
@0xcaff
Last active May 13, 2023 23:35
OpenVPN, rTorrent and Flood Docker Compose Configuration

The Setup

This is a docker-compose file for a simple, secure torrent setup. It includes rTorrent (a torrent client), flood (a web interface for rTorrent), OpenVPN (to tunnel traffic through your ISP) and a simple iptables firewall that lets rTorrent reach the internet only through the VPN.

To run everything, put the configuration files from this gist in a directory, save your OpenVPN configuration file there as ./vpn.ovpn, then go to that directory and run

docker-compose up

Now flood can be accessed by visiting localhost:3000.

🎉

version: '3.4'
services:
  # This service sets up a firewall which only allows traffic to the docker
  # network and the specified destination (ip, port, protocol). See its repo for
  # more information: https://github.com/0xcaff/docker-simple-firewall
  firewall:
    image: quay.io/0xcaff/simple-firewall:latest
    # Needed by the image to set up the firewall.
    cap_add:
      - net_admin
    # The DNS servers which are used through the VPN.
    dns:
      - 8.8.8.8
      - 8.8.4.4
    environment:
      # The only address, port and protocol combination allowed through the
      # firewall. This should be the address, port and protocol of the VPN
      # service.
      ALLOW_IP_ADDRESS: 178.60.78.125
      ALLOW_PORT: 1194
      ALLOW_PROTO: udp
      # TCP connections will be accepted at this port once the firewall is
      # configured.
      FIREWALL_READY_SIGNAL_PORT: 60000
    # The only traffic allowed out of this container is traffic to this network
    # and traffic to the specified ip address.
    networks:
      - local
  # A service which creates an openvpn tunnel. Check out its repo for more
  # information: https://github.com/0xcaff/docker-openvpn-client
  vpn:
    image: quay.io/0xcaff/openvpn-client:latest
    # Needed for OpenVPN to work.
    cap_add:
      - net_admin
    devices:
      - /dev/net/tun
    # Share the network stack of the firewall client container. When this
    # container binds ports, they can be reached through the "firewall" service.
    network_mode: service:firewall
    volumes:
      # This is the wait-for script from https://github.com/Eficode/wait-for. It
      # is used to ensure that the VPN only starts after the firewall is
      # configured. This is done so if the VPN tries to connect to a non-allowed
      # address the failure is fast.
      - ./wait-for/wait-for:/wait-for
      # The VPN configuration file.
      - ./vpn.ovpn:/vpn/config/config.ovpn
    # Start openvpn after the firewall is done.
    command: "/wait-for localhost:60000 -- openvpn --config /vpn/config/config.ovpn"
  # A service with the rtorrent torrent client. See the repository for more
  # information: https://github.com/0xcaff/docker-rtorrent
  rtorrent:
    image: 0xcaff/rtorrent:latest
    # Share the network stack of the firewall client container. When this
    # container binds ports, they can be reached through the "firewall" service.
    network_mode: service:firewall
    # SCGI is exposed on port 5000.
    volumes:
      # rTorrent configuration file.
      - ./rtorrent.rc:/rtorrent/.rtorrent.rc
      # rTorrent persistent state.
      - downloaded:/rtorrent/downloaded
      - session:/rtorrent/.rtorrent.session
      # This is the wait-for script from https://github.com/Eficode/wait-for. It
      # is used to ensure that rtorrent starts only after the firewall is
      # initialized.
      - ./wait-for/wait-for:/wait-for
    # Waits for the firewall to be set up before running rtorrent. The VPN may
    # or may not be ready but no traffic will be leaked because of the firewall.
    entrypoint: "/bin/sh"
    command: "/wait-for localhost:60000 -- rtorrent"
  # A service containing flood, a web interface for rtorrent.
  flood:
    image: 0xcaff/flood
    depends_on:
      - rtorrent
    environment:
      # Configuration for flood. Check out this file for all possible
      # configuration options:
      # https://github.com/jfurrow/flood/blob/master/config.docker.js
      #
      # The host and port the rTorrent SCGI API can be reached at.
      RTORRENT_SCGI_HOST: firewall
      RTORRENT_SCGI_PORT: 5000
    volumes:
      - flood:/data
    # Expose the flood web interface port. As written, this publishes the port
    # on all host interfaces; use "127.0.0.1:3000:3000" to keep it reachable
    # from this machine only.
    ports:
      - 3000:3000
    # The firewall destination (vpn, firewall, rtorrent) is only accessible
    # through the local network.
    networks:
      - local
volumes:
  downloaded:
    driver: local
  session:
    driver: local
  flood:
    driver: local
networks:
  # A network for connecting local services.
  local:
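
# rtorrent.rc (mounted at /rtorrent/.rtorrent.rc by the compose file)
directory = ~/downloaded
session = ~/.rtorrent.session
system.daemon.set = true
# SCGI has no authentication. It listens on all interfaces so flood can reach
# it over the docker network; never publish port 5000 on the host.
scgi_port = 0.0.0.0:5000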
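
The egress policy described in the firewall service's comments, sketched as an iptables-restore ruleset. This is an added example, not the rules shipped in the simple-firewall image: ALLOW_IP_ADDRESS, ALLOW_PORT and ALLOW_PROTO come from the compose file, while the local-subnet argument and the `tun+` interface match are assumptions.

```shell
#!/bin/sh
# Added sketch: print a kill-switch ruleset for iptables-restore.
# Egress only; IPv6 needs the same policy loaded through ip6tables-restore.

bad() { echo "invalid $1" >&2; return 1; }

valid_ipv4() {
  # Dotted quad only, each octet in 0-255.
  echo "$1" | awk -F. 'NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# build_rules ALLOW_IP_ADDRESS ALLOW_PORT ALLOW_PROTO LOCAL_SUBNET
# LOCAL_SUBNET (assumed name) is the CIDR of the compose "local" network.
build_rules() {
  ip=$1 port=$2 proto=$3 subnet=$4
  valid_ipv4 "$ip" || bad ALLOW_IP_ADDRESS || return 1
  case $proto in udp|tcp) ;; *) bad ALLOW_PROTO; return 1 ;; esac
  case $port in ''|*[!0-9]*) bad ALLOW_PORT; return 1 ;; esac
  { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } || bad ALLOW_PORT || return 1
  valid_ipv4 "${subnet%/*}" || bad LOCAL_SUBNET || return 1
  case ${subnet#*/} in ''|*[!0-9]*) bad LOCAL_SUBNET; return 1 ;; esac
  # Default-deny OUTPUT: anything not matched below is dropped, so rtorrent
  # cannot fall back to the container's normal route if the tunnel is down.
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d $subnet -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -d $ip/32 -p $proto --dport $port -j ACCEPT
COMMIT
EOF
}

# Usage (needs NET_ADMIN, as the firewall service has):
#   build_rules "$ALLOW_IP_ADDRESS" "$ALLOW_PORT" "$ALLOW_PROTO" 172.18.0.0/16 | iptables-restore
```

Because 8.8.8.8 and 8.8.4.4 match neither the local subnet nor the VPN endpoint, DNS queries leave only through the `tun+` rule, which is why the compose file describes them as used through the VPN.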

0xcaff commented Mar 9, 2020

This error seems to be caused by the wait-for script missing. Clone https://github.com/Eficode/wait-for into your working directory before running docker-compose up.


kionei commented Jul 9, 2020

So far I've gotten everything up and running, technically, but once I register with Flood that container crashes. Logs suggest errors with npm / node / flood. I'm still new to docker; I'm not even sure if one can update node / npm / flood in an existing container. Is this compose still viable for new installations?


Drewskiola commented Jan 24, 2022

This script hangs and does not continue after the line that says flood server starting on port 3000. The flood login does come up through the host browser but that's about it. I did clone the wait-for directory as mentioned in a previous post which did solve some initial issues in getting the script going.

Any ideas? I am running fedora 33.
