-
Notifications
You must be signed in to change notification settings - Fork 8
/
synology-with-docker.html
290 lines (289 loc) · 13.5 KB
/
synology-with-docker.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
<!--
title: Synology with Docker
description: Guide to setting up Foundry on Synology's DSM 7.2 using Felddy's foundryvtt container.
published: true
date: 2023-12-15T20:31:07.777Z
tags: hosting, self-hosting, synology, docker
editor: ckeditor
dateCreated: 2023-12-15T18:47:27.997Z
-->
<blockquote>
<p><strong>IMPORTANT: </strong>As of 12/11/2023, the Docker version used by Synology has reached end-of-life, but is due to be updated with DSM 7.2.2.</p>
</blockquote>
<h1>Setting up Foundry VTT on your Synology NAS using Container Manager (Docker)</h1>
<p>This is the Synology guide for those of us that are more comfortable interacting with Docker using a UI! If you're comfortable managing everything through the command line, use the <a href="https://foundryvtt.wiki/en/setup/hosting/Synology">other guide</a>.</p>
<p>Please note that Synology ransomware attacks are on the rise, so <strong>secure your NAS</strong>, <strong>use strong passwords</strong>, <strong>use HTTPS</strong>, and <strong>turn off Synology QuickConnect</strong> under Control Panel > External Access.</p>
<blockquote>
<p><strong>Note:</strong> This is a first draft of this guide, so if you run into issues or find things that need updating, send a note to hightouch on Discord. I'll try to add screenshots at some point in the future.</p>
</blockquote>
<h4>Assumptions for this guide</h4>
<ul>
<li>You have Synology DSM 7.2 installed (latest version as of 12/2023 when this guide was written).</li>
<li>You are using the default Foundry port: <code>:30000</code>.</li>
<li>You own a custom domain name, which is a prerequisite for HTTPS/SSL. For this example we'll use <code>foundryonsynology.info</code>.</li>
<li>You will be using HTTPS/SSL.</li>
<li>You have created <a href="https://drfrankenstein.co.uk/step-2-setting-up-a-restricted-docker-user-and-obtaining-ids/">an admin user</a> that does not use the default “admin” login name.</li>
<li>You will be using a Foundry login for your container, not the temporary download links (<a href="https://foundryvtt.wiki/en/setup/hosting/Synology#get-a-temporary-foundry-vtt-linuxnodejs-download-url">example of that setup here</a>).</li>
</ul>
<h4>Prerequisites</h4>
<ul>
<li>Foundry VTT license and login name/password on-hand.</li>
<li>A custom domain name. <a href="https://porkbun.com/">Porkbun</a> is a great option if you need a provider!</li>
<li><a href="https://www.synology.com/en-us/dsm/feature/docker">Synology Container Manager</a> (Docker) is installed through Package Center.</li>
<li>A limited access admin user and the PUID and PGID to use in Docker (<a href="https://drfrankenstein.co.uk/step-2-setting-up-a-restricted-docker-user-and-obtaining-ids/">guide here</a>).</li>
</ul>
<p> </p>
<h2>1. Create your data folders</h2>
<p>Wherever you store your Docker container folders, create a new Foundry data folder. This guide assumes this folder is set up under <code>home/docker/foundry</code>.</p>
<p> </p>
<h2>2. Open up ports on your router</h2>
<p>Set up port forwarding via your router (and modem depending on your provider) to your NAS. This guide assumes you will be using the default port <code>:30000</code>. Here's a decent <a href="https://nordvpn.com/blog/open-ports-on-router/">guide</a> from NordVPN with a wide range of router examples.</p>
<ol>
<li>Forward port <code>:30000</code> to the internal IP address of your Synology.</li>
<li><i>[Required if you are using Synology's Let's Encrypt implementation for certificates] </i>Forward port <code>:80</code> to your NAS so that Synology can auto-renew this certificate with Let's Encrypt.</li>
</ol>
<p> </p>
<h2>3. Get your certificates</h2>
<p>Download your certificate from your domain registrar, or use <a href="https://kb.synology.com/en-my/DSM/tutorial/How_to_enable_HTTPS_and_create_a_certificate_signing_request_on_your_Synology_NAS">Synology's Let's Encrypt</a> setup. If you use a registrar, this is usually found under the DNS section under your custom domain.</p>
