3. Pro Path

Docs for IT professionals

Installation

Your basic prerequisites for Infinity Tools installation.

Installation

1: Getting Started

This guide is designed for IT professionals who are familiar with Linux, servers, networking, and modern DevOps practices. If you're comfortable with Docker, containerization, and command-line administration, you're in the right place.

Prerequisites

Before installing Infinity Tools, ensure you have:

Required

Technical Knowledge Assumed

This guide assumes you're familiar with:

Server Setup Options

Option 1: Self-Hosted Server

If you have physical hardware or are running a virtualization platform:

Requirements:

Considerations:

Option 2: Cloud/VPS Provider

Most IT professionals will use a cloud provider. Popular options include:

Hetzner Cloud (Recommended)

DigitalOcean

Other Options:

Server Configuration

Regardless of your hosting choice, configure your server with:

  1. Fresh Linux Installation
    • Clean install of your preferred distribution
    • All security updates applied (apt update && apt upgrade or equivalent)
  2. Non-Root User with Sudo
    • Create a user account with sudo privileges
    • SSH key authentication configured (password auth disabled recommended)
  3. Basic Firewall
    • At minimum, allow SSH (port 22) and HTTP/HTTPS (ports 80/443)
    • UFW or firewalld configured and enabled
  4. DNS Configuration (for SSL certificates)
    • Domain name pointing to your server's IP address
    • If using Traefik, ensure DNS A record is configured before installation

System Requirements

Minimum Specifications

Storage Considerations

Infinity Tools stores data in /opt/speedbits/ by default:

Ensure sufficient disk space and consider:

What You'll Need Before Installation

1. Domain Name (Optional but Recommended)

For automatic SSL certificates via Let's Encrypt:

Without a domain: You can still use Infinity Tools with self-signed certificates or IP-based access, but SSL won't be automatically trusted by browsers.

2. Email Address

For SSL certificate notifications and administrative purposes:

3. SSH Access

Ensure you can:

Next Steps

Once your server is ready:

  1. SSH into your server
  2. Download or transfer Infinity Tools installer
  3. Run the installer (covered in the next article)

The installation process will:

Quick Reference

Installation Path: /opt/InfinityTools/
Command: sudo infinity-tools
Data Directory: /opt/speedbits/
Configuration: /opt/speedbits/_configuration/

Common Considerations

Firewall Ports

Default ports used by Infinity Tools:

Docker Resources

Docker will be installed if not present. Consider:

Backup Strategy

Infinity Tools includes Borgmatic for backups, but you should also:

Troubleshooting

Common Issues

Port conflicts: Check for existing services using ports 80/443 or other expected ports.

Network issues: Ensure firewall allows necessary traffic and DNS is properly configured.

Ready to Install?

Once your server meets these prerequisites, proceed to the installation guide which will cover:


Next: Installation and Initial Setup Guide (Article 2)

Installation

2: Installing Infinity Tools

This chapter covers the complete installation process for Infinity Tools on your Linux server. We'll cover SSH connection, downloading the installer, and running the installation with technical details relevant to system administrators.

Prerequisites Recap

Ensure you have:

Obtaining the Infinity Tools Installer

You'll receive the Infinity Tools installer as a file (typically named infinity-tools-installer.run) through your preferred delivery method.

File Transfer Methods

Method 1: SCP (Secure Copy) - Recommended

# From your local machine
scp infinity-tools-installer.run root@YOUR_SERVER_IP:/tmp/

Method 2: SFTP (Secure File Transfer Protocol)

# Connect via SFTP
sftp root@YOUR_SERVER_IP

# Upload file
put infinity-tools-installer.run /tmp/

# Exit SFTP
quit

Verify File Integrity

# Check file size
ls -lh infinity-tools-installer.run

# Verify file type
file infinity-tools-installer.run

# Check for corruption (if checksum available)
# sha256sum infinity-tools-installer.run
# Compare with provided checksum

# Verify file permissions
ls -la infinity-tools-installer.run
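The checksum step above is commented out because a checksum may or may not be delivered with the installer. When one is, the check should gate the `chmod +x`, not follow it. The script below is an added example and not part of the Infinity Tools installer; the expected digest is whatever value was delivered out-of-band with the file, and `install_if_verified` is a name chosen here.

```sh
#!/bin/sh
# Added example: verify the installer against a published SHA-256 digest
# before marking it executable. Not part of Infinity Tools itself.

# Print the SHA-256 hex digest of a file (sha256sum on Linux, shasum elsewhere).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Compare a file against the expected digest (hex, case-insensitive).
# Returns 0 on match, 1 on mismatch, 2 if the file cannot be read.
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -r "$file" ] || return 2
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ]
}

# Only make the installer executable once the digest matches.
# Usage: install_if_verified /tmp/infinity-tools-installer.run <expected-sha256>
install_if_verified() {
  if verify_sha256 "$1" "$2"; then
    chmod 0755 "$1"
    echo "checksum OK: $1"
  else
    echo "checksum MISMATCH or unreadable file: $1 (not marking executable)" >&2
    return 1
  fi
}
```

Run it with the digest you were given; a mismatch leaves the file non-executable and returns a non-zero status, so the check can be chained with `&& sudo ./infinity-tools-installer.run`.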

Installation Process

Pre-Installation Setup

Make the installer executable and verify permissions:

chmod +x infinity-tools-installer.run
ls -la infinity-tools-installer.run

Run Installation

Execute the installer with root privileges:

sudo ./infinity-tools-installer.run

Installation Process Details

The installer performs the following operations:

  1. Archive Extraction:
    • Uses makeself to extract the archive to a temporary directory
    • Creates /tmp/selfgz[random]/InfinityTools/
    • Contains all scripts, configurations, and dependencies
  2. File Installation:
    • Copies files to /opt/InfinityTools/
    • Sets executable permissions on all *.sh files
    • Preserves directory structure and file ownership
  3. Dependency Installation:
    • Installs GUM (interactive menu tool) if not present
    • Detects package manager (apt, dnf, pacman, apk)
    • Adds repository and installs via appropriate package manager
  4. System Integration:
    • Creates symbolic link: /usr/local/bin/infinity-tools
    • Creates desktop entry (if GUI environment detected)
    • Sets up proper file permissions and ownership

Installation Output

Expected installation output:

╔════════════════════════════════════════════════════════════════════════════════╗
║                                                                                ║
║                    ♾️  Infinity Tools - Linux Server Suite                     ║
║                                                                                ║
╚════════════════════════════════════════════════════════════════════════════════╝

📦 Installing Infinity Tools...
   Source: /tmp/selfgz12345/InfinityTools
   Target: /opt/InfinityTools

📋 Copying files...
🔧 Setting permissions...
📦 Checking dependencies...
   Installing 'gum' (interactive menu tool)...
🔗 Creating command shortcut...
🖥️  Creating desktop shortcut...

╔════════════════════════════════════════════════════════════════════════════════╗
║                     ✅ INSTALLATION SUCCESSFUL!                                ║
╚════════════════════════════════════════════════════════════════════════════════╝

First Run

Launch Infinity Tools

sudo bash infinity-tools

Initial System Check

On first run, Infinity Tools will:

Menu Navigation

The main menu provides access to:

Installation Architecture

Directory Structure

/opt/InfinityTools/
├── start-tools.sh              # Main launcher script
├── install.sh                  # Installation script
├── Solutions/                  # Application installers
│   ├── setup-traefik.sh
│   ├── setup-wordpress.sh
│   └── ...
├── Infrastructure/             # Core system tools
│   ├── install-docker.sh
│   ├── increase-security.sh
│   └── ...
├── StartHelper/                # Helper modules
│   ├── menu-builder.sh
│   ├── service-metadata.sh
│   └── ...
├── Uninstallations/            # Removal scripts
├── Fallback/                   # Recovery tools
└── Repair/                     # Maintenance utilities

Data Directory

Application data is stored in:

/opt/speedbits/
├── _configuration/             # Global configuration
├── traefik/                    # Traefik data
├── wordpress/                  # WordPress instances
├── vaultwarden/                # Vaultwarden data
└── ...

Configuration Management

Global Configuration

Infinity Tools uses a centralized configuration system:

# Main configuration file
/opt/speedbits/_configuration/config

# Port configuration
Infrastructure/ports-config.yml

# Service metadata
StartHelper/service-metadata.sh

Environment Variables

Key environment variables for customization:

# Debug mode
export INFINITY_DEBUG=true

# Custom installation path (not recommended)
export INFINITY_INSTALL_DIR=/custom/path

# Disable tracking
export INFINITY_NO_TRACKING=true

Security Considerations

File Permissions

# Check script permissions
find /opt/InfinityTools -name "*.sh" -ls

# Verify ownership
ls -la /opt/InfinityTools/

# Check for world-writable files
find /opt/InfinityTools -perm -002 -type f

Network Security

Infinity Tools implements:

Troubleshooting

Common Issues

Installation fails with permission errors:

# Ensure running as root
sudo whoami

# Check file permissions
ls -la infinity-tools-installer.run

# Verify disk space
df -h /opt

GUM installation fails:

# Manual GUM installation
curl -sL https://github.com/charmbracelet/gum/releases/download/v0.13.0/gum_0.13.0_Linux_x86_64.tar.gz | tar -xz
sudo mv gum /usr/local/bin/

Command not found after installation:

# Check symbolic link
ls -la /usr/local/bin/infinity-tools

# Recreate if missing
sudo ln -sf /opt/InfinityTools/start-tools.sh /usr/local/bin/infinity-tools

# Update PATH if necessary
echo 'export PATH="/usr/local/bin:$PATH"' >> ~/.bashrc
source ~/.bashrc

Log Analysis

# Check installation logs
journalctl -u infinity-tools 2>/dev/null || echo "No systemd service"

# Check Docker logs
docker logs infinity-tools 2>/dev/null || echo "No Docker container"

# Check system logs
tail -f /var/log/syslog | grep -i infinity

Uninstallation

Complete Removal

# Remove Infinity Tools
sudo rm -rf /opt/InfinityTools/

# Remove symbolic link
sudo rm -f /usr/local/bin/infinity-tools

# Remove desktop entry
sudo rm -f /usr/share/applications/infinity-tools.desktop

# Remove data (WARNING: This deletes all application data)
sudo rm -rf /opt/speedbits/

Selective Cleanup

To remove only Infinity Tools while preserving data:

# Remove only the application
sudo rm -rf /opt/InfinityTools/

# Keep data directory
# /opt/speedbits/ remains intact

Next Steps

After successful installation:

  1. Install Docker: Navigate to Infrastructure → Install Docker
  2. Configure Traefik: Set up reverse proxy and SSL
  3. Deploy Applications: Install your required services
  4. Configure Backups: Set up Borgmatic for data protection
  5. Security Hardening: Apply security configurations

Quick Reference

# Start Infinity Tools
sudo infinity-tools

# Manual execution
cd /opt/InfinityTools && sudo bash start-tools.sh

# Check status
sudo infinity-tools --status 2>/dev/null || echo "Status check not available"

# View logs
sudo journalctl -f -u infinity-tools 2>/dev/null || echo "No systemd service"

# Update (if available)
cd /opt/InfinityTools && git pull 2>/dev/null || echo "Not a git repository"

Installation Complete: Infinity Tools is now installed and ready for configuration. Proceed to the next chapter to begin deploying your infrastructure stack.

Next: Infrastructure Setup and Application Deployment (Chapter 3)

Foundations

Foundational apps for almost any Infinity Tools installation.

Foundations

3: Infrastructure Prerequisites

This chapter covers the essential infrastructure components that must be in place before deploying applications with Infinity Tools. The system includes automated readiness checks, but understanding the underlying architecture is crucial for troubleshooting and optimization.

Prerequisites Overview

Infinity Tools requires the following infrastructure components, which it handles automatically:

Automated Readiness Check

Infinity Tools includes an automated readiness checker that validates and installs prerequisites:

sudo infinity-tools

The readiness check performs the following operations in sequence:

1. System Requirements Validation

# Check root privileges
[ "$EUID" -eq 0 ]

# Verify disk space (minimum 1GB)
df / | awk 'NR==2 {print $4}'

# Check for download tools
command -v curl || command -v wget

# WSL2 detection and configuration
grep -qi microsoft /proc/version

2. GUM Installation

GUM provides the modern terminal UI. Installation process:

# Architecture detection
arch=$(uname -m)
case $arch in
    x86_64) arch="x86_64" ;;
    aarch64|arm64) arch="arm64" ;;
    armv7l) arch="armv7" ;;
esac

# Download and install binary
gum_version="v0.13.0"
download_url="https://github.com/charmbracelet/gum/releases/download/${gum_version}/gum_${gum_version#v}_Linux_${arch}.tar.gz"

3. Docker Installation and Configuration

Docker installation is handled by the install-docker.sh script:

# Check existing installation
command -v docker

# Verify Docker service status
systemctl is-active docker

# Check Docker Compose availability
docker compose version || docker-compose --version

4. Docker Network Setup

Creates the default "proxy" network for service communication:

# Check existing networks
docker network ls --format '{{.Name}}' | grep -v -E '^(bridge|host|none)$'

# Create network if needed
docker network create proxy

# Store network configuration
echo "DOCKER_NETWORK=proxy" > /tmp/infinity-tools-network.conf
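The four steps above are what the readiness check does; the following is an added, self-contained POSIX sh version of the same sequence, written for this page and not taken from the Infinity Tools scripts. The 1 GiB threshold is the minimum quoted in step 1, the architecture table and URL pattern are those of step 2, and the network name `proxy` is the one created in step 4; the function names are chosen here.

```sh
#!/bin/sh
# Added readiness-check example modelled on steps 1-4 above (not the
# Infinity Tools checker itself). Pure helpers take their input as
# arguments or stdin so they can be tested without root or Docker.

MIN_FREE_KB=1048576   # 1 GiB in 1K blocks, the minimum named in step 1
PROXY_NETWORK=proxy   # network created in step 4

# Map `uname -m` output to the suffix used by GUM release archives.
gum_arch() {
  case "$1" in
    x86_64)        echo x86_64 ;;
    aarch64|arm64) echo arm64 ;;
    armv7l)        echo armv7 ;;
    *)             return 1 ;;
  esac
}

# Build the GUM download URL for a version tag (e.g. v0.13.0) and `uname -m` value.
gum_download_url() {
  arch=$(gum_arch "$2") || return 1
  echo "https://github.com/charmbracelet/gum/releases/download/$1/gum_${1#v}_Linux_${arch}.tar.gz"
}

# Free-space check on a value in 1K blocks (what `df -Pk` prints in column 4).
has_min_free_kb() { [ "$1" -ge "$2" ]; }

# Read network names (one per line, as printed by
# `docker network ls --format '{{.Name}}'`) from stdin; succeed if $1 is present.
network_listed() { grep -qx "$1"; }

# Print the available download tool, or fail if neither exists.
download_tool() {
  if command -v curl >/dev/null 2>&1; then echo curl
  elif command -v wget >/dev/null 2>&1; then echo wget
  else return 1; fi
}

# Run the checks against this host; prints each failure and returns their count.
readiness_check() {
  failures=0
  [ "$(id -u)" -eq 0 ] || { echo "FAIL: must run as root"; failures=$((failures+1)); }
  avail=$(df -Pk / | awk 'NR==2 {print $4}')
  has_min_free_kb "$avail" "$MIN_FREE_KB" \
    || { echo "FAIL: only ${avail} KB free on /"; failures=$((failures+1)); }
  download_tool >/dev/null \
    || { echo "FAIL: neither curl nor wget is installed"; failures=$((failures+1)); }
  gum_arch "$(uname -m)" >/dev/null \
    || { echo "FAIL: unsupported architecture $(uname -m)"; failures=$((failures+1)); }
  if command -v docker >/dev/null 2>&1; then
    docker network ls --format '{{.Name}}' | network_listed "$PROXY_NETWORK" \
      || echo "INFO: network $PROXY_NETWORK missing; create it with: docker network create $PROXY_NETWORK"
  else
    echo "INFO: docker not installed yet; install-docker.sh handles that step"
  fi
  return "$failures"
}
```

Call `readiness_check` as root to run the live checks; the helpers it builds on (`gum_arch`, `gum_download_url`, `has_min_free_kb`, `network_listed`) can be exercised on any machine.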

Docker Architecture

Container Runtime

Infinity Tools uses Docker Engine with the following configuration:

Docker Compose Integration

All services are defined using Docker Compose v2 (plugin) format:

version: '3.8'

services:
  service-name:
    image: image:tag
    container_name: service-name
    restart: unless-stopped
    networks:
      - proxy
    volumes:
      - /opt/speedbits/service:/data
    environment:
      - KEY=value

Network Architecture

Default Network Configuration

The "proxy" network provides:

Network Topology

Internet → Traefik (proxy network) → Application Containers
                              ↓
                    Database Containers (borgmatic-db network)

System Dependencies

Required Packages

The readiness check installs the following packages:

# Core utilities
curl wget git jq

# UI components
gum dialog

# Optional tools
rclone

Package Manager Support

Infinity Tools supports multiple package managers:

Resource Requirements

Minimum Specifications

Storage Considerations

Infinity Tools uses the following storage structure:

/opt/speedbits/
├── _configuration/          # Global configuration
├── traefik/                 # Traefik data and certificates
├── wordpress/               # WordPress instances
├── vaultwarden/             # Vaultwarden data
└── ...                      # Other service data

/var/lib/docker/             # Docker system data
├── volumes/                 # Named volumes
├── networks/                # Network configurations
└── containers/              # Container data

Security Considerations

Docker Security

File Permissions

# Check script permissions
find /opt/InfinityTools -name "*.sh" -exec ls -la {} \;

# Verify ownership
ls -la /opt/InfinityTools/

# Check for world-writable files
find /opt/InfinityTools -perm -002 -type f

Monitoring and Troubleshooting

System Status Commands

# Docker status
systemctl status docker
docker info

# Network status
docker network ls
docker network inspect proxy

# Container status
docker ps -a
docker stats

# Logs
journalctl -u docker
docker logs container-name

Common Issues

Docker service not starting:

sudo systemctl start docker
sudo systemctl enable docker
sudo systemctl status docker

Network creation fails:

# Check if network already exists
docker network ls | grep proxy

# Remove and recreate if needed
docker network rm proxy
docker network create proxy

Permission issues:

# Add user to docker group
sudo usermod -aG docker $USER
newgrp docker

# Check group membership
groups $USER

Performance Optimization

Docker Configuration

For production environments, consider these optimizations:

# /etc/docker/daemon.json
{
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "3"
  },
  "storage-driver": "overlay2",
  "storage-opts": [
    "overlay2.override_kernel_check=true"
  ]
}

Resource Limits

Set appropriate resource limits for containers:

services:
  service-name:
    deploy:
      resources:
        limits:
          memory: 512M
          cpus: '0.5'
        reservations:
          memory: 256M
          cpus: '0.25'

Backup Considerations

Docker Data Backup

Important data locations for backup:

Next Steps

With infrastructure prerequisites satisfied, you're ready to deploy Traefik - the reverse proxy that provides SSL termination and routing for all services.

Verification Checklist


Next: Installing Traefik - Reverse Proxy Configuration (Chapter 4)

Foundations

4: Traefik - Reverse Proxy Configuration

Traefik serves as the reverse proxy and SSL termination point for all Infinity Tools services. This chapter covers the installation, configuration, and management of Traefik within the Infinity Tools ecosystem. For advanced configuration and troubleshooting, refer to the official Traefik documentation.

Traefik Architecture Overview

Traefik provides the following core functionality:

Installation Process

Via Infinity Tools Menu

Navigate to the Infinity Tools menu and select:

🔐 SECURITY & NETWORKING → Install Traefik

Command Line Installation

# Direct script execution
sudo bash /opt/InfinityTools/Solutions/setup-traefik.sh --install

# With environment variables
export ACME_EMAIL="admin@domain.com"
export PROXY_NETWORK="proxy"
sudo -E bash /opt/InfinityTools/Solutions/setup-traefik.sh --install

Configuration Parameters

Required Configuration

During installation, you'll be prompted for:

Environment Variables

# Optional environment variables
export ACME_EMAIL="admin@domain.com"        # Let's Encrypt email
export PROXY_NETWORK="proxy"                # Docker network name
export TRAEFIK_DOMAIN="traefik.domain.com"  # Traefik dashboard domain
export TRAEFIK_PORT="8080"                  # Dashboard port (if enabled)

Generated Configuration

Traefik Configuration File

Location: /opt/speedbits/traefik/traefik.yml

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true

  websecure:
    address: ":443"

certificatesResolvers:
  myresolver:
    acme:
      email: admin@domain.com
      storage: /letsencrypt/acme.json
      httpChallenge:
        entryPoint: web

providers:
  docker:
    exposedByDefault: false

serversTransport:
  insecureSkipVerify: true

global:
  checkNewVersion: false
  sendAnonymousUsage: false

Docker Compose Configuration

Location: /opt/speedbits/traefik/docker-compose.yml

version: '3.8'

services:
  traefik:
    image: traefik:v3.0
    container_name: traefik
    command:
      - "--configFile=/traefik.yml"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /opt/speedbits/traefik/traefik.yml:/traefik.yml:ro
      - /opt/speedbits/traefik/letsencrypt:/letsencrypt
    restart: unless-stopped
    networks:
      - proxy

networks:
  proxy:
    external: true

SSL Certificate Management

Let's Encrypt Integration

Traefik automatically manages SSL certificates using Let's Encrypt:

Certificate Monitoring

# Check certificate status
docker logs traefik | grep -i acme

# View certificate files
ls -la /opt/speedbits/traefik/letsencrypt/

# Check certificate expiration (acme.json is JSON, not PEM: extract and
# decode the base64 certificate of the first entry for the "myresolver" resolver first)
jq -r '.myresolver.Certificates[0].certificate' /opt/speedbits/traefik/letsencrypt/acme.json \
  | base64 -d | openssl x509 -noout -subject -dates

Service Integration

Automatic Service Discovery

Traefik automatically discovers services with the following labels:

labels:
  - "traefik.enable=true"
  - "traefik.http.routers.service-name.rule=Host(`service.domain.com`)"
  - "traefik.http.routers.service-name.entrypoints=websecure"
  - "traefik.http.routers.service-name.tls.certresolver=myresolver"
  - "traefik.http.services.service-name.loadbalancer.server.port=8080"

Network Requirements

Services must be connected to the same Docker network as Traefik:

networks:
  - proxy

# Ensure network exists
docker network create proxy

Security Configuration

Security Headers

Traefik can be configured with security middleware:

labels:
  - "traefik.http.middlewares.security-headers.headers.customResponseHeaders.X-Content-Type-Options=nosniff"
  - "traefik.http.middlewares.security-headers.headers.customResponseHeaders.X-Frame-Options=SAMEORIGIN"
  - "traefik.http.middlewares.security-headers.headers.customResponseHeaders.X-XSS-Protection=1; mode=block"
  - "traefik.http.routers.service-name.middlewares=security-headers"

Access Control

Basic authentication can be configured for services:

# Generate password hash
echo $(htpasswd -nb admin password) | sed -e s/\\$/\\$\\$/g

# Apply to service
labels:
  - "traefik.http.middlewares.auth.basicauth.users=admin:$$2y$$10$$..."
  - "traefik.http.routers.service-name.middlewares=auth"
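The `sed` in the password step above exists because Docker Compose treats `$` in a label as variable interpolation, so every `$` in the bcrypt hash has to be doubled or Compose silently mangles the hash and the login never works. The script below is an added example written for this page, not an Infinity Tools script: it emits the label set from the service-discovery, security-headers and access-control sections above for one service, doubling the `$` characters itself. The service name, hostname, port and sample hash are constructed placeholders.

```sh
#!/bin/sh
# Added example: generate the Traefik labels for one Compose service,
# with the htpasswd hash escaped for Compose. Not part of Infinity Tools.

# Double every `$` so Compose passes the bcrypt hash through unchanged.
escape_compose_dollars() {
  printf '%s' "$1" | sed 's/\$/$$/g'
}

# Print the labels block for a service.
#   $1 router/service name   $2 public hostname   $3 container port
#   $4 optional "user:hash" line as produced by `htpasswd -nb user password`
traefik_labels() {
  name=$1 host=$2 port=$3 users=${4:-}
  printf '    labels:\n'
  printf '      - "traefik.enable=true"\n'
  printf '      - "traefik.http.routers.%s.rule=Host(`%s`)"\n' "$name" "$host"
  printf '      - "traefik.http.routers.%s.entrypoints=websecure"\n' "$name"
  printf '      - "traefik.http.routers.%s.tls.certresolver=myresolver"\n' "$name"
  printf '      - "traefik.http.services.%s.loadbalancer.server.port=%s"\n' "$name" "$port"
  # Security headers middleware, named per service so routers do not collide.
  printf '      - "traefik.http.middlewares.%s-headers.headers.customResponseHeaders.X-Content-Type-Options=nosniff"\n' "$name"
  printf '      - "traefik.http.middlewares.%s-headers.headers.customResponseHeaders.X-Frame-Options=SAMEORIGIN"\n' "$name"
  chain="${name}-headers"
  # Optional basic auth: the hash is escaped here, so paste the raw htpasswd line in.
  if [ -n "$users" ]; then
    printf '      - "traefik.http.middlewares.%s-auth.basicauth.users=%s"\n' \
      "$name" "$(escape_compose_dollars "$users")"
    chain="${chain},${name}-auth"
  fi
  printf '      - "traefik.http.routers.%s.middlewares=%s"\n' "$name" "$chain"
}

# Example invocation with a constructed hash (a real one comes from htpasswd):
# traefik_labels myapp myapp.example.com 8080 'admin:$2y$10$exampleHashOnly'
```

Paste the output under the service in its docker-compose.yml; the middleware chain applies the headers first and the authentication second, and a service without a `$4` argument gets the headers only.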

Monitoring and Logging

Traefik Dashboard

The Traefik dashboard can be enabled for monitoring:

# Add to docker-compose.yml
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.dashboard.rule=Host(`traefik.domain.com`)"
  - "traefik.http.routers.dashboard.tls.certresolver=myresolver"
  - "traefik.http.routers.dashboard.service=api@internal"

Logging Configuration

# Add to traefik.yml
log:
  level: INFO
  filePath: /var/log/traefik.log

accessLog:
  filePath: /var/log/access.log
  format: json

Performance Optimization

Resource Limits

services:
  traefik:
    deploy:
      resources:
        limits:
          memory: 512M
          cpus: '0.5'
        reservations:
          memory: 256M
          cpus: '0.25'

Caching Configuration

# Dynamic configuration: place this in a file loaded through Traefik's file provider;
# http.middlewares is not accepted in the static traefik.yml
http:
  middlewares:
    cache:
      headers:
        customResponseHeaders:
          Cache-Control: "max-age=3600"

Troubleshooting

Common Issues

Certificate Generation Fails:

# Check domain DNS resolution
dig domain.com
nslookup domain.com

# Verify port 80 accessibility
telnet domain.com 80

# Check Traefik logs
docker logs traefik | grep -i acme

Service Not Accessible:

# Check service labels
docker inspect service-name | grep -A 10 Labels

# Verify network connectivity
docker network inspect proxy

# Check Traefik routing
curl -H "Host: service.domain.com" http://localhost

Performance Issues:

# Monitor resource usage
docker stats traefik

# Check connection limits
ss -tulnp | grep :443

# Review access logs
tail -f /opt/speedbits/traefik/logs/access.log

Debugging Commands

# Check Traefik configuration
docker exec traefik traefik version

# Test configuration (Traefik v3 flag syntax)
docker exec traefik traefik --configFile=/traefik.yml --log.level=DEBUG

# View active routes
curl -s http://localhost:8080/api/http/routers | jq

# Check certificate status
docker exec traefik cat /letsencrypt/acme.json | jq

Backup and Recovery

Configuration Backup

# Backup Traefik configuration
tar -czf traefik-backup.tar.gz -C /opt/speedbits/traefik .

# Backup SSL certificates
cp -r /opt/speedbits/traefik/letsencrypt/ /backup/traefik-certs/

Disaster Recovery

# Restore configuration
tar -xzf traefik-backup.tar.gz -C /opt/speedbits/traefik/

# Restart Traefik
cd /opt/speedbits/traefik
docker compose down
docker compose up -d

Integration with Other Services

Service Dependencies

Most Infinity Tools services check for Traefik availability:

# Service installation checks
if ! docker ps --format '{{.Names}}' | grep -q "^traefik$"; then
    echo "Traefik is not running!"
    echo "Please install Traefik first"
    exit 1
fi

Network Integration

Services automatically join the proxy network:

networks:
  proxy:
    external: true
    name: proxy

Advanced Configuration

Custom Middleware

# Rate limiting
labels:
  - "traefik.http.middlewares.ratelimit.ratelimit.burst=100"
  - "traefik.http.middlewares.ratelimit.ratelimit.average=50"

# IP whitelisting
labels:
  - "traefik.http.middlewares.ipwhitelist.ipwhitelist.sourcerange=192.168.1.0/24"

Load Balancing

labels:
  - "traefik.http.services.service-name.loadbalancer.server.port=8080"
  - "traefik.http.services.service-name.loadbalancer.healthcheck.path=/health"
  - "traefik.http.services.service-name.loadbalancer.healthcheck.interval=30s"

Next Steps

With Traefik installed and configured, you can now deploy applications that will automatically integrate with the reverse proxy system.

Verification Checklist


Next: Application Deployment and Management (Coming Soon)

Foundations

5: Apprise - Notifications Hub

Apprise provides a unified notification gateway (HTTP API) for 90+ providers (email, Slack, Discord, Telegram, etc.). Infinity Tools integrates Apprise for infrastructure alerts (e.g., Borgmatic). For provider matrices and syntax, see the official Apprise documentation.

We included it here because Borgmatic, the backup solution provided by Infinity Tools, requires it (and we assume you want to create backups).

Prerequisites

Installation via Infinity Tools

Menu Installation

📱 APPLICATIONS → Apprise → Install

CLI Installation

sudo bash /opt/InfinityTools/Solutions/setup-apprise.sh --install
# With domain (Traefik mode)
export APPRISE_DOMAIN="alerts.example.com"
sudo -E bash /opt/InfinityTools/Solutions/setup-apprise.sh --install

Service Endpoints

Provider URLs

Apprise uses provider URLs to define targets:

# SMTP (STARTTLS)
mailtos://USERNAME:PASSWORD@SMTP_HOST:587/?from=from@example.com&to=ops@example.com

# Slack (Webhook)
slack://TOKENA/TOKENB/TOKENC

# Telegram
tgram://BOT_TOKEN/CHAT_ID

Sending Notifications

cURL

curl -X POST "http://apprise:8000/notify" \
  -d "title=Backup" \
  -d "body=Borgmatic completed successfully" \
  -d "urls=PROVIDER_URL"

JSON

curl -X POST "http://apprise:8000/notify" \
  -H 'Content-Type: application/json' \
  -d '{
    "title": "Backup",
    "body": "Borgmatic completed successfully",
    "urls": ["PROVIDER_URL1", "PROVIDER_URL2"]
  }'

Integration Notes

Troubleshooting

Next

Proceed to Borgmatic (Chapter 6) to configure automated backups with notifications.

Foundations

6: Borgmatic - Enterprise Backup Solution

Borgmatic is a configuration-driven wrapper for BorgBackup that provides enterprise-grade backup capabilities with deduplication, encryption, and automated scheduling. It implements a dual-backup strategy separating file and database backups with different retention policies. For comprehensive configuration options, advanced features, and API documentation, please refer to the official Borgmatic documentation.

Interdependencies

Required dependency: Apprise must be installed and running for notification delivery (success/failure/security alerts). Install via 📱 APPLICATIONS → Apprise → Install before enabling Borgmatic.

Prerequisites

Architecture Overview

Borgmatic in Infinity Tools implements a sophisticated backup architecture:

Installation Methods

Via Infinity Tools Menu

Navigate to the Infinity Tools menu and select:

💾 BACKUP MANAGEMENT → Install Borgmatic

Command Line Installation

# Direct script execution
sudo bash /opt/InfinityTools/Solutions/setup-borgmatic.sh --install

# With environment variables
export BORGMATIC_SCHEDULE="daily"
export BORGMATIC_RETENTION="7,4,6"
export BORGMATIC_COMPRESSION="zstd"
export BORGMATIC_ENCRYPTION="repokey"
sudo -E bash /opt/InfinityTools/Solutions/setup-borgmatic.sh --install

Configuration Parameters

Schedule Configuration

Borgmatic supports multiple schedule options:

# Environment Variables
export BORGMATIC_SCHEDULE="daily"        # daily, twice-daily, weekly
export BORGMATIC_RETENTION="7,4,6"       # daily,weekly,monthly
export BORGMATIC_COMPRESSION="zstd"      # lz4, zlib, lzma, zstd
export BORGMATIC_ENCRYPTION="repokey"    # none, keyfile, repokey

Dual Backup Strategy

The system implements two separate backup configurations:

Generated Configuration

File Backup Configuration

Location: /opt/speedbits/borgmatic/borgmatic-files.yml

# Borgmatic Files Configuration
source_directories:
    - /opt/speedbits

repositories:
    - path: /backups/borgmatic-repo
      label: speedbits-repo

exclude_patterns:
    - '*.tmp'
    - '*.log'
    - '*/logs/*'
    - '*/cache/*'
    - '*/tmp/*'
    - '*/.git/*'
    - '*/node_modules/*'
    - '*/venv/*'
    - '*/__pycache__/*'
    - '*/database-dumps/*'
    - '*/netdata/lib/*'
    - '*/netdata/cache/*'

compression: zstd
archive_name_format: 'speedbits-files-{hostname}-{now:%Y-%m-%d-%H%M%S}'

keep_daily: 7
keep_weekly: 4
keep_monthly: 6

checks:
    - name: repository
      frequency: 2 weeks
    - name: archives
      frequency: 2 weeks

Database Backup Configuration

Location: /opt/speedbits/borgmatic/borgmatic-databases.yml

# Borgmatic Database Configuration
source_directories:
    - /backups/database-dumps

repositories:
    - path: /backups/borgmatic-repo
      label: speedbits-repo

compression: zstd,9
archive_name_format: 'speedbits-databases-{hostname}-{now:%Y-%m-%d-%H%M%S}'

keep_hourly: 48
keep_daily: 7

# Database preparation hooks
hooks:
    before_backup:
        - /usr/local/bin/backup-databases.sh
    after_backup:
        - /usr/local/bin/cleanup-database-dumps.sh

Security Features

Ransomware Protection

Borgmatic implements canary file monitoring:

# Canary file system
mkdir -p /opt/speedbits/dont-touch-this-folder
echo "This is a test" > /opt/speedbits/dont-touch-this-folder/dont-change-this-file-critical-data.txt
chmod 644 /opt/speedbits/dont-touch-this-folder/dont-change-this-file-critical-data.txt

# Security monitoring in borgmatic-files.yml
commands:
    - before: action
      when: [create]
      run:
          - if [ ! -f /opt/speedbits/dont-touch-this-folder/dont-change-this-file-critical-data.txt ]; then echo "CANARY FILE MISSING!" && curl -X POST http://apprise:8000/notify -d "body=SECURITY ALERT Canary file is MISSING." -d "title=CANARY FILE MISSING" -d "tag=security" 2>/dev/null || true && exit 1; fi
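The hook above only tests whether the canary file still exists. Ransomware that encrypts in place leaves the file present with changed content, so a check on the content catches a second failure mode. The script below is an added example written for this page, not an Infinity Tools script: it returns distinct codes for "missing" and "modified", alerts through the same Apprise endpoint, and aborts the run so a tampered tree is not archived over good history. The paths and endpoint are the ones used on this page; the reference text matches the `echo` above and the function names are chosen here.

```sh
#!/bin/sh
# Added example: canary check callable from a borgmatic `commands:` hook.
# Not part of Infinity Tools itself.

CANARY=/opt/speedbits/dont-touch-this-folder/dont-change-this-file-critical-data.txt
CANARY_TEXT="This is a test"          # content written when the canary was created
APPRISE_URL=http://apprise:8000/notify

# Returns 0 if the canary exists with exactly the expected content,
# 1 if it is missing, 2 if its content changed (overwritten or encrypted).
canary_check() {
  file=$1
  expected=$2
  [ -f "$file" ] || return 1
  printf '%s\n' "$expected" | cmp -s - "$file" || return 2
  return 0
}

# Send a security alert through Apprise; never fails the caller itself.
send_alert() {
  curl -s -X POST "$APPRISE_URL" -d "title=$1" -d "body=$2" -d "tag=security" \
    >/dev/null 2>&1 || true
}

# Hook entry point: alert and return non-zero so borgmatic aborts the create action.
canary_guard() {
  rc=0
  canary_check "$CANARY" "$CANARY_TEXT" || rc=$?
  case $rc in
    0) return 0 ;;
    1) send_alert "CANARY FILE MISSING" "SECURITY ALERT: canary file is missing"; return 1 ;;
    *) send_alert "CANARY FILE MODIFIED" "SECURITY ALERT: canary file content changed"; return 1 ;;
  esac
}

# Usage from borgmatic-files.yml (before: action, when: [create]):
#   run:
#       - /usr/local/bin/canary-guard.sh    # a file containing this script plus: canary_guard
```

Because `cmp` compares the bytes rather than a stripped string, a canary that has been padded, truncated or re-encoded trips the "modified" branch even when it still starts with the original text.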

Encryption Configuration

Borgmatic uses repokey encryption mode:

# Repository initialization
borg init --encryption=repokey --make-parent-dirs /backups/borgmatic-repo

# Passphrase management
BORG_PASSCOMMAND="cat /etc/borgmatic/repo-passphrase.txt"
export BORG_PASSCOMMAND

Database Integration

Multi-Database Support

Borgmatic automatically discovers and backs up multiple database types:

#!/bin/bash
# /usr/local/bin/backup-databases.sh - database discovery and dump script
# (run from borgmatic's before_backup hook)

DUMP_DIR=/backups/database-dumps
STAMP=$(date +%Y%m%d-%H%M%S)
mkdir -p "$DUMP_DIR"

# MariaDB/MySQL
if docker ps --format '{{.Names}}' | grep -q "mariadb\|mysql"; then
    docker exec mariadb mysqldump --all-databases > "$DUMP_DIR/mariadb-$STAMP.sql"
fi

# PostgreSQL
if docker ps --format '{{.Names}}' | grep -q "postgres"; then
    docker exec postgres pg_dumpall > "$DUMP_DIR/postgres-$STAMP.sql"
fi

# SQLite: copy every database file found under the data directory
find /opt/speedbits -type f \( -name "*.db" -o -name "*.sqlite" -o -name "*.sqlite3" \) | while read -r db; do
    cp "$db" "$DUMP_DIR/sqlite-$(basename "$db")-$STAMP"
done

Docker Compose Configuration

Container Setup

Location: /opt/speedbits/borgmatic/docker-compose.yml

version: '3.8'

services:
  borgmatic:
    image: borgmatic/borgmatic:latest
    container_name: borgmatic
    restart: unless-stopped
    environment:
      BORG_PASSCOMMAND: "cat /etc/borgmatic/repo-passphrase.txt"
    volumes:
      - /opt/speedbits:/opt/speedbits:ro
      - /opt/speedbits-backup:/backups
      - /opt/speedbits/borgmatic:/etc/borgmatic:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - borgmatic-network
      - borgmatic-db
    command: |
      /bin/sh -c "
        echo 'Initializing Borgmatic...'
        
        # Install rclone for cloud storage support
        if ! command -v rclone >/dev/null 2>&1; then
          echo 'Installing rclone for cloud storage support...'
          apk add --no-cache rclone || echo 'rclone installation failed, continuing...'
        fi
        
        # Initialize repository if needed
        if ! borg info /backups/borgmatic-repo >/dev/null 2>&1; then
          echo 'Creating new Borg repository...'
          borg init --encryption=repokey --make-parent-dirs /backups/borgmatic-repo
        fi
        
        # Set up cron jobs
        {
          echo 'BORG_PASSCOMMAND=\"cat /etc/borgmatic/repo-passphrase.txt\"'
          echo '0 2 * * * borgmatic --config /etc/borgmatic/borgmatic-files.yml create --verbosity 1'
          echo '0 */6 * * * borgmatic --config /etc/borgmatic/borgmatic-databases.yml create --verbosity 1'
        } | crontab -
        
        # Start cron daemon
        crond -f
      "

networks:
  borgmatic-network:
    driver: bridge
  borgmatic-db:
    external: true

Monitoring and Notifications

Apprise Integration

Borgmatic integrates with Apprise for notifications:

# Notification configuration in borgmatic-files.yml
commands:
    - before: action
      when: [create]
      run:
          - curl -X POST http://apprise:8000/notify -d "body=Starting scheduled file backup" -d "title=File Backup Started" -d "tag=backup" 2>/dev/null || true
    
    - after: action
      when: [create]
      states: [finish]
      run:
          - curl -X POST http://apprise:8000/notify -d "body=File backup completed successfully" -d "title=File Backup Complete" -d "tag=backup" 2>/dev/null || true
    
    - after: action
      when: [create]
      states: [fail]
      run:
          - curl -X POST http://apprise:8000/notify -d "body=File backup FAILED" -d "title=File Backup FAILED" -d "tag=backup,error" 2>/dev/null || true

Health Monitoring

# Check backup status
docker exec borgmatic borg list /backups/borgmatic-repo

# Check repository integrity
docker exec borgmatic borg check /backups/borgmatic-repo

# View backup logs
docker logs borgmatic

# Check cron jobs
docker exec borgmatic crontab -l

Advanced Configuration

Cloud Storage Integration

Borgmatic supports cloud storage via rclone:

# rclone configuration (an interactive "rclone config", or env_auth=true with credentials in the
# environment, keeps the secret key out of the command line and therefore out of shell history)
rclone config create remote s3 \
  provider=AWS \
  access_key_id=your_access_key \
  secret_access_key=your_secret_key \
  region=us-east-1

# Cloud backup command. Run it only after a borgmatic run has finished (syncing a repository
# mid-write copies an inconsistent state), and note that "sync" deletes remote files that no
# longer exist locally. The repository is encrypted at rest, but with repokey the key travels
# inside it, so the passphrase file must be stored somewhere else.
rclone sync /opt/speedbits-backup/borgmatic-repo remote:backups/borgmatic-repo

Custom Hooks

Implement custom backup hooks:

# Custom hooks, in the same "commands" form used for the Apprise notifications above
# (the older before_backup/after_backup/on_error keys are deprecated in current borgmatic
# releases; the scripts must exist inside the borgmatic container)
commands:
    - before: action
      when: [create]
      run:
          - /usr/local/bin/pre-backup.sh
          - /usr/local/bin/backup-databases.sh

    - after: action
      when: [create]
      states: [finish]
      run:
          - /usr/local/bin/post-backup.sh
          - /usr/local/bin/cleanup-temp-files.sh

    - after: action
      when: [create]
      states: [fail]
      run:
          - /usr/local/bin/backup-error-handler.sh

Performance Optimization

Compression Settings

Choose compression based on your needs:

Resource Management

# Resource limits in docker-compose.yml
services:
  borgmatic:
    deploy:
      resources:
        limits:
          memory: 1G
          cpus: '1.0'
        reservations:
          memory: 512M
          cpus: '0.5'

Disaster Recovery

Backup Restoration

# List available archives
docker exec borgmatic borg list /backups/borgmatic-repo

# Extract a specific archive. borg extract writes into the current working directory, so set
# it with -w; a trailing path argument selects which archive paths to extract, it is not a
# destination. /opt/speedbits is mounted read-only in the container, so restore under /backups
# (visible on the host as /opt/speedbits-backup/restore) and copy into place from there.
docker exec borgmatic mkdir -p /backups/restore
docker exec -w /backups/restore borgmatic borg extract /backups/borgmatic-repo::speedbits-files-server-2024-01-15-020000

# Extract only part of an archive (paths are relative, as stored by borg)
docker exec -w /backups/restore borgmatic borg extract /backups/borgmatic-repo::speedbits-files-server-2024-01-15-020000 opt/speedbits/vaultwarden

Repository Recovery

# Check repository integrity
docker exec borgmatic borg check /backups/borgmatic-repo

# Repair repository only as a last resort: "borg check --repair" can discard data and refuses
# to run without BORG_CHECK_I_KNOW_WHAT_I_AM_DOING=YES; prefer restoring the cloud copy
docker exec -e BORG_CHECK_I_KNOW_WHAT_I_AM_DOING=YES borgmatic borg check --repair /backups/borgmatic-repo

# Recover from cloud storage (stop the borgmatic container first so a scheduled run does not
# write into the repository while it is being replaced)
rclone sync remote:backups/borgmatic-repo /opt/speedbits-backup/borgmatic-repo

Troubleshooting

Common Issues

Backup Failures:

# Check container logs
docker logs borgmatic

# Check cron jobs
docker exec borgmatic crontab -l

# Test manual backup
docker exec borgmatic borgmatic --config /etc/borgmatic/borgmatic-files.yml create --verbosity 2

Repository Issues:

# Check repository status
docker exec borgmatic borg info /backups/borgmatic-repo

# Confirm the passphrase file exists and is non-empty without printing the secret to the terminal
docker exec borgmatic test -s /etc/borgmatic/repo-passphrase.txt && echo "passphrase file OK"

# Check disk space
df -h /opt/speedbits-backup

Debug Commands

# Container status
docker ps | grep borgmatic

# Container exec
docker exec -it borgmatic /bin/sh

# Check mounted volumes
docker inspect -f '{{json .Mounts}}' borgmatic

# View configuration
docker exec borgmatic cat /etc/borgmatic/borgmatic-files.yml

Best Practices

Security

Operational

Next Steps

With Borgmatic installed and configured, you have scheduled, encrypted backups for all your services. Applications installed later are covered automatically as long as they keep their data under /opt/speedbits (captured by the nightly file backup) and their database container joins the borgmatic-db network (captured by the six-hourly database dump).

Verification Checklist


Next: Portainer - Docker Management Platform (Chapter 7)

Foundations

7: Portainer - Docker Management Platform

Portainer CE (Community Edition) provides a web-based management interface for Docker environments. It offers container lifecycle management, stack deployment, image/volume/network management, resource monitoring, and role-based access control. For advanced features, API documentation, and enterprise features, see the official Portainer documentation.

Prerequisites

Installation via Infinity Tools

Menu Installation

📱 APPLICATIONS → Portainer → Install

CLI Installation

sudo bash /opt/InfinityTools/Solutions/setup-portainer.sh --install

# With domain (Traefik mode)
export PORTAINER_DOMAIN="portainer.example.com"
sudo -E bash /opt/InfinityTools/Solutions/setup-portainer.sh --install

Deployment Modes

Traefik Mode (Recommended)

Uses Traefik for SSL termination and domain routing:

Standalone Mode

Direct HTTPS access with self-signed certificate:

Installation Process

Configuration Steps

  1. SSL Mode Selection: Choose Traefik or Standalone
  2. If Traefik: Provide domain name (e.g., portainer.example.com)
  3. If Standalone: Specify HTTPS port (default: 9443)
  4. Network Detection: Automatically detects Traefik network if available

What Gets Created

First-Time Setup

Admin Account Creation

⚠️ CRITICAL: Portainer requires admin credential creation on first access. No default credentials exist. If no administrator is created within a few minutes of the first start, Portainer disables the setup page for safety ("timed out for security purposes"); restart the container to bring it back.

  1. Access Portainer via the provided URL
  2. Create administrator account:
    • Username: Any (typically "admin")
    • Password: Minimum 12 characters (enforced)
  3. Select Docker environment
  4. Connect to local Docker socket

Password Recovery

If admin password is lost, reset requires:

cd /opt/speedbits/portainer
docker compose down
rm -rf data/
docker compose up -d

Note: This resets all Portainer configuration (users, settings, RBAC). Docker containers are unaffected. Portainer also publishes a portainer/helper-reset-password image that resets only the admin password against a stopped instance's data directory; check the official Portainer documentation before wiping data.

Service Endpoints

Key Features

Container Management

Stack Deployment

Image Management

Volume and Network Management

Monitoring and Statistics

Security Configuration

Initial Security

Role-Based Access Control (RBAC)

Backup Configuration

Integration with Infinity Tools

Portainer complements Infinity Tools by providing:

Note: Infinity Tools applications are managed via their respective setup scripts. Portainer provides visibility and operational control, but configuration changes should be made through Infinity Tools scripts to maintain consistency.

Troubleshooting

Container Not Starting

docker logs portainer
docker ps -a | grep portainer

Traefik Routing Issues

Docker Socket Access

Portainer manages Docker through /var/run/docker.sock, which the setup script mounts for you. Treat that socket as root on the host: mounting it read-only (:ro) only restricts the filesystem node, not the API behind it, and any Portainer administrator can start a privileged container with the host filesystem bind-mounted. Keep the administrator set small and the password strong. If issues occur:

ls -l /var/run/docker.sock
docker ps  # Verify Docker is accessible
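A quick way to see which containers on the host hold that kind of access is to run the audit below over the output of docker inspect. It is an added example written for this page, not part of Portainer or the Infinity Tools scripts: it flags Docker-socket mounts (regardless of the :ro flag, for the reason given above), privileged containers, and bind mounts of the host root such as the /host mount used by Webmin later in this guide. The container names and mounts in the sample are constructed for illustration.

```python
"""Audit `docker inspect` output for host-escape exposure: Docker-socket mounts,
privileged mode and host-root bind mounts.

Added example, not part of the Infinity Tools scripts or of Portainer. The sample
below is constructed; run against real output with:
    docker inspect $(docker ps -q) | python3 audit_mounts.py
"""
import json
import sys

DOCKER_SOCKET = "/var/run/docker.sock"

# Constructed sample in the shape of `docker inspect` (only the fields the audit reads).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/portainer", "HostConfig": {"Privileged": False},
     "Mounts": [
         {"Type": "bind", "Source": DOCKER_SOCKET, "Destination": DOCKER_SOCKET, "RW": True},
         {"Type": "bind", "Source": "/opt/speedbits/portainer/data", "Destination": "/data", "RW": True}]},
    {"Name": "/borgmatic", "HostConfig": {"Privileged": False},
     "Mounts": [
         {"Type": "bind", "Source": DOCKER_SOCKET, "Destination": DOCKER_SOCKET, "RW": False},
         {"Type": "bind", "Source": "/opt/speedbits", "Destination": "/opt/speedbits", "RW": False}]},
    {"Name": "/webmin", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host", "RW": False}]},
    {"Name": "/vaultwarden", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/opt/speedbits/vaultwarden/data", "Destination": "/data", "RW": True}]},
])


def audit_containers(inspect_json):
    """Return one finding dict per issue found in a `docker inspect` JSON array."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        if container.get("HostConfig", {}).get("Privileged"):
            findings.append({"container": name, "issue": "privileged", "severity": "high",
                             "detail": "privileged container: all host devices and capabilities"})
        for mount in container.get("Mounts", []):
            if mount.get("Type") != "bind":
                continue
            source = mount.get("Source", "")
            rw = bool(mount.get("RW", True))
            if source == DOCKER_SOCKET:
                # ":ro" protects the socket inode only; every API call still goes through,
                # including "run --privileged -v /:/host", which is root on the host.
                findings.append({"container": name, "issue": "docker-socket", "severity": "high",
                                 "detail": "Docker API reachable (%s mount); :ro does not limit it"
                                           % ("rw" if rw else "ro")})
            elif source == "/":
                findings.append({"container": name,
                                 "issue": "host-root-rw" if rw else "host-root-ro",
                                 "severity": "high" if rw else "medium",
                                 "detail": "host root mounted at %s (%s)" % (
                                     mount.get("Destination"),
                                     "writable: root on host" if rw
                                     else "read-only: still exposes /etc/shadow, SSH and TLS keys")})
    return findings


def main():
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for f in audit_containers(raw):
        print("%-7s %-14s %-12s %s" % (f["severity"], f["issue"], f["container"], f["detail"]))


if __name__ == "__main__":
    main()
```

Run without input to see the sample findings (portainer and borgmatic both report docker-socket at high severity, webmin host-root-ro at medium, vaultwarden nothing); pipe real docker inspect output in to audit the host. Anything reported as high should be reachable only by administrators you would also give SSH root to.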

Production Considerations

Next Steps

Portainer is now operational. Use it to:

For advanced Portainer features, team management, and enterprise capabilities, refer to the official Portainer documentation.

Apps

Productivity apps in no particular order.

Apps

8: Vaultwarden - Password Management Solution

Vaultwarden is a lightweight, self-hosted password management solution that provides full Bitwarden API compatibility while using significantly fewer resources than the official Bitwarden server. It supports all Bitwarden clients and offers enterprise-grade security features. For comprehensive configuration options, API documentation, and advanced features, please refer to the official Vaultwarden documentation.

Architecture Overview

Vaultwarden provides the following core functionality:

Prerequisites

Before installing Vaultwarden, ensure the following infrastructure is in place:

Installation Methods

Via Infinity Tools Menu

Navigate to the Infinity Tools menu and select:

📱 APPLICATIONS → Vaultwarden → Install

Command Line Installation

# Direct script execution
sudo bash /opt/InfinityTools/Solutions/setup-vaultwarden.sh --install

# With environment variables
export VW_DOMAIN="vault.domain.com"
export VW_USE_TRAEFIK="true"
export VW_SIGNUPS="false"
export PROXY_NETWORK="proxy"
sudo -E bash /opt/InfinityTools/Solutions/setup-vaultwarden.sh --install

Configuration Parameters

Required Configuration

During installation, you'll configure:

Environment Variables

# SSL and Domain Configuration
export VW_USE_TRAEFIK="true"              # Use Traefik for SSL termination
export VW_DOMAIN="vault.domain.com"       # FQDN for web vault
export VW_PORT="8443"                     # Port for standalone mode

# User Management
export VW_SIGNUPS="false"                 # Disable open registration
export VW_SIGNUPS_VERIFY="true"           # Require email verification

# Network Configuration
export PROXY_NETWORK="proxy"              # Docker network name

Generated Configuration

Docker Compose Configuration (Traefik Mode)

Location: /opt/speedbits/vaultwarden/docker-compose.yml

version: '3.8'

services:
  vaultwarden:
    image: vaultwarden/server:1.34.3
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      DOMAIN: https://vault.domain.com
      ADMIN_TOKEN_FILE: /run/secrets/admin_token.txt
      SIGNUPS_ALLOWED: "false"
      SIGNUPS_VERIFY: "true"
      DATABASE_URL: /data/db.sqlite3
      # No WEBSOCKET_* settings: since Vaultwarden 1.29 websocket notifications are served on
      # the main HTTP port, and the separate port-3012 listener was removed in later releases
    volumes:
      - /opt/speedbits/vaultwarden/data:/data
      - /opt/speedbits/vaultwarden/admin_token.txt:/run/secrets/admin_token.txt:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.vaultwarden.rule=Host(`vault.domain.com`)"
      - "traefik.http.routers.vaultwarden.entrypoints=websecure"
      - "traefik.http.routers.vaultwarden.tls.certresolver=myresolver"
      - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
      # No separate websocket router: current releases serve /notifications/hub on port 80
    networks:
      - proxy

networks:
  proxy:
    external: true

Standalone Configuration

For environments without Traefik:

version: '3.8'

services:
  vaultwarden:
    image: vaultwarden/server:1.34.3
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      DOMAIN: https://localhost:8443
      ADMIN_TOKEN_FILE: /run/secrets/admin_token.txt
      SIGNUPS_ALLOWED: "false"
      DATABASE_URL: /data/db.sqlite3
      # No WEBSOCKET_* settings: websocket notifications are served on the main port in current releases
      ROCKET_TLS: '{certs="/ssl/vaultwarden.crt",key="/ssl/vaultwarden.key"}'
      ROCKET_PORT: 443
    volumes:
      - /opt/speedbits/vaultwarden/data:/data
      - /opt/speedbits/vaultwarden/admin_token.txt:/run/secrets/admin_token.txt:ro
      - /opt/speedbits/vaultwarden/ssl:/ssl:ro
    ports:
      - "8443:443"
    networks:
      - proxy

Security Configuration

Admin Token Management

Admin tokens are stored securely and provide access to the admin panel:

# Generate a new admin token straight into the file (never echo the token on the command
# line: it would end up in shell history)
umask 077
openssl rand -base64 48 > /opt/speedbits/vaultwarden/admin_token.txt
chmod 600 /opt/speedbits/vaultwarden/admin_token.txt

# Preferred: store an Argon2id hash of the token instead of the token itself. The image's
# "hash" subcommand prompts for the token and prints a PHC string to paste into the file
# (it is read via ADMIN_TOKEN_FILE, so no "$" escaping is needed)
docker run --rm -it vaultwarden/server:1.34.3 /vaultwarden hash

Security Headers

Traefik middleware adds security headers. A label that defines a middleware does nothing on its own; it must also be attached to the router, as the last label below does. Two caveats: X-XSS-Protection is obsolete and is omitted, and Vaultwarden already sends a Content-Security-Policy tuned to the web vault, so overriding it from the proxy (in particular with 'unsafe-inline') can break the client. Leave CSP to Vaultwarden unless you have tested a replacement. Also restrict /admin, with an ipAllowList middleware or by unsetting the admin token while the panel is not in use.

labels:
  - "traefik.http.middlewares.vaultwarden-security.headers.customResponseHeaders.X-Content-Type-Options=nosniff"
  - "traefik.http.middlewares.vaultwarden-security.headers.customResponseHeaders.X-Frame-Options=SAMEORIGIN"
  - "traefik.http.middlewares.vaultwarden-security.headers.customResponseHeaders.Strict-Transport-Security=max-age=31536000; includeSubDomains"
  - "traefik.http.middlewares.vaultwarden-security.headers.customResponseHeaders.Referrer-Policy=strict-origin-when-cross-origin"
  - "traefik.http.routers.vaultwarden.middlewares=vaultwarden-security"

Database Configuration

SQLite (Default)

Vaultwarden uses SQLite by default for simplicity:

environment:
  DATABASE_URL: /data/db.sqlite3

PostgreSQL Configuration

For larger or multi-user deployments PostgreSQL is an option (SQLite is adequate for most self-hosted instances and is simpler to back up). Keep the database off the proxy network: only Vaultwarden needs to reach it, so it belongs on a dedicated internal network.

environment:
  DATABASE_URL: postgresql://vaultwarden:password@postgres:5432/vaultwarden   # or DATABASE_URL_FILE, keeping the password out of the compose file

# Add PostgreSQL service
services:
  postgres:
    image: postgres:15-alpine
    container_name: vaultwarden-postgres
    restart: unless-stopped
    environment:
      POSTGRES_DB: vaultwarden
      POSTGRES_USER: vaultwarden
      POSTGRES_PASSWORD: secure_password   # generate with: openssl rand -base64 32
    volumes:
      - /opt/speedbits/vaultwarden/postgres:/var/lib/postgresql/data
    networks:
      - vaultwarden-db   # add this network to the vaultwarden service as well; it keeps the proxy network

networks:
  vaultwarden-db:
    internal: true   # no external connectivity, not reachable from other proxied services

Advanced Configuration

Environment Variables

Vaultwarden supports extensive configuration via environment variables:

environment:
  # Domain and SSL
  DOMAIN: https://vault.domain.com
  ROCKET_TLS: '{certs="/ssl/vaultwarden.crt",key="/ssl/vaultwarden.key"}'
  
  # Database
  DATABASE_URL: /data/db.sqlite3
  
  # User Management
  SIGNUPS_ALLOWED: "false"
  SIGNUPS_VERIFY: "true"
  SIGNUPS_VERIFY_RESEND_TIME: "3600"
  SIGNUPS_VERIFY_RESEND_LIMIT: "6"
  
  # Security
  ADMIN_TOKEN_FILE: /run/secrets/admin_token.txt
  INVITATIONS_ALLOWED: "true"
  INVITATION_ORG_NAME: "Organization Name"
  
  # WebSocket
  WEBSOCKET_ENABLED: "true"
  WEBSOCKET_ADDRESS: 0.0.0.0
  WEBSOCKET_PORT: 3012
  
  # SMTP (for email verification)
  SMTP_HOST: smtp.example.com
  SMTP_FROM: vaultwarden@example.com
  SMTP_PORT: 587
  SMTP_SECURITY: starttls
  SMTP_USERNAME: smtp_user
  SMTP_PASSWORD: smtp_password

Organization Management

Configure organization settings for team password sharing:

environment:
  ORG_CREATION_USERS: "admin@domain.com"      # comma-separated users allowed to create organizations ("all" or "none" also accepted)
  INVITATION_ORG_NAME: "Organization Name"    # name shown in invitation e-mails

Monitoring and Logging

Health Checks

# Add health check to docker-compose.yml. The image ships /healthcheck.sh, which probes
# /alive using the configured port and TLS settings, so the check does not depend on curl
# being present in the image
healthcheck:
  test: ["CMD", "/healthcheck.sh"]
  interval: 30s
  timeout: 10s
  retries: 3
  start_period: 30s

Logging Configuration

environment:
  LOG_LEVEL: info
  LOG_FILE: /data/vaultwarden.log
  EXTENDED_LOGGING: "true"
  LOG_TIMESTAMP: "true"

Backup and Recovery

Data Backup

Vaultwarden data is stored in the mounted volume:

# Snapshot the SQLite database with the online-backup API first (a tar of the live db.sqlite3
# and its -wal file is not guaranteed consistent), then archive the rest of the data directory
sqlite3 /opt/speedbits/vaultwarden/data/db.sqlite3 ".backup '/backup/vaultwarden-db-$(date +%Y%m%d).sqlite3'"
tar -czf /backup/vaultwarden-backup-$(date +%Y%m%d).tar.gz -C /opt/speedbits/vaultwarden/data --exclude='db.sqlite3*' .

# Backup configuration (the admin token is a secret: keep /backup owner-only, mode 0700)
cp /opt/speedbits/vaultwarden/docker-compose.yml /backup/vaultwarden-compose.yml
cp /opt/speedbits/vaultwarden/admin_token.txt /backup/vaultwarden-admin-token.txt

Disaster Recovery

# Restore from backup: stop the service first, put the files back, then start it
cd /opt/speedbits/vaultwarden
docker compose down
tar -xzf /backup/vaultwarden-backup-20241201.tar.gz -C /opt/speedbits/vaultwarden/data/
cp /backup/vaultwarden-db-20241201.sqlite3 /opt/speedbits/vaultwarden/data/db.sqlite3
rm -f /opt/speedbits/vaultwarden/data/db.sqlite3-wal /opt/speedbits/vaultwarden/data/db.sqlite3-shm
docker compose up -d
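The tar-based backup above and the Borgmatic database-dump script earlier in this guide (which copies *.sqlite3 files with cp) both read the live database file. The following added example, written for this page and not part of Vaultwarden or the Infinity Tools scripts, shows the crash-consistent alternative end to end: it snapshots db.sqlite3 through SQLite's online-backup API while the container keeps running, verifies the snapshot with PRAGMA integrity_check, and archives the rest of the data directory (attachments, sends, rsa_key*, config.json) with the live database files and temporary files excluded, writing the archive owner-only. DATA_DIR and OUT_DIR are assumptions about host paths.

```python
"""Crash-consistent backup of a Vaultwarden data directory.

Added example, not code from Vaultwarden or the Infinity Tools scripts. Paths in
DATA_DIR/OUT_DIR are assumptions; adjust them for your host.
"""
import os
import sqlite3
import tarfile
import tempfile
import time
from pathlib import Path

DATA_DIR = Path("/opt/speedbits/vaultwarden/data")   # assumed host path of the /data volume
OUT_DIR = Path("/backup")                            # assumed backup destination
LIVE_DB_FILES = {"db.sqlite3", "db.sqlite3-wal", "db.sqlite3-shm"}
SKIP_SUFFIXES = {".tmp", ".log"}


def snapshot_sqlite(live_db, snapshot):
    """Copy a live SQLite database to `snapshot` via the backup API; return the integrity status."""
    src = sqlite3.connect(str(live_db))
    dst = sqlite3.connect(str(snapshot))
    try:
        # Page-level copy under a read transaction: consistent even with concurrent writers,
        # and it includes committed pages still sitting in the -wal file.
        src.backup(dst)
        return dst.execute("PRAGMA integrity_check").fetchone()[0]
    finally:
        src.close()
        dst.close()


def backup_data_dir(data_dir, out_dir, stamp=None):
    """Write vaultwarden-backup-<stamp>.tar.gz (mode 0600) and return its path."""
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    out_dir.mkdir(parents=True, exist_ok=True)
    archive = out_dir / ("vaultwarden-backup-%s.tar.gz" % stamp)
    with tempfile.TemporaryDirectory() as tmp:
        snap = Path(tmp) / "db.sqlite3"
        status = snapshot_sqlite(data_dir / "db.sqlite3", snap)
        if status != "ok":
            raise RuntimeError("integrity_check failed on snapshot: %s" % status)
        old_umask = os.umask(0o077)  # the archive holds every vault plus rsa_key: owner-only
        try:
            with tarfile.open(archive, "w:gz") as tar:
                tar.add(snap, arcname="db.sqlite3")  # the consistent snapshot replaces the live file
                for path in sorted(data_dir.rglob("*")):
                    rel = path.relative_to(data_dir)
                    if rel.parts[0] in LIVE_DB_FILES or path.suffix in SKIP_SUFFIXES:
                        continue
                    tar.add(path, arcname=str(rel), recursive=False)
        finally:
            os.umask(old_umask)
    return archive


def list_archive(archive):
    """Sorted member names, for verifying what was captured."""
    with tarfile.open(archive) as tar:
        return sorted(tar.getnames())


if __name__ == "__main__":
    out = backup_data_dir(DATA_DIR, OUT_DIR)
    print(out)
    for name in list_archive(out):
        print("  ", name)
```

To restore, stop the container, extract the archive into the data directory, delete any stale db.sqlite3-wal and db.sqlite3-shm left from the old instance, and start it again. Borgmatic's sqlite_databases hook performs the same snapshot inside a scheduled run, which is the preferred way to put Vaultwarden into the nightly backup.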

Performance Optimization

Resource Limits

services:
  vaultwarden:
    deploy:
      resources:
        limits:
          memory: 512M
          cpus: '0.5'
        reservations:
          memory: 256M
          cpus: '0.25'

Database Optimization

For PostgreSQL, the connection pool size is set with DATABASE_MAX_CONNS (max_connections is not a connection-string parameter and is ignored); sslmode=require in the URL enforces TLS between Vaultwarden and the database:

environment:
  DATABASE_URL: postgresql://vaultwarden:password@postgres:5432/vaultwarden?sslmode=require
  DATABASE_MAX_CONNS: "20"

Troubleshooting

Common Issues

WebSocket Connection Failures:

# Check WebSocket configuration (recent releases serve /notifications/hub on the main port)
docker logs vaultwarden | grep -i websocket

# Verify Traefik routing end to end over TLS from the server itself, independent of DNS
curl -k --resolve vault.domain.com:443:127.0.0.1 https://vault.domain.com/alive

Database Connection Issues:

# Check database file permissions
ls -la /opt/speedbits/vaultwarden/data/db.sqlite3

# Verify database integrity
sqlite3 /opt/speedbits/vaultwarden/data/db.sqlite3 "PRAGMA integrity_check;"

SSL Certificate Problems:

# Check Traefik certificate status
docker logs traefik | grep -i acme

# Verify domain resolution
dig vault.domain.com
nslookup vault.domain.com

Debug Commands

# Container status
docker ps | grep vaultwarden

# Container logs
docker logs vaultwarden

# Container exec
docker exec -it vaultwarden /bin/sh

# Network connectivity
docker network inspect proxy

# Port binding (443 belongs to Traefik in Traefik mode; 8443 is the standalone mapping)
ss -tulnp | grep -E ':(443|8443)\b'

Integration with Other Services

Borgmatic Backup Integration

Include Vaultwarden in automated backups:

# Add to borgmatic configuration (current borgmatic uses top-level keys; the older
# locations/directories form belongs to pre-1.8 releases). Including the live db.sqlite3
# only gives a best-effort copy; use borgmatic's sqlite_databases hook for a consistent one.
source_directories:
    - /opt/speedbits/vaultwarden/data

# Exclude temporary files
exclude_patterns:
    - '*.tmp'
    - '*.log'

Monitoring Integration

Add Vaultwarden to monitoring systems:

# Health check endpoint (returns the server time). Vaultwarden exposes no Prometheus-style
# metrics endpoint, so external probes should watch /alive and the container's own healthcheck
curl -f https://vault.domain.com/alive

Security Best Practices

Access Control

Network Security

Next Steps

With Vaultwarden installed and configured, you can now:

Verification Checklist


Next: Passbolt - Team Password Management (Chapter 9)

Apps

9: Passbolt - Team Password Management

Passbolt is an OpenPGP-based, self-hosted team password manager with strong security properties and a browser-extension-centric UX. For comprehensive configuration, hardening guidance, and usage documentation, see the official Passbolt documentation.

Prerequisites

Installation via Infinity Tools

Menu Installation

📱 APPLICATIONS → Passbolt → Install

CLI Installation

sudo bash /opt/InfinityTools/Solutions/setup-passbolt.sh --install
# or with environment variables
export PB_DOMAIN="pass.example.com"
sudo -E bash /opt/InfinityTools/Solutions/setup-passbolt.sh --install

Configuration Overview

Environment Parameters (examples)

# SSL + domain
export PB_DOMAIN="pass.example.com"        # FQDN for Passbolt
# Networking
export PROXY_NETWORK="proxy"               # Traefik network name

What the Installer Sets Up

Post-Install Steps

  1. Open the web UI: https://pass.example.com
  2. Follow the onboarding to create the first admin user
  3. Install the Passbolt browser extension (Chrome/Firefox) when prompted
  4. Configure SMTP in the Passbolt UI for email notifications

Backup & Restore

Operational Checks

# Check container states
sudo docker ps | egrep 'passbolt|passbolt-db'

# View logs
sudo docker logs passbolt --since 10m
sudo docker logs passbolt-db --since 10m

# Show current config hints (paths)
ls -la /opt/speedbits/passbolt/

Troubleshooting

SSL / Routing

# Verify Traefik is running
sudo docker ps | grep traefik

# Check ACME events
sudo docker logs traefik | grep -i acme

# Confirm DNS
dig +short pass.example.com

Database Connectivity

# Check DB container
sudo docker logs passbolt-db --since 10m

# Exec into DB and test
sudo docker exec -it passbolt-db mysql -u passbolt -p

Passbolt Health

# Application logs
sudo docker logs passbolt --since 10m

# Restart services
cd /opt/speedbits/passbolt && sudo docker compose down && sudo docker compose up -d

Security Notes

Verification

For advanced configuration (SMTP, LDAP/SSO, security hardening), consult the official Passbolt documentation.

Apps

10: Syncthing - File Synchronization

Syncthing provides continuous, peer‑to‑peer file synchronization across devices. For configuration reference and advanced topics (relays, discovery, ignore patterns), see the official Syncthing documentation.

Dependency check

Prerequisites

Installation via Infinity Tools

Menu Installation

📱 APPLICATIONS → Syncthing → Install

CLI Installation

sudo bash /opt/InfinityTools/Solutions/setup-syncthing.sh --install

Traefik Integration

Select Traefik mode to expose the web UI via HTTPS and a domain. Traefik only terminates TLS; it does not authenticate, so set a GUI username and password (Actions → Settings → GUI) before relying on this exposure:

labels:
  - "traefik.enable=true"
  - "traefik.http.routers.syncthing.rule=Host(`sync.example.com`)"
  - "traefik.http.routers.syncthing.entrypoints=websecure"
  - "traefik.http.routers.syncthing.tls.certresolver=myresolver"
  - "traefik.http.services.syncthing.loadbalancer.server.port=8384"  # Syncthing GUI

networks:
  - proxy

Standalone Access

Without Traefik, publish the GUI port directly. The GUI has no credentials until you set them, so either bind it to loopback and reach it over an SSH tunnel, or set a GUI user and password and enable "Use HTTPS for GUI" before exposing it on all interfaces:

ports:
  - "127.0.0.1:8384:8384"   # Web GUI; drop the 127.0.0.1 prefix only once GUI auth and HTTPS are configured
  # The sync protocol port (22000/tcp+udp) is not published here, so peers reach this node
  # via relays or NAT traversal (still end-to-end encrypted, but slower); publish 22000 for direct connections

Data & Configuration

volumes:
  - /opt/speedbits/syncthing/config:/var/syncthing
  - /opt/speedbits/syncthing/Documents:/sync/Documents
  - /opt/speedbits/syncthing/Photos:/sync/Photos

Security & Hardening

Device Pairing

  1. Retrieve Device ID from each peer (web UI → Actions → Show ID)
  2. Add remote devices by ID; accept on the peer
  3. Share specific folders with your peer device

Ignore Patterns

Use .stignore to exclude files:

# /opt/speedbits/syncthing/Documents/.stignore
*.tmp
.cache/
node_modules/

Operational Checks

# Containers
sudo docker ps | grep syncthing

# Logs
sudo docker logs syncthing --since 10m

Troubleshooting

For advanced networking (relay servers, global discovery, NAT traversal), consult the Syncthing docs.

Apps

11: Nextcloud - Cloud Storage Platform

Nextcloud is a full-featured, self-hosted collaboration and file storage platform. It provides file sync and share, WebDAV, CalDAV/CardDAV, and a rich app ecosystem. For full configuration details and the admin manual, see the official Nextcloud documentation.

Architecture Overview

Resource Requirements

Prerequisites

Interdependencies: The PostgreSQL service is attached to a borgmatic-db network for backup discovery. Borgmatic relies on Apprise for notifications.

Installation Methods

Via Infinity Tools Menu

📱 APPLICATIONS → Nextcloud → Install

Command Line

# Show current status (no changes)
sudo bash /opt/InfinityTools/Solutions/setup-nextcloud.sh

# Run interactive installation
sudo bash /opt/InfinityTools/Solutions/setup-nextcloud.sh --install

Configuration Parameters

Generated Files & Directories

Compose (Traefik Mode - Highlights)

services:
  db:
    image: postgres:${DB_VERSION}
    networks: [ ${NETWORK}, borgmatic-db ]

  nextcloud:
    image: nextcloud:${NEXTCLOUD_VERSION}
    environment:
      POSTGRES_HOST: nextcloud-db
      NEXTCLOUD_ADMIN_USER: ${NEXTCLOUD_ADMIN_USER}
      NEXTCLOUD_ADMIN_PASSWORD: ${NEXTCLOUD_ADMIN_PASSWORD}
      NEXTCLOUD_TRUSTED_DOMAINS: ${DOMAIN}
      OVERWRITEPROTOCOL: https
      OVERWRITEHOST: ${DOMAIN}
      PHP_UPLOAD_LIMIT: 16G
      PHP_MEMORY_LIMIT: 512M
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud.rule=Host(`${DOMAIN}`)"
      - "traefik.http.routers.nextcloud.entrypoints=websecure"
      - "traefik.http.routers.nextcloud.tls.certresolver=myresolver"
      - "traefik.http.services.nextcloud.loadbalancer.server.port=80"
      - "traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.permanent=true"
      - "traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.regex=https://(.*)/.well-known/(card|cal)dav"
      - "traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.replacement=https://$${1}/remote.php/dav/"
      - "traefik.http.middlewares.nextcloud-security.headers.customResponseHeaders.X-Content-Type-Options=nosniff"
      - "traefik.http.middlewares.nextcloud-security.headers.customResponseHeaders.X-Frame-Options=SAMEORIGIN"
      - "traefik.http.middlewares.nextcloud-security.headers.customResponseHeaders.X-XSS-Protection=1; mode=block"
      - "traefik.http.routers.nextcloud.middlewares=nextcloud-redirectregex,nextcloud-security"

Post-Install Hardening & Tasks

Cron Setup

Run the background jobs from the host crontab, and switch Nextcloud's job mode to cron once with "docker exec -u www-data nextcloud php occ background:cron" (otherwise it keeps using AJAX-triggered jobs):

*/5 * * * * docker exec -u www-data nextcloud php -f /var/www/html/cron.php

Backup Integration (Borgmatic)

Operations

# Logs
docker logs nextcloud

# Restart
cd /opt/speedbits/nextcloud && docker compose restart

# Update
cd /opt/speedbits/nextcloud && docker compose pull && docker compose up -d

# OCC (run as www-data)
docker exec -u www-data nextcloud php occ status
docker exec -u www-data nextcloud php occ app:list

Troubleshooting

Security Best Practices

Verification Checklist

References

Apps

12: WordPress - Production-Ready Setup

WordPress is a widely used CMS for websites and blogs. This guide covers installation and runtime specifics when deploying via Infinity Tools. For platform usage, administration, and theme/plugin development, refer to the official WordPress documentation.

Architecture Overview

Prerequisites

Interdependencies: MariaDB is joined to borgmatic-db for backup discovery. Borgmatic depends on Apprise for notifications.

Installation Methods

Via Infinity Tools Menu

📱 APPLICATIONS → WordPress → Install

Command Line

# Status (no changes)
sudo bash /opt/InfinityTools/Solutions/setup-wordpress.sh --status

# Default instance (interactive)
sudo bash /opt/InfinityTools/Solutions/setup-wordpress.sh --install

# Named instance
sudo bash /opt/InfinityTools/Solutions/setup-wordpress.sh --install --instance=blog2

Key Configuration

Generated Files & Directories

Traefik Mode (Highlights)

services:
  db:
    image: mariadb:10.11
    networks: [ ${NETWORK}, borgmatic-db ]

  redis:                 # if enabled
    image: redis:7-alpine
    command: redis-server --maxmemory 64mb --maxmemory-policy allkeys-lru

  wordpress:
    image: wordpress:latest
    environment:
      WORDPRESS_DB_HOST: wp-db:3306
      WORDPRESS_DB_USER: wpuser
      WORDPRESS_DB_PASSWORD: ${FROM_FILE}
      WORDPRESS_DB_NAME: wordpress
      WORDPRESS_TABLE_PREFIX: wp_
      WORDPRESS_CONFIG_EXTRA: |
        define('DISALLOW_FILE_EDIT', true);
        define('FORCE_SSL_ADMIN', true);
        define('WP_MEMORY_LIMIT', '512M');
        define('WP_MAX_MEMORY_LIMIT', '1024M');
        define('WP_CACHE', true);
        define('WP_POST_REVISIONS', 10);
        define('AUTOSAVE_INTERVAL', 300);
        define('WP_IMAGE_EDITORS', ['WP_Image_Editor_GD']);
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.${ROUTER_NAME}.rule=Host(`${DOMAIN}`)"
      - "traefik.http.routers.${ROUTER_NAME}.entrypoints=websecure"
      - "traefik.http.routers.${ROUTER_NAME}.tls.certresolver=myresolver"
      - "traefik.http.routers.${ROUTER_NAME}-www.rule=Host(`www.${DOMAIN}`)"
      - "traefik.http.routers.${ROUTER_NAME}-www.middlewares=${ROUTER_NAME}-redirect"
      - "traefik.http.middlewares.${ROUTER_NAME}-redirect.redirectregex.regex=^https://www\\.${DOMAIN}/(.*)"
      - "traefik.http.middlewares.${ROUTER_NAME}-redirect.redirectregex.replacement=https://${DOMAIN}/$${1}"
      - "traefik.http.middlewares.${ROUTER_NAME}-redirect.redirectregex.permanent=true"

Redis Object Cache (Recommended)

Enable Redis during installation (optional), then install the free Redis Object Cache plugin for significant performance gains.

Redis Object Cache plugin (wordpress.org)

Post-Install Hardening & Defaults

Backup Integration (Borgmatic)

Operations

# Logs
docker logs wordpress
docker logs wp-db

# Restart
cd $WP_DIR && docker compose restart

# Update (safe)
cd $WP_DIR && docker compose pull && docker compose up -d

# Instance status
sudo bash /opt/InfinityTools/Solutions/setup-wordpress.sh --status

# Wipe and reinstall (destructive)
sudo bash /opt/InfinityTools/Solutions/setup-wordpress.sh --install --deleteall

Troubleshooting

Security Best Practices

Verification Checklist

Apps

13: Matomo - Web Analytics

Matomo (formerly Piwik) is a full‑featured, self‑hosted web analytics platform. This guide covers installation and runtime specifics when deploying via Infinity Tools. For comprehensive configuration and administration, see the official Matomo documentation.

Architecture Overview

Prerequisites

Interdependencies: MariaDB joins borgmatic-db for backup discovery. Borgmatic relies on Apprise for notifications.

Installation Methods

Via Infinity Tools Menu

📱 APPLICATIONS → Matomo → Install

Command Line

# Status (no changes)
sudo bash /opt/InfinityTools/Solutions/setup-matomo.sh --status

# Interactive installation
sudo bash /opt/InfinityTools/Solutions/setup-matomo.sh --install

Key Configuration

Generated Files & Directories

Compose (Traefik Mode - Highlights)

services:
  db:
    image: mariadb:${DB_VERSION}
    networks: [ ${NETWORK}, borgmatic-db ]
    command: >
      --max-allowed-packet=64M
      --innodb-buffer-pool-size=512M

  matomo:
    image: matomo:${MATOMO_VERSION}
    environment:
      MATOMO_DATABASE_HOST: matomo-db
      MATOMO_DATABASE_ADAPTER: mysql
      MATOMO_DATABASE_TABLES_PREFIX: matomo_
      MATOMO_DATABASE_USERNAME: ${MYSQL_USER}
      MATOMO_DATABASE_PASSWORD: ${MYSQL_PASSWORD}
      MATOMO_DATABASE_DBNAME: ${MYSQL_DATABASE}
      PHP_MEMORY_LIMIT: 512M
    volumes:
      - ./config:/var/www/html/config
      - ./logs:/var/www/html/logs
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.matomo.rule=Host(`${DOMAIN}`)"
      - "traefik.http.routers.matomo.entrypoints=websecure"
      - "traefik.http.routers.matomo.tls.certresolver=myresolver"
      - "traefik.http.services.matomo.loadbalancer.server.port=80"

Post‑Install Tasks

Cron Archiving

Run the archiver as the web server user so files it creates under tmp/ stay owned by www-data, then disable browser-triggered archiving in Matomo (Administration → System → General settings):

*/5 * * * * docker exec -u www-data matomo /usr/local/bin/php /var/www/html/console core:archive >/dev/null 2>&1

Backup Integration (Borgmatic)

Operations

# Logs
docker logs matomo
docker logs matomo-db

# Restart
cd /opt/speedbits/matomo && docker compose restart

# Update
cd /opt/speedbits/matomo && docker compose pull && docker compose up -d

Troubleshooting

Security Best Practices

Verification Checklist

References

Apps

14: Webmin - System Administration Platform

Webmin provides a web-based system administration interface for Linux servers. It offers user management, service control, file system access, package management, network configuration, and system monitoring through a unified web UI. For module documentation, API details, and advanced configuration, see the official Webmin documentation.

Prerequisites

Installation via Infinity Tools

Menu Installation

📱 APPLICATIONS → Webmin → Install

CLI Installation

sudo bash /opt/InfinityTools/Solutions/setup-webmin.sh --install

# With domain (Traefik mode)
export WEBMIN_USE_TRAEFIK=true
export WEBMIN_DOMAIN="webmin.example.com"
sudo -E bash /opt/InfinityTools/Solutions/setup-webmin.sh --install

# With host filesystem access (read-only)
export WEBMIN_HOST_ACCESS=readonly
sudo -E bash /opt/InfinityTools/Solutions/setup-webmin.sh --install

# With host filesystem access (read-write)
export WEBMIN_HOST_ACCESS=readwrite
sudo -E bash /opt/InfinityTools/Solutions/setup-webmin.sh --install

# Custom port (standalone mode)
sudo bash /opt/InfinityTools/Solutions/setup-webmin.sh --install 9443

Deployment Modes

Traefik Mode

Uses Traefik for SSL termination and domain routing:

Standalone Mode (Recommended)

Direct HTTPS access with self-signed certificate, accessed via SSH tunnel:

Host Filesystem Access Configuration

During installation, you'll be prompted for host filesystem access level. With readwrite, the Webmin process in the container can edit any file on the host (/etc/shadow, sudoers, SSH keys), so the Webmin login becomes a host root credential; choose readonly unless you need to edit host files, and keep Standalone mode behind an SSH tunnel.

Volume Mount:

Installation Process

Configuration Steps

  1. SSL Mode Selection: Choose Traefik or Standalone
  2. If Traefik: Provide domain name
  3. If Standalone: Specify HTTPS port (default: 8443)
  4. Host Access: Choose filesystem access level
  5. User Creation: System user webminadmin created with random password

What Gets Created

Access Methods

Traefik Mode

https://webmin.example.com

Direct web access after DNS propagation and SSL certificate generation (30-60 seconds).

Standalone Mode (SSH Tunnel)

On local machine (the forwarded target must be the port the container actually publishes on the server's loopback; check on the server with "docker port webmin"):

ssh -L 8443:localhost:10000 user@server-ip

Then in browser:

https://localhost:8443

Accept self-signed certificate warning (Advanced → Proceed).

Alternative: Direct Container IP

The container IP is only known on the server, so look it up there and forward to it from the local machine. Both commands run on the local machine; the inner ssh fetches the IP:

CONTAINER_IP=$(ssh user@server-ip "docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' webmin")

# SSH tunnel to container IP (the target is resolved on the server side)
ssh -L 8443:$CONTAINER_IP:10000 user@server-ip

Authentication

Default Credentials

⚠️ CRITICAL: Password is displayed only once. Save it immediately!

System Authentication

File Manager: Container vs Host Filesystem

⭐ CRITICAL: Webmin's File Manager initially shows the container's filesystem, not the host system.

Accessing Host Files

  1. Navigate to Other → File Manager
  2. You'll see container filesystem (minimal, typically empty)
  3. To access host: Type /host/ in the path bar
  4. Press Enter or click "Go"
  5. Host filesystem is now accessible

Path Mapping

Common Host Paths

Access Level Behavior

Key Features

System Administration

File Management

Network Configuration

Security Configuration

Access Security

Filesystem Security

Container Security

Configuration Persistence

Troubleshooting

Container Not Starting

docker logs webmin
docker ps -a | grep webmin

Authentication Issues

File Manager Issues

SSH Tunnel Issues

Traefik Routing Issues

Production Considerations

Integration with Infinity Tools

Webmin complements Infinity Tools by providing:

Note: Infinity Tools applications run in Docker containers. Webmin provides host system management. Use Portainer (Chapter 13) for Docker container management.

Next Steps

Webmin is now operational. Use it to:

For advanced Webmin features, module development, and enterprise capabilities, refer to the official Webmin documentation.

Apps

15: BookStack - Documentation Platform / Wiki

BookStack is a self-hosted documentation and wiki platform built with PHP and Laravel. It provides a hierarchical content structure (Books → Chapters → Pages), WYSIWYG editing with Markdown support, full-text search, user roles, and export capabilities. For API documentation, advanced customization, and development guides, see the official BookStack documentation.

Prerequisites

Installation via Infinity Tools

Menu Installation

📱 APPLICATIONS → BookStack → Install

CLI Installation

sudo bash /opt/InfinityTools/Solutions/setup-bookstack.sh --install

# With domain (Traefik mode)
export BS_DOMAIN="docs.example.com"
export BS_EMAIL="admin@example.com"
sudo -E bash /opt/InfinityTools/Solutions/setup-bookstack.sh --install

# Standalone mode with custom port
export BS_USE_TRAEFIK=false
export BS_PORT=8092
sudo -E bash /opt/InfinityTools/Solutions/setup-bookstack.sh --install

# Fresh install (delete all data)
sudo bash /opt/InfinityTools/Solutions/setup-bookstack.sh --install --deleteall

Deployment Modes

Traefik Mode (Default)

Uses Traefik for SSL termination and domain routing:

Standalone Mode

Direct access with optional HTTPS (self-signed):

Architecture

Containers

Data Persistence

Networks

Installation Process

Configuration Steps

  1. SSL Mode Selection: Choose Traefik (default) or Standalone
  2. If Traefik: Provide domain name and email
  3. If Standalone: Specify port (default: 8092) and SSL mode
  4. Database Setup: Random passwords generated and saved
  5. App Key: Encryption key generated for BookStack

What Gets Created

Database Configuration

Database Details

Accessing Database

# View database password
cat /opt/speedbits/bookstack/db_password.txt

# Connect to database
docker exec -it bookstack-db mysql -u bookstack -p bookstack
# Enter password from db_password.txt

# Backup database. MYSQL_PWD passes the password through the environment:
# "-p" would prompt, which cannot be answered without a TTY, and the password
# stays out of the container's process list.
docker exec -e MYSQL_PWD="$(cat /opt/speedbits/bookstack/db_password.txt)" \
  bookstack-db mysqldump -u bookstack bookstack > backup.sql

Access Methods

Traefik Mode

https://docs.example.com

Direct web access after DNS propagation and SSL certificate generation (30-60 seconds).

Standalone Mode

HTTP:

http://SERVER_IP:8092

HTTPS:

https://SERVER_IP:8092

Accept self-signed certificate warning (Advanced → Proceed).

Authentication

Default Credentials

⚠️ CRITICAL: Change these immediately after first login! These are public defaults.

User Roles

Environment Variables

BookStack Container

Key Features

Content Management

User Management

Export & Integration

Security Configuration

Access Security

Container Security

Configuration Persistence

Backup & Restore

Backup Strategy

# Full backup of data and config (take it with the stack stopped, or rely on
# the SQL dump below for a consistent copy of the database)
cd /opt/speedbits
tar czf bookstack-backup-$(date +%Y%m%d).tar.gz bookstack/

# Database-only backup. MYSQL_PWD passes the password through the environment:
# "-p" would prompt, which cannot be answered without a TTY, and the password
# stays out of the container's process list.
docker exec -e MYSQL_PWD="$(cat /opt/speedbits/bookstack/db_password.txt)" \
  bookstack-db mysqldump -u bookstack bookstack > bookstack-db-$(date +%Y%m%d).sql

# Config-only backup
tar czf bookstack-config-$(date +%Y%m%d).tar.gz -C /opt/speedbits/bookstack config/

Restore Process

  1. Stop containers: cd /opt/speedbits/bookstack && docker compose down
  2. Restore data: Extract backup to /opt/speedbits/bookstack/
  3. Start containers: docker compose up -d (the database container must be running and accepting connections before the next step; check docker logs bookstack-db)
  4. Restore database: docker exec -i -e MYSQL_PWD="$(cat /opt/speedbits/bookstack/db_password.txt)" bookstack-db mysql -u bookstack bookstack < backup.sql (do not use -p here: with stdin redirected, mysql would read the first line of the dump as the password)

Troubleshooting

Container Not Starting

docker logs bookstack
docker logs bookstack-db
docker ps -a | grep bookstack

Database Connection Issues

SSL Certificate Issues

Performance Issues

Production Considerations

Integration with Infinity Tools

BookStack complements Infinity Tools by providing:

Note: The Infinity Tools documentation sync script (sync-bookstack.sh) can automatically upload HTML documentation files to BookStack.

SMTP Configuration

After installation, you can configure SMTP for email functionality:

Next Steps

BookStack is now operational. Use it to:

For advanced features, API usage, custom themes, and development guides, refer to the official BookStack documentation.


16: Uptime Kuma - Monitoring & Status Pages

Uptime Kuma is a self-hosted monitoring solution built with Node.js. It provides uptime monitoring, incident tracking, status pages, and 90+ notification integrations. Supports HTTP(s), TCP, Ping, DNS, Docker containers, and more. For API documentation, advanced configuration, and development guides, see the official Uptime Kuma repository.

Prerequisites

Installation via Infinity Tools

Menu Installation

📱 APPLICATIONS → Uptime Kuma → Install

CLI Installation

sudo bash /opt/InfinityTools/Solutions/setup-uptime-kuma.sh --install

# With domain (Traefik mode)
export BS_DOMAIN="status.example.com"
sudo -E bash /opt/InfinityTools/Solutions/setup-uptime-kuma.sh --install

Deployment Modes

Traefik Mode (Default)

Uses Traefik for SSL termination and domain routing:

Standalone Mode

Direct access with HTTP or HTTPS (self-signed):

Architecture

Container

Data Persistence

Networks

Docker Socket Access

Optional read-only access to /var/run/docker.sock for Docker container monitoring:

Note that the :ro flag only makes the socket file itself read-only. Any process in the container that can connect to the socket can still issue arbitrary Docker API calls, including starting a privileged container with the host filesystem mounted. Treat socket access as root-equivalent on the host and enable it only if you need Docker-type monitors.

Installation Process

Configuration Steps

  1. SSL Mode Selection: Choose Traefik (default) or Standalone
  2. If Traefik: Provide domain name
  3. If Standalone: Specify port (default: 3001) and SSL mode
  4. Docker Monitoring: Optional enable Docker socket access
  5. Timezone: Optional timezone configuration (default: UTC)

What Gets Created

Access Methods

Traefik Mode

https://status.example.com

Direct web access after DNS propagation and SSL certificate generation (30-60 seconds).

Standalone Mode

HTTP:

http://SERVER_IP:3001

HTTPS:

https://SERVER_IP:3001

Accept self-signed certificate warning (Advanced → Proceed).

Authentication

First-Time Setup

Password Reset

docker exec -it uptime-kuma npm run reset-password

Follow prompts to enter username and new password.

Monitor Types

Supported Protocols

Monitor Configuration

Notification Integrations

Supported Providers

Apprise Integration

If Apprise is installed (Chapter 5), use it for notifications:

Status Pages

Features

Use Cases

Environment Variables

Uptime Kuma Container

Data Storage

Security Configuration

Access Security

Container Security

Configuration Persistence

Backup & Restore

Backup Strategy

# Full backup
cd /opt/speedbits
tar czf uptime-kuma-backup-$(date +%Y%m%d).tar.gz uptime-kuma/

# Using Uptime Kuma built-in backup
# Settings → Backup → Download Backup

Restore Process

  1. Stop container: cd /opt/speedbits/uptime-kuma && docker compose down
  2. Restore data: Extract backup to /opt/speedbits/uptime-kuma/
  3. Start container: docker compose up -d

Troubleshooting

Container Not Starting

docker logs uptime-kuma
docker ps -a | grep uptime-kuma

SSL Certificate Issues

Docker Monitoring Issues

Monitor Not Responding

Production Considerations

Integration with Infinity Tools

Uptime Kuma complements Infinity Tools by providing:

API & Automation

REST API

Webhooks

Next Steps

Uptime Kuma is now operational. Use it to:

For advanced features, API usage, custom themes, and development guides, refer to the official Uptime Kuma repository.


17: Netdata - Real-time Performance Monitoring

Netdata is a distributed, real-time performance monitoring solution written primarily in C. It provides sub-second granularity metrics collection, zero-configuration operation, and comprehensive system monitoring including CPU, memory, disk, network, processes, and Docker containers. For API documentation, advanced configuration, and development guides, see the official Netdata documentation.

Prerequisites

Installation via Infinity Tools

Menu Installation

📱 APPLICATIONS → Netdata → Install

CLI Installation

sudo bash /opt/InfinityTools/Solutions/setup-netdata.sh --install

Deployment Modes

Traefik Mode (Default)

Uses Traefik for SSL termination and domain routing:

Standalone Mode

Direct access with HTTP or HTTPS (self-signed):

Architecture

Container

Data Persistence

Host Access

Netdata requires access to host system for monitoring:

Networks

Installation Process

Configuration Steps

  1. SSL Mode Selection: Choose Traefik (default) or Standalone
  2. If Traefik: Provide domain name
  3. If Standalone: Specify port (default: 19999) and SSL mode
  4. Streaming: Optional parent-child streaming configuration
  5. Apprise Integration: Optional alert notification setup

What Gets Created

Access Methods

Traefik Mode

https://monitor.example.com

Direct web access after DNS propagation and SSL certificate generation (30-60 seconds).

Standalone Mode

HTTP:

http://SERVER_IP:19999

HTTPS:

https://SERVER_IP:19999

Accept self-signed certificate warning (Advanced → Proceed).

Security Configuration

Access Security

Container Security

Authentication

⚠️ CRITICAL: Netdata has NO username/password protection by default!

Metrics Collection

System Metrics

Docker Metrics

Data Retention

Alert Configuration

Default Alerts

Pre-configured alerts in health.d/:

Apprise Integration

If Apprise is enabled:

Custom Alerts

Create custom alerts in health.d/:

# Example: Custom alert
alarm: custom_metric
    on: system.cpu
  lookup: average -3m unaligned of user,system
   units: %
   every: 1m
    warn: $this > 75
    crit: $this > 90
   delay: down 5m multiplier 1.5 max 1h
    info: Custom CPU alert
      to: sysadmin

Parent-Child Streaming

Configuration

Stream metrics to a Netdata Director (parent server):

Use Cases

Environment Variables

Netdata Container

Configuration Files

Main Configuration

Customization

# Edit main config
nano /opt/speedbits/netdata-client/netdata/netdata.conf

# Edit alerts
nano /opt/speedbits/netdata-client/netdata/health.d/cpu_usage.conf

# Edit streaming
nano /opt/speedbits/netdata-client/netdata/stream.conf

Troubleshooting

Container Not Starting

docker logs netdata
docker ps -a | grep netdata

Missing Metrics

Docker Containers Not Showing

Alerts Not Working

Production Considerations

Integration with Infinity Tools

Netdata complements Infinity Tools by providing:

API & Automation

REST API

Exporting Data

Next Steps

Netdata is now operational. Use it to:

For advanced features, API usage, custom collectors, and development guides, refer to the official Netdata documentation.


18: Netdata Director - Multi-Server Monitoring Hub

Netdata Director is a parent-child streaming architecture that enables centralized monitoring of multiple servers. The Director (parent) receives metrics streams from child nodes, providing a unified dashboard, centralized alerting, and long-term historical data retention for all monitored infrastructure.

⚠️ LICENSE REQUIREMENT: Netdata Director is a Pro+ feature requiring a license. Community Netdata provides single-server monitoring only.

For advanced features, API documentation, and streaming configuration, see the official Netdata documentation.

Prerequisites

Installation via Infinity Tools

Menu Installation

📱 APPLICATIONS → Netdata Director → Install

CLI Installation

sudo bash /opt/InfinityTools/Solutions/setup-netdata-director.sh --install

Architecture

Parent-Child Streaming

Container

Data Persistence

Deployment Modes

Traefik Mode (Default)

Uses Traefik for SSL termination and domain routing:

Standalone Mode

Direct access with HTTP or HTTPS (self-signed):

Stream API Key

Generation

Usage

Child nodes use this key to authenticate when streaming metrics:

Streaming Configuration

Director Configuration

File: /opt/speedbits/netdata-director/netdata/stream.conf

[stream]
    # Director does not stream to anyone
    enabled = no

[$STREAM_API_KEY]
    enabled = yes
    default memory mode = dbengine
    health enabled by default = auto
    default postpone alarms on connect seconds = 60
    default history = 3600
    # accepts a stream from any IP that presents the key; see IP Restrictions below
    allow from = *

Child Node Configuration

Configured during child node installation:

Access Methods

Traefik Mode

https://monitoring.example.com

Direct web access after DNS propagation and SSL certificate generation (30-60 seconds).

Standalone Mode

HTTP:

http://SERVER_IP:19999

HTTPS:

https://SERVER_IP:19999

Security Configuration

Access Security

Authentication Limitations

⚠️ CRITICAL: Basic Auth cannot be used with Director because:

Security Alternatives

Stream API Key Security

Alert Configuration

Apprise Integration

If Apprise is enabled, Director sends alerts for ALL child nodes:

Alert Flow

  1. Child node detects issue
  2. Alert sent to Director
  3. Director forwards to Apprise
  4. Apprise sends to configured channels

Data Retention

Retention Periods

Storage

Child Node Connection

Connection Process

  1. Install Netdata on child server (Chapter 17)
  2. Enable streaming during installation
  3. Provide Director hostname/IP
  4. Provide Director port (default: 19999)
  5. Provide Stream API key
  6. Child node connects automatically

Connection Verification

Troubleshooting

Child Nodes Not Connecting

Streaming Issues

Production Considerations

Advanced Configuration

Multiple API Keys

Create separate API keys for different child nodes:

# In stream.conf, add multiple sections:
[api-key-1]
    enabled = yes
    allow from = 192.168.1.10

[api-key-2]
    enabled = yes
    allow from = 192.168.1.20

IP Restrictions

Restrict which IPs can connect. Note that allow from takes Netdata simple patterns (space-separated entries with * wildcards, a leading ! for negation, first match wins), matched against the child's IP as a string; it does not understand CIDR notation, so 192.168.1.0/24 would match only that literal string and reject every child. Netdata's config parser also does not support inline comments, so keep comments on their own line:

[$STREAM_API_KEY]
    enabled = yes
    # Only allow children from this subnet
    allow from = 192.168.1.*
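The Director stream.conf above and the per-key restrictions in this section are easy to get subtly wrong, because allow from is evaluated as a Netdata simple pattern against the connecting child's IP string. The following is an added example, not part of Infinity Tools or Netdata: a small audit script that parses a stream.conf, re-implements the simple-pattern match, and flags enabled keys that admit any source or use CIDR notation by mistake. The sample config, its key values and the section names are constructed for the example; the probe address 203.0.113.9 is documentation space (TEST-NET-3) that no real child would use.

```python
"""Audit a Netdata stream.conf: which API keys are enabled, and which
sources each 'allow from' really admits.

Netdata's 'allow from' is a simple-pattern list (space-separated entries,
'*' wildcards, a leading '!' negates, first match wins), matched against
the connecting child's IP as a string. It is not CIDR notation."""
import re
from typing import Dict, List, Tuple

# Constructed sample stream.conf (not from the page). Keys are placeholders.
SAMPLE_STREAM_CONF = """\
[stream]
    enabled = no

# wide open: any host that knows the key can stream
[11111111-2222-3333-4444-555555555555]
    enabled = yes
    allow from = *

# mistaken CIDR: matches only the literal string "192.168.1.0/24"
[66666666-7777-8888-9999-000000000000]
    enabled = yes
    allow from = 192.168.1.0/24

# correct: one excluded host, then the rest of the subnet
[aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee]
    enabled = yes
    allow from = !192.168.1.99 192.168.1.*

# not UUID-shaped, and disabled anyway
[api-key-1]
    enabled = no
    allow from = 192.168.1.10
"""

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def parse_stream_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for stream.conf: [section] headers, then 'key = value'.
    Lines starting with '#' are comments; Netdata has no inline comments,
    so nothing after a value is stripped."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def simple_pattern_matches(pattern_list: str, value: str) -> bool:
    """Netdata simple-pattern semantics: the first entry that matches decides;
    a negated ('!') match denies; no match at all denies."""
    for entry in pattern_list.split():
        negate = entry.startswith("!")
        if negate:
            entry = entry[1:]
        # only '*' is special; everything else is literal
        regex = ".*".join(re.escape(part) for part in entry.split("*"))
        if re.fullmatch(regex, value):
            return not negate
    return False


def audit_api_keys(text: str, probe_ip: str = "203.0.113.9") -> List[Tuple[str, List[str]]]:
    """Return (key, issues) for every enabled API-key section. If the
    TEST-NET-3 probe address is admitted, so is everyone."""
    findings = []
    for name, opts in parse_stream_conf(text).items():
        if name == "stream":
            continue  # sender-side section, not an API key
        if opts.get("enabled", "no").lower() not in ("yes", "true", "on"):
            continue
        allow = opts.get("allow from", "*")  # Netdata's default is '*'
        issues = []
        if not UUID_RE.match(name):
            issues.append("key is not UUID-shaped (Netdata's docs generate keys with uuidgen)")
        if simple_pattern_matches(allow, probe_ip):
            issues.append(f"admits any source: {probe_ip} matches '{allow}'")
        for entry in allow.split():
            if "/" in entry:
                issues.append(f"'{entry}' looks like CIDR; as a simple pattern it matches only that literal string")
        findings.append((name, issues))
    return findings


if __name__ == "__main__":
    for key, issues in audit_api_keys(SAMPLE_STREAM_CONF):
        print(key, "OK" if not issues else "")
        for issue in issues:
            print("   -", issue)
```

Run it against /opt/speedbits/netdata-director/netdata/stream.conf after every edit; a key with no findings admits only the children you listed, and the disabled [stream] sender section is ignored on purpose.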

Integration with Infinity Tools

Netdata Director complements Infinity Tools by providing:

Next Steps

Netdata Director is now operational. Use it to:

For advanced features, streaming configuration, API usage, and development guides, refer to the official Netdata documentation.


19: WireGuard - VPN Infrastructure

WireGuard is a modern VPN protocol using ChaCha20 encryption and Curve25519 key exchange. This installation uses WG-Easy (WireGuard-UI) for web-based client management, providing a user-friendly interface for VPN administration while maintaining WireGuard's performance and security benefits.

For protocol specifications, advanced configuration, and technical documentation, see the official WireGuard documentation.

Prerequisites

Installation via Infinity Tools

Menu Installation

📱 APPLICATIONS → WireGuard → Install

CLI Installation

sudo bash /opt/InfinityTools/Solutions/setup-wireguard.sh --install

# With domain (Traefik mode)
export WG_DOMAIN="vpn.example.com"
export WG_USE_TRAEFIK="true"
sudo -E bash /opt/InfinityTools/Solutions/setup-wireguard.sh --install

# Custom networks
export VPN_NETWORK_BASE="192.168.100"
export HOST_NETWORK_BASE="192.168.101"
export WG_VPN_PORT="51820"
sudo -E bash /opt/InfinityTools/Solutions/setup-wireguard.sh --install

Architecture

Containers

Network Architecture

Data Persistence

Host Integration

Deployment Modes

Traefik Mode

Uses Traefik for SSL termination and domain routing:

Standalone Mode (Default)

Direct access with HTTPS (self-signed):

Installation Process

Configuration Steps

  1. Network Configuration: VPN network base (default: 10.13.13) and Host network base (default: 10.13.14)
  2. DNS Configuration: Auto-detected from server's /etc/resolv.conf
  3. SSL Mode Selection: Choose Traefik or Standalone
  4. VPN Port: UDP port for VPN connections (default: 51820)
  5. Server Endpoint: Public IP or domain name for client connections
  6. Kernel Module: WireGuard kernel module installed and loaded
  7. Systemd Service: Host network service created and enabled

What Gets Created

Access Methods

Traefik Mode

https://vpn.example.com

Direct web access after DNS propagation and SSL certificate generation (30-60 seconds).

Standalone Mode

https://SERVER_IP:8445

Accept self-signed certificate warning (Advanced → Proceed).

Authentication

Web UI Credentials

VPN Client Authentication

Network Configuration

VPN Network (10.13.13.0/24)

Host Network (10.13.14.0/24)

iptables Rules

# NAT for VPN → Host network
iptables -t nat -A POSTROUTING -s 10.13.13.0/24 -d 10.13.14.0/24 -j MASQUERADE

# Forwarding rules
iptables -A FORWARD -s 10.13.13.0/24 -d 10.13.14.0/24 -j ACCEPT
iptables -A FORWARD -s 10.13.14.0/24 -d 10.13.13.0/24 -j ACCEPT

Environment Variables

WireGuard Container

Client Management

Web UI Features

Client Configuration

Clients are created via web UI. Each client gets:

Security Configuration

Encryption

Access Security

Container Security

Firewall Configuration

Required Ports

Firewall Best Practices

# Open VPN port (REQUIRED)
sudo ufw allow 51820/udp

# Close other public ports (access via VPN instead)
sudo ufw delete allow 8443  # Webmin
sudo ufw delete allow 8444  # Apprise
sudo ufw delete allow 8445  # WireGuard web UI

Systemd Service

Host Network Service

Service: wireguard-host-network.service

Service Management

# Check status
systemctl status wireguard-host-network.service

# Restart service
sudo systemctl restart wireguard-host-network.service

# View logs
journalctl -u wireguard-host-network.service

Troubleshooting

VPN Connection Issues

Host Network Issues

Web UI Issues

Production Considerations

Integration with Infinity Tools

WireGuard complements Infinity Tools by providing:

Advanced Configuration

Custom Networks

Configure custom network ranges:

export VPN_NETWORK_BASE="192.168.100"
export HOST_NETWORK_BASE="192.168.101"
sudo -E bash setup-wireguard.sh --install
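Overlapping subnets are the usual reason a freshly installed tunnel connects but cannot reach anything: if VPN_NETWORK_BASE or HOST_NETWORK_BASE collides with the LAN, Docker's bridge or another VPN, the kernel follows the existing route instead of the tunnel. It is worth checking before you pass custom bases to the installer. The following added example (not part of Infinity Tools or WG-Easy) validates a pair of bases against the routes a server already has and prints the NAT and FORWARD rules from the iptables Rules section for that pair. The ip -4 route output embedded below is a constructed sample; on a real server feed the function the live output of that command instead.

```python
"""Sanity-check the VPN and host network bases before running
setup-wireguard.sh, and derive the iptables rules those bases produce.

A /24 that overlaps a network the server already routes (the LAN, Docker's
docker0 bridge, another VPN) makes the tunnel come up but carry nothing."""
import ipaddress
from typing import Dict, List

# Constructed sample of `ip -4 route` output from a typical server (not from the page).
SAMPLE_IP_ROUTE = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
"""


def routed_networks(ip_route_output: str) -> Dict[str, ipaddress.IPv4Network]:
    """Map 'prefix (device)' to the network for each route carrying a prefix.
    The default route has no prefix and cannot overlap a /24, so it is skipped."""
    nets: Dict[str, ipaddress.IPv4Network] = {}
    for line in ip_route_output.splitlines():
        parts = line.split()
        if not parts or "/" not in parts[0]:
            continue
        dev = parts[parts.index("dev") + 1] if "dev" in parts else "?"
        nets[f"{parts[0]} ({dev})"] = ipaddress.IPv4Network(parts[0], strict=False)
    return nets


def base_to_network(base: str) -> ipaddress.IPv4Network:
    """Installer bases are the first three octets of a /24, e.g. '10.13.13'."""
    octets = base.split(".")
    if len(octets) != 3 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"expected a three-octet base like 10.13.13, got {base!r}")
    return ipaddress.IPv4Network(f"{base}.0/24")


def check_plan(vpn_base: str, host_base: str, ip_route_output: str) -> List[str]:
    """Return the problems with a VPN_NETWORK_BASE/HOST_NETWORK_BASE pair; empty means safe."""
    vpn, host = base_to_network(vpn_base), base_to_network(host_base)
    existing = routed_networks(ip_route_output)
    problems: List[str] = []
    if vpn == host:
        problems.append("VPN and host networks are the same /24")
    for label, net in (("VPN", vpn), ("host", host)):
        if not net.is_private:
            problems.append(f"{label} network {net} is not RFC 1918 space")
        for name, route in existing.items():
            if net.overlaps(route):
                problems.append(f"{label} network {net} overlaps existing route {name}")
    return problems


def iptables_rules(vpn_base: str, host_base: str) -> List[str]:
    """The NAT and forwarding rules from the iptables Rules section, for this pair."""
    vpn, host = base_to_network(vpn_base), base_to_network(host_base)
    return [
        f"iptables -t nat -A POSTROUTING -s {vpn} -d {host} -j MASQUERADE",
        f"iptables -A FORWARD -s {vpn} -d {host} -j ACCEPT",
        f"iptables -A FORWARD -s {host} -d {vpn} -j ACCEPT",
    ]


if __name__ == "__main__":
    # defaults, a base inside Docker's bridge, and a pair that collides with the LAN
    for pair in (("10.13.13", "10.13.14"), ("172.17.5", "10.13.14"), ("192.168.1", "192.168.1")):
        problems = check_plan(*pair, SAMPLE_IP_ROUTE)
        print(pair, "OK" if not problems else problems)
    print("\n".join(iptables_rules("10.13.13", "10.13.14")))
```

On a live server, replace SAMPLE_IP_ROUTE with subprocess output of ip -4 route; the check is deliberately conservative and also rejects public address space, since leaking a non-RFC 1918 range into a private tunnel hijacks real destinations for every client.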

Custom VPN Port

export WG_VPN_PORT="51821"
sudo -E bash setup-wireguard.sh --install

Custom DNS

export VPN_DNS="8.8.8.8,8.8.4.4"
sudo -E bash setup-wireguard.sh --install

Client Configuration Export

Via Web UI

Via Command Line

# View admin client config
sudo bash setup-wireguard.sh --show-config

# Client configs stored in
ls /opt/speedbits/wireguard/data/peer_*/peer.conf

Next Steps

WireGuard is now operational. Use it to:

For advanced features, protocol specifications, and development guides, refer to the official WireGuard documentation.


20: Warpgate - SSH Bastion Host

Warpgate is a modern bastion host for SSH, HTTPS and MySQL/PostgreSQL targets, providing centralized access control, session recording, and web-based management. It acts as a gateway for all SSH connections, reducing the attack surface by eliminating direct server access.

For protocol specifications, advanced configuration, and technical documentation, see the official Warpgate documentation.

Prerequisites

Installation via Infinity Tools

Menu Installation

📱 APPLICATIONS → Warpgate → Install

CLI Installation

sudo bash /opt/InfinityTools/Solutions/setup-warpgate.sh --install

# With domain (Traefik mode)
export WARPGATE_DOMAIN="warpgate.example.com"
export WG_USE_TRAEFIK="true"
sudo -E bash /opt/InfinityTools/Solutions/setup-warpgate.sh --install

# Standalone mode
export WG_USE_TRAEFIK="false"
export WG_PORT="8888"
sudo -E bash /opt/InfinityTools/Solutions/setup-warpgate.sh --install

# With domain argument
sudo bash /opt/InfinityTools/Solutions/setup-warpgate.sh --install warpgate.example.com

Architecture

Container

Ports

Data Persistence

Deployment Modes

Traefik Mode (Default)

Uses Traefik for SSL termination and domain routing:

Standalone Mode

Direct access with HTTPS (self-signed):

Installation Process

Configuration Steps

  1. SSL Mode Selection: Choose Traefik or Standalone
  2. Domain Configuration: If Traefik, specify domain (e.g., warpgate.example.com)
  3. Port Configuration: If Standalone, specify web UI port (default: 8888)
  4. Container Creation: Warpgate container created and started
  5. Interactive Setup: Admin account creation via warpgate setup command

What Gets Created

Access Methods

Traefik Mode

# Web interface
https://warpgate.example.com

# SSH bastion
ssh -p 2222 user@warpgate.example.com

Direct web access after DNS propagation and SSL certificate generation (30-60 seconds).

Standalone Mode

# Web interface
https://SERVER_IP:8888

# SSH bastion
ssh -p 2222 user@SERVER_IP

Accept self-signed certificate warning (Advanced → Proceed).

Initial Setup

Admin Account Creation

After container creation, Warpgate runs interactive setup:

docker run --rm -it \
  -v /opt/speedbits/warpgate/data:/data \
  ghcr.io/warp-tech/warpgate:latest \
  setup

Prompts:

Configuration File

After setup, configuration is stored in:

/opt/speedbits/warpgate/data/warpgate.yaml

File permissions: 600 (owner: uid 1000)

Authentication

Web Interface Authentication

SSH Bastion Authentication

Target Configuration

Adding Targets

Targets are servers that users can connect to through Warpgate:

Same-Server Target

For accessing the server where Warpgate runs:

User Management

Web Interface

User Access Control

SSH Connection Flow

Connection Process

  1. Client connects to Warpgate on port 2222
  2. Warpgate authenticates user (username/password)
  3. Warpgate presents available targets
  4. User selects target
  5. Warpgate connects to target using configured credentials
  6. Session is established and optionally recorded

SSH Command

# Traefik mode
ssh -p 2222 warpgate-user@warpgate.example.com

# Standalone mode
ssh -p 2222 warpgate-user@SERVER_IP

Security Configuration

Access Security

Firewall Best Practices

# Open Warpgate SSH bastion port
sudo ufw allow 2222/tcp

# Open web interface port (if standalone)
sudo ufw allow 8888/tcp

# Close direct SSH access only after testing Warpgate: keep your current SSH
# session open and confirm a fresh login through port 2222 reaches a target
# before removing this rule, or you can lock yourself out of the server.
sudo ufw delete allow 22/tcp

Container Security

Environment Variables

Standalone Mode

Troubleshooting

Web Interface Issues

SSH Connection Issues

Target Connection Failures

Production Considerations

Integration with Infinity Tools

Warpgate complements Infinity Tools by providing:

Advanced Configuration

Custom Ports

# Custom web UI port (standalone)
export WG_PORT="9999"
sudo -E bash setup-warpgate.sh --install

# SSH port is always 2222 (exposed directly)

Configuration File

Edit configuration directly:

# Backup first
cp /opt/speedbits/warpgate/data/warpgate.yaml /opt/speedbits/warpgate/data/warpgate.yaml.backup

# Edit configuration
nano /opt/speedbits/warpgate/data/warpgate.yaml

# Restart container
docker restart warpgate

Session Recording

Enabling Recording

Session recording can be enabled per user or per target in the web interface. Recorded sessions are stored in the database and can be reviewed for security auditing.

User Management Script

Infinity Tools provides a helper script for creating system users:

sudo bash /opt/InfinityTools/Infrastructure/add-warpgate-user.sh

This script creates a warpgate system user with SSH key access. Edit the script to add your SSH public key before running.

Next Steps

Warpgate is now operational. Use it to:

For advanced features, API documentation, and development guides, refer to the official Warpgate documentation.
