3. Pro Path Docs for IT professionals Installation Your basic prerequisites for Infinity Tools installation. 1: Getting Started This guide is designed for IT professionals who are familiar with Linux, servers, networking, and modern DevOps practices. If you're comfortable with Docker, containerization, and command-line administration, you're in the right place. Prerequisites Before installing Infinity Tools, ensure you have: Required ✅ Linux Server - Any modern Linux distribution (Ubuntu, Debian, CentOS, Fedora, Arch, etc.) ✅ Root/Sudo Access - Full administrative privileges ✅ Internet Connection - Required for downloading dependencies and Docker images ✅ Minimum 2GB RAM - Recommended 4GB+ for running multiple services ✅ 20GB+ Storage - For applications and data (more recommended for production) Technical Knowledge Assumed This guide assumes you're familiar with: Linux command-line operations Docker and Docker Compose Basic networking concepts (ports, DNS, reverse proxies) SSL/TLS certificates and Let's Encrypt SSH connections and key management System administration basics Server Setup Options Option 1: Self-Hosted Server If you have physical hardware or are running a virtualization platform: Requirements: Physical server or VM with a supported Linux distribution Direct internet access or through a router/firewall Ability to configure DNS records (for SSL certificates) Considerations: Network configuration and firewall rules Static IP address recommended Domain name for SSL certificates (optional but recommended) Option 2: Cloud/VPS Provider Most IT professionals will use a cloud provider. Popular options include: Hetzner Cloud (Recommended) Excellent price-to-performance ratio EU-based with strong data protection Simple interface, great for automation Starting at ~€4/month for basic instances DigitalOcean Developer-friendly interface Strong documentation and community Good performance and reliability Starting at $6/month for basic droplets Other Options: AWS EC2, Google Cloud Platform, Azure (more complex but powerful) Linode, Vultr, Scaleway (good alternatives) Any provider that offers a Linux server with root access Server Configuration Regardless of your hosting choice, configure your server with: Fresh Linux Installation Clean install of your preferred distribution All security updates applied ( apt update && apt upgrade or equivalent) Non-Root User with Sudo Create a user account with sudo privileges SSH key authentication configured (password auth disabled recommended) Basic Firewall At minimum, allow SSH (port 22) and HTTP/HTTPS (ports 80/443) UFW or firewalld configured and enabled DNS Configuration (for SSL certificates) Domain name pointing to your server's IP address If using Traefik, ensure DNS A record is configured before installation System Requirements Minimum Specifications CPU: 1 core (2 cores recommended) RAM: 2GB (4GB+ recommended) Storage: 20GB SSD (more for production workloads) Network: Stable internet connection Recommended for Production CPU: 2-4 cores RAM: 4-8GB Storage: 50GB+ SSD with backup storage Network: 100Mbps+ connection Storage Considerations Infinity Tools stores data in /opt/speedbits/ by default: Application data volumes Database files Configuration files SSL certificates Ensure sufficient disk space and consider: Using separate volumes for databases Regular backup strategies Monitoring disk usage What You'll Need Before Installation 1. Domain Name (Optional but Recommended) For automatic SSL certificates via Let's Encrypt: A domain name you control Ability to create DNS A records DNS pointing to your server's IP address Without a domain: You can still use Infinity Tools with self-signed certificates or IP-based access, but SSL won't be automatically trusted by browsers. 2. Email Address For SSL certificate notifications and administrative purposes: Valid email address (for Let's Encrypt certificate warnings) Consider a dedicated email for server administration 3. SSH Access Ensure you can: Connect to your server via SSH Use sudo/root privileges Transfer files if needed (SCP/SFTP) Next Steps Once your server is ready: SSH into your server Download or transfer Infinity Tools installer Run the installer (covered in the next article) The installation process will: Check system readiness Install Docker if needed Set up Infinity Tools in /opt/InfinityTools/ Create the infinity-tools command for easy access Quick Reference Installation Path: /opt/InfinityTools/ Command: sudo infinity-tools Data Directory: /opt/speedbits/ Configuration: /opt/speedbits/_configuration/ Common Considerations Firewall Ports Default ports used by Infinity Tools: 80/443 - HTTP/HTTPS (Traefik) 22 - SSH Various - Application-specific ports (configurable) Docker Resources Docker will be installed if not present. Consider: Docker daemon configuration Storage driver selection Network configuration Resource limits Backup Strategy Infinity Tools includes Borgmatic for backups, but you should also: Plan for backup storage location Configure retention policies Test restore procedures Troubleshooting Common Issues Port conflicts: Check for existing services using ports 80/443 or other expected ports. Network issues: Ensure firewall allows necessary traffic and DNS is properly configured. Ready to Install? Once your server meets these prerequisites, proceed to the installation guide which will cover: Establishing SSH connection Getting Infinity Tools onto your server Running the installer Initial configuration Next: Installation and Initial Setup Guide (Article 2) 2: Installing Infinity Tools This chapter covers the complete installation process for Infinity Tools on your Linux server. We'll cover SSH connection, downloading the installer, and running the installation with technical details relevant to system administrators. Prerequisites Recap Ensure you have: ✅ Linux server with root/sudo access ✅ SSH client installed on your local machine ✅ Server IP address and credentials ✅ Internet connectivity on both local and server Obtaining the Infinity Tools Installer You'll receive the Infinity Tools installer as a file (typically named infinity-tools-installer.run ) through your preferred delivery method. File Transfer Methods Method 1: SCP (Secure Copy) - Recommended # From your local machine scp infinity-tools-installer.run root@YOUR_SERVER_IP:/tmp/ Method 2: SFTP (Secure File Transfer Protocol) # Connect via SFTP sftp root@YOUR_SERVER_IP # Upload file put infinity-tools-installer.run /tmp/ # Exit SFTP quit Verify File Integrity # Check file size ls -lh infinity-tools-installer.run # Verify file type file infinity-tools-installer.run # Check for corruption (if checksum available) # sha256sum infinity-tools-installer.run # Compare with provided checksum # Verify file permissions ls -la infinity-tools-installer.run Installation Process Pre-Installation Setup Make the installer executable and verify permissions: chmod +x infinity-tools-installer.run ls -la infinity-tools-installer.run Run Installation Execute the installer with root privileges: sudo ./infinity-tools-installer.run Installation Process Details The installer performs the following operations: Archive Extraction: Uses makeself to extract to temporary directory Creates /tmp/selfgz[random]/InfinityTools/ Contains all scripts, configurations, and dependencies File Installation: Copies files to /opt/InfinityTools/ Sets executable permissions on all *.sh files Preserves directory structure and file ownership Dependency Installation: Installs GUM (interactive menu tool) if not present Detects package manager (apt, dnf, pacman, apk) Adds repository and installs via appropriate package manager System Integration: Creates symbolic link: /usr/local/bin/infinity-tools Creates desktop entry (if GUI environment detected) Sets up proper file permissions and ownership Installation Output Expected installation output: ╔════════════════════════════════════════════════════════════════════════════════╗ ║ ║ ║ ♾️ Infinity Tools - Linux Server Suite ║ ║ ║ ╚════════════════════════════════════════════════════════════════════════════════╝ 📦 Installing Infinity Tools... Source: /tmp/selfgz12345/InfinityTools Target: /opt/InfinityTools 📋 Copying files... 🔧 Setting permissions... 📦 Checking dependencies... Installing 'gum' (interactive menu tool)... 🔗 Creating command shortcut... 🖥️ Creating desktop shortcut... ╔════════════════════════════════════════════════════════════════════════════════╗ ║ ✅ INSTALLATION SUCCESSFUL! ║ ╚════════════════════════════════════════════════════════════════════════════════╝ First Run Launch Infinity Tools sudo bash infinity-tools Initial System Check On first run, Infinity Tools will: Load all helper modules from StartHelper/ Check system readiness and dependencies Initialize the interactive menu system Display service status and health information Menu Navigation The main menu provides access to: 📱 APPS - SOFTWARE: Application installation scripts 🔐 SECURITY & NETWORKING: Security hardening and network tools 🏗️ INFRASTRUCTURE & CORE SYSTEMS: Docker, Portainer, system tools 💾 BACKUP MANAGEMENT: Borgmatic, Rclone, backup configuration 📊 STATUS & HEALTH: System monitoring and health checks Installation Architecture Directory Structure /opt/InfinityTools/ ├── start-tools.sh # Main launcher script ├── install.sh # Installation script ├── Solutions/ # Application installers │ ├── setup-traefik.sh │ ├── setup-wordpress.sh │ └── ... ├── Infrastructure/ # Core system tools │ ├── install-docker.sh │ ├── increase-security.sh │ └── ... ├── StartHelper/ # Helper modules │ ├── menu-builder.sh │ ├── service-metadata.sh │ └── ... ├── Uninstallations/ # Removal scripts ├── Fallback/ # Recovery tools └── Repair/ # Maintenance utilities Data Directory Application data is stored in: /opt/speedbits/ ├── _configuration/ # Global configuration ├── traefik/ # Traefik data ├── wordpress/ # WordPress instances ├── vaultwarden/ # Vaultwarden data └── ... Configuration Management Global Configuration Infinity Tools uses a centralized configuration system: # Main configuration file /opt/speedbits/_configuration/config # Port configuration Infrastructure/ports-config.yml # Service metadata StartHelper/service-metadata.sh Environment Variables Key environment variables for customization: # Debug mode export INFINITY_DEBUG=true # Custom installation path (not recommended) export INFINITY_INSTALL_DIR=/custom/path # Disable tracking export INFINITY_NO_TRACKING=true Security Considerations File Permissions # Check script permissions find /opt/InfinityTools -name "*.sh" -ls # Verify ownership ls -la /opt/InfinityTools/ # Check for world-writable files find /opt/InfinityTools -perm -002 -type f Network Security Infinity Tools implements: Network isolation between services SSL/TLS termination at Traefik Firewall configuration via UFW SSH hardening options Troubleshooting Common Issues Installation fails with permission errors: # Ensure running as root sudo whoami # Check file permissions ls -la infinity-tools-installer.run # Verify disk space df -h /opt GUM installation fails: # Manual GUM installation curl -sL https://github.com/charmbracelet/gum/releases/download/v0.13.0/gum_0.13.0_Linux_x86_64.tar.gz | tar -xz sudo mv gum /usr/local/bin/ Command not found after installation: # Check symbolic link ls -la /usr/local/bin/infinity-tools # Recreate if missing sudo ln -sf /opt/InfinityTools/start-tools.sh /usr/local/bin/infinity-tools # Update PATH if necessary echo 'export PATH="/usr/local/bin:$PATH"' >> ~/.bashrc source ~/.bashrc Log Analysis # Check installation logs journalctl -u infinity-tools 2>/dev/null || echo "No systemd service" # Check Docker logs docker logs infinity-tools 2>/dev/null || echo "No Docker container" # Check system logs tail -f /var/log/syslog | grep -i infinity Uninstallation Complete Removal # Remove Infinity Tools sudo rm -rf /opt/InfinityTools/ # Remove symbolic link sudo rm -f /usr/local/bin/infinity-tools # Remove desktop entry sudo rm -f /usr/share/applications/infinity-tools.desktop # Remove data (WARNING: This deletes all application data) sudo rm -rf /opt/speedbits/ Selective Cleanup To remove only Infinity Tools while preserving data: # Remove only the application sudo rm -rf /opt/InfinityTools/ # Keep data directory # /opt/speedbits/ remains intact Next Steps After successful installation: Install Docker: Navigate to Infrastructure → Install Docker Configure Traefik: Set up reverse proxy and SSL Deploy Applications: Install your required services Configure Backups: Set up Borgmatic for data protection Security Hardening: Apply security configurations Quick Reference # Start Infinity Tools sudo infinity-tools # Manual execution cd /opt/InfinityTools && sudo bash start-tools.sh # Check status sudo infinity-tools --status 2>/dev/null || echo "Status check not available" # View logs sudo journalctl -f -u infinity-tools 2>/dev/null || echo "No systemd service" # Update (if available) cd /opt/InfinityTools && git pull 2>/dev/null || echo "Not a git repository" Installation Complete: Infinity Tools is now installed and ready for configuration. Proceed to the next chapter to begin deploying your infrastructure stack. Next: Infrastructure Setup and Application Deployment (Chapter 3) Foundations Foundational apps for almost any Infinity Tools installation. 3: Infrastructure Prerequisites This chapter covers the essential infrastructure components that must be in place before deploying applications with Infinity Tools. The system includes automated readiness checks, but understanding the underlying architecture is crucial for troubleshooting and optimization. Prerequisites Overview Infinity Tools requires the following infrastructure components, which it handles automatically: ✅ Docker Engine - Container runtime and orchestration ✅ Docker Compose - Multi-container application definitions ✅ Docker Network - Service discovery and communication ✅ System Dependencies - GUM, Dialog, curl/wget ✅ Resource Requirements - Disk space, memory, network Automated Readiness Check Infinity Tools includes an automated readiness checker that validates and installs prerequisites: sudo infinity-tools The readiness check performs the following operations in sequence: 1. System Requirements Validation # Check root privileges [ "$EUID" -eq 0 ] # Verify disk space (minimum 1GB) df / | awk 'NR==2 {print $4}' # Check for download tools command -v curl || command -v wget # WSL2 detection and configuration grep -qi microsoft /proc/version 2. GUM Installation GUM provides the modern terminal UI. Installation process: # Architecture detection arch=$(uname -m) case $arch in x86_64) arch="x86_64" ;; aarch64|arm64) arch="arm64" ;; armv7l) arch="armv7" ;; esac # Download and install binary gum_version="v0.13.0" download_url="https://github.com/charmbracelet/gum/releases/download/${gum_version}/gum_${gum_version#v}_Linux_${arch}.tar.gz" 3. Docker Installation and Configuration Docker installation is handled by the install-docker.sh script: # Check existing installation command -v docker # Verify Docker service status systemctl is-active docker # Check Docker Compose availability docker compose version || docker-compose --version 4. Docker Network Setup Creates the default "proxy" network for service communication: # Check existing networks docker network ls --format '{{.Name}}' | grep -v -E '^(bridge|host|none)$' # Create network if needed docker network create proxy # Store network configuration echo "DOCKER_NETWORK=proxy" > /tmp/infinity-tools-network.conf Docker Architecture Container Runtime Infinity Tools uses Docker Engine with the following configuration: Storage Driver: Overlay2 (default) Network Driver: Bridge networks Logging Driver: JSON-file Restart Policy: unless-stopped Docker Compose Integration All services are defined using Docker Compose v2 (plugin) format: version: '3.8' services: service-name: image: image:tag container_name: service-name restart: unless-stopped networks: - proxy volumes: - /opt/speedbits/service:/data environment: - KEY=value Network Architecture Default Network Configuration The "proxy" network provides: Service Discovery: Containers can reach each other by name Isolation: Services are isolated from host network Traefik Integration: Enables automatic reverse proxy configuration DNS Resolution: Built-in container name resolution Network Topology Internet → Traefik (proxy network) → Application Containers ↓ Database Containers (borgmatic-db network) System Dependencies Required Packages The readiness check installs the following packages: # Core utilities curl wget git jq # UI components gum dialog # Optional tools rclone Package Manager Support Infinity Tools supports multiple package managers: APT (Debian/Ubuntu) DNF (Fedora/RHEL) YUM (CentOS/RHEL) PACMAN (Arch Linux) APK (Alpine Linux) Resource Requirements Minimum Specifications CPU: 1 core (2+ recommended) RAM: 2GB (4GB+ recommended) Storage: 20GB SSD (50GB+ recommended) Network: Stable internet connection Storage Considerations Infinity Tools uses the following storage structure: /opt/speedbits/ ├── _configuration/ # Global configuration ├── traefik/ # Traefik data and certificates ├── wordpress/ # WordPress instances ├── vaultwarden/ # Vaultwarden data └── ... # Other service data /var/lib/docker/ # Docker system data ├── volumes/ # Named volumes ├── networks/ # Network configurations └── containers/ # Container data Security Considerations Docker Security Non-root containers: Services run with PUID/PGID 1000 Read-only filesystems: Where applicable No new privileges: Security opt applied Network isolation: Services on isolated networks File Permissions # Check script permissions find /opt/InfinityTools -name "*.sh" -exec ls -la {} \; # Verify ownership ls -la /opt/InfinityTools/ # Check for world-writable files find /opt/InfinityTools -perm -002 -type f Monitoring and Troubleshooting System Status Commands # Docker status systemctl status docker docker info # Network status docker network ls docker network inspect proxy # Container status docker ps -a docker stats # Logs journalctl -u docker docker logs container-name Common Issues Docker service not starting: sudo systemctl start docker sudo systemctl enable docker sudo systemctl status docker Network creation fails: # Check if network already exists docker network ls | grep proxy # Remove and recreate if needed docker network rm proxy docker network create proxy Permission issues: # Add user to docker group sudo usermod -aG docker $USER newgrp docker # Check group membership groups $USER Performance Optimization Docker Configuration For production environments, consider these optimizations: # /etc/docker/daemon.json { "log-driver": "json-file", "log-opts": { "max-size": "10m", "max-file": "3" }, "storage-driver": "overlay2", "storage-opts": [ "overlay2.override_kernel_check=true" ] } Resource Limits Set appropriate resource limits for containers: services: service-name: deploy: resources: limits: memory: 512M cpus: '0.5' reservations: memory: 256M cpus: '0.25' Backup Considerations Docker Data Backup Important data locations for backup: Application Data: /opt/speedbits/ Docker Volumes: /var/lib/docker/volumes/ Configuration: /opt/InfinityTools/ SSL Certificates: /opt/speedbits/traefik/letsencrypt/ Next Steps With infrastructure prerequisites satisfied, you're ready to deploy Traefik - the reverse proxy that provides SSL termination and routing for all services. Verification Checklist ✅ Docker Engine running and accessible ✅ Docker Compose available ✅ Proxy network created ✅ GUM installed for UI ✅ System resources adequate ✅ Network connectivity verified Next: Installing Traefik - Reverse Proxy Configuration (Chapter 4) 4. Traefik - Reverse Proxy Configuration Traefik serves as the reverse proxy and SSL termination point for all Infinity Tools services. This chapter covers the installation, configuration, and management of Traefik within the Infinity Tools ecosystem. For advanced configuration and troubleshooting, refer to the official Traefik documentation . Traefik Architecture Overview Traefik provides the following core functionality: ✅ SSL/TLS Termination - Automatic Let's Encrypt certificate management ✅ Reverse Proxy - Request routing based on Host headers ✅ Load Balancing - Distribution of traffic across service instances ✅ Service Discovery - Automatic detection of Docker containers ✅ Middleware Support - Security headers, authentication, rate limiting Installation Process Via Infinity Tools Menu Navigate to the Infinity Tools menu and select: 🔐 SECURITY & NETWORKING → Install Traefik Command Line Installation # Direct script execution sudo bash /opt/InfinityTools/Solutions/setup-traefik.sh --install # With environment variables export ACME_EMAIL="admin@domain.com" export PROXY_NETWORK="proxy" sudo -E bash /opt/InfinityTools/Solutions/setup-traefik.sh --install Configuration Parameters Required Configuration During installation, you'll be prompted for: ACME Email: Email address for Let's Encrypt certificate notifications Domain Name: Primary domain for SSL certificate generation IPv6 Support: Enable/disable IPv6 for ACME challenges Network Configuration: Docker network for service communication Environment Variables # Optional environment variables export ACME_EMAIL="admin@domain.com" # Let's Encrypt email export PROXY_NETWORK="proxy" # Docker network name export TRAEFIK_DOMAIN="traefik.domain.com" # Traefik dashboard domain export TRAEFIK_PORT="8080" # Dashboard port (if enabled) Generated Configuration Traefik Configuration File Location: /opt/speedbits/traefik/traefik.yml entryPoints: web: address: ":80" http: redirections: entryPoint: to: websecure scheme: https permanent: true websecure: address: ":443" certificatesResolvers: myresolver: acme: email: admin@domain.com storage: /letsencrypt/acme.json httpChallenge: entryPoint: web providers: docker: exposedByDefault: false serversTransport: insecureSkipVerify: true global: checkNewVersion: false sendAnonymousUsage: false Docker Compose Configuration Location: /opt/speedbits/traefik/docker-compose.yml version: '3.8' services: traefik: image: traefik:v3.0 container_name: traefik command: - "--configFile=/traefik.yml" ports: - "80:80" - "443:443" volumes: - /var/run/docker.sock:/var/run/docker.sock:ro - /opt/speedbits/traefik/traefik.yml:/traefik.yml:ro - /opt/speedbits/traefik/letsencrypt:/letsencrypt restart: unless-stopped networks: - proxy networks: proxy: external: true SSL Certificate Management Let's Encrypt Integration Traefik automatically manages SSL certificates using Let's Encrypt: HTTP-01 Challenge: Validates domain ownership via HTTP Automatic Renewal: Certificates are renewed automatically Wildcard Support: Supports wildcard certificates via DNS challenge Certificate Storage: Stored in /opt/speedbits/traefik/letsencrypt/ Certificate Monitoring # Check certificate status docker logs traefik | grep -i acme # View certificate files ls -la /opt/speedbits/traefik/letsencrypt/ # Check certificate expiration openssl x509 -in /opt/speedbits/traefik/letsencrypt/acme.json -text -noout Service Integration Automatic Service Discovery Traefik automatically discovers services with the following labels: labels: - "traefik.enable=true" - "traefik.http.routers.service-name.rule=Host(`service.domain.com`)" - "traefik.http.routers.service-name.entrypoints=websecure" - "traefik.http.routers.service-name.tls.certresolver=myresolver" - "traefik.http.services.service-name.loadbalancer.server.port=8080" Network Requirements Services must be connected to the same Docker network as Traefik: networks: - proxy # Ensure network exists docker network create proxy Security Configuration Security Headers Traefik can be configured with security middleware: labels: - "traefik.http.middlewares.security-headers.headers.customResponseHeaders.X-Content-Type-Options=nosniff" - "traefik.http.middlewares.security-headers.headers.customResponseHeaders.X-Frame-Options=SAMEORIGIN" - "traefik.http.middlewares.security-headers.headers.customResponseHeaders.X-XSS-Protection=1; mode=block" - "traefik.http.routers.service-name.middlewares=security-headers" Access Control Basic authentication can be configured for services: # Generate password hash echo $(htpasswd -nb admin password) | sed -e s/\\$/\\$\\$/g # Apply to service labels: - "traefik.http.middlewares.auth.basicauth.users=admin:$$2y$$10$$..." - "traefik.http.routers.service-name.middlewares=auth" Monitoring and Logging Traefik Dashboard The Traefik dashboard can be enabled for monitoring: # Add to docker-compose.yml labels: - "traefik.enable=true" - "traefik.http.routers.dashboard.rule=Host(`traefik.domain.com`)" - "traefik.http.routers.dashboard.tls.certresolver=myresolver" - "traefik.http.routers.dashboard.service=api@internal" Logging Configuration # Add to traefik.yml log: level: INFO filePath: /var/log/traefik.log accessLog: filePath: /var/log/access.log format: json Performance Optimization Resource Limits services: traefik: deploy: resources: limits: memory: 512M cpus: '0.5' reservations: memory: 256M cpus: '0.25' Caching Configuration # Add to traefik.yml http: middlewares: cache: headers: customRequestHeaders: Cache-Control: "max-age=3600" Troubleshooting Common Issues Certificate Generation Fails: # Check domain DNS resolution dig domain.com nslookup domain.com # Verify port 80 accessibility telnet domain.com 80 # Check Traefik logs docker logs traefik | grep -i acme Service Not Accessible: # Check service labels docker inspect service-name | grep -A 10 Labels # Verify network connectivity docker network inspect proxy # Check Traefik routing curl -H "Host: service.domain.com" http://localhost Performance Issues: # Monitor resource usage docker stats traefik # Check connection limits ss -tulnp | grep :443 # Review access logs tail -f /opt/speedbits/traefik/logs/access.log Debugging Commands # Check Traefik configuration docker exec traefik traefik version # Test configuration docker exec traefik traefik --configFile=/traefik.yml --logLevel=DEBUG # View active routes curl -s http://localhost:8080/api/http/routers | jq # Check certificate status docker exec traefik cat /letsencrypt/acme.json | jq Backup and Recovery Configuration Backup # Backup Traefik configuration tar -czf traefik-backup.tar.gz -C /opt/speedbits/traefik . # Backup SSL certificates cp -r /opt/speedbits/traefik/letsencrypt/ /backup/traefik-certs/ Disaster Recovery # Restore configuration tar -xzf traefik-backup.tar.gz -C /opt/speedbits/traefik/ # Restart Traefik cd /opt/speedbits/traefik docker compose down docker compose up -d Integration with Other Services Service Dependencies Most Infinity Tools services check for Traefik availability: # Service installation checks if ! docker ps --format '{{.Names}}' | grep -q "^traefik$"; then echo "Traefik is not running!" echo "Please install Traefik first" exit 1 fi Network Integration Services automatically join the proxy network: networks: proxy: external: true name: proxy Advanced Configuration Custom Middleware # Rate limiting labels: - "traefik.http.middlewares.ratelimit.ratelimit.burst=100" - "traefik.http.middlewares.ratelimit.ratelimit.average=50" # IP whitelisting labels: - "traefik.http.middlewares.ipwhitelist.ipwhitelist.sourcerange=192.168.1.0/24" Load Balancing labels: - "traefik.http.services.service-name.loadbalancer.server.port=8080" - "traefik.http.services.service-name.loadbalancer.healthcheck.path=/health" - "traefik.http.services.service-name.loadbalancer.healthcheck.interval=30s" Next Steps With Traefik installed and configured, you can now deploy applications that will automatically integrate with the reverse proxy system. Verification Checklist ✅ Traefik container running and healthy ✅ SSL certificates generated for configured domains ✅ HTTP to HTTPS redirection working ✅ Docker network connectivity verified ✅ Service discovery functioning Next: Application Deployment and Management (Coming Soon) 5: Apprise - Notifications Hub Apprise provides a unified notification gateway (HTTP API) for 90+ providers (email, Slack, Discord, Telegram, etc.). Infinity Tools integrates Apprise for infrastructure alerts (e.g., Borgmatic ). For provider matrices and syntax, see the official Apprise documentation . We included it here since Borgmatic , the backup solution provided by Infinity Tools, requires it (and we assume you like to create backups). Prerequisites ✅ Traefik installed (Chapter 4) for HTTPS (optional) ✅ Docker running (Chapter 3) ✅ Optional: Subdomain (Chapter 4.5), e.g., alerts.example.com Installation via Infinity Tools Menu Installation 📱 APPLICATIONS → Apprise → Install CLI Installation sudo bash /opt/InfinityTools/Solutions/setup-apprise.sh --install # With domain (Traefik mode) export APPRISE_DOMAIN="alerts.example.com" sudo -E bash /opt/InfinityTools/Solutions/setup-apprise.sh --install Service Endpoints Local API: http://apprise:8000/notify With domain (Traefik): https://alerts.example.com/notify Provider URLs Apprise uses provider URLs to define targets: # SMTP (STARTTLS) mailtos://USERNAME:PASSWORD@SMTP_HOST:587/?from=from@example.com&to=ops@example.com # Slack (Webhook) slack://TOKENA/TOKENB/TOKENC # Telegram tgram://BOT_TOKEN/CHAT_ID Sending Notifications cURL curl -X POST "http://apprise:8000/notify" \ -d "title=Backup" \ -d "body=Borgmatic completed successfully" \ -d "url=PROVIDER_URL" JSON curl -X POST "http://apprise:8000/notify" \ -H 'Content-Type: application/json' \ -d '{ "title": "Backup", "body": "Borgmatic completed successfully", "url": ["PROVIDER_URL1", "PROVIDER_URL2"] }' Integration Notes Borgmatic: Points to Apprise API for start/finish/failure hooks Other services: Can post to the same endpoint Security: Prefer Traefik HTTPS and restrict access if exposing publicly Troubleshooting Logs: docker logs apprise Validate provider URL syntax against docs Check egress connectivity to provider endpoints Next Proceed to Borgmatic (Chapter 6) to configure automated backups with notifications. 6: Borgmatic - Enterprise Backup Solution Borgmatic is a configuration-driven wrapper for BorgBackup that provides enterprise-grade backup capabilities with deduplication, encryption, and automated scheduling. It implements a dual-backup strategy separating file and database backups with different retention policies. For comprehensive configuration options, advanced features, and API documentation, please refer to the official Borgmatic documentation . Interdependencies Required dependency: Apprise must be installed and running for notification delivery (success/failure/security alerts). Install via 📱 APPLICATIONS → Apprise → Install before enabling Borgmatic. Prerequisites ✅ Docker running (Chapter 3) ✅ Apprise installed (Chapter 5) for notifications ✅ Storage capacity (backups require free disk space) ✅ Optional: Traefik (not required for Borgmatic) Architecture Overview Borgmatic in Infinity Tools implements a sophisticated backup architecture: ✅ Dual Backup Strategy - Separate file and database backup schedules ✅ Deduplication - Efficient storage using Borg's chunking algorithm ✅ Encryption - AES-256 encryption with repokey mode ✅ Ransomware Protection - Canary file monitoring system ✅ Multi-Database Support - MariaDB, PostgreSQL, SQLite, MongoDB ✅ Notification Integration - Apprise integration for alerts Installation Methods Via Infinity Tools Menu Navigate to the Infinity Tools menu and select: 💾 BACKUP MANAGEMENT → Install Borgmatic Command Line Installation # Direct script execution sudo bash /opt/InfinityTools/Solutions/setup-borgmatic.sh --install # With environment variables export BORGMATIC_SCHEDULE="daily" export BORGMATIC_RETENTION="7,4,6" export BORGMATIC_COMPRESSION="zstd" export BORGMATIC_ENCRYPTION="repokey" sudo -E bash /opt/InfinityTools/Solutions/setup-borgmatic.sh --install Configuration Parameters Schedule Configuration Borgmatic supports multiple schedule options: # Environment Variables export BORGMATIC_SCHEDULE="daily" # daily, twice-daily, weekly export BORGMATIC_RETENTION="7,4,6" # daily,weekly,monthly export BORGMATIC_COMPRESSION="zstd" # lz4, zlib, lzma, zstd export BORGMATIC_ENCRYPTION="repokey" # none, keyfile, repokey Dual Backup Strategy The system implements two separate backup configurations: File Backups: Daily schedule, long-term retention Database Backups: High-frequency schedule, short-term retention Generated Configuration File Backup Configuration Location: /opt/speedbits/borgmatic/borgmatic-files.yml # Borgmatic Files Configuration source_directories: - /opt/speedbits repositories: - path: /backups/borgmatic-repo label: speedbits-repo exclude_patterns: - '*.tmp' - '*.log' - '*/logs/*' - '*/cache/*' - '*/tmp/*' - '*/.git/*' - '*/node_modules/*' - '*/venv/*' - '*/__pycache__/*' - '*/database-dumps/*' - '*/netdata/lib/*' - '*/netdata/cache/*' compression: zstd archive_name_format: 'speedbits-files-{hostname}-{now:%Y-%m-%d-%H%M%S}' keep_daily: 7 keep_weekly: 4 keep_monthly: 6 checks: - name: repository frequency: 2 weeks - name: archives frequency: 2 weeks Database Backup Configuration Location: /opt/speedbits/borgmatic/borgmatic-databases.yml # Borgmatic Database Configuration source_directories: - /backups/database-dumps repositories: - path: /backups/borgmatic-repo label: speedbits-repo compression: zstd,9 archive_name_format: 'speedbits-databases-{hostname}-{now:%Y-%m-%d-%H%M%S}' keep_hourly: 48 keep_daily: 7 # Database preparation hooks hooks: before_backup: - /usr/local/bin/backup-databases.sh after_backup: - /usr/local/bin/cleanup-database-dumps.sh Security Features Ransomware Protection Borgmatic implements canary file monitoring: # Canary file system mkdir -p /opt/speedbits/dont-touch-this-folder echo "This is a test" > /opt/speedbits/dont-touch-this-folder/dont-change-this-file-critical-data.txt chmod 644 /opt/speedbits/dont-touch-this-folder/dont-change-this-file-critical-data.txt # Security monitoring in borgmatic-files.yml commands: - before: action when: [create] run: - if [ ! -f /opt/speedbits/dont-touch-this-folder/dont-change-this-file-critical-data.txt ]; then echo "CANARY FILE MISSING!" && curl -X POST http://apprise:8000/notify -d "body=SECURITY ALERT Canary file is MISSING." -d "title=CANARY FILE MISSING" -d "tag=security" 2>/dev/null || true && exit 1; fi Encryption Configuration Borgmatic uses repokey encryption mode: # Repository initialization borg init --encryption=repokey --make-parent-dirs /backups/borgmatic-repo # Passphrase management BORG_PASSCOMMAND="cat /etc/borgmatic/repo-passphrase.txt" export BORG_PASSCOMMAND Database Integration Multi-Database Support Borgmatic automatically discovers and backs up multiple database types: # Database discovery script #!