Skip to content

Instantly share code, notes, and snippets.

@ItsIgnacioPortal

ItsIgnacioPortal/install-fireflyiii-rpi3-docker-docker-compose-ssl.md

Forked from josephbadow/install-fireflyiii-rpi3-docker-docker-compose-ssl.md
Last active June 8, 2020 22:57
Show Gist options
  • Save ItsIgnacioPortal/90387b8208c0d518f83ff974d453ca8a to your computer and use it in GitHub Desktop.
Save ItsIgnacioPortal/90387b8208c0d518f83ff974d453ca8a to your computer and use it in GitHub Desktop.
Download ZIP
(UP2DATE) Install Firefly on a Raspberry Pi 3 with Docker, Docker Compose and a self-signed certificate
Raw
install-fireflyiii-rpi3-docker-docker-compose-ssl.md

I'm running a dockerized Firefly III on a Raspberry 3 in my local network. With the help of an additional nginx Container and a self-signed SSL Certificate I was able to set up https.

Maybe somebody will find this guide helpfull, it took me a couple of tries to get it right.

Install Docker on the Raspberry

Simply follow the official documentation at https://docs.docker.com/install/linux/docker-ce/debian/#install-using-the-convenience-script. You'll need to run the script if you are using the default Raspberry OS: Raspbian.

Install Docker Compose using Python PIP

Use Pythons package manager PIP to install Docker Compose, details can be found on docker.com as well: https://docs.docker.com/compose/install/#install-using-pip. Before you can follow the guide you'll need to install python-pip.

sudo apt-get install python3-pip

Test Firefly III with Docker Compose

Follow the official Guide at https://docs.firefly-iii.org/installation/docker#docker-hub-with-automatic-updates-via-docker-compose to install Firefly III on your Pi and test if you can access it at http://hostname-of-pi. You can check your host name with hostname and modify it with sudo raspi-config. Mine is called raspberry01 and therefore I access it via http://raspberry01.

Generate a new SSL certificate

With openssl you can easily create the required SSL certificate. The certificate will be valid for 365 days.

openssl req -x509 -newkey rsa:2048 -keyout raspberry01.key -out raspberry01.crt -days 365 -nodes

Creating the key on the Raspberry might take a moment. You will be asked for additional information that will be parsed into the certificate but the only important one is the Common Name. You should enter the hostname of your Raspberry here. The others can be skipped with return.

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:raspberry01
Email Address []:

The command created two files (raspberry01.key, raspberry01.crt) that we need to copy to our docker environment.

Further explanation and options to create a certificate can be read about in this stackoverflow post: https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl.

Prepare nginx configuration

Next to my /opt/docker/firefly/docker-compose.yml file I created a new folder conf.d. I moved the newly created certificate and key to this folder and created a new configuration file (raspberry01.conf) for nginx.

server {
  listen 80; 
  #redirect all http traffic to https
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl;
  ssl_certificate /etc/nginx/conf.d/raspberry01.crt;
  ssl_certificate_key /etc/nginx/conf.d/raspberry01.key;
  location / {
    proxy_pass http://172.24.0.1:80;
    proxy_set_header        Host                    $host;
    proxy_set_header        X-Real-IP               $remote_addr;
    proxy_set_header        X-Forwarded-For         $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Host        $server_name;
    proxy_set_header        X-Forwarded-Proto       $scheme;
    proxy_set_header        X-Forwarded-Ssl         on;
    proxy_set_header        Upgrade                 $http_upgrade;
    proxy_set_header        Connection              "upgrade";
  }
}

The proxy_pass IP is the Gateway address of my Firefly Docker network. You can check yours by running

docker network inspect firefly_firefly_iii_net

I copied the proxy_set_header options from another issue (#2579) and cannot say if all of them are relevant.

Now you should have a somewhat similar file and folder structure:

    |-- /opt/docker/firefly
        |-- docker-compose.yml
        |-- conf.d
            |-- raspberry01.conf
            |-- raspberry01.crt
            |-- raspberry01.key

Modify docker-compose.yml and .env files

I added the official nginx image as additional service to the docker-compose.yml file. Adding it to the existing firefly_iii_net network, exposing port 443 and mounting the local folder conf.d read-only into the container.

[...]
  nginx_proxy:
    image: nginx:latest
    networks:
      - firefly_iii_net
    ports:
      - "443:443"
    volumes:
      - /opt/docker/firefly/conf.d:/etc/nginx/conf.d:ro
[...]

In the .env file you need to set APP_URL and TRUSTED_PROXIES.

[...]
# This variable must match your installation's external address but keep in mind that
# it's only used on the command line as a fallback value.
APP_URL=https://raspberry01

# TRUSTED_PROXIES is a useful variable when using Docker and/or a reverse proxy.
# Set it to ** and reverse proxies work just fine.
TRUSTED_PROXIES=**
[...]

(Re)start your containers and access your Firefly App via https

docker-compose -f /opt/docker/firefly/docker-compse.yml up -d

The first start will download the newly added nginx image which will delay everything for a moment. Access https://hostname-of-pi and accept the browser warning. You created the certificate yourself, it was not signed by an official certificate authority, therefore you are warned by the browser.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment