Starter project for your Synology NAS.
- playnology
- Introduction
- System Overview
- User Personas
- Requirements
- Installation and Configuration
- Execution
- Creating a basic inventory file
- Running your first Ad-Hoc Ansible command
- Your first Ansible playbook
- Docker-compose Deployment with SSH
- Docker-compose Deployment with Portainer Stack
- Docker-compose Deployment with Portainer Containers
- Adding a new route from Public Domain to your server
- Access and bookmark container apps from NAS on iPhone
- Logging
- Monitoring
- Updating
- Troubleshooting
- References
This document describes the Synology NAS automation and manual services that is provided for DevSecOps engineers.
The audience for this document includes:
-
Mobile User who will install, configure and enable ZeroTier One app on their iPhone to access the container applications hosted on Synology NAS.
-
DevSecOps Engineer who will install, configure and update the Synology NAS services to ensure continuous uptime and backup redundancy.
Term | Definition |
---|---|
DSM | Disk Station Manager |
- DSM 7.2 has stopped support for Docker.
Category | Activity | Mobile User | DSO Engineer |
---|---|---|---|
Installation & Configuration | Installing Ansible | R,A | |
Installation & Configuration | Setting up LDAP on your Synology NAS | R,A | |
Installation & Configuration | Setting up configuration.yml for Authelia stack |
R,A | |
Installation & Configuration | Setting up a cloudflared agent on your Synology NAS |
R,A | |
Installation & Configuration | Protecting the route from Public Domain to your server | R,A | |
Execution | Creating a basic inventory file | R,A | |
Execution | Running your first Ad-Hoc Ansible command | R,A | |
Execution | Your first Ansible playbook | R,A | |
Execution | Docker-compose Deployment with SSH | R,A | |
Execution | Docker-compose Deployment with Portainer Stack | R,A | |
Execution | Docker-compose Deployment with Portainer Containers | R,A | |
Execution | Adding a new route from Public Domain to your server | R,A | |
Updating | Manually updating DSM | R,A | |
Installation & Configuration | Install and configure ZeroTier One on iPhone | R,A | C |
Execution | Access and bookmark container apps from NAS on iPhone | R,A | |
Troubleshooting | Error Start container zt failed | I | R,A |
You can enable SSH service from the Control Panel
. Go to Terminal & SNMP
and check the box Enable SSH service
and click Apply
.
After enabling SSH service, you will find out that you are unable to login with the admin password on the Synology web interface. We will need to temporarily enable Telnet service to fix this problem.
Under the previous Terminal & SNMP
, check the box Enable Telnet service
and click Apply
. You have to connect to both Telnet and SSH on the LAN because it doesn't work with Quickconnect.
On your iPhone, download the app iTerminal. Open the app and create a Telnet connection specifying your [PRIVATE_IP]
address on port 23
.
Login using admin
and same password as your Synology web interface. Type the following command to change the SSH password:
$ sudo synouser --setpw admin [PASSWORD]
If it doesn't work the first time, try again. After changing the password, you should be able to SSH to your Synology.
Return to your Synology Control Panel
, and disable the Telnet service.
Warning: Changing the admin
password using Task Scheduler did not work.
Using the app iTerminal, create an SSH connection specifying your IP address on port 22. Login using admin and your password, and type EXACT:
$ sudo ln -s /var/run/docker.sock /volume1/docker/docker.sock
Warning: Even after creating the symlink you cannot create the container from the Docker UI. This is because symlinks are not listed when trying to create a volume/file link.
The Synology Docker UI is nice but lacks some functionality such as Stacks, Templates, etc. Portainer will run seamlessly along side the Synology Docker UI.
First make a folder on your Synology Web Interface to hold the portainer data, using File Station, i.e. /DBDock/docker/portainer
.