/bin/bash # /usr/local/bin/backup-databases.sh # MariaDB/MySQL if docker ps --format '{{.Names}}' | grep -q "mariadb\|mysql"; then docker exec mariadb mysqldump --all-databases > /backups/database-dumps/mariadb-$(date +%Y%m%d-%H%M%S).sql fi # PostgreSQL if docker ps --format '{{.Names}}' | grep -q "postgres"; then docker exec postgres pg_dumpall > /backups/database-dumps/postgres-$(date +%Y%m%d-%H%M%S).sql fi # SQLite find /opt/speedbits -name "*.db" -o -name "*.sqlite" -o -name "*.sqlite3" | while read db; do cp "$db" "/backups/database-dumps/sqlite-$(basename "$db")-$(date +%Y%m%d-%H%M%S)" done Docker Compose Configuration Container Setup Location: /opt/speedbits/borgmatic/docker-compose.yml version: '3.8' services: borgmatic: image: borgmatic/borgmatic:latest container_name: borgmatic restart: unless-stopped environment: BORG_PASSCOMMAND: "cat /etc/borgmatic/repo-passphrase.txt" volumes: - /opt/speedbits:/opt/speedbits:ro - /opt/speedbits-backup:/backups - /opt/speedbits/borgmatic:/etc/borgmatic:ro - /var/run/docker.sock:/var/run/docker.sock:ro networks: - borgmatic-network - borgmatic-db command: | /bin/sh -c " echo 'Initializing Borgmatic...' # Install rclone for cloud storage support if ! command -v rclone >/dev/null 2>&1; then echo 'Installing rclone for cloud storage support...' apk add --no-cache rclone || echo 'rclone installation failed, continuing...' fi # Initialize repository if needed if ! borg info /backups/borgmatic-repo >/dev/null 2>&1; then echo 'Creating new Borg repository...' borg init --encryption=repokey --make-parent-dirs /backups/borgmatic-repo fi # Set up cron jobs { echo 'BORG_PASSCOMMAND=\"cat /etc/borgmatic/repo-passphrase.txt\"' echo '0 2 * * * borgmatic --config /etc/borgmatic/borgmatic-files.yml create --verbosity 1' echo '0 */6 * * * borgmatic --config /etc/borgmatic/borgmatic-databases.yml create --verbosity 1' } | crontab - # Start cron daemon crond -f " networks: borgmatic-network: driver: bridge borgmatic-db: external: true Monitoring and Notifications Apprise Integration Borgmatic integrates with Apprise for notifications: # Notification configuration in borgmatic-files.yml commands: - before: action when: [create] run: - curl -X POST http://apprise:8000/notify -d "body=Starting scheduled file backup" -d "title=File Backup Started" -d "tag=backup" 2>/dev/null || true - after: action when: [create] states: [finish] run: - curl -X POST http://apprise:8000/notify -d "body=File backup completed successfully" -d "title=File Backup Complete" -d "tag=backup" 2>/dev/null || true - after: action when: [create] states: [fail] run: - curl -X POST http://apprise:8000/notify -d "body=File backup FAILED" -d "title=File Backup FAILED" -d "tag=backup,error" 2>/dev/null || true Health Monitoring # Check backup status docker exec borgmatic borg list /backups/borgmatic-repo # Check repository integrity docker exec borgmatic borg check /backups/borgmatic-repo # View backup logs docker logs borgmatic # Check cron jobs docker exec borgmatic crontab -l Advanced Configuration Cloud Storage Integration Borgmatic supports cloud storage via rclone: # rclone configuration rclone config create remote s3 \ provider=AWS \ access_key_id=your_access_key \ secret_access_key=your_secret_key \ region=us-east-1 # Cloud backup command rclone sync /opt/speedbits-backup/borgmatic-repo remote:backups/borgmatic-repo Custom Hooks Implement custom backup hooks: # Custom pre-backup hook hooks: before_backup: - /usr/local/bin/pre-backup.sh - /usr/local/bin/backup-databases.sh after_backup: - /usr/local/bin/post-backup.sh - /usr/local/bin/cleanup-temp-files.sh on_error: - /usr/local/bin/backup-error-handler.sh Performance Optimization Compression Settings Choose compression based on your needs: lz4: Fastest, least compression zstd: Balanced speed and compression zlib: Good compression, moderate speed lzma: Best compression, slowest Resource Management # Resource limits in docker-compose.yml services: borgmatic: deploy: resources: limits: memory: 1G cpus: '1.0' reservations: memory: 512M cpus: '0.5' Disaster Recovery Backup Restoration # List available archives docker exec borgmatic borg list /backups/borgmatic-repo # Extract specific archive docker exec borgmatic borg extract /backups/borgmatic-repo::speedbits-files-server-2024-01-15-020000 # Extract to specific location docker exec borgmatic borg extract /backups/borgmatic-repo::speedbits-files-server-2024-01-15-020000 /restore/path Repository Recovery # Check repository integrity docker exec borgmatic borg check /backups/borgmatic-repo # Repair repository if needed docker exec borgmatic borg check --repair /backups/borgmatic-repo # Recover from cloud storage rclone sync remote:backups/borgmatic-repo /opt/speedbits-backup/borgmatic-repo Troubleshooting Common Issues Backup Failures: # Check container logs docker logs borgmatic # Check cron jobs docker exec borgmatic crontab -l # Test manual backup docker exec borgmatic borgmatic --config /etc/borgmatic/borgmatic-files.yml create --verbosity 2 Repository Issues: # Check repository status docker exec borgmatic borg info /backups/borgmatic-repo # Verify passphrase docker exec borgmatic cat /etc/borgmatic/repo-passphrase.txt # Check disk space df -h /opt/speedbits-backup Debug Commands # Container status docker ps | grep borgmatic # Container exec docker exec -it borgmatic /bin/sh # Check mounted volumes docker inspect borgmatic | grep -A 10 Mounts # View configuration docker exec borgmatic cat /etc/borgmatic/borgmatic-files.yml Best Practices Security Use strong, unique passphrases Store passphrases securely (password manager) Enable canary file monitoring Regular backup testing and restoration Operational Monitor backup success/failure notifications Regular repository integrity checks Test disaster recovery procedures Document restoration procedures Next Steps With Borgmatic installed and configured, you have enterprise-grade backup protection ready for all your services. This infrastructure will automatically protect any applications you install going forward. Verification Checklist ✅ Borgmatic container running and healthy ✅ File and database backup schedules active ✅ Repository initialized and encrypted ✅ Canary file monitoring enabled ✅ Notification system configured ✅ Backup restoration tested Next: Installing Vaultwarden - Password Management Solution (Chapter 6) 7: Portainer - Docker Management Platform Portainer CE (Community Edition) provides a web-based management interface for Docker environments. It offers container lifecycle management, stack deployment, image/volume/network management, resource monitoring, and role-based access control. For advanced features, API documentation, and enterprise features, see the official Portainer documentation . Prerequisites ✅ Docker installed (Chapter 3) ✅ Docker Compose (Chapter 3) ✅ Optional: Traefik installed (Chapter 4) for HTTPS with Let's Encrypt ✅ Optional: Domain configured (Chapter 4.5), e.g., portainer.example.com Installation via Infinity Tools Menu Installation 📱 APPLICATIONS → Portainer → Install CLI Installation sudo bash /opt/InfinityTools/Solutions/setup-portainer.sh --install # With domain (Traefik mode) export PORTAINER_DOMAIN="portainer.example.com" sudo -E bash /opt/InfinityTools/Solutions/setup-portainer.sh --install Deployment Modes Traefik Mode (Recommended) Uses Traefik for SSL termination and domain routing: Automatic Let's Encrypt certificate provisioning Domain-based access: https://portainer.example.com Security headers configured via Traefik middleware Requires: Traefik running, DNS A record configured Standalone Mode Direct HTTPS access with self-signed certificate: Access via: https://SERVER_IP:9443 Self-signed SSL (browser warning on first access) No domain required Suitable for internal/development use Installation Process Configuration Steps SSL Mode Selection: Choose Traefik or Standalone If Traefik: Provide domain name (e.g., portainer.example.com ) If Standalone: Specify HTTPS port (default: 9443) Network Detection: Automatically detects Traefik network if available What Gets Created Directory: /opt/speedbits/portainer Container: portainer (portainer/portainer-ce:2.21.4) Data Volume: /opt/speedbits/portainer/data Docker Compose: /opt/speedbits/portainer/docker-compose.yml Network: Joins Traefik network (Traefik mode) or creates internal network (Standalone) First-Time Setup Admin Account Creation ⚠️ CRITICAL: Portainer requires admin credential creation on first access. No default credentials exist. Access Portainer via the provided URL Create administrator account: Username: Any (typically "admin") Password: Minimum 12 characters (enforced) Select Docker environment Connect to local Docker socket Password Recovery If admin password is lost, reset requires: cd /opt/speedbits/portainer docker compose down rm -rf data/ docker compose up -d Note: This resets all Portainer configuration (users, settings, RBAC). Docker containers are unaffected. Service Endpoints Traefik mode: https://portainer.example.com Standalone mode: https://SERVER_IP:9443 Internal API: Portainer exposes port 9000 internally (mapped via Traefik or directly) Key Features Container Management Lifecycle operations (start/stop/restart/remove) Log viewing and streaming Container inspection (env vars, mounts, networks) Console access (exec into containers) Resource limits and constraints Stack Deployment Deploy docker-compose stacks via web UI Edit stack configurations Update and rollback stacks Environment variable management Image Management Browse local images Pull from registries (Docker Hub, private registries) Remove unused images Image tagging and management Volume and Network Management Create/manage Docker volumes Network configuration and inspection Volume backup considerations Monitoring and Statistics Real-time resource usage (CPU, memory, network) Container health status Historical performance data Event logs Security Configuration Initial Security ✅ Strong admin password (20+ characters recommended) ✅ Enable 2FA: Settings → Users → Two-Factor Authentication ✅ Use Traefik mode for production (Let's Encrypt SSL) ✅ Security headers configured via Traefik middleware (Traefik mode) Role-Based Access Control (RBAC) Create team members with restricted access Assign roles (admin, operator, viewer) Environment-level permissions Audit logging Backup Configuration Export Portainer settings: Settings → Backup Configuration Regular backups recommended Backup includes: users, roles, settings, stack definitions Does NOT include: Docker container data (managed separately via Borgmatic) Integration with Infinity Tools Portainer complements Infinity Tools by providing: Visual management of Infinity Tools containers Log access for troubleshooting Resource monitoring for capacity planning Stack deployment for custom applications Note: Infinity Tools applications are managed via their respective setup scripts. Portainer provides visibility and operational control, but configuration changes should be made through Infinity Tools scripts to maintain consistency. Troubleshooting Container Not Starting docker logs portainer docker ps -a | grep portainer Traefik Routing Issues Verify Traefik is running: docker ps | grep traefik Check Traefik logs: docker logs traefik Verify DNS resolution: dig portainer.example.com Confirm SSL certificate: Check Traefik dashboard or logs Docker Socket Access Portainer requires read-only access to /var/run/docker.sock . The setup script configures this automatically. If issues occur: ls -l /var/run/docker.sock docker ps # Verify Docker is accessible Production Considerations High Availability: Portainer CE is single-instance. For HA, consider Portainer Business Edition Backup Strategy: Regular Portainer config exports + Borgmatic for container data Access Control: Implement RBAC for team members Network Security: Use Traefik with firewall rules restricting access Monitoring: Integrate with monitoring solutions (Netdata, Uptime Kuma) Next Steps Portainer is now operational. Use it to: Monitor Infinity Tools containers Deploy additional Docker applications Manage Docker resources Troubleshoot container issues For advanced Portainer features, team management, and enterprise capabilities, refer to the official Portainer documentation . Apps Productivity apps in no particular order. 8: Vaultwarden - Password Management Solution Vaultwarden is a lightweight, self-hosted password management solution that provides full Bitwarden API compatibility while using significantly fewer resources than the official Bitwarden server. It supports all Bitwarden clients and offers enterprise-grade security features. For comprehensive configuration options, API documentation, and advanced features, please refer to the official Vaultwarden documentation . Architecture Overview Vaultwarden provides the following core functionality: ✅ Bitwarden API Compatibility - Full compatibility with all Bitwarden clients ✅ End-to-End Encryption - AES-256 encryption for all data ✅ Multi-User Support - Organization and user management ✅ WebSocket Support - Real-time synchronization ✅ Admin Panel - Comprehensive management interface ✅ Database Flexibility - SQLite, PostgreSQL, MySQL support Prerequisites Before installing Vaultwarden, ensure the following infrastructure is in place: ✅ Traefik installed (from Chapter 4) ✅ Docker running (from Chapter 3) ✅ Borgmatic installed (from Chapter 5) - Automated backup protection ✅ Domain configured (from Chapter 4.5) ✅ SSL certificates (Let's Encrypt via Traefik) Installation Methods Via Infinity Tools Menu Navigate to the Infinity Tools menu and select: 📱 APPLICATIONS → Vaultwarden → Install Command Line Installation # Direct script execution sudo bash /opt/InfinityTools/Solutions/setup-vaultwarden.sh --install # With environment variables export VW_DOMAIN="vault.domain.com" export VW_USE_TRAEFIK="true" export VW_SIGNUPS="false" export PROXY_NETWORK="proxy" sudo -E bash /opt/InfinityTools/Solutions/setup-vaultwarden.sh --install Configuration Parameters Required Configuration During installation, you'll configure: SSL Mode: Traefik integration or standalone Domain: FQDN for web vault access Signup Policy: Open registration or admin-only Admin Token: Generated automatically for admin access Environment Variables # SSL and Domain Configuration export VW_USE_TRAEFIK="true" # Use Traefik for SSL termination export VW_DOMAIN="vault.domain.com" # FQDN for web vault export VW_PORT="8443" # Port for standalone mode # User Management export VW_SIGNUPS="false" # Disable open registration export VW_SIGNUPS_VERIFY="true" # Require email verification # Network Configuration export PROXY_NETWORK="proxy" # Docker network name Generated Configuration Docker Compose Configuration (Traefik Mode) Location: /opt/speedbits/vaultwarden/docker-compose.yml version: '3.8' services: vaultwarden: image: vaultwarden/server:1.34.3 container_name: vaultwarden restart: unless-stopped environment: DOMAIN: https://vault.domain.com ADMIN_TOKEN_FILE: /run/secrets/admin_token.txt SIGNUPS_ALLOWED: "false" SIGNUPS_VERIFY: "true" DATABASE_URL: /data/db.sqlite3 WEBSOCKET_ENABLED: "true" WEBSOCKET_ADDRESS: 0.0.0.0 WEBSOCKET_PORT: 3012 volumes: - /opt/speedbits/vaultwarden/data:/data - /opt/speedbits/vaultwarden/admin_token.txt:/run/secrets/admin_token.txt:ro labels: - "traefik.enable=true" - "traefik.http.routers.vaultwarden.rule=Host(`vault.domain.com`)" - "traefik.http.routers.vaultwarden.entrypoints=websecure" - "traefik.http.routers.vaultwarden.tls.certresolver=myresolver" - "traefik.http.services.vaultwarden.loadbalancer.server.port=80" - "traefik.http.routers.vaultwarden-websocket.rule=Host(`vault.domain.com`) && Path(`/notifications/hub`)" - "traefik.http.routers.vaultwarden-websocket.entrypoints=websecure" - "traefik.http.routers.vaultwarden-websocket.tls.certresolver=myresolver" - "traefik.http.services.vaultwarden-websocket.loadbalancer.server.port=3012" networks: - proxy networks: proxy: external: true Standalone Configuration For environments without Traefik: version: '3.8' services: vaultwarden: image: vaultwarden/server:1.34.3 container_name: vaultwarden restart: unless-stopped environment: DOMAIN: https://localhost:8443 ADMIN_TOKEN_FILE: /run/secrets/admin_token.txt SIGNUPS_ALLOWED: "false" DATABASE_URL: /data/db.sqlite3 WEBSOCKET_ENABLED: "true" WEBSOCKET_ADDRESS: 0.0.0.0 WEBSOCKET_PORT: 3012 ROCKET_TLS: '{certs="/ssl/vaultwarden.crt",key="/ssl/vaultwarden.key"}' ROCKET_PORT: 443 volumes: - /opt/speedbits/vaultwarden/data:/data - /opt/speedbits/vaultwarden/admin_token.txt:/run/secrets/admin_token.txt:ro - /opt/speedbits/vaultwarden/ssl:/ssl:ro ports: - "8443:443" networks: - proxy Security Configuration Admin Token Management Admin tokens are stored securely and provide access to the admin panel: # Generate new admin token openssl rand -base64 48 # Store in secure location echo "generated_token" > /opt/speedbits/vaultwarden/admin_token.txt chmod 600 /opt/speedbits/vaultwarden/admin_token.txt Security Headers Traefik middleware provides comprehensive security headers: labels: - "traefik.http.middlewares.vaultwarden-security.headers.customResponseHeaders.X-Content-Type-Options=nosniff" - "traefik.http.middlewares.vaultwarden-security.headers.customResponseHeaders.X-Frame-Options=SAMEORIGIN" - "traefik.http.middlewares.vaultwarden-security.headers.customResponseHeaders.X-XSS-Protection=1; mode=block" - "traefik.http.middlewares.vaultwarden-security.headers.customResponseHeaders.Strict-Transport-Security=max-age=31536000; includeSubDomains" - "traefik.http.middlewares.vaultwarden-security.headers.customResponseHeaders.Referrer-Policy=strict-origin-when-cross-origin" - "traefik.http.middlewares.vaultwarden-security.headers.customResponseHeaders.Content-Security-Policy=default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self' wss://vault.domain.com https://vault.domain.com; font-src 'self' data:; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none';" Database Configuration SQLite (Default) Vaultwarden uses SQLite by default for simplicity: environment: DATABASE_URL: /data/db.sqlite3 PostgreSQL Configuration For production environments, PostgreSQL is recommended: environment: DATABASE_URL: postgresql://vaultwarden:password@postgres:5432/vaultwarden # Add PostgreSQL service services: postgres: image: postgres:15-alpine container_name: vaultwarden-postgres restart: unless-stopped environment: POSTGRES_DB: vaultwarden POSTGRES_USER: vaultwarden POSTGRES_PASSWORD: secure_password volumes: - /opt/speedbits/vaultwarden/postgres:/var/lib/postgresql/data networks: - proxy Advanced Configuration Environment Variables Vaultwarden supports extensive configuration via environment variables: environment: # Domain and SSL DOMAIN: https://vault.domain.com ROCKET_TLS: '{certs="/ssl/vaultwarden.crt",key="/ssl/vaultwarden.key"}' # Database DATABASE_URL: /data/db.sqlite3 # User Management SIGNUPS_ALLOWED: "false" SIGNUPS_VERIFY: "true" SIGNUPS_VERIFY_RESEND_TIME: "3600" SIGNUPS_VERIFY_RESEND_LIMIT: "6" # Security ADMIN_TOKEN_FILE: /run/secrets/admin_token.txt INVITATIONS_ALLOWED: "true" INVITATION_ORG_NAME: "Organization Name" # WebSocket WEBSOCKET_ENABLED: "true" WEBSOCKET_ADDRESS: 0.0.0.0 WEBSOCKET_PORT: 3012 # SMTP (for email verification) SMTP_HOST: smtp.example.com SMTP_FROM: vaultwarden@example.com SMTP_PORT: 587 SMTP_SECURITY: starttls SMTP_USERNAME: smtp_user SMTP_PASSWORD: smtp_password Organization Management Configure organization settings for team password sharing: environment: ORG_CREATION_USERS: "admin@domain.com" ORG_NAME: "Company Name" ORG_OWNER_EMAIL: "admin@domain.com" Monitoring and Logging Health Checks # Add health check to docker-compose.yml healthcheck: test: ["CMD", "curl", "-f", "http://localhost:80/alive"] interval: 30s timeout: 10s retries: 3 start_period: 30s Logging Configuration environment: LOG_LEVEL: info LOG_FILE: /data/vaultwarden.log EXTENDED_LOGGING: "true" LOG_TIMESTAMP: "true" Backup and Recovery Data Backup Vaultwarden data is stored in the mounted volume: # Backup Vaultwarden data tar -czf vaultwarden-backup-$(date +%Y%m%d).tar.gz -C /opt/speedbits/vaultwarden/data . # Backup configuration cp /opt/speedbits/vaultwarden/docker-compose.yml /backup/vaultwarden-compose.yml cp /opt/speedbits/vaultwarden/admin_token.txt /backup/vaultwarden-admin-token.txt Disaster Recovery # Restore from backup tar -xzf vaultwarden-backup-20241201.tar.gz -C /opt/speedbits/vaultwarden/data/ # Restart service cd /opt/speedbits/vaultwarden docker compose down docker compose up -d Performance Optimization Resource Limits services: vaultwarden: deploy: resources: limits: memory: 512M cpus: '0.5' reservations: memory: 256M cpus: '0.25' Database Optimization For PostgreSQL, configure connection pooling: environment: DATABASE_URL: postgresql://vaultwarden:password@postgres:5432/vaultwarden?sslmode=require&max_connections=20 Troubleshooting Common Issues WebSocket Connection Failures: # Check WebSocket configuration docker logs vaultwarden | grep -i websocket # Verify Traefik routing curl -H "Host: vault.domain.com" http://localhost/notifications/hub Database Connection Issues: # Check database file permissions ls -la /opt/speedbits/vaultwarden/data/db.sqlite3 # Verify database integrity sqlite3 /opt/speedbits/vaultwarden/data/db.sqlite3 "PRAGMA integrity_check;" SSL Certificate Problems: # Check Traefik certificate status docker logs traefik | grep -i acme # Verify domain resolution dig vault.domain.com nslookup vault.domain.com Debug Commands # Container status docker ps | grep vaultwarden # Container logs docker logs vaultwarden # Container exec docker exec -it vaultwarden /bin/sh # Network connectivity docker network inspect proxy # Port binding ss -tulnp | grep :443 Integration with Other Services Borgmatic Backup Integration Include Vaultwarden in automated backups: # Add to borgmatic configuration locations: directories: - /opt/speedbits/vaultwarden/data # Exclude temporary files exclude_patterns: - "*.tmp" - "*.log" Monitoring Integration Add Vaultwarden to monitoring systems: # Health check endpoint curl -f https://vault.domain.com/alive # Metrics endpoint (if enabled) curl https://vault.domain.com/metrics Security Best Practices Access Control Disable open registration in production Use strong admin tokens Implement IP whitelisting for admin access Enable two-factor authentication for all users Network Security Use Traefik for SSL termination Implement rate limiting Configure fail2ban for brute force protection Regular security updates Next Steps With Vaultwarden installed and configured, you can now: Configure user accounts and organizations Set up SMTP for email notifications Implement backup strategies Integrate with existing identity providers Verification Checklist ✅ Vaultwarden container running and healthy ✅ Web vault accessible via HTTPS ✅ Admin panel accessible with admin token ✅ WebSocket connections working ✅ Database accessible and writable ✅ SSL certificates valid Next: Application Deployment and Management (Coming Soon) 9: Passbolt - Team Password Management Passbolt is an OpenPGP-based, self-hosted team password manager with strong security properties and a browser-extension-centric UX. For comprehensive configuration, hardening guidance, and usage documentation, see the official Passbolt documentation . Prerequisites ✅ Traefik installed (Chapter 4) and domain configured (Chapter 4.5) ✅ Docker running (Chapter 3) ✅ Borgmatic installed (Chapter 5) for automated backups ✅ Subdomain ready, e.g., pass.example.com Installation via Infinity Tools Menu Installation 📱 APPLICATIONS → Passbolt → Install CLI Installation sudo bash /opt/InfinityTools/Solutions/setup-passbolt.sh --install # or with environment variables export PB_DOMAIN="pass.example.com" sudo -E bash /opt/InfinityTools/Solutions/setup-passbolt.sh --install Configuration Overview Deployment modes: Traefik (recommended), standalone HTTPS (self-signed), or HTTP Database: MariaDB 10.11 managed alongside Passbolt Data paths: /opt/speedbits/passbolt/ (GPG keys, JWT keys, DB data) Version pinning: Passbolt image version pinned for stability Environment Parameters (examples) # SSL + domain export PB_DOMAIN="pass.example.com" # FQDN for Passbolt # Networking export PROXY_NETWORK="proxy" # Traefik network name What the Installer Sets Up Creates directories under /opt/speedbits/passbolt/ (GPG, jwt, db_data) Generates secure database credentials ( db_password.txt ) Runs Passbolt + MariaDB containers Configures Traefik labels for HTTPS routing (if selected) Outputs access URLs and image versions on completion Post-Install Steps Open the web UI: https://pass.example.com Follow the onboarding to create the first admin user Install the Passbolt browser extension (Chrome/Firefox) when prompted Configure SMTP in the Passbolt UI for email notifications Backup & Restore Passbolt data (GPG, jwt) and database live under /opt/speedbits/passbolt/ Borgmatic file backups include /opt/speedbits/ by default Database dumps are included in the high-frequency DB backups Operational Checks # Check container states sudo docker ps | egrep 'passbolt|passbolt-db' # View logs sudo docker logs passbolt --since 10m sudo docker logs passbolt-db --since 10m # Show current config hints (paths) ls -la /opt/speedbits/passbolt/ Troubleshooting SSL / Routing # Verify Traefik is running sudo docker ps | grep traefik # Check ACME events sudo docker logs traefik | grep -i acme # Confirm DNS dig +short pass.example.com Database Connectivity # Check DB container sudo docker logs passbolt-db --since 10m # Exec into DB and test sudo docker exec -it passbolt-db mysql -u passbolt -p Passbolt Health # Application logs sudo docker logs passbolt --since 10m # Restart services cd /opt/speedbits/passbolt && sudo docker compose down && sudo docker compose up -d Security Notes Restrict admin access to known IPs (Traefik middleware optional) Rotate database and JWT keys as part of change management Ensure regular backups and test restoration Verification ✅ Web UI reachable via HTTPS ✅ First admin created and logged in ✅ Browser extension paired ✅ Borgmatic backups succeeding For advanced configuration (SMTP, LDAP/SSO, security hardening), consult the official Passbolt documentation . 10: Syncthing - File Synchronization Syncthing provides continuous, peer‑to‑peer file synchronization across devices. For configuration reference and advanced topics (relays, discovery, ignore patterns), see the official Syncthing documentation . Dependency check Required: Docker (Chapter 3) Optional: Traefik (Chapter 4) + subdomain (Chapter 4.5) for HTTPS/UI exposure Optional: Borgmatic (Chapter 6) for file data protection Prerequisites ✅ Docker running (Chapter 3) ✅ Optional: Traefik installed (Chapter 4) + subdomain (Chapter 4.5), e.g., sync.example.com ✅ Optional: Borgmatic installed (Chapter 6) for backups Installation via Infinity Tools Menu Installation 📱 APPLICATIONS → Syncthing → Install CLI Installation sudo bash /opt/InfinityTools/Solutions/setup-syncthing.sh --install Traefik Integration Select Traefik mode to expose the web UI via HTTPS and a domain: labels: - "traefik.enable=true" - "traefik.http.routers.syncthing.rule=Host(`sync.example.com`)" - "traefik.http.routers.syncthing.entrypoints=websecure" - "traefik.http.routers.syncthing.tls.certresolver=myresolver" - "traefik.http.services.syncthing.loadbalancer.server.port=8384" # Syncthing GUI networks: - proxy Standalone Access Without Traefik, map the GUI port directly and use self‑signed HTTPS: ports: - "8384:8384" # Web GUI (HTTPS) # Syncthing protocol ports are internal to the container; peers connect via relay/UPnP/NAT traversal Data & Configuration volumes: - /opt/speedbits/syncthing/config:/var/syncthing - /opt/speedbits/syncthing/Documents:/sync/Documents - /opt/speedbits/syncthing/Photos:/sync/Photos Security & Hardening Set GUI credentials (Settings → GUI) Restrict GUI to 0.0.0.0 only when behind Traefik; otherwise bind locally and reverse‑proxy Consider IP allowlists via Traefik middleware for WAN exposure Device Pairing Retrieve Device ID from each peer (web UI → Actions → Show ID) Add remote devices by ID; accept on the peer Share specific folders with your peer device Ignore Patterns Use .stignore to exclude files: # /opt/speedbits/syncthing/Documents/.stignore *.tmp .cache/ node_modules/ Operational Checks # Containers sudo docker ps | grep syncthing # Logs sudo docker logs syncthing --since 10m Troubleshooting Ensure DNS resolves sync.example.com if using Traefik Confirm the GUI is reachable via Traefik or mapped port Validate folder permissions (UID/GID 1000 by default in LinuxServer images) For advanced networking (relay servers, global discovery, NAT traversal), consult the Syncthing docs . 11: Nextcloud - Cloud Storage Platform Nextcloud is a full-featured, self-hosted collaboration and file storage platform. It provides file sync and share, WebDAV, CalDAV/CardDAV, and a rich app ecosystem. For full configuration details and the admin manual, see the official Nextcloud documentation . Architecture Overview ✅ Core services: Apache/PHP application with PostgreSQL database ✅ Protocols: WebDAV, CalDAV, CardDAV ✅ Identity: Local users; supports SSO/OIDC via apps ✅ Networking: Traefik reverse proxy (recommended) or standalone ✅ Data: Application files + user data volume + database Resource Requirements Minimum: 1 vCPU, 512 MB RAM, 10 GB disk (grows with user data) Recommended: 2+ vCPU, 2 GB+ RAM, 20 GB+ disk Prerequisites ✅ Traefik installed (Chapter 4) with Let's Encrypt ✅ Docker installed (Chapter 3) ✅ Apprise installed (Chapter 5) for notifications ✅ Borgmatic installed (Chapter 6) for automated backups ✅ Domain configured (Chapter 4.5) for production HTTPS Interdependencies: The PostgreSQL service is attached to a borgmatic-db network for backup discovery. Borgmatic relies on Apprise for notifications. Installation Methods Via Infinity Tools Menu 📱 APPLICATIONS → Nextcloud → Install Command Line # Show current status (no changes) sudo bash /opt/InfinityTools/Solutions/setup-nextcloud.sh # Run interactive installation sudo bash /opt/InfinityTools/Solutions/setup-nextcloud.sh --install Configuration Parameters SSL Mode: Traefik (HTTPS, recommended) or standalone (HTTP or self-signed HTTPS) Domain: Required for Traefik (e.g., cloud.example.com ) Standalone Port: If not using Traefik Default Quota: Per-user storage limit in GB (recommended) Credentials: Admin and DB passwords are generated and stored in /opt/speedbits/nextcloud/.env Generated Files & Directories /opt/speedbits/nextcloud/.env — Installation parameters and credentials /opt/speedbits/nextcloud/docker-compose.yml — Service definition /opt/speedbits/nextcloud/html — App files /opt/speedbits/nextcloud/data — User data /opt/speedbits/nextcloud/db — PostgreSQL data Compose (Traefik Mode - Highlights) services: db: image: postgres:${DB_VERSION} networks: [ ${NETWORK}, borgmatic-db ] nextcloud: image: nextcloud:${NEXTCLOUD_VERSION} environment: POSTGRES_HOST: nextcloud-db NEXTCLOUD_ADMIN_USER: ${NEXTCLOUD_ADMIN_USER} NEXTCLOUD_ADMIN_PASSWORD: ${NEXTCLOUD_ADMIN_PASSWORD} NEXTCLOUD_TRUSTED_DOMAINS: ${DOMAIN} OVERWRITEPROTOCOL: https OVERWRITEHOST: ${DOMAIN} PHP_UPLOAD_LIMIT: 16G PHP_MEMORY_LIMIT: 512M labels: - "traefik.enable=true" - "traefik.http.routers.nextcloud.rule=Host(`${DOMAIN}`)" - "traefik.http.routers.nextcloud.entrypoints=websecure" - "traefik.http.routers.nextcloud.tls.certresolver=myresolver" - "traefik.http.services.nextcloud.loadbalancer.server.port=80" - "traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.permanent=true" - "traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.regex=https://(.*)/.well-known/(card|cal)dav" - "traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.replacement=https://$${1}/remote.php/dav/" - "traefik.http.middlewares.nextcloud-security.headers.customResponseHeaders.X-Content-Type-Options=nosniff" - "traefik.http.middlewares.nextcloud-security.headers.customResponseHeaders.X-Frame-Options=SAMEORIGIN" - "traefik.http.middlewares.nextcloud-security.headers.customResponseHeaders.X-XSS-Protection=1; mode=block" - "traefik.http.routers.nextcloud.middlewares=nextcloud-redirectregex,nextcloud-security" Post-Install Hardening & Tasks Trusted domains and overwrite settings are applied automatically (Traefik mode) Default quota is applied if configured Security hardening executed: brute-force protection, file locking, log level Background jobs switched to Cron Cron Setup */5 * * * * docker exec -u www-data nextcloud php -f /var/www/html/cron.php Backup Integration (Borgmatic) Database container is auto-registered with Borgmatic (if available) Include these paths in backups: /opt/speedbits/nextcloud/data — User files /opt/speedbits/nextcloud/db — Database volume /opt/speedbits/nextcloud/config (if present) — Config overrides Ensure Apprise is configured for notifications Operations # Logs docker logs nextcloud # Restart cd /opt/speedbits/nextcloud && docker compose restart # Update cd /opt/speedbits/nextcloud && docker compose pull && docker compose up -d # OCC (run as www-data) docker exec -u www-data nextcloud php occ status docker exec -u www-data nextcloud php occ app:list Troubleshooting SSL/Domain: Verify Traefik routing, DNS A/AAAA, and ACME logs Database: Check container health; confirm credentials in .env Storage: Monitor df -h /opt/speedbits/nextcloud ; enforce quotas Trusted Domains: occ config:system:set trusted_domains 1 --value="cloud.example.com" Background Jobs: Confirm cron runs; see Settings → Basic settings Security Best Practices Enable 2FA for admin and users Enforce sane quotas to prevent disk exhaustion Regularly apply updates and review logs Restrict admin access and consider IP allowlists Review app permissions and disable unused apps Verification Checklist ✅ Nextcloud and database containers running and healthy ✅ HTTPS reachable via Traefik with valid certificate ✅ Admin login works; quotas visible under Users ✅ Cron executing background jobs ✅ Backups configured and tested References Nextcloud Admin Manual Nextcloud desktop & mobile clients 12: WordPress - Production-Ready Setup WordPress is a widely used CMS for websites and blogs. This guide covers installation and runtime specifics when deploying via Infinity Tools. For platform usage, administration, and theme/plugin development, refer to the official WordPress documentation . Architecture Overview ✅ Services: WordPress (PHP/Apache), MariaDB 10.11, optional Redis cache ✅ Reverse Proxy: Traefik with Let's Encrypt (recommended) or standalone ✅ Networks: Traefik proxy network + borgmatic-db for DB backups ✅ Multi-instance: Supported via --instance= Prerequisites ✅ Traefik installed (Chapter 4) ✅ Docker installed (Chapter 3) ✅ Apprise installed (Chapter 5) for notifications ✅ Borgmatic installed (Chapter 6) for automated backups ✅ Domain configured (Chapter 4.5) for HTTPS Interdependencies: MariaDB is joined to borgmatic-db for backup discovery. Borgmatic depends on Apprise for notifications. Installation Methods Via Infinity Tools Menu 📱 APPLICATIONS → WordPress → Install Command Line # Status (no changes) sudo bash /opt/InfinityTools/Solutions/setup-wordpress.sh --status # Default instance (interactive) sudo bash /opt/InfinityTools/Solutions/setup-wordpress.sh --install # Named instance sudo bash /opt/InfinityTools/Solutions/setup-wordpress.sh --install --instance=blog2 Key Configuration SSL Mode: Traefik (HTTPS) or standalone (HTTP or self-signed HTTPS) Domain: Required for Traefik (e.g., myblog.com ) Standalone Port: Required if not using Traefik Redis Cache: Optional. Can be enabled during install Multi-Instance Paths: Default: /opt/speedbits/wordpress Instance blog2 : /opt/speedbits/wordpress-blog2 Generated Files & Directories $WP_DIR/wp_data/ — WordPress files $WP_DIR/db_data/ — MariaDB data $WP_DIR/redis_data/ — Redis persistence (if enabled) $WP_DIR/docker-compose.yml — Service definition $WP_DIR/php/uploads.ini — PHP upload limits (50MB) $WP_DIR/db_password.txt — Generated DB password Traefik Mode (Highlights) services: db: image: mariadb:10.11 networks: [ ${NETWORK}, borgmatic-db ] redis: # if enabled image: redis:7-alpine command: redis-server --maxmemory 64mb --maxmemory-policy allkeys-lru wordpress: image: wordpress:latest environment: WORDPRESS_DB_HOST: wp-db:3306 WORDPRESS_DB_USER: wpuser WORDPRESS_DB_PASSWORD: ${FROM_FILE} WORDPRESS_DB_NAME: wordpress WORDPRESS_TABLE_PREFIX: wp_ WORDPRESS_CONFIG_EXTRA: | define('DISALLOW_FILE_EDIT', true); define('FORCE_SSL_ADMIN', true); define('WP_MEMORY_LIMIT', '512M'); define('WP_MAX_MEMORY_LIMIT', '1024M'); define('WP_CACHE', true); define('WP_POST_REVISIONS', 10); define('AUTOSAVE_INTERVAL', 300); define('WP_IMAGE_EDITORS', ['WP_Image_Editor_GD']); labels: - "traefik.enable=true" - "traefik.http.routers.${ROUTER_NAME}.rule=Host(`${DOMAIN}`)" - "traefik.http.routers.${ROUTER_NAME}.entrypoints=websecure" - "traefik.http.routers.${ROUTER_NAME}.tls.certresolver=myresolver" - "traefik.http.routers.${ROUTER_NAME}-www.rule=Host(`www.${DOMAIN}`)" - "traefik.http.routers.${ROUTER_NAME}-www.middlewares=${ROUTER_NAME}-redirect" - "traefik.http.middlewares.${ROUTER_NAME}-redirect.redirectregex.regex=^https://www\\.${DOMAIN}/(.*)" - "traefik.http.middlewares.${ROUTER_NAME}-redirect.redirectregex.replacement=https://${DOMAIN}/$${1}" - "traefik.http.middlewares.${ROUTER_NAME}-redirect.redirectregex.permanent=true" Redis Object Cache (Recommended) Enable Redis during installation (optional), then install the free Redis Object Cache plugin for significant performance gains. Dashboard → Plugins → Add New Search Redis Object Cache by Till Krüss Install → Activate → Settings → Redis → Enable Object Cache Redis Object Cache plugin (wordpress.org) Post-Install Hardening & Defaults File editing disabled; XML‑RPC disabled OPcache enabled; memory limits tuned WWW → non‑WWW redirect configured (Traefik) Let's Encrypt certificates via Traefik Backup Integration (Borgmatic) MariaDB is auto‑registered with Borgmatic (if available) Include in backups: $WP_DIR/wp_data $WP_DIR/db_data $WP_DIR/redis_data (if enabled) Ensure Apprise notifications are configured Operations # Logs docker logs wordpress docker logs wp-db # Restart cd $WP_DIR && docker compose restart # Update (safe) cd $WP_DIR && docker compose pull && docker compose up -d # Instance status sudo bash /opt/InfinityTools/Solutions/setup-wordpress.sh --status # Wipe and reinstall (destructive) sudo bash /opt/InfinityTools/Solutions/setup-wordpress.sh --install --deleteall Troubleshooting Database connection errors: verify db_password.txt , check wp-db logs, ensure volumes mounted SSL/ACME issues: check Traefik logs, DNS A/AAAA, ports 80/443 open Performance: enable Redis Object Cache; review plugins/themes bloat Uploads: default max upload 50MB via $WP_DIR/php/uploads.ini Security Best Practices Keep core, themes, and plugins updated Limit admin accounts; enforce strong passwords and 2FA Review plugin footprint; remove unused components Regularly test backups and restore procedures Verification Checklist ✅ WordPress, MariaDB (and Redis if used) containers running ✅ Site reachable over HTTPS with valid cert (Traefik) ✅ Admin login working; permalinks saved ✅ Redis Object Cache enabled (if configured) ✅ Backups configured and successful 13: Matomo - Web Analytics Matomo (formerly Piwik) is a full‑featured, self‑hosted web analytics platform. This guide covers installation and runtime specifics when deploying via Infinity Tools. For comprehensive configuration and administration, see the official Matomo documentation . Architecture Overview ✅ Services: Matomo (PHP/Apache) + MariaDB 10.11 ✅ Reverse Proxy: Traefik with Let's Encrypt (recommended) or standalone ✅ Networking: Traefik proxy network + borgmatic-db for DB backups ✅ Data: App config/logs + database volume Prerequisites ✅ Traefik installed (Chapter 4) ✅ Docker installed (Chapter 3) ✅ Apprise installed (Chapter 5) for notifications ✅ Borgmatic installed (Chapter 6) for automated backups ✅ Domain configured (Chapter 4.5) for HTTPS Interdependencies: MariaDB joins borgmatic-db for backup discovery. Borgmatic relies on Apprise for notifications. Installation Methods Via Infinity Tools Menu 📱 APPLICATIONS → Matomo → Install Command Line # Status (no changes) sudo bash /opt/InfinityTools/Solutions/setup-matomo.sh --status # Interactive installation sudo bash /opt/InfinityTools/Solutions/setup-matomo.sh --install Key Configuration SSL Mode: Traefik (HTTPS) or standalone (HTTP or self‑signed HTTPS) Domain: Required for Traefik (e.g., analytics.example.com ) Standalone Port: Required if not using Traefik Database: MariaDB 10.11 with tuned params Generated Files & Directories /opt/speedbits/matomo/.env — Installation parameters and DB creds /opt/speedbits/matomo/docker-compose.yml — Service definition /opt/speedbits/matomo/config — Matomo config /opt/speedbits/matomo/logs — Matomo logs /opt/speedbits/matomo/db — MariaDB data /opt/speedbits/matomo/db_password.txt — DB password (root‑only) Compose (Traefik Mode - Highlights) services: db: image: mariadb:${DB_VERSION} networks: [ ${NETWORK}, borgmatic-db ] command: > --max-allowed-packet=64M --innodb-buffer-pool-size=512M matomo: image: matomo:${MATOMO_VERSION} environment: MATOMO_DATABASE_HOST: matomo-db MATOMO_DATABASE_ADAPTER: mysql MATOMO_DATABASE_TABLES_PREFIX: matomo_ MATOMO_DATABASE_USERNAME: ${MYSQL_USER} MATOMO_DATABASE_PASSWORD: ${MYSQL_PASSWORD} MATOMO_DATABASE_DBNAME: ${MYSQL_DATABASE} PHP_MEMORY_LIMIT: 512M volumes: - ./config:/var/www/html/config - ./logs:/var/www/html/logs labels: - "traefik.enable=true" - "traefik.http.routers.matomo.rule=Host(`${DOMAIN}`)" - "traefik.http.routers.matomo.entrypoints=websecure" - "traefik.http.routers.matomo.tls.certresolver=myresolver" - "traefik.http.services.matomo.loadbalancer.server.port=80" Post‑Install Tasks Complete the Matomo setup wizard in the browser (system check → DB → admin user → first website) Add the JavaScript tracking code to your site(s) (before ) Set up cron archiving (see below) Cron Archiving */5 * * * * docker exec matomo /usr/local/bin/php /var/www/html/console core:archive >/dev/null 2>&1 Backup Integration (Borgmatic) Database container is auto‑registered with Borgmatic (if available) Include in backups: /opt/speedbits/matomo/db — MariaDB data /opt/speedbits/matomo/config — App configuration /opt/speedbits/matomo/logs — Optional Ensure Apprise notifications are configured Operations # Logs docker logs matomo docker logs matomo-db # Restart cd /opt/speedbits/matomo && docker compose restart # Update cd /opt/speedbits/matomo && docker compose pull && docker compose up -d Troubleshooting DB connectivity: verify db_password.txt , check matomo-db logs SSL/ACME: check Traefik logs, DNS, ports 80/443 open Performance: tune archiving frequency; ensure DB buffer pool sizing matches workload Security Best Practices Restrict admin access; use strong credentials Regular updates; monitor logs Consider IP anonymization and consent tools for compliance Verification Checklist ✅ Matomo and database containers running ✅ HTTPS reachable via Traefik with valid certificate ✅ Setup wizard completed; admin login working ✅ Cron archiving running ✅ Backups configured and tested References Matomo Documentation 14: Webmin - System Administration Platform Webmin provides a web-based system administration interface for Linux servers. It offers user management, service control, file system access, package management, network configuration, and system monitoring through a unified web UI. For module documentation, API details, and advanced configuration, see the official Webmin documentation . Prerequisites ✅ Docker installed (Chapter 3) ✅ Docker Compose (Chapter 3) ✅ Optional: Traefik installed (Chapter 4) for HTTPS with Let's Encrypt ✅ Optional: Domain configured (Chapter 4.5), e.g., webmin.example.com Installation via Infinity Tools Menu Installation 📱 APPLICATIONS → Webmin → Install CLI Installation sudo bash /opt/InfinityTools/Solutions/setup-webmin.sh --install # With domain (Traefik mode) export WEBMIN_USE_TRAEFIK=true export WEBMIN_DOMAIN="webmin.example.com" sudo -E bash /opt/InfinityTools/Solutions/setup-webmin.sh --install # With host filesystem access (read-only) export WEBMIN_HOST_ACCESS=readonly sudo -E bash /opt/InfinityTools/Solutions/setup-webmin.sh --install # With host filesystem access (read-write) export WEBMIN_HOST_ACCESS=readwrite sudo -E bash /opt/InfinityTools/Solutions/setup-webmin.sh --install # Custom port (standalone mode) sudo bash /opt/InfinityTools/Solutions/setup-webmin.sh --install 9443 Deployment Modes Traefik Mode Uses Traefik for SSL termination and domain routing: Automatic Let's Encrypt certificate provisioning Domain-based access: https://webmin.example.com Direct web access (no SSH tunnel required) Requires: Traefik running, DNS A record configured Standalone Mode (Recommended) Direct HTTPS access with self-signed certificate, accessed via SSH tunnel: Access via: https://localhost:8443 (after SSH tunnel) SSH tunnel command: ssh -L 8443:localhost:10000 user@server Self-signed SSL (browser warning on first access) More secure (not directly exposed to internet) Default port: 8443 (configurable) Host Filesystem Access Configuration During installation, you'll be prompted for host filesystem access level: None (default) - Container filesystem only, no host access Read-Only - Host filesystem mounted at /host/ (read-only) Read-Write - Host filesystem mounted at /host/ (full access) Volume Mount: Read-Only: - /:/host:ro Read-Write: - /:/host Installation Process Configuration Steps SSL Mode Selection: Choose Traefik or Standalone If Traefik: Provide domain name If Standalone: Specify HTTPS port (default: 8443) Host Access: Choose filesystem access level User Creation: System user webminadmin created with random password What Gets Created Directory: /opt/speedbits/webmin Container: webmin (johanp/webmin:latest) Volumes: webmin-config , webmin-logs Docker Compose: /opt/speedbits/webmin/docker-compose.yml System User: webminadmin with sudo privileges Network: Joins Traefik network (Traefik mode) or creates internal network (Standalone) Access Methods Traefik Mode https://webmin.example.com Direct web access after DNS propagation and SSL certificate generation (30-60 seconds). Standalone Mode (SSH Tunnel) On local machine: ssh -L 8443:localhost:10000 user@server-ip Then in browser: https://localhost:8443 Accept self-signed certificate warning (Advanced → Proceed). Alternative: Direct Container IP # Get container IP CONTAINER_IP=$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' webmin) # SSH tunnel to container IP ssh -L 8443:$CONTAINER_IP:10000 user@server-ip Authentication Default Credentials Username: webminadmin Password: Randomly generated (shown once during installation) ⚠️ CRITICAL: Password is displayed only once. Save it immediately! System Authentication Any user in sudo or wheel group can login Uses system /etc/passwd , /etc/shadow , /etc/group Container runs as root with privileged access PAM authentication configured (can be disabled for internal password file) File Manager: Container vs Host Filesystem ⭐ CRITICAL: Webmin's File Manager initially shows the container's filesystem, not the host system. Accessing Host Files Navigate to Other → File Manager You'll see container filesystem (minimal, typically empty) To access host: Type /host/ in the path bar Press Enter or click "Go" Host filesystem is now accessible Path Mapping Container root: / (Webmin container filesystem) Host root: /host/ (mounted host filesystem) Common Host Paths /host/etc/ - Host system configuration /host/home/ - Host user home directories /host/opt/ - Host application data (Infinity Tools, Speedbits) /host/var/log/ - Host system logs /host/var/www/ - Host web directories Access Level Behavior Read-Only: Can browse /host/ but cannot modify files Read-Write: Full access to /host/ (create, edit, delete) None: /host/ directory doesn't exist Key Features System Administration User and group management Service management (systemd units) Package management (apt/yum) System information and monitoring Log file viewing File Management Web-based file browser Text editor for configuration files File upload/download Permission management Note: Use /host/ path for host filesystem access Network Configuration Network interface configuration Firewall rules (iptables/ufw) DNS configuration Port forwarding Security Configuration Access Security ✅ SSH tunnel recommended for standalone mode (not directly exposed) ✅ Traefik mode uses Let's Encrypt SSL (production-ready) ✅ Self-signed certificate in standalone mode (acceptable for tunneled access) ✅ System authentication via PAM or internal password file Filesystem Security Read-Only: Safe for viewing host files without modification risk Read-Write: Full access - use with caution, audit changes None: Most secure - container filesystem only Container Security Container runs as root (required for system management) Privileged mode enabled (required for system access) Mounts host user databases (passwd, shadow, group) Optional host filesystem mount Configuration Persistence Config Volume: webmin-config persists Webmin settings Logs Volume: webmin-logs persists log files Data Directory: /opt/speedbits/webmin contains docker-compose.yml All settings survive container restarts Troubleshooting Container Not Starting docker logs webmin docker ps -a | grep webmin Authentication Issues Verify user exists: docker exec webmin grep webminadmin /etc/passwd Check sudo group: groups webminadmin Verify password file: docker exec webmin cat /etc/webmin/miniserv.users Restart container: docker restart webmin File Manager Issues Can't see host files: Navigate to /host/ in path bar /host/ doesn't exist: Host access was set to "None" during installation Read-only errors: Host access was set to "Read-Only" To change access: Reinstall with different WEBMIN_HOST_ACCESS setting SSH Tunnel Issues Verify SSH access: ssh user@server-ip Check port matches installation: Default is 8443 Try container IP: ssh -L 8443:CONTAINER_IP:10000 user@server Verify Webmin is running: docker ps | grep webmin Traefik Routing Issues Verify Traefik is running: docker ps | grep traefik Check DNS resolution: dig webmin.example.com Verify SSL certificate: Check Traefik logs Wait 30-60 seconds after installation for certificate generation Production Considerations Access Method: SSH tunnel (standalone) is more secure than direct web access Filesystem Access: Use "Read-Only" unless file editing is required Password Management: Store credentials in password manager (Vaultwarden) User Management: Create separate Webmin users for team members Audit Logging: Monitor Webmin access logs for security Backup: Backup Webmin configuration volume regularly Integration with Infinity Tools Webmin complements Infinity Tools by providing: Visual system administration alongside containerized applications File management for host system (via /host/ mount) User management for system users Service monitoring and management Note: Infinity Tools applications run in Docker containers. Webmin provides host system management. Use Portainer (Chapter 13) for Docker container management. Next Steps Webmin is now operational. Use it to: Manage system users and permissions Browse and edit host filesystem (remember /host/ path!) Monitor system resources Configure system services View system logs For advanced Webmin features, module development, and enterprise capabilities, refer to the official Webmin documentation . 15: BookStack - Documentation Platform / Wiki BookStack is a self-hosted documentation and wiki platform built with PHP and Laravel. It provides a hierarchical content structure (Books → Chapters → Pages), WYSIWYG editing with Markdown support, full-text search, user roles, and export capabilities. For API documentation, advanced customization, and development guides, see the official BookStack documentation . Prerequisites ✅ Docker installed (Chapter 3) ✅ Docker Compose (Chapter 3) ✅ Optional: Traefik installed (Chapter 4) for HTTPS with Let's Encrypt ✅ Optional: Domain configured (Chapter 4.5), e.g., docs.example.com Installation via Infinity Tools Menu Installation 📱 APPLICATIONS → BookStack → Install CLI Installation sudo bash /opt/InfinityTools/Solutions/setup-bookstack.sh --install # With domain (Traefik mode) export BS_DOMAIN="docs.example.com" export BS_EMAIL="admin@example.com" sudo -E bash /opt/InfinityTools/Solutions/setup-bookstack.sh --install # Standalone mode with custom port export BS_USE_TRAEFIK=false export BS_PORT=8092 sudo -E bash /opt/InfinityTools/Solutions/setup-bookstack.sh --install # Fresh install (delete all data) sudo bash /opt/InfinityTools/Solutions/setup-bookstack.sh --install --deleteall Deployment Modes Traefik Mode (Default) Uses Traefik for SSL termination and domain routing: Automatic Let's Encrypt certificate provisioning Domain-based access: https://docs.example.com HTTP → HTTPS redirect configured Security headers (X-Frame-Options, CSP, etc.) Requires: Traefik running, DNS A record configured Standalone Mode Direct access with optional HTTPS (self-signed): HTTP: http://SERVER_IP:8092 HTTPS: https://SERVER_IP:8092 (self-signed cert via nginx proxy) Default port: 8092 (configurable) No domain required Architecture Containers bookstack - Main BookStack application (lscr.io/linuxserver/bookstack:latest) bookstack-db - MariaDB 10.11 database bookstack-ssl-proxy - Nginx SSL proxy (standalone HTTPS mode only) Data Persistence Database: /opt/speedbits/bookstack/db_data/ (MariaDB data) Config: /opt/speedbits/bookstack/config/ (BookStack config, uploads) SSL: /opt/speedbits/bookstack/ssl/ (standalone mode certificates) Networks Traefik network: Joins Traefik's proxy network (Traefik mode) bookstack-internal: Isolated bridge network (standalone mode) borgmatic-db: Database backup network (for Borgmatic integration) Installation Process Configuration Steps SSL Mode Selection: Choose Traefik (default) or Standalone If Traefik: Provide domain name and email If Standalone: Specify port (default: 8092) and SSL mode Database Setup: Random passwords generated and saved App Key: Encryption key generated for BookStack What Gets Created Directory: /opt/speedbits/bookstack Containers: bookstack , bookstack-db Docker Compose: /opt/speedbits/bookstack/docker-compose.yml Password Files: db_password.txt , db_root_password.txt , app_key.txt Volumes: Database data, config, SSL certificates Database Configuration Database Details Type: MariaDB 10.11 Database: bookstack User: bookstack Password: Randomly generated, saved in db_password.txt Root Password: Saved in db_root_password.txt Character Set: utf8mb4 Collation: utf8mb4_unicode_ci Max Packet Size: 256MB Accessing Database # View database password cat /opt/speedbits/bookstack/db_password.txt # Connect to database docker exec -it bookstack-db mysql -u bookstack -p bookstack # Enter password from db_password.txt # Backup database docker exec bookstack-db mysqldump -u bookstack -p bookstack > backup.sql Access Methods Traefik Mode https://docs.example.com Direct web access after DNS propagation and SSL certificate generation (30-60 seconds). Standalone Mode HTTP: http://SERVER_IP:8092 HTTPS: https://SERVER_IP:8092 Accept self-signed certificate warning (Advanced → Proceed). Authentication Default Credentials Email: admin@admin.com Password: password ⚠️ CRITICAL: Change these immediately after first login! These are public defaults. User Roles Admin - Full system access, user management, settings Editor - Can create/edit content, manage own content Viewer - Read-only access Guest - Public access (if enabled) Environment Variables BookStack Container APP_URL - Base URL (https://docs.example.com or http://SERVER_IP:8092) APP_KEY - Encryption key (base64 encoded, auto-generated) DB_HOST - Database host (bookstack-db:3306) DB_DATABASE - Database name (bookstack) DB_USERNAME - Database user (bookstack) DB_PASSWORD - Database password (from db_password.txt) MAIL_DRIVER - Email driver (smtp) MAIL_HOST - SMTP server MAIL_PORT - SMTP port MAIL_FROM - From email address Key Features Content Management Hierarchical structure: Books → Chapters → Pages WYSIWYG editor with Markdown support Full-text search across all content Image uploads and attachments Version history and revisions Tags and categorization User Management Role-based access control (RBAC) User invitations via email LDAP/Active Directory integration (advanced) OAuth providers (GitHub, Google, etc.) Export & Integration Export to PDF, HTML, Markdown, Plain Text REST API for programmatic access Webhook support RSS feeds Security Configuration Access Security ✅ Traefik mode uses Let's Encrypt SSL (production-ready) ✅ Standalone HTTPS uses self-signed certificates (acceptable for internal use) ✅ Security headers configured (X-Frame-Options, CSP, etc.) ✅ Password hashing (bcrypt) ⚠️ Change default admin credentials immediately Container Security Runs as non-root user (PUID/PGID: 1000) Database isolated in separate container Network isolation (internal networks) Volume mounts for data persistence Configuration Persistence Database Volume: db_data persists all content Config Volume: config persists settings and uploads Password Files: Saved in /opt/speedbits/bookstack/ All settings survive container restarts Backup & Restore Backup Strategy # Full backup cd /opt/speedbits tar czf bookstack-backup-$(date +%Y%m%d).tar.gz bookstack/ # Database-only backup docker exec bookstack-db mysqldump -u bookstack -p bookstack > bookstack-db-$(date +%Y%m%d).sql # Config-only backup tar czf bookstack-config-$(date +%Y%m%d).tar.gz -C /opt/speedbits/bookstack config/ Restore Process Stop containers: cd /opt/speedbits/bookstack && docker compose down Restore data: Extract backup to /opt/speedbits/bookstack/ Restore database: docker exec -i bookstack-db mysql -u bookstack -p bookstack < backup.sql Start containers: docker compose up -d Troubleshooting Container Not Starting docker logs bookstack docker logs bookstack-db docker ps -a | grep bookstack Database Connection Issues Verify database is running: docker ps | grep bookstack-db Check database logs: docker logs bookstack-db Test connection: docker exec bookstack-db mysqladmin ping -h localhost Verify password: cat /opt/speedbits/bookstack/db_password.txt SSL Certificate Issues Traefik mode: Check Traefik logs: docker logs traefik Traefik mode: Verify DNS: dig docs.example.com Standalone mode: Check nginx proxy logs: docker logs bookstack-ssl-proxy Standalone mode: Verify certificates: ls -la /opt/speedbits/bookstack/ssl/ Performance Issues Check container resources: docker stats bookstack bookstack-db Review database performance: docker exec bookstack-db mysqladmin processlist Optimize images before upload Consider database indexing for large content Production Considerations Access Method: Use Traefik mode for production (trusted SSL) Password Policy: Enforce strong passwords via user management Backup Strategy: Implement automated backups (integrate with Borgmatic) User Management: Use LDAP/OAuth for enterprise environments Monitoring: Monitor container health and resource usage Updates: Re-run install script periodically for updates Email: Configure SMTP for password resets and notifications Integration with Infinity Tools BookStack complements Infinity Tools by providing: Documentation platform for Infinity Tools guides Knowledge base for server configurations Team collaboration on documentation Export capabilities for offline access Note: The Infinity Tools documentation sync script ( sync-bookstack.sh ) can automatically upload HTML documentation files to BookStack. SMTP Configuration After installation, you can configure SMTP for email functionality: Run SMTP config wizard: sudo bash Infrastructure/bookstack-smtp-config.sh Or edit docker-compose.yml and set MAIL_HOST , MAIL_PORT , etc. Restart container: docker restart bookstack Next Steps BookStack is now operational. Use it to: Create documentation for your infrastructure Organize knowledge in books and chapters Collaborate with team members Export content for offline access Integrate with other tools via API For advanced features, API usage, custom themes, and development guides, refer to the official BookStack documentation . 16: Uptime Kuma - Monitoring & Status Pages Uptime Kuma is a self-hosted monitoring solution built with Node.js. It provides uptime monitoring, incident tracking, status pages, and 90+ notification integrations. Supports HTTP(s), TCP, Ping, DNS, Docker containers, and more. For API documentation, advanced configuration, and development guides, see the official Uptime Kuma repository . Prerequisites ✅ Docker installed (Chapter 3) ✅ Docker Compose (Chapter 3) ✅ Optional: Traefik installed (Chapter 4) for HTTPS with Let's Encrypt ✅ Optional: Domain configured (Chapter 4.5), e.g., status.example.com Installation via Infinity Tools Menu Installation 📱 APPLICATIONS → Uptime Kuma → Install CLI Installation sudo bash /opt/InfinityTools/Solutions/setup-uptime-kuma.sh --install # With domain (Traefik mode) export BS_DOMAIN="status.example.com" sudo -E bash /opt/InfinityTools/Solutions/setup-uptime-kuma.sh --install Deployment Modes Traefik Mode (Default) Uses Traefik for SSL termination and domain routing: Automatic Let's Encrypt certificate provisioning Domain-based access: https://status.example.com Security headers configured Requires: Traefik running, DNS A record configured Standalone Mode Direct access with HTTP or HTTPS (self-signed): HTTP: http://SERVER_IP:3001 HTTPS: https://SERVER_IP:3001 (self-signed cert via nginx proxy) Default port: 3001 (configurable) No domain required Architecture Container uptime-kuma - Main application (louislam/uptime-kuma:1) uptime-kuma-ssl-proxy - Nginx SSL proxy (standalone HTTPS mode only) Data Persistence Data: /opt/speedbits/uptime-kuma/data/ (SQLite database, config) SSL: /opt/speedbits/uptime-kuma/ssl/ (standalone mode certificates) Networks Traefik network: Joins Traefik's proxy network (Traefik mode) kuma-internal: Isolated bridge network (standalone mode) Docker Socket Access Optional read-only access to /var/run/docker.sock for Docker container monitoring: Enables Docker container monitoring Read-only mount (security best practice) Configured during installation Installation Process Configuration Steps SSL Mode Selection: Choose Traefik (default) or Standalone If Traefik: Provide domain name If Standalone: Specify port (default: 3001) and SSL mode Docker Monitoring: Optional enable Docker socket access Timezone: Optional timezone configuration (default: UTC) What Gets Created Directory: /opt/speedbits/uptime-kuma Container: uptime-kuma Docker Compose: /opt/speedbits/uptime-kuma/docker-compose.yml Data Volume: SQLite database and configuration Access Methods Traefik Mode https://status.example.com Direct web access after DNS propagation and SSL certificate generation (30-60 seconds). Standalone Mode HTTP: http://SERVER_IP:3001 HTTPS: https://SERVER_IP:3001 Accept self-signed certificate warning (Advanced → Proceed). Authentication First-Time Setup No default credentials - Admin account must be created on first access Setup wizard: "Create your admin account" appears on first visit Password requirements: Minimum 8 characters (12+ recommended) ⚠️ CRITICAL: Write down credentials immediately - no password reset on first setup Password Reset docker exec -it uptime-kuma npm run reset-password Follow prompts to enter username and new password. Monitor Types Supported Protocols HTTP(s) - Websites, APIs, webhooks TCP - Port monitoring (SSH, databases, etc.) Ping (ICMP) - Server availability DNS - DNS record monitoring Docker Container - Container health (requires Docker socket) Keyword - Content-based monitoring SMTP - Email server monitoring gRPC - gRPC service monitoring Monitor Configuration Check interval - Frequency of checks (default: 60 seconds) Retry attempts - Number of retries before marking as down Timeout - Request timeout Expected status codes - HTTP status codes to consider "up" Keyword detection - Check for specific text in response Notification Integrations Supported Providers Discord - Webhook integration Slack - Webhook integration Telegram - Bot API Email - SMTP Apprise - Self-hosted Apprise (80+ services) Webhooks - Custom HTTP endpoints 90+ providers - See full list in Uptime Kuma settings Apprise Integration If Apprise is installed (Chapter 5), use it for notifications: Type: Apprise (Self-hosted) URL: http://apprise:8000/notify/{YOUR-KEY} Enables access to all Apprise-supported services Status Pages Features Public status pages (no authentication required) Customizable appearance (colors, logo, theme) Monitor selection (choose which monitors to display) Incident history Uptime statistics RSS feed support Use Cases Public service status (like status.github.com) Internal team dashboards Customer-facing status pages Service health transparency Environment Variables Uptime Kuma Container TZ - Timezone (default: UTC) Data Storage SQLite database stored in /app/data Persisted via Docker volume mount Includes monitors, notifications, status pages, user accounts Security Configuration Access Security ✅ Traefik mode uses Let's Encrypt SSL (production-ready) ✅ Standalone HTTPS uses self-signed certificates (acceptable for internal use) ✅ Security headers configured (X-Frame-Options, CSP, etc.) ✅ Docker socket mounted read-only (if enabled) ✅ Security option: no-new-privileges:true Container Security Runs as non-root user Read-only Docker socket access (if enabled) Network isolation Volume mounts for data persistence Configuration Persistence Data Volume: data persists all configuration SQLite Database: Stored in data directory All monitors, notifications, and settings survive container restarts Backup & Restore Backup Strategy # Full backup cd /opt/speedbits tar czf uptime-kuma-backup-$(date +%Y%m%d).tar.gz uptime-kuma/ # Using Uptime Kuma built-in backup # Settings → Backup → Download Backup Restore Process Stop container: cd /opt/speedbits/uptime-kuma && docker compose down Restore data: Extract backup to /opt/speedbits/uptime-kuma/ Start container: docker compose up -d Troubleshooting Container Not Starting docker logs uptime-kuma docker ps -a | grep uptime-kuma SSL Certificate Issues Traefik mode: Check Traefik logs: docker logs traefik Traefik mode: Verify DNS: dig status.example.com Standalone mode: Check nginx proxy logs: docker logs uptime-kuma-ssl-proxy Docker Monitoring Issues Verify Docker socket access: docker exec uptime-kuma ls /var/run/docker.sock Check container permissions Verify socket is mounted read-only Monitor Not Responding Check monitor configuration (URL, port, etc.) Verify service is actually running Check network connectivity from container Review monitor logs in Uptime Kuma dashboard Production Considerations Access Method: Use Traefik mode for production (trusted SSL) Password Policy: Enforce strong passwords (12+ characters) 2FA: Enable two-factor authentication (Settings → Security) Backup Strategy: Implement automated backups Monitoring: Monitor Uptime Kuma itself (meta-monitoring) Notifications: Configure multiple notification channels for redundancy Status Pages: Use public status pages instead of sharing admin access Integration with Infinity Tools Uptime Kuma complements Infinity Tools by providing: Monitoring for all Infinity Tools applications Docker container monitoring for infrastructure Status pages for public service transparency Notification integration with Apprise Recommended Monitors: Traefik dashboard All Infinity Tools application endpoints Docker daemon health Server resources (via Netdata if installed) API & Automation REST API Uptime Kuma provides REST API for programmatic access API documentation available in web interface Useful for automation and integration Webhooks Incoming webhooks for external integrations Outgoing webhooks for custom notifications Custom payload formatting Next Steps Uptime Kuma is now operational. Use it to: Monitor all Infinity Tools applications Track Docker container health Create public status pages Set up multi-channel notifications Track uptime statistics and incidents For advanced features, API usage, custom themes, and development guides, refer to the official Uptime Kuma repository . 