Our docker-compose setup for kanboard
missytake 73aa657be8 commands need quotes 2 months ago
README.md wrote a guide to setup a user account. 1 year ago
backup.sh commands need quotes 2 months ago
brand-logo.png added normal logo again 1 year ago
client-setup.md fixed broken link 1 year ago
config.php enabling STARTTLS for email notifications 1 year ago
docker-compose.yml expose port only to localhost 3 months ago
traefik.toml initial commit 1 year ago

README.md

Install Kanboard

Reading the Install Instructions, I realized that we can set up kanboard with docker-compose, which already gives us a nicely documented setup. But we would need to modify the docker-compose template at b9a457fc03/docker-compose.yml a bit for our purpose:

All the plugins can apparently be installed in the web interface.

Creating the VM

First I created a DNS entry for todo.0x90.space, with the IP address 94.130.31.55.

Then I destroyed and undefined the docker VM and deleted the bildungsstreik DNS record pointing towards it, to use it for this service. I also deleted the entries in the internal KVM network:

tech@lilith:~$ sudo virsh destroy docker
Domain docker destroyed

tech@lilith:~$ sudo virsh undefine docker
Domain docker has been undefined

tech@lilith:~$ sudo virsh net-update intern delete ip-dhcp-host "<host mac='52:54:00:d6:33:7' name='docker' ip='192.168.73.7'/>" --config
Updated network intern persistent config
tech@lilith:~/serverconf$ sudo virsh net-update intern delete ip-dhcp-host "<host name='docker' ip='2a01:4f8:10b:2e62::7'/>" --parent-index 1 --config --live
Updated network intern persistent config and live state

I realized too late that there is a script for this, but I basically did the same steps manually.

Then I tried to create the new VM:

tech@lilith:~/serverconf$ cat create-public.sh
#!/bin/sh
echo -n 'Hostname: '
read hostname
echo -n 'IP: '
read ip

ip_hex=$(printf %x $ip)
virsh net-update intern add-last ip-dhcp-host "<host mac='52:54:00:d6:33:$ip_hex' name='$hostname' ip='192.168.73.$ip' />" --config --live
virsh net-update intern add-last ip-dhcp-host "<host name='$hostname' ip='2a01:4f8:10b:2e62::$ip_hex' />" --parent-index 1 --config --live
sudo cp -f /var/lib/libvirt/images/public.qcow2 /var/lib/libvirt/images/$hostname.qcow2
virt-install --name $hostname --import --vcpus 1 --ram 2048 --disk /var/lib/libvirt/images/$hostname.qcow2 --network "network=intern,mac=52:54:00:d6:33:$ip_hex" --graphics none --noautoconsole --os-variant debian9
virsh autostart $hostname
tech@lilith:~/serverconf$ ./create-public.sh
Hostname: kanboard
IP: 7
error: failed to connect to the hypervisor
error: error from service: CheckAuthorization: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout
expired, or the network connection was broken.

^C
tech@lilith:~/serverconf$ sudo ./create-public.sh
Hostname: kanboard
IP: 7
error: Failed to update network intern
error: Requested operation is not valid: there is an existing dhcp host entry in network 'intern' that matches "<host mac='52:54:00:d6:33:7' name='kanboard' ip='192.168.73.7'/>"

Updated network intern persistent config and live state

Starting install...
ERROR    error from service: ListActivatableNames: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
  virsh --connect qemu:///system start kanboard
otherwise, please restart your installation.
error: failed to get domain 'kanboard'
error: Domain not found: no domain with matching name 'kanboard'

As this failed, I decided to restart libvirt on lilith, as this is not uncommon after such a long uptime: sudo service libvirtd restart. After that, the domain creation went fine, and I could log in without problems with ssh tech@todo.0x90.space -p 42022 -i .ssh/id_rsa.
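
create-public.sh is run with sudo and pastes both prompt answers unquoted into libvirt XML and an image path, so a check before the first virsh call is worth having. An added example (not part of serverconf; the function names are hypothetical and the 2..254 range is an assumption) that validates the two inputs and builds the same strings the script uses:

```sh
#!/bin/sh
# Added example, not part of serverconf: validate the two prompts of a
# create-public.sh-style script before they reach virsh, cp and virt-install.
# Function names are hypothetical.
LC_ALL=C; export LC_ALL   # make [a-z] mean ASCII lowercase only

# A single lowercase DNS label: no slash, dot, quote or space, so the value
# cannot leave /var/lib/libvirt/images or break out of the XML attribute.
valid_hostname() {
    case "$1" in
        ''|-*|*-|*[!a-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# Decimal host number for 192.168.73.x. A leading zero is rejected because
# printf %x would read "010" as octal 8. The range 2..254 is an assumption
# (.1 taken to be the bridge address).
valid_host_number() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 3 ] && [ "$1" -ge 2 ] && [ "$1" -le 254 ]
}

# Print the IPv4 host entry, the IPv6 host entry and the image path, using
# the same address scheme as the script; print nothing on invalid input.
host_entries() {
    valid_hostname "$1" || return 1
    valid_host_number "$2" || return 1
    hex=$(printf '%x' "$2")
    printf "<host mac='52:54:00:d6:33:%s' name='%s' ip='192.168.73.%s'/>\n" \
        "$hex" "$1" "$2"
    printf "<host name='%s' ip='2a01:4f8:10b:2e62::%s'/>\n" "$1" "$hex"
    printf '/var/lib/libvirt/images/%s.qcow2\n' "$1"
}

# Usage: ./check-host.sh kanboard 7
if [ "$#" -eq 2 ]; then
    host_entries "$1" "$2" || { echo "invalid hostname or IP" >&2; exit 1; }
fi
```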

Then I executed these (optimizable) commands to install docker and docker-compose on the machine:

sudo apt update
sudo apt upgrade -y  # this triggered a grub update. I kept the current configuration and installed it to /dev/vda.
sudo apt install -y curl
sudo curl -L "https://github.com/docker/compose/releases/download/1.24.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
sudo apt-get install -y \
     apt-transport-https \
     ca-certificates \
     gnupg2 \
     software-properties-common
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
sudo add-apt-repository \
   "deb [arch=amd64] https://download.docker.com/linux/debian \
   $(lsb_release -cs) \
   stable"
sudo apt update
sudo apt install -y docker-ce
sudo usermod -aG docker tech

Then I had to log out and log in again for the group change to take effect.
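
The docker-compose binary above is written straight to /usr/local/bin without an integrity check. An added example (not from this repository; the function names and the SHA256SUMS file are assumptions) that installs a download only when its SHA-256 matches a digest kept separately from the download:

```sh
#!/bin/sh
# Added example, not from this repository: install a downloaded binary only
# if its SHA-256 matches a digest obtained separately from the download
# (for instance a checksum file committed to this repo). Function names and
# the checksum-file location are assumptions.

# expected_digest SUMFILE NAME: print the digest listed for NAME in a
# "digest  filename" file, the format sha256sum writes.
expected_digest() {
    awk -v n="$2" '{ f = $2; sub(/^\*/, "", f)
                     if (f == n) { print $1; exit } }' "$1"
}

# install_verified SRC SUMFILE NAME DEST
# Returns 0 after installing, 1 on digest mismatch, 2 if no usable digest.
install_verified() {
    want=$(expected_digest "$2" "$3") || return 2
    case "$want" in
        ''|*[!0-9a-f]*) echo "no usable digest for $3" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 64 ] || return 2
    got=$(sha256sum "$1" | cut -d' ' -f1)
    if [ "$got" != "$want" ]; then
        echo "digest mismatch for $3, not installing" >&2
        return 1
    fi
    # install(1) copies and sets the mode in one step, replacing the
    # separate curl -o /usr/local/bin/... and chmod +x.
    install -m 0755 "$1" "$4"
}

# Usage: download to a temporary file first, then e.g.
#   sudo ./install-verified.sh /tmp/docker-compose SHA256SUMS \
#       docker-compose-Linux-x86_64 /usr/local/bin/docker-compose
if [ "$#" -eq 4 ]; then
    install_verified "$1" "$2" "$3" "$4"
fi
```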

Create docker-compose setup

I cloned this repository to /opt/kanboard:

tech@docker:/opt$ sudo git clone https://git.links-tech.org/links-tech/kanboard
Cloning into 'kanboard'...
remote: Enumerating objects: 8, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 8 (delta 1), reused 0 (delta 0)
Unpacking objects: 100% (8/8), done.
tech@docker:/opt$ sudo chown -R tech:tech kanboard/
tech@docker:/opt$ cd kanboard/

I generated passwords for the DB into links-tech/kanboard/env and copied them to /opt/kanboard/.env.

To create the files necessary for traefik, I executed these commands:

touch acme.json
chmod 600 acme.json

Then I started the containers with docker-compose up -d, et voilà! I could log in as ‘admin’ under https://todo.0x90.space.

Configuration

First I changed the admin password and saved it under links-tech/kanboard/admin.

For E-Mail configuration, I manually created the config.php and added some values. I saved them in pass at links-tech/kanboard/config.php. I pulled the changes and restarted the containers to apply them:

git pull
docker-compose down --remove-orphans
docker-compose up -d

I sent an E-Mail invite to myself to test whether it works. It didn’t; neither did any of the other email configuration options. E-Mails don’t work for now.

Backup

I followed the serverconf/doc/backup-new.md guide to set up backups.

Data I want to back up:

  • /var/lib/docker/volumes/kanboard_kanboard_data
  • /var/lib/docker/volumes/kanboard_kb_database

The backup script needs root, otherwise it can’t read the docker volumes.

I created /root/.ssh/id_rsa without a passphrase. I added it to /home/tech/authorized_keys on cyberbackup, with the necessary restrictions. I created the /home/tech/repositories-borg/kanboard directory on cyberbackup. I added the ssh config like in the guide.

I installed borgbackup on the kanboard machine.

I created a borg repo with borg init backup:repositories-borg/kanboard --encryption=repokey and generated the password to links-tech/kanboard/backup.

I wrote the backup.sh script in this repo, git pulled it to the kanboard host, changed the permissions to 700 root:root and added the passphrase from pass.

Then I realized that the passphrase wasn’t generated with -n and contained escape characters; borg key change-passphrase didn’t work unfortunately. So I did this to fix it:

  • borg delete backup:repositories-borg/kanboard
  • regenerated the passphrase with pass generate links-tech/kanboard/backup 60 -n
  • borg init backup:repositories-borg/kanboard --encryption=repokey
  • added the new passphrase to the backup.sh script

Now I could run the script and confirm the success afterwards:

root@docker:/opt/kanboard# /opt/kanboard/backup.sh
Stopping kanboard_kanboard_1 ... done
Stopping kanboard_traefik_1  ... done
Starting kanboard ... done
Starting traefik  ... done
root@docker:/opt/kanboard# borg list backup:repositories-borg/kanboard
Enter passphrase for key ssh://backup/./repositories-borg/kanboard:
backup20190718                       Thu, 2019-07-18 15:37:23

Setting up incremental backups

I executed crontab -e as root and added the following line:

20 2 * * * /opt/kanboard/backup.sh
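
acme.json, .env and backup.sh each hold a secret (the ACME account key and certificates, the DB passwords, the borg passphrase), and backup.sh is now run by root's cron. An added example (not part of this repository; the function names are hypothetical, and mode 600 for .env is an assumption, since the README only gives modes for acme.json and backup.sh) that flags any of them that is missing, too permissive or, for backup.sh, not owned by the expected user:

```sh
#!/bin/sh
# Added example, not part of this repository: audit the secret-bearing files
# of this setup. Assumption: .env should be 600 like acme.json.
# Function names are hypothetical.

# mode_within FILE MAX: true if FILE grants no permission bit outside MAX
# (octal); a stricter mode passes, a missing file fails.
mode_within() {
    m=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    [ $(( 0$m & ~0$2 )) -eq 0 ]
}

# owned_by_uid FILE UID: true if FILE's numeric owner is UID (0 for root).
owned_by_uid() {
    [ "$(stat -c '%u' "$1" 2>/dev/null)" = "$2" ]
}

# audit_secrets DIR SCRIPT_UID: print one line per finding and return the
# number of findings (0 means everything matched).
audit_secrets() {
    findings=0
    for spec in acme.json:600 .env:600 backup.sh:700; do
        f=$1/${spec%%:*}
        max=${spec##*:}
        if ! mode_within "$f" "$max"; then
            echo "FINDING: $f missing or more permissive than $max"
            findings=$((findings + 1))
        fi
    done
    # backup.sh contains the borg passphrase and runs from root's crontab.
    if ! owned_by_uid "$1/backup.sh" "$2"; then
        echo "FINDING: $1/backup.sh is not owned by uid $2"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage: sudo ./audit-secrets.sh /opt/kanboard 0
if [ "$#" -eq 2 ]; then
    audit_secrets "$1" "$2"
fi
```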

Restore

To restore, you can probably do something like this, but I haven’t tested it yet:

# If the service is still running, stop it.
cd /opt/kanboard
docker-compose stop

# Remove the current data, so you get a clean overwrite with the restore.
rm -rf /var/lib/docker/volumes/kanboard_kanboard_data /var/lib/docker/volumes/kanboard_kb_database

# You need to go to / to restore it, because borg remembers the paths.
cd /

# Extract the backup. You can pass the password as environment variable:
 export BORG_PASSPHRASE='password'
borg extract backup:repositories-borg/kanboard::thebackupyouwant

# Now you can restart the service and check whether it works as expected.
cd /opt/kanboard
docker-compose start

Install Plugins

To be able to install plugins, I added the following lines to the config.php (in this repository):

// Enable/disable plugin installation from the user interface:
define('PLUGIN_INSTALLER', true); // Default is true

Then I could install the following 3 plugins through the web interface:

  • Calendar
  • Moon
  • GitHub Webhook

I also wanted to install the GitHub frontend plugin, but it isn’t maintained anymore and not available from the web installer.