<h4>Set a reminder 📆</h4>
<ol>
<li>Before you start, go to your preferred calendar and <strong>set a recurring 90 day calendar reminder</strong> to replace your Foundry and/or Synology certificates.</li>
<li>Make a note that you'll need to replace certificates in <strong>Control Center > Security > Certificate</strong> (<i>if you aren't using Synology's implementation</i>) <i><strong>and</strong></i> your Foundry Config folder (<code>home/docker/foundry/Config</code>).</li>
</ol>
<h4>Using domain registrar certificates</h4>
<ol>
<li>Download the certificates from your registrar.</li>
<li>Open <strong>Control Panel > Security > Certificate</strong>.</li>
<li>Click the <strong>Add</strong> button then <strong>Add a new certificate</strong>.</li>
<li>Add the name “Foundry” to the description field, then choose <strong>Import certificate</strong>.</li>
<li>Upload your certificate files into the next step and complete registration.</li>
</ol>
<h4>Using Synology's Let's Encrypt certificates</h4>
<ol>
<li>Open <strong>Control Panel > Security > Certificate</strong></li>
<li>Click the <strong>Add</strong> button then <strong>Add a new certificate</strong>.</li>
<li>Add the name “Foundry” to the description field, then choose <strong>Get a certificate from Let's Encrypt</strong></li>
<li>Enter your domain name, email, and any subdomains you might be using.</li>
<li>Complete registration.</li>
<li>Select the newly added certificate after it finishes validating with Let's Encrypt, choose <strong>Action > Export certificate</strong> to download your certificate files.</li>
</ol>
<h4>Add your certificates to the Foundry data folder</h4>
<ol>
<li>Under your Foundry data folder (<code>/home/docker/foundry</code> in our example), create a new <code>/Config</code> folder</li>
<li>Upload the certificate files you downloaded into the <code>/Config</code> folder.</li>
</ol>
<p> </p>
<h2>4. Set up the Docker container</h2>
<ol>
<li>Install <a href="https://www.synology.com/en-us/dsm/feature/docker">Synology Container Manager</a> (Docker) is through Package Center if you haven't already.</li>
<li>Under <strong>Container</strong> press the <strong>Create</strong> button.</li>
<li>Under the <strong>Image</strong> dropdown, chose <strong>Add Image</strong> and search for “foundryvtt”</li>
<li>In this example we're using <strong>felddy/foundryvtt</strong>. Choose that image and download, then select the <strong>latest</strong> tag.</li>
<li>Name your container “foundry”</li>
<li>Check <strong>Enable auto-restart</strong>. <i>Do not enable “Set up web portal via Web station”.</i></li>
<li>Continue to <strong>Advanced Settings</strong>
<ol>
<li>Set <strong>Port Settings</strong> to <code>30000</code> / <code>30000</code> / <code>TCP</code></li>
<li>Under <strong>Volume Settings</strong>, choose <strong>+ Add Folder</strong>, then add the Foundry data folder you created earlier (<code>/home/docker/foundry</code>). Give it the alias <code>/data</code>, and leave <strong>Read/Write</strong> access.</li>
<li>Under <strong>Environment</strong>, <i>add</i> the following settings to the default fields added:</li>
</ol>
</li>
</ol>
<figure class="table">
<table>
<thead>
<tr>
<th>Variable name</th>
<th>Example value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>PUID</td>
<td>1000</td>
<td><i>The PUID for your docker user (</i><a href="https://drfrankenstein.co.uk/step-2-setting-up-a-restricted-docker-user-and-obtaining-ids/"><i>guide here</i></a><i>)</i></td>
</tr>
<tr>
<td>PGID</td>
<td>1000</td>
<td><i>The PGID for your docker user (</i><a href="https://drfrankenstein.co.uk/step-2-setting-up-a-restricted-docker-user-and-obtaining-ids/"><i>guide here</i></a><i>)</i></td>
</tr>
<tr>
<td>FOUNDRY_USERNAME</td>
<td>foundryonsynology</td>
<td><i>Your Foundry username, not email</i></td>
</tr>
<tr>
<td>FOUNDRY_PASSWORD</td>
<td>Foundry-On-Synology7.2</td>
<td><i>Your Foundry password</i></td>
</tr>
<tr>
<td>FOUNDRY_ADMIN_KEY</td>
<td>Let.Me.In.To.Foundry</td>
<td><i>The admin section login password you want to use in Foundry</i></td>
</tr>
<tr>