However before we can install Portainer, we need to login via SSH as admin
(password is same as your Synology Web Interface).
ssh admin:[PASSWORD]@[PRIVATE_IP]
Now run the following command to grab the Portainer image.
docker run -d -p 8000:8000 -p 9000:9000 --name=portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v /volume1/docker/portainer:/data portainer/portainer
Warning: Do not change volume1
as it is the EXACT name of DBDock.
Now check to see if it worked, you need to access the Portainer container from your LAN, i.e. [PRIVATE_IP], on port 9000. Create the admin user and password.
Once logged in, select the Local environment and press the Connect button. You should be able to see a Dashboard of all your Docker files.
There are two methods to pull a new Docker image and add a running container:
- Using Docker Compose
- Using Portainer
First, login to your Synology via SSH as admin
(password is same as your Synology Web Interface). Your $HOME
directory should be /var/services/homes/admin
.
Create a folder to store your docker-compose files and navigate into it.
mkdir -p docker-compose/nginxpm
cd docker-compose/nginxpm
Create a docker-compose.yml
file and copy & paste the following code and save it.
version: "3"
services:
app:
image: 'jc21/nginx-proxy-manager:latest'
restart: always
ports:
# Public HTTP Port:
- '80:80'
# Public HTTPS Port:
- '443:443'
# Admin Web Port:
- '81:81'
# Default Administrator User
# URL: http://localhost:81
# Email: admin@example.com
# Password: changeme
environment:
# These are the settings to access your db
DB_MYSQL_HOST: "db"
DB_MYSQL_PORT: 3306
DB_MYSQL_USER: "npm"
DB_MYSQL_PASSWORD: "npm"
DB_MYSQL_NAME: "npm"
# If you would rather use Sqlite uncomment this
# and remove all DB_MYSQL_* lines above
# DB_SQLITE_FILE: "/data/database.sqlite"
# Uncomment this if IPv6 is not enabled on your host
# DISABLE_IPV6: 'true'
volumes:
- vol_data:/data
- vol_letsencrypt:/etc/letsencrypt
depends_on:
- db
networks:
- net_public
- net_private
db:
image: 'jc21/mariadb-aria:latest'
restart: always
environment:
MYSQL_ROOT_PASSWORD: 'npm'
MYSQL_DATABASE: 'npm'
MYSQL_USER: 'npm'
MYSQL_PASSWORD: 'npm'
volumes:
- vol_mysql:/var/lib/mysql
networks:
- net_private
volumes:
vol_data:
vol_letsencrypt:
vol_mysql:
# Named volumes are stored in a part of the host filesystem
# which is managed by Docker (/volume1/@docker/volumes/ on Synology)
# Docker appends [FOLDER] name to named volumes.
# nginxpm_vol_data
# nginxpm_vol_letsencrypt
# nginxpm_vol_mysql
networks:
net_public:
net_private:
# Docker appends [FOLDER] name to named networks.
# nginxpm_net_public
# nginxpm_net_private
Run the docker-compose
command within the same folder.
sudo docker-compose up -d
Synology DSM is configured to run on both default ports 5000 and 5001. However, it's listening on ports 80 and 443 for redirection.
In order to free ports 80 and 443, we will replace these ports with 82 and 444, respectively.
sudo sed -i -e 's/80/82/' -e 's/443/444/' /usr/syno/share/nginx/server.mustache /usr/syno/share/nginx/DSM.mustache /usr/syno/share/nginx/WWWService.mustache
sudo synoservicecfg --restart nginx
Alternatively, if we want to stop NGINX server we won't need to replace ports 80 and 443.
Stop the NGINX server.
sudo synoservicecfg --disable nginx
sudo synoservicecfg --hard-stop nginx
Restart both the NGINX and DSM servers.
sudo synoservicecfg --enable nginx
sudo synoservicecfg --restart nginx
sudo synoservice --enable DSM
sudo synoservice --restart DSM
Warning: Synology DSM depends on NGINX server.
Access the Portainer container from your LAN, i.e. [PRIVATE_IP], on port 9000, and login as admin
.