17: Netdata - Real-time Performance Monitoring Netdata is a distributed, real-time performance monitoring solution built with C and Node.js. It provides sub-second granularity metrics collection, zero-configuration operation, and comprehensive system monitoring including CPU, memory, disk, network, processes, and Docker containers. For API documentation, advanced configuration, and development guides, see the official Netdata documentation . Prerequisites ✅ Docker installed (Chapter 3) ✅ Docker Compose (Chapter 3) ✅ Optional: Traefik installed (Chapter 4) for HTTPS with Let's Encrypt ✅ Optional: Domain configured (Chapter 4.5), e.g., monitor.example.com ✅ Optional: Apprise installed (Chapter 5) for alert notifications Installation via Infinity Tools Menu Installation 📱 APPLICATIONS → Netdata → Install CLI Installation sudo bash /opt/InfinityTools/Solutions/setup-netdata.sh --install Deployment Modes Traefik Mode (Default) Uses Traefik for SSL termination and domain routing: Automatic Let's Encrypt certificate provisioning Domain-based access: https://monitor.example.com Security headers configured Requires: Traefik running, DNS A record configured Standalone Mode Direct access with HTTP or HTTPS (self-signed): HTTP: http://SERVER_IP:19999 HTTPS: https://SERVER_IP:19999 (self-signed cert via nginx proxy) Default port: 19999 (configurable) No domain required Architecture Container netdata - Main application (netdata/netdata:latest) netdata-ssl-proxy - Nginx SSL proxy (standalone HTTPS mode only) Data Persistence Config: /opt/speedbits/netdata-client/netdata/ (configuration files) Lib: /opt/speedbits/netdata-client/netdata/lib/ (database, metrics) Cache: /opt/speedbits/netdata-client/netdata/cache/ (temporary data) SSL: /opt/speedbits/netdata-client/ssl/ (standalone mode certificates) Host Access Netdata requires access to host system for monitoring: /proc - Process and system information (read-only) /sys - System information (read-only) /var/run/docker.sock - Docker API (read-only, for container monitoring) /etc/passwd , /etc/group - User information (read-only) /etc/os-release - OS information (read-only) Networks Traefik network: Joins Traefik's proxy network (Traefik mode) netdata-internal: Isolated bridge network (standalone mode) borgmatic-db: Network for Apprise integration (if enabled) Installation Process Configuration Steps SSL Mode Selection: Choose Traefik (default) or Standalone If Traefik: Provide domain name If Standalone: Specify port (default: 19999) and SSL mode Streaming: Optional parent-child streaming configuration Apprise Integration: Optional alert notification setup What Gets Created Directory: /opt/speedbits/netdata-client Container: netdata Docker Compose: /opt/speedbits/netdata-client/docker-compose.yml Config Files: Health alerts, streaming config, Apprise integration Access Methods Traefik Mode https://monitor.example.com Direct web access after DNS propagation and SSL certificate generation (30-60 seconds). Standalone Mode HTTP: http://SERVER_IP:19999 HTTPS: https://SERVER_IP:19999 Accept self-signed certificate warning (Advanced → Proceed). Security Configuration Access Security ✅ Traefik mode uses Let's Encrypt SSL (production-ready) ✅ Standalone HTTPS uses self-signed certificates (acceptable for internal use) ✅ Security headers configured (X-Frame-Options, CSP, etc.) ⚠️ NO default authentication - Dashboard is publicly accessible Container Security Runs with SYS_PTRACE and SYS_ADMIN capabilities (required for monitoring) Security option: apparmor:unconfined Read-only mounts for host filesystem access Docker socket mounted read-only Authentication ⚠️ CRITICAL: Netdata has NO username/password protection by default! Traefik mode: Add Basic Auth via websiteprotection.sh Standalone mode: Keep on private network or use SSH tunnel VPN: Access via WireGuard VPN for secure remote access SSH Tunnel: ssh -L 19999:localhost:19999 user@server Metrics Collection System Metrics CPU - Per-core usage, load averages, interrupts Memory - RAM, swap, buffers, cache Disk - I/O, space usage, per-filesystem metrics Network - Per-interface traffic, connections, errors Processes - Per-process CPU, memory, I/O System Load - Load averages, context switches Docker Metrics Auto-discovery of all containers Per-container CPU, memory, disk, network Container health status Real-time metrics (1-second granularity) Data Retention Configurable retention period Default: 1 hour of 1-second data Can extend for longer historical data Low storage footprint (~50MB RAM) Alert Configuration Default Alerts Pre-configured alerts in health.d/ : CPU Usage: Warning > 80%, Critical > 95% RAM Usage: Warning > 80%, Critical > 95% Disk Space: Warning > 80%, Critical > 90% Apprise Integration If Apprise is enabled: Alerts sent to Apprise via HTTP POST Apprise forwards to configured channels Supports all Apprise notification providers Config file: health_alarm_notify.conf Custom Alerts Create custom alerts in health.d/ : # Example: Custom alert alarm: custom_metric on: system.cpu lookup: average -3m unaligned of user,system units: % every: 1m warn: $this > 75 crit: $this > 90 delay: down 5m multiplier 1.5 max 1h info: Custom CPU alert to: sysadmin Parent-Child Streaming Configuration Stream metrics to a Netdata Director (parent server): Configured in stream.conf Requires director hostname/IP and API key Enables centralized monitoring of multiple servers Local dashboard remains available Use Cases Multi-server monitoring Centralized dashboards Unified alerting Historical data aggregation Environment Variables Netdata Container NETDATA_CLAIM_TOKEN - Optional Netdata Cloud claim token NETDATA_CLAIM_ROOMS - Optional Netdata Cloud rooms NETDATA_CLAIM_URL - Netdata Cloud URL (default: https://app.netdata.cloud) DOCKER_HOST - Docker socket path (default: /var/run/docker.sock) Configuration Files Main Configuration netdata.conf - Main Netdata configuration stream.conf - Parent-child streaming configuration health_alarm_notify.conf - Alert notification configuration health.d/*.conf - Individual alert definitions Customization # Edit main config nano /opt/speedbits/netdata-client/netdata/netdata.conf # Edit alerts nano /opt/speedbits/netdata-client/netdata/health.d/cpu_usage.conf # Edit streaming nano /opt/speedbits/netdata-client/netdata/stream.conf Troubleshooting Container Not Starting docker logs netdata docker ps -a | grep netdata Missing Metrics Verify host mounts: docker exec netdata ls /host/proc Check Docker socket: docker exec netdata ls /var/run/docker.sock Verify container capabilities Docker Containers Not Showing Verify Docker socket access Check Docker daemon is running Restart Netdata container Alerts Not Working Verify Apprise is running and accessible Check health_alarm_notify.conf configuration Test alert thresholds Check Netdata logs for errors Production Considerations Access Method: Use Traefik mode for production (trusted SSL) Authentication: Add Basic Auth protection (critical!) Network Security: Restrict access via firewall or VPN Resource Usage: ~50MB RAM, minimal CPU impact Data Retention: Configure appropriate retention period Alerting: Configure multiple notification channels for redundancy Streaming: Use director for multi-server environments Integration with Infinity Tools Netdata complements Infinity Tools by providing: Real-time monitoring of all Infinity Tools applications Docker container monitoring for infrastructure System resource monitoring Alert integration with Apprise Recommended Monitoring: All Infinity Tools application containers System resources (CPU, RAM, disk) Network traffic Docker daemon health API & Automation REST API Netdata provides REST API for metrics access API documentation available in web interface Useful for automation and integration Export metrics to external systems Exporting Data Export graphs as images Export metrics as JSON/CSV Integrate with external monitoring systems Next Steps Netdata is now operational. Use it to: Monitor all Infinity Tools applications Track Docker container health Monitor system resources in real-time Set up alert notifications Analyze performance trends For advanced features, API usage, custom collectors, and development guides, refer to the official Netdata documentation . 18: Netdata Director - Multi-Server Monitoring Hub Netdata Director is a parent-child streaming architecture that enables centralized monitoring of multiple servers. The Director (parent) receives metrics streams from child nodes, providing a unified dashboard, centralized alerting, and long-term historical data retention for all monitored infrastructure. ⚠️ LICENSE REQUIREMENT: Netdata Director is a Pro+ feature requiring a license. Community Netdata provides single-server monitoring only. For advanced features, API documentation, and streaming configuration, see the official Netdata documentation . Prerequisites ✅ Pro+ License - Required for Director functionality ✅ Docker installed (Chapter 3) ✅ Docker Compose (Chapter 3) ✅ Optional: Traefik installed (Chapter 4) for HTTPS with Let's Encrypt ✅ Optional: Domain configured (Chapter 4.5), e.g., monitoring.example.com ✅ Optional: Apprise installed (Chapter 5) for alert notifications ✅ Multiple servers - Director is designed for 2+ server environments Installation via Infinity Tools Menu Installation 📱 APPLICATIONS → Netdata Director → Install CLI Installation sudo bash /opt/InfinityTools/Solutions/setup-netdata-director.sh --install Architecture Parent-Child Streaming Director (Parent): Central dashboard server receiving streams Child Nodes: Regular Netdata installations streaming to Director Stream API Key: Authentication token for child-to-parent connection Unidirectional: Metrics flow child → parent only Container netdata-director - Director instance (netdata/netdata:latest) netdata-director-ssl-proxy - Nginx SSL proxy (standalone HTTPS mode only) Data Persistence Config: /opt/speedbits/netdata-director/netdata/ Lib: /opt/speedbits/netdata-director/netdata/lib/ (metrics database) Cache: /opt/speedbits/netdata-director/netdata/cache/ API Key: /opt/speedbits/netdata-director/stream-api-key.txt Deployment Modes Traefik Mode (Default) Uses Traefik for SSL termination and domain routing: Automatic Let's Encrypt certificate provisioning Domain-based access: https://monitoring.example.com Security headers configured Requires: Traefik running, DNS A record configured Standalone Mode Direct access with HTTP or HTTPS (self-signed): HTTP: http://SERVER_IP:19999 HTTPS: https://SERVER_IP:19999 (self-signed cert via nginx proxy) Default port: 19999 (configurable) Stream API Key Generation 32-character random key generated during installation Saved in stream-api-key.txt Used for child node authentication Must be kept secret Usage Child nodes use this key to authenticate when streaming metrics: Configured in child node's stream.conf Director validates key before accepting streams Multiple children can use same key (or separate keys per child) Streaming Configuration Director Configuration File: /opt/speedbits/netdata-director/netdata/stream.conf [stream] enabled = no # Director doesn't stream to anyone [$STREAM_API_KEY] enabled = yes default memory mode = dbengine health enabled by default = auto default postpone alarms on connect seconds = 60 default history = 3600 allow from = * Child Node Configuration Configured during child node installation: Director hostname/IP Director port (default: 19999) Stream API key Access Methods Traefik Mode https://monitoring.example.com Direct web access after DNS propagation and SSL certificate generation (30-60 seconds). Standalone Mode HTTP: http://SERVER_IP:19999 HTTPS: https://SERVER_IP:19999 Security Configuration Access Security ✅ Traefik mode uses Let's Encrypt SSL (production-ready) ✅ Standalone HTTPS uses self-signed certificates ✅ Security headers configured ⚠️ NO default authentication - Dashboard is publicly accessible ⚠️ Basic Auth incompatible - Blocks child node streaming Authentication Limitations ⚠️ CRITICAL: Basic Auth cannot be used with Director because: Child nodes use HTTP API to stream metrics Basic Auth blocks unauthenticated API requests Child nodes cannot authenticate via Basic Auth Result: Child nodes cannot connect Security Alternatives Firewall Rules: Restrict access to trusted IPs only VPN Access: Access Director via WireGuard VPN Netdata Cloud: Use official Netdata Cloud service Network Isolation: Keep Director on private network Stream API Key Security API key provides authentication for child nodes Keep key secret (only share with trusted servers) Director validates key before accepting streams Can use separate keys per child node (advanced) Alert Configuration Apprise Integration If Apprise is enabled, Director sends alerts for ALL child nodes: Centralized alert management Alerts include server hostname Single notification channel for all servers Config file: health_alarm_notify.conf Alert Flow Child node detects issue Alert sent to Director Director forwards to Apprise Apprise sends to configured channels Data Retention Retention Periods High-resolution: 1 hour (1-second granularity) Mid-resolution: 1 day (1-minute granularity) Low-resolution: 30 days (15-minute granularity) Storage Metrics stored in dbengine mode Configurable retention in netdata.conf Storage scales with number of child nodes Child Node Connection Connection Process Install Netdata on child server (Chapter 17) Enable streaming during installation Provide Director hostname/IP Provide Director port (default: 19999) Provide Stream API key Child node connects automatically Connection Verification Wait 1-2 minutes for connection to establish Check Director dashboard dropdown for child node Verify metrics appearing in Director Check Director logs: docker logs netdata-director Troubleshooting Child Nodes Not Connecting Verify API key is correct Check network connectivity (firewall rules) Verify Director port is accessible Check child node logs for connection errors Check Director logs: docker logs netdata-director Streaming Issues Verify stream.conf configuration Check API key matches between child and parent Verify Director is accepting connections Check network connectivity Production Considerations Access Method: Use Traefik mode for production (trusted SSL) Security: Implement firewall rules or VPN access (cannot use Basic Auth) Network: Ensure Director is accessible from all child nodes Storage: Plan storage capacity based on number of child nodes API Key Management: Use separate keys per child for enhanced security Monitoring: Monitor Director itself (resource usage, connectivity) Advanced Configuration Multiple API Keys Create separate API keys for different child nodes: # In stream.conf, add multiple sections: [api-key-1] enabled = yes allow from = 192.168.1.10 [api-key-2] enabled = yes allow from = 192.168.1.20 IP Restrictions Restrict which IPs can connect: [$STREAM_API_KEY] enabled = yes allow from = 192.168.1.0/24 # Only allow from this subnet Integration with Infinity Tools Netdata Director complements Infinity Tools by providing: Centralized monitoring of all Infinity Tools servers Unified alerting for entire infrastructure Historical data retention for capacity planning Cross-server performance comparison Next Steps Netdata Director is now operational. Use it to: Connect child nodes from all your servers Monitor entire infrastructure from one dashboard Set up centralized alerting Analyze performance trends across servers Plan capacity based on historical data For advanced features, streaming configuration, API usage, and development guides, refer to the official Netdata documentation . 