Rycochet/media-server

Media Server with Docker Compose

Caution

Due to a recent update you must use the .internal suffix for internal service name routing, such as http://vpn.internal:8888. If you do not, services will not be able to connect! This needs to happen in all web apps for all connections, and can safely be done before updating!

Important

This uses Cloudflare for incoming connections, NordVPN for outgoing, and Google Auth for logging in. If you cannot figure those out with help from Google then this might not be the setup for you!

Warning

I do not use all of these services, so not everything is guaranteed to work.

Note

This is the barebones setup for a media server, it does not include any config (although over time I may add more documentation and templates explaining what to do).

Concept

Every service uses a similar folder layout, this includes having a config folder inside the service folder for easier backup and configuration.

When one service depends on another, the dependency only needs to be started first (with a couple of exceptions that require it to be healthy first).

There are some included scripts for use within various services directly - you do not need to install python or have anything more than bash available on the server.

Network

This has two networks defined in compose.yaml.

  • The internal network does not have internet access, and is used for inter-service communication. All routing into the stack should come through traefik which acts as a bridge between the two.

    Important: You must add the .internal suffix to service names to route the connections over the internal network; without it they will not connect!

  • The external network allows for a service to contact the internet directly. (Ideally services should be using the http://vpn.internal:8888 service as an http(s) proxy instead.)

Installation

Important

The install.sh script is not usable yet, these other steps are always going to be manual!

It is advised to use VSCode or a similar editor that does syntax highlighting (i.e., colors) for the files you edit!

Duplicate the .env.example file as .env, all configuration needs to go in here.

Create an empty compose.override.yaml file, and copy the commented block of include: services into it, then to enable a service you can simply uncomment that line. For some services, look for included template files that need copying into their config/ folders and renaming.

Google

  1. Add your email address as the EMAIL and WHITELIST in .env
  2. Follow these instructions: https://developers.google.com/identity/protocols/oauth2
  3. Add the GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET in .env
  4. Place a long random hexadecimal value in OAUTH_SECRET in .env
    • The best way is to use the output of openssl rand -hex 16

Cloudflare

Domain name

  1. Make an account if you haven't already.
  2. Buy a domain, or if you already have one you can transfer the domain servers across.
    • Set this as the DOMAIN in .env
    • Replace the $DOMAIN in PLEX_URL with this.

Tunnel (incoming security)

  1. Sign up for Zero Trust - you can choose the personal 0-cost.
  2. Go to Networks -> Tunnels
    1. Create a Tunnel, name it for your domain
    2. Copy the "Run the following command" suggestion, paste it as CLOUDFLARED_TOKEN in .env then remove the cloudflared.exe service install prefix (including space).
    3. Create 2 public hostnames, one to your domain, and one to * at your domain
      • Both have a service of https://traefik.internal
      • Both have Advanced -> TLS -> Origin Server Name as your domain
      • Both have Advanced -> TLS -> HTTP2 connection turned on

Make subdomains accessible

  1. Go back to Account Home, then click on your domain name.
  2. Under the Domain (Zone) settings go to SSL/TLS -> Overview, and enable Full encryption.
  3. Under DNS -> Records, create a CNAME entry for * pointing at your domain.
  4. Under DNS -> Settings, enable DNSSEC.

Allow SSL certificates to be created

  1. Click on your Profile in the top right, go to your profile, then click on API Tokens on the left.
  2. Create a Token using the Edit zone DNS template
  3. Allow it access to your domain under Zone Resources
  4. Copy the token to CLOUDFLARE_API in .env

NordVPN

  1. Make an account, click on NordVPN on the left, scroll down to API Key, create one and copy to VPN_PRIVATE_KEY in .env

Media Paths

  1. Make sure you set PATH_DOWNLOADS to a good download folder, this will be used by multiple services as a consistent location.
  2. Place all of your media paths in the PATH_XYZ variables in .env - add more as needed.

Plex

  1. Use these instructions to get PLEX_TOKEN in .env - https://support.plex.tv/articles/204059436-finding-an-authentication-token-x-plex-token/
  2. Ensure you have all the correct paths for Plex from the Media Paths section above. Internally we're going to map them all under the /data/ folder.
  3. In your current Plex server go to Settings -> Library, and disable (and save) the "Empty trash automatically after every scan" option!
  4. Stop Plex Media Server!
  5. Copy (move is risky, but it's your library) the Plex Config folder starting at Library into plex/config/ - so there is a folder in there called Library.
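
A pre-flight check for the .env values set in the steps above, as an added example that is not part of the repository. The variable names are the ones listed on this page; the checks themselves, the function names env_get and check_env, and the 600 file mode are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the repository): sanity-check .env before first start.
# Variable names come from the README; every check below is an assumption.

REQUIRED="EMAIL WHITELIST GOOGLE_CLIENT_ID GOOGLE_CLIENT_SECRET OAUTH_SECRET DOMAIN CLOUDFLARED_TOKEN CLOUDFLARE_API VPN_PRIVATE_KEY PATH_DOWNLOADS PLEX_TOKEN"

# Print the value of KEY ($2) from a KEY=value file ($1); last assignment wins,
# one pair of surrounding quotes is stripped.
env_get() {
  sed -n "s/^$2=//p" "$1" | tail -n 1 | sed -e 's/^["'\'']//' -e 's/["'\'']$//'
}

# Print one line per problem; return 0 only when the file passes every check.
check_env() {
  local file=$1 problems=0 key val
  [ -r "$file" ] || { echo "cannot read $file"; return 1; }
  for key in $REQUIRED; do
    val=$(env_get "$file" "$key")
    [ -n "$val" ] || { echo "$key is empty or missing"; problems=$((problems + 1)); }
  done
  # OAUTH_SECRET: hex only, at least the 32 digits `openssl rand -hex 16` emits.
  val=$(env_get "$file" OAUTH_SECRET)
  if [ -n "$val" ] && ! printf '%s' "$val" | grep -Eq '^[0-9a-fA-F]{32,}$'; then
    echo "OAUTH_SECRET is not a hex string of 32+ digits"; problems=$((problems + 1))
  fi
  # CLOUDFLARED_TOKEN: the pasted "cloudflared.exe service install " prefix must be gone.
  case $(env_get "$file" CLOUDFLARED_TOKEN) in
    *cloudflared*|*" "*)
      echo "CLOUDFLARED_TOKEN still contains the command prefix"; problems=$((problems + 1)) ;;
  esac
  # .env holds secrets: flag it when group or others have any access (GNU stat only).
  case $(stat -c '%a' "$file" 2>/dev/null) in
    ?00|"") ;;
    *) echo "$file is accessible to group/others, use chmod 600"; problems=$((problems + 1)) ;;
  esac
  [ "$problems" -eq 0 ]
}

# Check the file named on the command line, if one was given.
if [ -n "${1:-}" ]; then check_env "$1"; fi
```

Run it as `bash check-env.sh .env` (the script name is arbitrary) before `docker compose up -d`; a non-zero exit status means at least one line of output needs attention.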

Services

This is a list of all services, and the profiles they are started with. Note that only the core profiles are included in the compose.yaml file, everything else needs to be manually added.

Where the SUBDOMAIN column shows a tick, the subdomain is the same as the service name.

| NAME | PROFILE | DESCRIPTION | INTERNAL PORT | SUBDOMAIN |
|---|---|---|---|---|
| cloudflared | core | Cloudflare tunnel | n/a | |
| deunhealth | core | Bring unhealthy containers back up | n/a | |
| error-pages | core | Error pages | 8080 | ✔️ |
| socket-proxy | core | Secure access to the docker socket | 2375 | |
| tinyauth | core | OAuth via Google | 3000 | ✔️ |
| traefik | core | HTTP routing | 8080 | ✔️ |
| vpn | core | VPN + HTTP Proxy + Socks5 Proxy | 8000 | |
| watchtower | core | Auto-update containers | 8080 | ✔️ |
| adguardhome | network | Ads & trackers blocking DNS server | 80 | ✔️ |
| audiobookshelf | library | Audiobooks library | 80 | ✔️ |
| bazarr | media | Subtitles | 6767 | ✔️ |
| beszel | information | System information | 8090 | ✔️ |
| chaptarr | media | Books / Audiobooks | 8789 | ✔️ |
| cleanuparr | download | Bad download handling | 11011 | ✔️ |
| docker-discord-alerts | tools | Notify Discord when docker containers change | n/a | |
| dozzle | information | Docker status | 8080 | ✔️ |
| duc | tools | Disk usage | 80 | ✔️ |
| emby | library | Media library | 8096 | ✔️ |
| flaresolverr | network | Cloudflare captcha bypass | 8191 | |
| foundryvtt | games | Foundry Virtual Tabletop for RPGs | 30000 | rpg |
| glances | information | Operating system status | 61208 | ✔️ |
| homepage | information | Dashboard | 3000 | (root) |
| i2p | network | I2P Client | 7657 | ✔️ |
| imagemaid | quality | Cleanup Plex image cache | n/a | |
| jellyfin | library | Open source media library | 8096 | ✔️ |
| kapowarr | library | Comics | 5656 | ✔️ |
| kometa | quality | Poster overlays, collections, playlists for Plex | n/a | |
| komga | library | Comic library | 25600 | ✔️ |
| libretranslate | tools | Translation | 5000 | translate |
| lidarr | media | Music | 8686 | ✔️ |
| lingarr | quality | Subtitle translation | 8080 | ✔️ |
| manyfold | library | 3d models library | 3214 | ✔️ |
| minecraft | games | Minecraft | 8080 | ✔️ |
| mylar | media | Comics | 8090 | ✔️ |
| neutarr | download | Missing media search | 9705 | ✔️ |
| notifiarr | tools | System notifications | 5454 | ✔️ |
| onlyfans | download | Download all subscriptions | n/a | |
| openspeedtest | network | Bandwidth test to server | 3000 | ✔️ |
| pgadmin | tools | Database admin | 80 | ✔️ |
| plex | library | Media library | 32400 | ✔️ |
| plex-find-mismatch | quality | Finds mismatches between tvdb/tmdb/imdb and Plex | n/a | |
| pocket-id | tools | Passkey authentication server | 1411 | auth |
| portainer | information | Container management | 9000 | ✔️ |
| postgres | tools | Database | n/a | |
| prowlarr | download | Torrent / NNTP search proxy | 9696 | ✔️ |
| qbittorrent | download | Torrent downloader | 8080 | ✔️ |
| radarr | media | Movies | 7878 | ✔️ |
| sabnzbd | download | NNTP downloader | 8085 | ✔️ |
| scrutiny | information | S.M.A.R.T. information | 8080 | ✔️ |
| seerr | information | Media requests and issue tracking | 5055 | ask |
| sonarr | media | TV Shows | 8989 | ✔️ |
| sonarr_youtubedl | disabled | Download from Youtube | n/a | |
| speedtest-tracker | information | Speedtest with history | 80 | ✔️ |
| stash | tools | Porn database | 9999 | ✔️ |
| subgen | quality | Audio transcription | n/a | |
| syncthing | download | Remote data synchronisation | 8384 | ✔️ |
| tautulli | information | Plex stats | 8181 | ✔️ |
| tdarr | quality | Transcoding / format shifting / audio normalisation | 8265 | ✔️ |
| tdarr_inform | quality | Notifications from sonarr / radarr / etc to tdarr | 5004 | ✔️ |
| tdarr-node | quality | Transcoding node for tdarr | n/a | |
| titlecardmaker | quality | Episode thumbnails for Plex | 4242 | ✔️ |
| tracearr | library | Plex & Emby monitoring | 3000 | ✔️ |
| ubooquity | media | Comics | 2202 | ✔️ |
| uptime-kuma | information | Status and uptime monitoring | 3001 | status |
| watchstate | tools | Sync media library watch state | 8080 | ✔️ |
| webtop | desktop | Linux desktop | 3000 | ✔️ |
| whisparr | media | Porn | 6969 | ✔️ |
| whoami | network | Who... Am... I...? | 80 | ✔️ |
| windows | desktop | Windows desktop | 8006 | ✔️ |
| zfdash | information | ZFS administration | 5001 | ✔️ |
| zfs-discord-alerts | tools | Notify Discord when there are zfs problems | 8080 | |

Note

The core PROFILE services are enabled in the compose.yaml file, you must add any others you wish to a compose.override.yaml file instead:

include:
  - whoami/compose.yaml # Use the name of the service above followed by "/compose.yaml"

Bootstrap

Important

The Plex library must have finished copying before you do this, and you must not run the old one again (unless you decide not to go ahead with this).

  1. Run docker compose pull - disable any services that you don't have permission for.
  2. Just before running go to https://account.plex.tv/claim and copy the token to PLEX_CLAIM in .env
  3. Run docker compose up -d and wait for everything to come up.
  4. Go to https://dozzle.<domain> and wait for all the red dots to turn green.
  5. Optional: Run docker compose down followed by docker compose up -d dozzle plex - this reduces load and lets you set things up one at a time.
  6. Go to Plex and tell it to rescan everything - every entry should get re-found as Plex uses file hashes for identification.

About

Overkill media server setup