<td>FOUNDRY_LICENSE_KEY</td>
<td>1234-5678-9012-3456-7890</td>
<td><i>Your Foundry license key</i></td>
</tr>
<tr>
<td>FOUNDRY_HOSTNAME</td>
<td>foundryonsynology.info</td>
<td><i>Your custom domain name</i></td>
</tr>
<tr>
<td>FOUNDRY_SSL_CERT</td>
<td>cert.pem</td>
<td><i>The filename of the certificate you added to </i><code><i>/foundry/Config</i></code></td>
</tr>
<tr>
<td>FOUNDRY_SSL_KEY</td>
<td>privkey.pem</td>
<td><i>The filename of the private key file you added to </i><code><i>/foundry/Config</i></code></td>
</tr>
<tr>
<td>FOUNDRY_PROXY_SSL</td>
<td>true</td>
<td><i>Yes, you want to use SSL</i></td>
</tr>
<tr>
<td>FOUNDRY_PROXY_PORT</td>
<td>443</td>
<td>T<i>his requires the HTTPS port </i><code><i>443</i></code><i> , not our default </i><code><i>30000</i></code></td>
</tr>
<tr>
<td>FOUNDRY_LOCAL_HOSTNAME</td>
<td>foundryonsynology.info</td>
<td><i>Your custom domain name</i></td>
</tr>
</tbody>
</table>
</figure>
<p>Then start it up!</p>
<p> </p>
<h2>5. Set up a reverse proxy</h2>
<ol>
<li>Open <strong>Control Panel > Login Portal > Advanced</strong> on your NAS and open <strong>Reverse Proxy</strong>.</li>
<li><strong>Create</strong> a new reverse proxy, and remember to add the 5 entries under Custom Header.</li>
</ol>
<figure class="table">
<table>
<thead>
<tr>
<th>Tab</th>
<th>Field</th>
<th>Value</th>
<th> </th>
</tr>
</thead>
<tbody>
<tr>
<th><strong>General</strong></th>
<td>Reverse Proxy Name</td>
<td>Foundry</td>
<td> </td>
</tr>
<tr>
<th> </th>
<td><strong>Source</strong></td>
<td> </td>
<td> </td>
</tr>
<tr>
<th> </th>
<td>Protocol</td>
<td>HTTPS</td>
<td> </td>
</tr>
<tr>
<th> </th>
<td>Hostname</td>
<td>foundryonsynology.info</td>
<td><i>Your domain name</i></td>
</tr>
<tr>
<th> </th>
<td>Port</td>
<td>30000</td>
<td><i>The external port you're forwarding inbound from your router</i></td>
</tr>
<tr>
<th> </th>
<td>Enable HSTS</td>
<td>Checked/true</td>
<td> </td>
</tr>
<tr>
<th> </th>
<td>Access control profile</td>
<td>Not configured</td>
<td> </td>
</tr>
<tr>
<th> </th>
<td><strong>Destination</strong></td>
<td> </td>
<td> </td>
</tr>
<tr>
<th> </th>
<td>Protocol</td>
<td>HTTPS</td>
<td> </td>
</tr>
<tr>
<th> </th>
<td>Hostname</td>
<td>192.168.1.100</td>
<td><i>The internal IP address of your NAS, (Control Center > Info Center > Network)</i></td>
</tr>
<tr>
<th><strong>Custom Header</strong></th>
<td>Upgrade</td>
<td>$http_upgrade</td>
<td><i>Add these 5 custom entries</i></td>
</tr>
<tr>
<th> </th>
<td>Connection</td>
<td>“Upgrade”</td>
<td> </td>
</tr>
<tr>
<th> </th>
<td>Host</td>
<td>$host</td>
<td> </td>
</tr>
<tr>
<th> </th>
<td>X-Forwarded-For</td>
<td>$proxy_x_add_forwarded_for</td>
<td> </td>
</tr>
<tr>
<th> </th>
<td>X-Forwarded-Proto</td>
<td>$scheme</td>
<td> </td>
</tr>
</tbody>
</table>
</figure>
<p> </p>
<h2>6. Test your setup</h2>
<p>You should now be able to visit your Foundry instance from two locations. In our example, externally this is <code>https://foundryonsynology.info:30000</code>, and on our internal network at <code>https://192.168.1.100:30000</code>. <i>These are just the example addresses, yours will be different!</i></p>
<p> </p>
<h4>Help, no login panel is showing up!!</h4>
<p>If you see the Foundry screen, but there is no card with login information and you see an error in the console referencing <code>websockets</code>, that means your Reverse Proxy is not set up correctly.</p>
<p>Double check <strong>Web Station > Web Service </strong>and <strong>Web Portal</strong> and make sure there are <i><strong>not</strong></i> entries for your Docker container.</p>
<p>If there are, delete them then go back to your Foundry container in <strong>Container Manager > Container > foundry > Settings</strong> and make sure the <strong>Set up web portal via Web Station</strong> option is <i><strong>off</strong></i> and that you only see your <code>30000</code>/<code>30000</code>/<code>TCP</code> entry under <strong>Port Settings</strong>.</p>
<p> </p>
<h4>Other considerations</h4>
<ul>
<li>If you have Watchtower set up, you may want to <a href="https://containrrr.dev/watchtower/container-selection/">exclude Foundry</a>.</li>
</ul>
<p> </p>