebrowser:
    image: filebrowser/filebrowser:latest
    container_name: filebrowser
    #    user: 1000:1000
    environment:
      - PUID=1000
      - PGID=999
      - TZ=America/New_York
    ports:
      - 8080:80
    volumes:
      # data shares are bind-mounted read-only while testing
      - /mnt/Storage:/srv/Storage:ro
      - /mnt/Storage2:/srv/Storage2:ro
      - /mnt/test:/srv/test:ro
      - /mnt/docker/data/filebrowser/config/settings.json:/config/settings.json
      - /mnt/docker/data/filebrowser/config/database.db:/database.db
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
networks: {}

I had left the JSON empty, same for the DB.

When I deploy, it runs, but it says unhealthy. Yet I can enter Filebrowser just fine, even change settings, and use Filebrowser without issue. Even checked restarting the container; still works. So why does it say unhealthy? Weird.

Anyway, I created a test share; this is the guinea pig dataset so I can test how it behaves BEFORE I try anything where my actual data is.

Caution upon caution, I also have the RO flags added just in case.

Although I did add RO to the bind mount for the jailmaker docker config, so maybe not necessary perhaps?

Tried googling about what could go wrong; all I could find was this
https://www.reddit.com/r/selfhosted/comments/140ih3l/help_required_to_have_filebrowser_docker/

Yes, I also tried switching PUID and PGID to 0:0 but same. So I left it as 1000:999 since it just works regardless.

This is my Watchtower docker compose if anyone wants to copy it. It monitors all my docker containers and auto updates if it notices any new updates. It's set up to ignore anything with the flag (meaning you have to add the flag in the container compose that you want Watchtower to not auto update). Why I do this is because I don't want auto update to work on specific critical containers, which I update manually, because those containers can have bigger effects if there are major changes I was not prepared for, so something breaks, or it's a bad release (which does happen from time to time).

services:
  watchtower:
    image: containrrr/watchtower:latest
    container_name: watchtower
    environment:
      # 6-field cron (seconds first): every day at 04:00 local time
      # https://pkg.go.dev/github.com/robfig/cron@v1.2.0#hdr-CRON_Expression_Format
      WATCHTOWER_SCHEDULE: "0 0 4 * * *"
      TZ: America/New_York
      WATCHTOWER_CLEANUP: "true"
      WATCHTOWER_DEBUG: "true"
      # Left unset, so every container is updated unless it carries the
      # com.centurylinklabs.watchtower.enable=false label
      # https://containrrr.dev/watchtower/container-selection/
      # WATCHTOWER_LABEL_ENABLE: "true"
      WATCHTOWER_NOTIFICATIONS: email
      WATCHTOWER_NOTIFICATION_EMAIL_FROM: your email@something.com
      WATCHTOWER_NOTIFICATION_EMAIL_TO: your email@something.com
      WATCHTOWER_NOTIFICATION_EMAIL_SERVER: smtp-relay.brevo.com
      WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT: 587
      WATCHTOWER_NOTIFICATION_EMAIL_SERVER_USER: your email@something.com
      WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD: supersecretpassword
      WATCHTOWER_NOTIFICATION_EMAIL_DELAY: 2
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    network_mode: host
    restart: unless-stopped
    # alternative to the environment variables above:
    # command: --cleanup --schedule "0 15 03 * * *"

For SMTP I used Brevo. Then you don't have to use your important email to add credentials in order to get SMTP alerts to work. Brevo is free and has some limits, but it's sufficient for my requirements xd.

Those numbers are cron. Use this if you want to decipher how to configure that
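The "flag" the post refers to is Watchtower's container label. As an added example (not from the thread), this is how a critical container that is updated by hand, here Nginx Proxy Manager with an assumed service name and image, is excluded while WATCHTOWER_LABEL_ENABLE stays unset, so every other container keeps auto-updating:

```yaml
services:
  nginxproxymanager:                  # assumed service/container name for illustration
    image: jc21/nginx-proxy-manager:latest
    container_name: nginxproxymanager
    labels:
      # Watchtower skips containers carrying this label while
      # WATCHTOWER_LABEL_ENABLE is unset/false (the default, as in the post above).
      # If WATCHTOWER_LABEL_ENABLE is later set to "true" the logic inverts:
      # only containers labelled enable=true are updated.
      - "com.centurylinklabs.watchtower.enable=false"
    restart: unless-stopped
```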

I'm not going to list all my docker composes, only some I think might be of interest. If there are any requests, feel free to ask away. I posted my docker list earlier.

I am merely going through my list, deploying what is still relevant and not others, checking what worked, what didn't, etc. I don't have a final conclusion yet on whether all the docker containers I need were successfully brought over from QNAP QTS or not. Too early to say, but what I can say right now is it's more or less a success, so no regrets.

It did take some time to learn what jailmaker is, and how to install and use it. But it's not particularly hard once you figure it out. There are the official guides, and I also narrated how I used it, the issues I encountered, and how I resolved them, if you are trying to learn about it.

ok short break :smiling_face_with_three_hearts:
