Skip to content

erwinkramer/synology-nas-bootstrapper

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

149 Commits
.vscode
.vscode
 
 
garden
garden
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Synology NAS Bootstrapper ✴

CC BY-NC-SA 4.0 GitHub commit activity

Bootstrap your Synology NAS setup with automatic provisioning for: filesystem structure, shares, users, groups, permissions, network, container orchestration and .env variables. Just configure the scheduled tasks and the Docker Compose .env file with your own dns and folder variables, that's it.

Makes use of the Synology CLI (pdf), Synology Task Scheduler and Synology Container Manager.

Network Design

Following is the partial network design. Refer to the code for full details.

flowchart TD

subgraph access[DNS Access layer]
privateservices[http://
code/whoami/qbittorrent/jellyfin/dozzle/based
.yourinternal.domain.wow
]
externalservices[https://
whoami/based
.yourexternal.domain.wow
]
end

subgraph router L3
6432[port 6432]
80[port 80]
443[port 443]
end

subgraph cr7[frontend Caddy L7]
extendspe[docker extends service/private]
extendspub[docker extends service/public]

extendscr7[docker extends service/base]
end

subgraph cr4[frontend Caddy L4]
extendscr4[docker extends service/base]
end

subgraph cm[backend containers]
postgres
int[watchtower/cloudflare-ddns]
ext[whoami]
prv[whoami/dozzle/jellyfin/qbittorrent/code]
end

privateservices -- A record '*.yourinternal' to local NAS ip  --> 80 --> extendspe

6432 --> extendscr4
externalservices -- A record '*.yourexternal' to public ip (DDNS) --> 443 -- port forwarding to local NAS ip --> extendspub
extendscr7 --> int
extendscr4 --> postgres

extendspub --> ext
extendspe -- private_ip_range check -->prv
Loading

Prerequisites

A Synology NAS, including:

  1. Container Manager 24.0.2-1525 or higher. Only this version supports Docker Compose include statements, introduced in Docker compose 2.20.3, which this project uses.

  2. A compatible DSM version, confirmed to work on 7.2.2-72806 (Update 2 and 3).

Synology configuration

Place the entire project (repo) structure inside of your NAS with path /volume1/docker/projects (replace volume1 with your own volume). You end up with /volume1/docker/projects/garden.

Change the filename of .env.example to .env and use your own values.

Remove the .example postfix of the files in the secrets folder and use your own values.

Tasks

The tasks folder provides boot-up and shutdown scripts.

For shutdown, configure garden/tasks/main-shutdown.sh as specified in the comment of that script.

For boot-up, configure garden/tasks/main.sh as specified in the comment of that script. The following scripts are part of main:

  1. filesystem.sh creates the filesystem structure, shares, users, groups and permissions (inspired by DrFrankenstein), also modifies .env file variables.

  2. configuredocker.sh fixes the iptables for docker (introduced by Pedro Lamas) and sets the group permissions for docker socket.

  3. freeports.sh frees port 443 and 80 for own use.

All scripts are idempotent and designed for repeated use without damaging an existing setup.

Containers

The docker-compose.yaml file configures all containers. Create a project called garden in Container Manager based on this file, and fill in the variables in the .env file. It does the following:

  1. Provisions watchtower, cloudflare-ddns-private and cloudflare-ddns-public as internal services without inbound traffic.

  2. Configures caddy as reverse proxy for all inbound traffic.

  3. Provisions postgres as a service via port 6432.

  4. Provisions qBittorrent as a service via port 50777.

  5. Provisions ibm-mq as a service via port 1414. With listener DEV.LISTENER.TCP, channel DEV.APP.SVRCONN, queue manager QM1, queue DEV.QUEUE.1 and cert authentication.

  6. Provisions coreDNS as a service via port 53 (udp and tcp).

  7. Provisions the following http/https services:

public Uri Authentication
yes https://auth.domain.wow tinyauth itself
yes https://whoami.yourexternal.domain.wow tinyauth
yes https://based.yourexternal.domain.wow DSM
no http://based.yourinternal.domain.wow DSM
no http://jellyfin.yourinternal.domain.wow jellyfin
no http://code.yourinternal.domain.wow tinyauth
no http://whoami.yourinternal.domain.wow tinyauth
no http://qbittorrent.yourinternal.domain.wow tinyauth
no http://dozzle.yourinternal.domain.wow tinyauth
no http://radarr.yourinternal.domain.wow tinyauth
no http://bazarr.yourinternal.domain.wow tinyauth
no http://prowlarr.yourinternal.domain.wow tinyauth
no http://ibmmq.yourinternal.domain.wow/ibmmq/console tinyauth

If not public, it's;

  • blocking any traffic that doesn't originate private_ip_range;
  • only resolvable locally.

Application configuration

Jellyfin

Transcoding settings in jellyfin admin dashboard, under http://jellyfin.yourinternal.domain.wow/web/#/dashboard/playback/transcoding. Specific for each CPU, assumes you're using a Gemini Lake Refresh model. Check for init_hw_device in logs to confirm it's working.

Hardware acceleration: Intel QuickSync

Enable hardware decoding for:

  • H264
  • HEVC
  • MPEG2
  • VC1
  • VP8
  • VP9
  • HEVC 10 bit
  • VP9 10 bit
  • Prefer OS native DXVA or VA-API hardware decoders

Hardware encoding options:

  • Enable hardware encoding
  • Allow encoding in HEVC format
  • Enable VPP Tone mapping
  • Enable Tone mapping

qBittorrent

  1. Default username: admin, password is printed in container log first time. Go to Options - WebUI - Authentication - check Bypass authentication for clients in the whitelisted IP subnets and add 0.0.0.0/0 as value since we use tinyauth instead.

  2. Change the listening port to 50777 for incoming connections.

Radarr

  1. Go to Settings - Connections and configure Jellyfin with:

    • Host - jellyfin
    • Port - 8096

  2. Go to Settings - General and set Authentication Required to Disabled for Local Addresses since we use tinyauth instead.

Prowlarr

  1. Go to Settings - Apps and configure Radarr with:

    • Prowlarr Server - http://prowlarr:9696
    • Radarr Server - http://radarr:7878

  2. Go to Settings - General and set Authentication Required to Disabled for Local Addresses since we use tinyauth instead.

Bazarr

  1. Go to Settings - Radarr and configure Radarr with:
    • Enabled - true
    • Host Address - radarr
    • API Key - add from Radarr - Settings - General - API Key
  2. Go to Settings - Languages and configure via bazarr languages guide.
  3. Go to settings - Providers and configure via bazarr providers guide for OpenSubtitles.com, Supersubtitles and Gestdown (Addic7ed proxy).
  4. Set the language profile for existing media, via bazarr - First Time Installation Configuration.

Postgres

  1. Make sure to create an init.sql file containing ALTER ROLE admin SUPERUSER;, or similar, and place it into ${host_data_config_path}/postgres/scripts, this folder is mounted in /docker-entrypoint-initdb.d/ so postgres picks this up.

License

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

CC BY-NC-SA 4.0

About

Bootstrap your Synology NAS setup with automatic provisioning for everything related to the filesystem, DSM and Container Manager.

guanchen.nl

Topics

docker docker-compose architecture container caddy synology nas dsm duckdns jellyfin container-manager

Resources

Readme

License

View license
Activity

Stars

13 stars

Watchers

2 watching

Forks

0 forks
Report repository

Languages