Click on the side menu Containers
, then click on + Add Container
.
Enter both the container and image names. For example, objTeedy
and jdreinhardt/teedy:latest
.
Click on + publish a new network port
and enter host port 8080
and container port 8080
. Ensure TCP
is selected.
Click on Volumes
and then + map additional volume
button.
Map container path /data
to host volume teedy_vol_data
.
Click on Network
and then select nginxpm_net_public
.
Click on Deploy the container
.
You may need to enable port forwarding on both your Google Home WiFi and router.
Ansible's only real dependency is Python. Once Python is installed, the simplest way to get Ansible running is to use pip
.
pip install ansible
You must enable SSH remote connection on your Synology NAS before running Ansible commands. You can follow the steps in this article:
This runbook should be performed by the DevSecOps.
The benefit of running LDAP on your server is single sign-on (SSO). For services that do not have any login, your LDAP service will protect those services, while for services that have their own login feature, your LDAP service will provide one login for all of them.
-
Navigate to your Synology NAS Console > Package Center.
-
Find and install LDAP Server.
-
Open LDAP Server > Settings > click Enable LDAP server checkbox to enable it.
-
Enter the following details:
- For FQDN, enter your LDAP server name, e.g.
dbdock.watertown
. - For Password, enter your LDAP password, this is NOT the same as your DSM account.
-
Click Apply.
-
Under Authentication Information, you should see that your Base DN and Bind DN are now configured.
This runbook should be performed by the DevSecOps.
Before we can fire up an Authelia stack on Portainer, we need to have its configuration.yml
file ready and configured towards your Synology NAS environment.
-
Choose a custom location on your Synology NAS where your Authelia config file will be stored, we can store it under the Synology Docker root folder
/volume1/docker
. -
Copy the
config.template.yml
file to your custom location, e.g./volume1/docker/authelia/configuration.yml
. -
Edit the
configuration.yml
to your Synology NAS environment:
- For
jwt_secret
: set the environment variableAUTHELIA_JWT_SECRET_FILE
to/secrets/JWT_SECRET
file with a long random value. - For
totp.issuer
: enter your FQDN, e.g.dbdock.watertown
. - Under
authentication_backend.ldap
,- For
url
: enter your NAS IP e.g.ldap://192.xx.xx.xx
. - For
base_dn
: enter your LDAP Base DN configuration. - For
user
: enter your LDAP Bind DN configuration. - For
password
: set the environment variableAUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
to/secrets/AUTHENTICATION_BACKEND_LDAP_PASSWORD
file with your LDAP admin password. - For
users_filter
: enter(&({username_attribute}={input})(objectClass=person))
.
- For
- Under
access_control.rules[*]
,- For
domain
: enter your domain wildcard, e.g.*.dbdock.watertown
. - For
subject
: enter which users to apply rules to, e.g.user:root
.
- For
- Under **
session
,- For
domain
, enter your FQDN, e.g.dbdock.watertown
. - For
secret
, set the environment variableAUTHELIA_SESSION_SECRET_FILE
to/secrets/SESSION_SECRET
file with a long random value. - For
redis.host
, enter your NAS IP e.g.192.xx.xx.xx
. - For
redis.database_index
, enter an index for your Redis database, e.g. use any integer [0..], where default is 0.
- For
- Under
storage.mysql
,- For
encryption_key
: set the environment variableAUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
to/secrets/STORAGE_ENCRYPTION_KEY
file with a long random value of at least 20 chars. - For
host
, enter your NAS IP e.g.192.xx.xx.xx
. - For
port
, enter3306
. - For
database
, enter your custom database name that you have created, e.g.authelia
. - For
username
, enter your custom database user that you have created, e.g.authelia
. - For
password
, set the environment variableAUTHELIA_STORAGE_MYSQL_PASSWORD_FILE
to/secrets/STORAGE_MYSQL_PASSWORD
file with your custom database password that you have configured.
- For
- Under
notifier.smtp
,- For
host
, entersmtp.gmail.com
. - For
port
, enter587
- For
username
, enter your Gmail user that you have created. - For
password
, set the environment variableAUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
to/secrets/NOTIFIER_SMTP_PASSWORD
file with your Gmail application password that you have configured. - For
sender
, enter your custom sender, e.g.Authelia <authelia@dbdock.watertown>
.
- For
.
.
.
host: 0.0.0.0 # do not change this!
port: 9091 # do not change this, this is Authelia internal port
.
.
theme: light # there are 3 themes so choose one you like
.
.
.
jwt_secret: xxxxxxxxxxxx # generate a long random key value
.
.
.
totp:
issuer: yourdomain.com # enter what you want to see when using 2FA
period: 30
skew: 1
.
.
.
authentication_backend:
ldap:
implementation: custom
url: ldap://yourNASIP
start_tls: false
base_dn: dc=blackvoid,dc=home # enter the values from the LDAP config
additional_users_dn: cn=users
additional_groups_dn: cn=groups
groups_filter: (&(uniquemember={dn})(objectclass=groupOfUniqueNames))
user: uid=admin,cn=users,dc=blackvoid,dc=home # your LDAP parameters
password: xxxxxxxxxxx # LDAP Admin password
.
.
.
access_control:
default_policy: deny
networks:
- name: 'internal'
networks:
- '192.168.86.0/24'
rules:
## Rules applied to user 'admin'
- domain: app1.yourdomain.com
subject: "user:admin"
policy: two_factor
- domain: app1.yourdomain.com
subject: "user:admin"
policy: one_factor
networks:
- 'internal'
.
.
.
session:
name: authelia_session
domain: yourdomain.com
same_site: lax
secret: xxxxxxxx # generate a long random key value
.
.
.
redis:
host: NASIPAddres # something like 10.20.30.35
port: 6379 # port for REDIS docker contianer
database_index: 0 # change this if you already use REDIS for something
.
.
.
storage:
mysql:
host: yourNASIP
port: 3306 # mysql docker container port
database: authelia # change to the name you have configured
username: authelia_user # change to the user you have configured
password: xxxxxxxxxxxx # change to the password you have configured
.
.
.
notifier:
smtp:
username: usernameOfYourMail
password: xxxxxx
host: smtp.gmail.com # this is just an example
port: 587
sender: sender@domain.com
This runbook should be performed by the DevSecOps.
Warning: You should perform this runbook for client-facing applications that do not contain sensitive data. For internal-facing applications or services, follow the runbook that uses a ZeroTier client.
-
Navigate to your Synology DSM Console > Package Center > Settings > Package Sources.
-
Click Add to add a new package source.
- For Name, enter
SynoCommunity
. - For Location, enter
https://packages.synocommunity.com
.
-
Click OK, then click Community in the left hand menu.
-
Search for
cloudflared
package, then click Install. -
Before you can complete the installation, you will require a
cloudflared
registration token. -
Open a new browser tab, and navigate to your Cloudflare Console > Zero Trust > Access > Tunnels.
-
Click Create a tunnel, then enter a Tunnel name, e.g.
dbdock-synocommunity-package-cloudflared
. -
Click Save tunnel to generate a registration token, then copy this token.
-
Return to your browser tab Synology Console, then paste this token to complete the
cloudflared
package installation. -
If successful, you should see
cloudflared
package Running on your Synology NAS. -
Return to your browser tab Cloudflare Console, and you should see the status
HEALTHY
for your new tunnel.
Note: For the next step, you may expose multiple applications or services within your new tunnel by Adding a new route from Public Domain to your server.
This runbook should be performed by the DevSecOps.
Cloudflare Zero Trust enables you to protect your routes from Public Domain to your applications and services hosted on internal server, by setting up an Application Policy, which is similar to a web application firewall (WAF).
-
Navigate to your Cloudflare Console > Zero Trust > Access > Applications.