19: WireGuard - VPN Infrastructure WireGuard is a modern VPN protocol using ChaCha20 encryption and Curve25519 key exchange. This installation uses WG-Easy (WireGuard-UI) for web-based client management, providing a user-friendly interface for VPN administration while maintaining WireGuard's performance and security benefits. For protocol specifications, advanced configuration, and technical documentation, see the official WireGuard documentation . Prerequisites ✅ Docker installed (Chapter 3) ✅ Docker Compose (Chapter 3) ✅ Linux kernel 5.6+ - WireGuard kernel module support ✅ Optional: Traefik installed (Chapter 4) for HTTPS with Let's Encrypt ✅ Optional: Domain configured (Chapter 4.5), e.g., vpn.example.com ✅ Firewall access - Ability to open UDP port Installation via Infinity Tools Menu Installation 📱 APPLICATIONS → WireGuard → Install CLI Installation sudo bash /opt/InfinityTools/Solutions/setup-wireguard.sh --install # With domain (Traefik mode) export WG_DOMAIN="vpn.example.com" export WG_USE_TRAEFIK="true" sudo -E bash /opt/InfinityTools/Solutions/setup-wireguard.sh --install # Custom networks export VPN_NETWORK_BASE="192.168.100" export HOST_NETWORK_BASE="192.168.101" export WG_VPN_PORT="51820" sudo -E bash /opt/InfinityTools/Solutions/setup-wireguard.sh --install Architecture Containers wireguard - WG-Easy (WireGuard-UI) container (ngoduykhanh/wireguard-ui:latest) wireguard-https - Nginx SSL proxy (standalone HTTPS mode only) Network Architecture VPN Network: Default 10.13.13.0/24 (configurable) WireGuard server: 10.13.13.1 Admin client: 10.13.13.2 Client IPs: 10.13.13.3+ (auto-assigned) Host Network: Default 10.13.14.0/24 (configurable) Host services IP: 10.13.14.1 Accessible via VPN for host service access Data Persistence Data: /opt/speedbits/wireguard/data/ (WG-Easy database, client configs) Configs: /opt/speedbits/wireguard/wg_confs/ (WireGuard config files) SSL: /opt/speedbits/wireguard/ssl/ (standalone mode certificates) Password: /opt/speedbits/wireguard/web-password.txt Host Integration Kernel Module: WireGuard kernel module loaded on host Systemd Service: wireguard-host-network.service for host network persistence Network Interface: wg-host dummy interface for host network iptables Rules: NAT and forwarding rules for VPN ↔ Host network Deployment Modes Traefik Mode Uses Traefik for SSL termination and domain routing: Automatic Let's Encrypt certificate provisioning Domain-based access: https://vpn.example.com Security headers configured Requires: Traefik running, DNS A record configured Standalone Mode (Default) Direct access with HTTPS (self-signed): HTTPS: https://SERVER_IP:8445 (self-signed cert via nginx proxy) Default web UI port: 8445 (configurable) VPN port: 51820 UDP (configurable) No domain required Installation Process Configuration Steps Network Configuration: VPN network base (default: 10.13.13) and Host network base (default: 10.13.14) DNS Configuration: Auto-detected from server's /etc/resolv.conf SSL Mode Selection: Choose Traefik or Standalone VPN Port: UDP port for VPN connections (default: 51820) Server Endpoint: Public IP or domain name for client connections Kernel Module: WireGuard kernel module installed and loaded Systemd Service: Host network service created and enabled What Gets Created Directory: /opt/speedbits/wireguard Containers: wireguard , wireguard-https (standalone mode) Docker Compose: /opt/speedbits/wireguard/docker-compose.yml Systemd Service: /etc/systemd/system/wireguard-host-network.service Host Scripts: host-network-setup.sh , host-network-cleanup.sh Access Methods Traefik Mode https://vpn.example.com Direct web access after DNS propagation and SSL certificate generation (30-60 seconds). Standalone Mode https://SERVER_IP:8445 Accept self-signed certificate warning (Advanced → Proceed). Authentication Web UI Credentials Username: admin (fixed) Password: Randomly generated (20 characters) Storage: /opt/speedbits/wireguard/web-password.txt Hash: bcrypt hash stored in container environment VPN Client Authentication Each client gets unique public/private key pair Server validates client public key No username/password required for VPN connection Keys generated cryptographically secure Network Configuration VPN Network (10.13.13.0/24) Purpose: WireGuard clients and Docker services Server IP: 10.13.13.1 Client IPs: 10.13.13.3+ (auto-assigned) Routing: Clients can access Docker containers via container names Host Network (10.13.14.0/24) Purpose: Access host services via VPN Host IP: 10.13.14.1 Interface: wg-host dummy interface Routing: NAT and forwarding rules configured iptables Rules # NAT for VPN → Host network iptables -t nat -A POSTROUTING -s 10.13.13.0/24 -d 10.13.14.0/24 -j MASQUERADE # Forwarding rules iptables -A FORWARD -s 10.13.13.0/24 -d 10.13.14.0/24 -j ACCEPT iptables -A FORWARD -s 10.13.14.0/24 -d 10.13.13.0/24 -j ACCEPT Environment Variables WireGuard Container WGUI_USERNAME - Web UI username (default: admin) WGUI_PASSWORD - Web UI password (randomly generated) WGUI_SERVER_INTERFACE_ADDRESSES - Server IP/CIDR (e.g., 10.13.13.1/24) WGUI_SERVER_LISTEN_PORT - VPN UDP port (default: 51820) WGUI_DEFAULT_CLIENT_ALLOWED_IPS - Default allowed IPs for clients WGUI_DEFAULT_CLIENT_USE_SERVER_DNS - Use server DNS (default: true) WGUI_MANAGE_START - Auto-start WireGuard (default: true) WGUI_MANAGE_RESTART - Auto-restart WireGuard (default: true) SESSION_SECRET - Session encryption key (randomly generated) Client Management Web UI Features Add/remove clients via web interface Generate QR codes for mobile devices Download .conf files for desktop clients Enable/disable clients individually View connection statistics Monitor traffic usage Client Configuration Clients are created via web UI. Each client gets: Unique public/private key pair Auto-assigned IP address Pre-configured AllowedIPs (VPN + Host networks) Server endpoint and public key Security Configuration Encryption Cipher: ChaCha20 (symmetric encryption) Key Exchange: Curve25519 (elliptic curve) Hash: BLAKE2s Handshake: Noise protocol framework Access Security ✅ Traefik mode uses Let's Encrypt SSL (production-ready) ✅ Standalone HTTPS uses self-signed certificates (acceptable for internal use) ✅ Security headers configured (X-Frame-Options, CSP, etc.) ✅ Random password generation (20 characters) ✅ Unique keys per client Container Security Requires NET_ADMIN and SYS_MODULE capabilities IP forwarding enabled Kernel module access for WireGuard Host network access for routing Firewall Configuration Required Ports UDP 51820 (or custom VPN port) - VPN connections (MUST be open) TCP 8445 (standalone mode) - Web UI (optional, can be closed after VPN setup) TCP 443 (Traefik mode) - Web UI via Traefik Firewall Best Practices # Open VPN port (REQUIRED) sudo ufw allow 51820/udp # Close other public ports (access via VPN instead) sudo ufw delete allow 8443 # Webmin sudo ufw delete allow 8444 # Apprise sudo ufw delete allow 8445 # WireGuard web UI Systemd Service Host Network Service Service: wireguard-host-network.service Creates wg-host dummy interface Configures host network IP (10.13.14.1) Sets up routing and iptables rules Persists across reboots Service Management # Check status systemctl status wireguard-host-network.service # Restart service sudo systemctl restart wireguard-host-network.service # View logs journalctl -u wireguard-host-network.service Troubleshooting VPN Connection Issues Verify firewall: sudo ufw status | grep 51820 Check server endpoint accessibility Verify client config (AllowedIPs, endpoint, keys) Check WireGuard logs: docker logs wireguard Test UDP connectivity: nc -u -v SERVER_IP 51820 Host Network Issues Check systemd service: systemctl status wireguard-host-network.service Verify interface: ip addr show wg-host Check routing: ip route show | grep 10.13.14 Verify iptables rules: iptables -t nat -L -n -v Web UI Issues Check container status: docker ps | grep wireguard View logs: docker logs wireguard Verify password: cat /opt/speedbits/wireguard/web-password.txt Test API: curl -u admin:PASSWORD http://localhost:5000/api/sessions Production Considerations Access Method: Use Traefik mode for production (trusted SSL) Firewall: Open only VPN port, close other public ports Password Management: Store web UI password securely Client Management: Regularly review and disable unused clients Monitoring: Monitor VPN connections and traffic Backup: Backup client configurations and keys Updates: Re-run install script periodically for updates Integration with Infinity Tools WireGuard complements Infinity Tools by providing: Secure remote access to all Infinity Tools applications Access to Docker services without exposing ports publicly Access to host services (Webmin, Apprise) securely Centralized VPN management via web interface Recommended Setup: Open only VPN port (UDP 51820) publicly Close other public ports (Webmin, Apprise, etc.) Access all services via VPN Use VPN network (10.13.13.x) for Docker services Use Host network (10.13.14.1) for host services Advanced Configuration Custom Networks Configure custom network ranges: export VPN_NETWORK_BASE="192.168.100" export HOST_NETWORK_BASE="192.168.101" sudo -E bash setup-wireguard.sh --install Custom VPN Port export WG_VPN_PORT="51821" sudo -E bash setup-wireguard.sh --install Custom DNS export VPN_DNS="8.8.8.8,8.8.4.4" sudo -E bash setup-wireguard.sh --install Client Configuration Export Via Web UI Download .conf file for desktop clients Scan QR code for mobile clients View client details (IP, public key, etc.) Via Command Line # View admin client config sudo bash setup-wireguard.sh --show-config # Client configs stored in ls /opt/speedbits/wireguard/data/peer_*/peer.conf Next Steps WireGuard is now operational. Use it to: Create VPN clients for all your devices Access Infinity Tools applications securely Access host services without exposing ports Manage clients via web interface Monitor VPN connections and traffic For advanced features, protocol specifications, and development guides, refer to the official WireGuard documentation . 20: Warpgate - SSH Bastion Host Warpgate is a modern SSH/RDP bastion host providing centralized access control, session recording, and web-based management. It acts as a gateway for all SSH connections, reducing the attack surface by eliminating direct server access. For protocol specifications, advanced configuration, and technical documentation, see the official Warpgate documentation . Prerequisites ✅ Docker installed (Chapter 3) ✅ Docker Compose (Chapter 3) ✅ Optional: Traefik installed (Chapter 4) for HTTPS with Let's Encrypt ✅ Optional: Domain configured (Chapter 4.5), e.g., warpgate.example.com ✅ Firewall access - Ability to open port 2222 (SSH bastion) Installation via Infinity Tools Menu Installation 📱 APPLICATIONS → Warpgate → Install CLI Installation sudo bash /opt/InfinityTools/Solutions/setup-warpgate.sh --install # With domain (Traefik mode) export WARPGATE_DOMAIN="warpgate.example.com" export WG_USE_TRAEFIK="true" sudo -E bash /opt/InfinityTools/Solutions/setup-warpgate.sh --install # Standalone mode export WG_USE_TRAEFIK="false" export WG_PORT="8888" sudo -E bash /opt/InfinityTools/Solutions/setup-warpgate.sh --install # With domain argument sudo bash /opt/InfinityTools/Solutions/setup-warpgate.sh --install warpgate.example.com Architecture Container warpgate - Warpgate container (ghcr.io/warp-tech/warpgate:latest) Ports 2222 - SSH bastion port (exposed directly, TCP) 8888 - Web interface port (via Traefik or standalone, HTTPS) Data Persistence Data: /opt/speedbits/warpgate/data/ (configuration, database) Config: /opt/speedbits/warpgate/data/warpgate.yaml (main configuration) Database: /opt/speedbits/warpgate/data/db/ (SQLite database) SSL: /opt/speedbits/warpgate/ssl/ (standalone mode certificates) Deployment Modes Traefik Mode (Default) Uses Traefik for SSL termination and domain routing: Automatic Let's Encrypt certificate provisioning Domain-based access: https://warpgate.example.com SSH bastion: ssh -p 2222 user@warpgate.example.com Requires: Traefik running, DNS A record configured Standalone Mode Direct access with HTTPS (self-signed): HTTPS: https://SERVER_IP:8888 (self-signed cert) SSH bastion: ssh -p 2222 user@SERVER_IP Default web UI port: 8888 (configurable) No domain required Installation Process Configuration Steps SSL Mode Selection: Choose Traefik or Standalone Domain Configuration: If Traefik, specify domain (e.g., warpgate.example.com) Port Configuration: If Standalone, specify web UI port (default: 8888) Container Creation: Warpgate container created and started Interactive Setup: Admin account creation via warpgate setup command What Gets Created Directory: /opt/speedbits/warpgate Container: warpgate Docker Compose: /opt/speedbits/warpgate/docker-compose.yml Configuration: /opt/speedbits/warpgate/data/warpgate.yaml Database: SQLite database in /opt/speedbits/warpgate/data/db/ Access Methods Traefik Mode # Web interface https://warpgate.example.com # SSH bastion ssh -p 2222 user@warpgate.example.com Direct web access after DNS propagation and SSL certificate generation (30-60 seconds). Standalone Mode # Web interface https://SERVER_IP:8888 # SSH bastion ssh -p 2222 user@SERVER_IP Accept self-signed certificate warning (Advanced → Proceed). Initial Setup Admin Account Creation After container creation, Warpgate runs interactive setup: docker run --rm -it \ -v /opt/speedbits/warpgate/data:/data \ ghcr.io/warp-tech/warpgate:latest \ setup Prompts: Admin username: Username for admin account Admin password: Password for admin account Confirm password: Password confirmation Configuration File After setup, configuration is stored in: /opt/speedbits/warpgate/data/warpgate.yaml File permissions: 600 (owner: uid 1000) Authentication Web Interface Authentication Username/password authentication Admin account created during setup Additional users created via web interface SSH Bastion Authentication Warpgate username/password authentication After authentication, user selects target Warpgate connects to target using configured credentials Target Configuration Adding Targets Targets are servers that users can connect to through Warpgate: Name: Friendly name for the target Host: IP address or hostname (use localhost for same server) Port: SSH port (usually 22) Username: SSH username for the target Key-based auth: Optional SSH key configuration Same-Server Target For accessing the server where Warpgate runs: Host: localhost or 127.0.0.1 Port: 22 (or custom SSH port) Username: Server username User Management Web Interface Create users via web interface Assign access to specific targets Manage user permissions View user sessions User Access Control Users can only access targets they're granted access to Access can be granted/revoked per user per target Session recording available per user/target SSH Connection Flow Connection Process Client connects to Warpgate on port 2222 Warpgate authenticates user (username/password) Warpgate presents available targets User selects target Warpgate connects to target using configured credentials Session is established and optionally recorded SSH Command # Traefik mode ssh -p 2222 warpgate-user@warpgate.example.com # Standalone mode ssh -p 2222 warpgate-user@SERVER_IP Security Configuration Access Security ✅ Traefik mode uses Let's Encrypt SSL (production-ready) ✅ Standalone HTTPS uses self-signed certificates (acceptable for internal use) ✅ SSH bastion port (2222) exposed directly ✅ Direct SSH port (22) can be closed after Warpgate setup Firewall Best Practices # Open Warpgate SSH bastion port sudo ufw allow 2222/tcp # Close direct SSH access (after testing Warpgate) sudo ufw delete allow 22/tcp # Open web interface port (if standalone) sudo ufw allow 8888/tcp Container Security Runs as uid 1000 (non-root) Data directory mounted with proper permissions Configuration file secured (600 permissions) Environment Variables Standalone Mode WARPGATE_HTTP_LISTEN - HTTP listen address (default: 0.0.0.0:8888) WARPGATE_SSH_LISTEN - SSH listen address (default: 0.0.0.0:2222) Troubleshooting Web Interface Issues Check container status: docker ps | grep warpgate View logs: docker logs warpgate Verify configuration: cat /opt/speedbits/warpgate/data/warpgate.yaml Check file permissions: ls -la /opt/speedbits/warpgate/data/ SSH Connection Issues Verify firewall: sudo ufw status | grep 2222 Test connectivity: nc -v SERVER_IP 2222 Check user credentials in web interface Verify target configuration Check user access permissions Target Connection Failures Verify target host/IP is correct Check target SSH port Verify target username Test direct connection to target Check SSH key configuration (if using key-based auth) Production Considerations Access Method: Use Traefik mode for production (trusted SSL) Firewall: Close direct SSH port (22) after Warpgate verification User Management: Regularly review and remove unused users Session Recording: Enable for security auditing Monitoring: Monitor SSH sessions and access patterns Backup: Backup configuration and database regularly Updates: Re-run install script periodically for updates Integration with Infinity Tools Warpgate complements Infinity Tools by providing: Centralized SSH access management Secure gateway for all server access Session recording and auditing User access control Recommended Setup: Open only Warpgate SSH port (2222) publicly Close direct SSH port (22) after testing Use Traefik for web interface HTTPS Enable session recording for security Regularly audit user access Advanced Configuration Custom Ports # Custom web UI port (standalone) export WG_PORT="9999" sudo -E bash setup-warpgate.sh --install # SSH port is always 2222 (exposed directly) Configuration File Edit configuration directly: # Backup first cp /opt/speedbits/warpgate/data/warpgate.yaml /opt/speedbits/warpgate/data/warpgate.yaml.backup # Edit configuration nano /opt/speedbits/warpgate/data/warpgate.yaml # Restart container docker restart warpgate Session Recording Enabling Recording Session recording can be enabled per user or per target in the web interface. Recorded sessions are stored in the database and can be reviewed for security auditing. User Management Script Infinity Tools provides a helper script for creating system users: sudo bash /opt/InfinityTools/Infrastructure/add-warpgate-user.sh This script creates a warpgate system user with SSH key access. Edit the script to add your SSH public key before running. Next Steps Warpgate is now operational. Use it to: Add targets (servers) users can connect to Create users and assign access Connect via SSH through Warpgate Monitor sessions and access Close direct SSH access for better security For advanced features, API documentation, and development guides, refer to the official Warpgate documentation . Other Infinity Tools Features Covers other features (security and optimization) and deinstallation.