Services on home server

install.sh

#!/bin/sh

set -eu

echo 'net.ipv4.conf.all.src_valid_mark = 1' | \
  sudo tee '/etc/sysctl.d/10-wireguard.conf' >/dev/null

sudo sysctl net.ipv4.conf.all.src_valid_mark=1

docker run -d \
  --name=wireguard \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  -e PUID="$(id -u)" \
  -e PGID="$(id -g)" \
  -e TZ=Europe/Rome \
  -e INTERNAL_SUBNET=10.13.13.0 \
  -e ALLOWEDIPS=0.0.0.0/0 \
  -e SERVERPORT=51820 \
  --network=host \
  -v "/root/.local/etc/wireguard:/config" \
  -v /lib/modules:/lib/modules \
  --restart unless-stopped \
  linuxserver/wireguard

# docker run -d \
#   --name=tvheadend \
#   --network=host \
#   --restart unless-stopped \
#   -e PUID="$(id -u)" \
#   -e PGID="$(id -g)" \
#   -e TZ=Europe/Rome \
#   -v "$HOME/.config/tvheadend":/config \
#   -v /data/recordings:/recordings \
#   --device /dev/dvb:/dev/dvb \
#   linuxserver/tvheadend:latest

docker run -d \
  --name portainer \
  --network=host \
  --restart unless-stopped \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v portainer_data:/data \
  portainer/portainer-ce:latest

docker run -d \
  --name pihole \
  --network=host \
  --restart unless-stopped \
  -e TZ=Europe/Rome \
  -e PROXY_LOCATION=filottete.local \
  -e VIRTUAL_HOST=filottete.local \
  -v /root/.local/etc/dnsmasq.d:/etc/dnsmasq.d \
  -v /root/.local/etc/pihole:/etc/pihole \
  pihole/pihole:latest

docker run -d \
  --name plex \
  --network=host \
  --restart unless-stopped \
  -e TZ="Europe/Rome" \
  -e PLEX_UID="$(id -u)" \
  -e PLEX_GID="$(id -g)" \
  -e VERSION=docker \
  -e UMASK=022 \
  -v "${HOME}/.config/plex":/config \
  -v /data:/data \
  linuxserver/plex
# --device /dev/dvb:/dev/dvb \

sudo setcap 'cap_net_bind_service=+ep' /home/git/.local/bin/rgit
cat <<'EOF' | sudo tee /etc/systemd/system/rgit.service >/dev/null
[Unit]
Description=rgit
DefaultDependencies=no
After=network.target

[Service]
Type=simple
User=git
Group=git
ExecStart=/home/git/.local/bin/rgit --db-store /home/git/.cache/rgit --projects-list /home/git/projects.list 0.0.0.0:617 /home/git/repositories

[Install]
WantedBy=default.target
EOF
sudo systemctl enable --now rgit

sudo ufw disable
sudo ufw reset
sudo ufw limit OpenSSH

cat <<'EOF' | sudo tee "/etc/ufw/applications.d/ufw-avahi" >/dev/null
[Avahi]
title=Avahi
description=Avahi protocol
ports=5353/udp
EOF
sudo ufw allow avahi

cat <<'EOF' | sudo tee "/etc/ufw/applications.d/ufw-pihole" >/dev/null
[PiHole]
title=PiHole
description=PiHole
ports=53/tcp|80/tcp|53/udp|67/udp
EOF
sudo ufw allow pihole

cat <<'EOF' | sudo tee "/etc/ufw/applications.d/ufw-plex" >/dev/null
[Plex]
title=Plex
description=Plex media server
ports=32400/tcp|1900/udp|3005/tcp|5353/udp|8324/tcp|32410/udp|32412:32414/udp|32469/tcp
EOF
sudo ufw allow plex

cat <<'EOF' | sudo tee "/etc/ufw/applications.d/ufw-portainer" >/dev/null
[Portainer]
title=Portainer
description=Portainer
ports=8000/tcp|9443/tcp|9000/tcp
EOF
sudo ufw allow portainer

# cat <<'EOF' | sudo tee "/etc/ufw/applications.d/ufw-tvheadend" >/dev/null
# [TVHeadEnd]
# title=TVHeadEnd
# description=TVHeadEnd
# ports=9981:9982/tcp
# EOF
# sudo ufw allow tvheadend

cat <<'EOF' | sudo tee "/etc/ufw/applications.d/ufw-wireguard" >/dev/null
[WireGuard]
title=WireGuard
description=WireGuard VPN
ports=51820/udp
EOF
sudo ufw allow wireguard

cat <<'EOF' | sudo tee "/etc/ufw/applications.d/ufw-mpd" >/dev/null
[mpd]
title=Music Player Daemon
description=Music Player Daemon
ports=6600/tcp
EOF
sudo ufw allow mpd

cat <<'EOF' | sudo tee "/etc/ufw/applications.d/ufw-nfs" >/dev/null
[NFSServer]
title=NFS
description=NFS
ports=111/tcp|111/udp|32771/udp|32771/tcp|53840/udp|56203/tcp|52464/udp|57369/tcp|50069/udp|41243/tcp|35748/udp|43631/tcp|2049/tcp|2049/udp|20048/tcp|20048/udp
EOF
sudo ufw allow nfsserver

cat <<'EOF' | sudo tee "/etc/ufw/applications.d/ufw-rgit" >/dev/null
[rgit]
title=rgit
description=rgit
ports=617/tcp
EOF
sudo ufw allow rgit

sudo ufw enable