-
Click Add an application, and then select Self-hosted type.
-
Enter the following values:
- For Application name, enter a name for the application policy, e.g.
dbdock-synocommunity-package-cloudflared
. - For Session Duration, enter the length of each session, e.g.
24 hours
.
- Under the Application domain, enter one or more Public domains that you want to protect.
- For Subdomain, enter your Public subdomain, e.g.
localstack
. - For Domain, select your Public domain from the drop-down list, e.g.
markit.work
.
- Click Next, for Policy name, enter a new policy, e.g.
default
.
- For Action, leave as Allow.
- Under Configure rules, add one or more Include rules to whitelist your users.
- For Selector, choose
Country
, and for Value, choose one or more countries from the drop-down list, e.g.Singapore
. - Click Add include, then for Selector, choose
Emails
, and for Value, enter one or more emails to whitelist.
- Click Next, leave all values as default, and click Add application.
This runbook should be performed by the Mobile User.
-
Download and install the ZeroTier One app.
-
Open the app and click
+
. -
Enter the Network ID from your ZeroTier account.
- Enable Default Route.
- Enable On Demand (beta).
- Click on Add Network.
- Check that the Status is
OK
.
Ansible uses an inventory file (basically, a list of servers) to communicate with your servers. Create a file hosts
in your project root folder and add one server to it:
[wifi]
192.0.2.5
The wifi
is an arbitrary name for the group of servers you're managing, followed by the IP addresses of your servers, one per line. If you're not using port 22 for SSH, you will need to append it to the address.
Now that you've installed Ansible and created an inventory file, it's time to run a command:
ansible <group> -i ./hosts -m ping -u <user>
Ansible assumes you're using a passwordless login for SSH (e.g. you login by entering ssh <user>@<serverip>
). If you're using a password, add the -k
flag to Ansible commands (you may need to install the sshpass
package for this to work).
You can associate a <user>
with each IP address, thus making your Ansible commands shorter.
[wifi]
192.0.2.5 ansible_user=admin
Alternatively, you can place the ansible_user
variable under a group <group>:vars
, which then applies the variables to all servers in that group.
[wifi]
192.0.2.5
[wifi:vars]
ansible_user=admin
The previous command would now be:
ansible <group> -i ./hosts -m ping
Create a folder plays/
and add a file check-linux-system-playbook.yml
in that folder. Copy and paste the following code:
---
- hosts: all
become: yes
tasks:
- name: Ensure NTP is running
service: name=ntpd state=started
Now that you've created your first Ansible playbook, it is time to run it.
ansible-playbook -i ./hosts plays/check-linux-system-playbook.yml
- Open a local terminal and remote SSH to your Synology NAS.
ssh admin@IP_ADDRESS
-
Navigate to the path
~/docker-compose/paperless
, where HOME folder is/var/services/homes/admin/
. -
Run docker-compose with
sudo
privileges.
sudo docker-compose.yml
- Ensure that the
USERMAP_UID
andUSERMAP_GID
is unused.
cat /etc/passwd | grep 1000
- Create a paperless admin user.
docker exec -it paperlessng_webserver_1 python3 /usr/src/paperless/src/manage.py createsuperuser --username=admin --
-
Navigate and login to Portainer UI, e.g. http://localhost:9000, then click on Local.
-
Click on Stacks -> + Add stack.
- Name: paperlessng
Navigate to the section Build method, and click on Upload, then Select file. Select your docker-compose.yml
file.
# docker-compose file for running paperless from the Docker Hub.
# This file contains everything paperless needs to run.
# Paperless supports amd64, arm and arm64 hardware.
#
# All compose files of paperless configure paperless in the following way:
#
# - Paperless is (re)started on system boot, if it was running before shutdown.
# - Docker volumes for storing data are managed by Docker.
# - Folders for importing and exporting files are created in the same directory
# as this file and mounted to the correct folders inside the container.
# - Paperless listens on port 8010.
#
# In addition to that, this docker-compose file adds the following optional
# configurations:
#
# - Instead of SQLite (default), PostgreSQL is used as the database server.
#
# To install and update paperless with this file, do the following:
#
# - Open portainer Stacks list and click 'Add stack'
# - Paste the contents of this file and assign a name, e.g. 'Paperless'
# - Click 'Deploy the stack' and wait for it to be deployed
# - Open the list of containers, select paperless_webserver_1
# - Click 'Console' and then 'Connect' to open the command line inside the container
# - Run 'python3 manage.py createsuperuser' to create a user
# - Exit the console
#
# For more extensive installation and update instructions, refer to the
# documentation.
version: "2"
services:
broker:
image: redis:6.0
restart: unless-stopped
volumes:
- vol_redis:/data
networks:
- net_private
db:
image: postgres:13
restart: unless-stopped
volumes:
- vol_postgres:/var/lib/postgresql/data
environment:
POSTGRES_DB: paperless
POSTGRES_USER: paperless
POSTGRES_PASSWORD: paperless
networks:
- net_private
webserver:
image: jonaswinkler/paperless-ng:latest
restart: unless-stopped
depends_on:
- db
- broker
ports:
- 8080:8000
# URL: http://localhost:8080/
volumes:
- vol_data:/usr/src/paperless/data
- vol_media:/usr/src/paperless/media
- /var/services/homes/admin/docker-compose/paperless/export:/usr/src/paperless/export
- /var/services/homes/admin/docker-compose/paperless/consume:/usr/src/paperless/consume
environment:
PAPERLESS_REDIS: redis://broker:6379
PAPERLESS_DBHOST: db
# The UID and GID of the user used to run paperless in the container. Set this
# to your UID and GID on the host so that you have write access to the
# consumption directory.
USERMAP_UID: 1000
USERMAP_GID: 1000
# Additional languages to install for text recognition, separated by a
# whitespace. Note that this is
# different from PAPERLESS_OCR_LANGUAGE (default=eng), which defines the
# language used for OCR.
# The container installs English, German, Italian, Spanish and French by
# default.
# See https://packages.debian.org/search?keywords=tesseract-ocr-&searchon=names&suite=buster
# for available languages.
#PAPERLESS_OCR_LANGUAGES: tur ces
# Adjust this key if you plan to make paperless available publicly. It should
# be a very long sequence of random characters. You don't need to remember it.
#PAPERLESS_SECRET_KEY: change-me
# Use this variable to set a timezone for the Paperless Docker containers. If not specified, defaults to UTC.
PAPERLESS_TIME_ZONE: Asia/Singapore
# The default language to use for OCR. Set this to the language most of your
# documents are written in.
#PAPERLESS_OCR_LANGUAGE: eng
networks:
- net_public
- net_private
volumes:
vol_redis:
vol_postgres:
vol_data:
vol_media:
# Named volumes are stored in a part of the host filesystem
# which is managed by Docker (/volume1/@docker/volumes/ on Synology)
# Docker appends [FOLDER] name to named volumes.
# paperlessng_vol_data
networks:
net_public:
net_private:
# Docker appends [FOLDER] name to named networks.
# paperlessng_net_public
# paperlessng_net_private
-
Open the container
paperless_webserver_1
. Navigate to Connected networks, and select a networkbridge
. Then, click Join network. -
Navigate to the Container status, and click on >_ Console. Then, click Connect and type the following command:
python3 /usr/src/paperless/src/manage.py createsuperuser --username=admin
This command will create a superuser admin
. Enter your email and password when prompted. Type exit
when done.
- Navigate to the Container status, and click on Logs. Check if there are any errors in the log.
-
Navigate and login to Portainer UI, e.g. http://localhost:9000, then click on Local.
-
Add volumes for all containers. Click on Volumes -> + Add volume.
- Name: paperless_vol_redis
Click Create the volume. Do this for all the volumes.
- Add the database container. Click on + Add container button and enter the database info.
- Name: paperless_redis
- Image: redis:6.0
Navigate to the section Advanced container settings, click on Volumes -> + map additional volume.
- container: /data
- volume: paperless_vol_redis
Navigate to Network, and select nginxpm_net_private
.
Navigate to Restart policy, and select Unless stopped.
Click Deploy the container and your database container should start. Do this for all the databases.
- Add the web server container. Click on + Add container button and enter the application info.
- Name: paperless_app
- Image jonaswinkler/paperless-ng:latest
Navigate to the section Network ports configuration, click on + publish a new network port.
- host: 8080
- container: 8000
Navigate to the section Advanced container settings, click on Volumes -> + map additional volume.
-
container: /usr/src/paperless/data
-
volume: paperless_vol_data
-
container: /usr/src/paperless/media
-
volume: paperless_vol_media
-
container: /usr/src/paperless/export
-
volume: /var/services/homes/admin/docker-compose/paperless/export
-
container: /usr/src/paperless/consume
-
volume: /var/services/homes/admin/docker-compose/paperless/consume
Navigate to Network, and select bridge
. Also, add nginxpm_net_private
.
Navigate to Env, and click on + add environment variable.
-
name: PAPERLESS_REDIS
-
value: redis://paperless_redis:6379
-
name: PAPERLESS_DBHOST
-
value: paperless_db
-
name: USERMAP_UID
-
value: 1000
-
name: USERMAP_GID
-
value: 1000
Navigate to Restart policy, and select Unless stopped.
This runbook should be performed by the DevSecOps.
-
Navigate to your Cloudflare Console > Zero Trust > Access > Tunnels > select an existing tunnel.
-
Click Configure > Public Hostname > click Add a public hostname.
-
Enter the following values, under Public hostname:
- For Subdomain, enter your application name, e.g.
localstack
. - For Domain, select an existing domain from the drop-down list, e.g.
markit.work
.
- Enter the following values, under Service:
- For Type, select
HTTP
. - For URL, enter the LAN IP address and port of your application, e.g.
192.x.x.1:8080
.
Warning: You can only add a LAN IP address of an application that is hosted on the same server as your
cloudflared
agent.
-
Leave the other fields as default values, and click Save hostname.
-
Navigate to Cloudflare Console > Zero Trust > Access > select an existing application policy name.
-
Click Configure > Policies, select a policy name, e.g.
default
> click Overview. -
Under Application domain, click Add domain.
- For Subdomain, enter your application name, e.g.
localstack
. - For Domain, select an existing domain from the drop-down list, e.g.
markit.work
.
- Test the domain by navigating to the your new URL, e.g.
https://localstack.markit.work
.
This runbook should be performed by the Mobile User.
- On your iPhone, open a browser and type the URL as follows:
ZEROTIER_MANAGED_IP:NAS_PORT
, e.g.172.29.xxx.xxx:8100
| Note: Accessing the container app requires both ZeroTier One running on your iPhone and NAS.
-
You should see the home page of your container app.
-
Bookmark the page on your browser.
This runbook should be performed by the DevSecOps Engineer.
-
Navigate to your Synology NAS Console > Control Panel > Update & Restore
-
Click on Download to download the latest DSM.
-
After download has completed successfully, click on Update Now.
-
The update may restart the device including all services and packages once the update is complete.
This runbook should be performed by the DevSecOps Engineer.
- Before installing the RAM, perform any updates to the DSM first.
| The RAM used is the official Synology Memory Module, D4NESO-2666-4G, DDR4-2666 260pin, Non-ECC Unbuffered SO-DIMM 4GB RAM.
-
Check your existing memory size before shutting down your Synology NAS.
-
Remove all the HDD trays from your NAS while taking note of the order.
-
Earth yourself by touching a heavy metal object first.
-
Insert the additional RAM on the right inner wall of the NAS until you hear a click sound.
-
Insert all the HDD trays in the same order as before.
-
Start your Synology NAS and check your new memory size.
If you get this error when using option -k
to ask for connection password, you must install the sshpass program.
<SERVER_IP> | FAILED! => {
"msg": "to use the 'ssh' connection type with passwords, you must install the sshpass program"
}
There are instructions on how to install sshpass here:
For macOS, you will need to install Xcode and command line tools then use the unofficial Homebrew command:
brew install hudochenkov/sshpass/sshpass
If you get the following SSH Error:
$ Received disconnect from host: 2: Too many authentication failures
This could happen if you have five or more DSA/RSA identity files stored in your .ssh directory. In this case if the -i option isn't specified at the command line the ssh client will first attempt to login using each identity (private key) and next prompt for password authentication. However, sshd drops the connection after five bad login attempts (again default may vary).
So if you have a number of private keys in your .ssh directory you could disable Public Key Authentication at the command line using the -o optional argument.
ssh -o PubkeyAuthentication=no <user>@<serverip>
SSH to your server and change the following permissions:
chmod 755 $HOME
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
If you get the following error:
fatal: [192.168.86.32]: FAILED! => {"msg": "Missing sudo password"}
Connect to your Synology NAS via SSH and then become a superuser sudo su -
. Enter your root
password which should be the same as your admin
password.
Create a file /etc/sudoers.d/admin
and add the following line:
admin ALL=(ALL) NOPASSWD:ALL
You have enabled superuser for your Ansible commands.
Note: Synology DSM 6
root
account has been hardened. You can no longer SSH usingroot
, however you can stillsudo -i
after logging in as any member account of the administrators group.
If you get the following error log in your Synology Docker:
{"message":"error gathering device information while adding custom device \"/dev/net/tun\": no such file or directory"}
- Create a file
/tun.sh
and type the following code:
#!/bin/sh
# Create the necessary file structure for /dev/net/tun
if ( [ ! -c /dev/net/tun ] ); then
if ( [ ! -d /dev/net ] ); then
mkdir -m 755 /dev/net
fi
mknod /dev/net/tun c 10 200
chmod 0755 /dev/net/tun
fi
# Load the tun module if not already loaded
if ( !(lsmod | grep -q "^tun\s") ); then
insmod /lib/modules/tun.ko
fi
-
Make the script executable with
chmod a+x /tun.sh
. -
Make the script run on every restart.
- Navigate to Synology Control Panel > Task Scheduler.
- Click Create > Triggered Task > User-defined script.
- Click on General tab.
- For User select
admin
. - For Event select
Boot-up
. - Click on Enabled task.
- For User select
- Click on Task Settings tab.
- For Run command > User-defined script, type:
sudo bash /tun.sh echo $?
- For Run command > User-defined script, type:
- Click OK.
- After restarting the
zt
container, check the node status:
$ sudo docker exec -it zt zerotier-cli status
200 info xxxxxx9857 1.8.10 ONLINE
The following resources were used as a single-use reference.
Title | Author | Publisher Date [Short Code] |
---|---|---|
Discussion: Authelia - SSO & 2FA portal | Rusty | May 2021 |
Authelia - SSO and 2FA portal | Luke Manestar | May 2021 |
NGINX proxy manager | Luke Manestar | Apr 2021 |
GitHub repo: CLI client for Portainer | Juan Carlos Mejías Rodríguez | Oct 2019 |
Ansible for DevOps | ||
How to build your inventory | Ansible Documentation | 2022 |
Synology Docker Media Server with Traefik, Docker Compose, and Cloudflare | Anand | Jul 2020 |
Prevent DSM Listening on Port 80/443 | ||
DSM broken after latest Update | ||
Prevent DSM Listening on Port 80/443 | ||
[Synology NAS | ZeroTier Documentation](https://docs.zerotier.com/devices/synology/) | |
Solved - --device /dev/net/tun not working anymore after Docker update 18.09.0-0513 | ||
Fix TUN/TAP not available on a Synology NAS |