How to set up Firefly III in 10 min with NGINX and auto-renewal SSL

This guide shows how to set up Firefly III with auto-renewing SSL certificates in docker-compose.

We will use jwilder/nginx-proxy.

It is an NGINX reverse proxy that watches all containers and, together with its Let's Encrypt companion container, issues Let's Encrypt certificates for them.

  1. Prepare a server or rent a VPS. I use a Hostens VPS; you can use my referral link, and if you google a promotional code it will be a very cheap and good VPS.

I use Ubuntu 18.04.

You also need a domain name with an A DNS record pointing to your server.

  2. Install Docker and docker-compose

  3. Create a folder nginx-proxy and a docker-compose.yml file inside this folder

mkdir nginx-proxy
cd nginx-proxy
vim docker-compose.yml
docker-compose.yml
version: '3'
services:
  nginx-proxy:
    image: jwilder/nginx-proxy:alpine
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./current/public:/usr/share/nginx/html
      - ./certs:/etc/nginx/certs:ro
      - ./vhost:/etc/nginx/vhost.d
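      # Gives the proxy access to the Docker API; ":ro" only protects the socket file, it does not restrict API calls.
      - /var/run/docker.sock:/tmp/docker.sock:ro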
      - ./pass:/etc/nginx/htpasswd:ro
    labels:
      - "com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy=true"
  letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    restart: always
    environment:
      NGINX_PROXY_CONTAINER: nginx-proxy
      NGINX_DOCKER_GEN_CONTAINER: nginx-proxy
    volumes:
      - ./certs:/etc/nginx/certs:rw
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./vhost:/etc/nginx/vhost.d
      - ./current/public:/usr/share/nginx/html
networks:
  default:
    external:
      name: nginx-proxy
  4. Create the external network first, then you can start this docker-compose project
docker network create nginx-proxy
docker-compose up -d
  5. Return to your home folder, create a firefly-iii folder and a docker-compose.yml file in it. Please check the official docker-compose.yml file
cd
mkdir firefly-iii
cd firefly-iii
vim docker-compose.yml
docker-compose.yml
--- 
networks:
  default:
    external:
      name: nginx-proxy
      
services:

  firefly_iii_app: 
    image: jc5x/firefly-iii:latest
    restart: unless-stopped
    depends_on:
      - firefly_iii_db
    expose: 
      - 80
    env_file: .env
    volumes: 
      - 
        source: firefly_iii_export
        target: /var/www/firefly-iii/storage/export
        type: volume
      - 
        source: firefly_iii_upload
        target: /var/www/firefly-iii/storage/upload
        type: volume
        
  firefly_iii_db: 
    image: "postgres:10"
    restart: unless-stopped
    environment:
      - POSTGRES_PASSWORD=pass
      - POSTGRES_DB=homestead
      - POSTGRES_USER=firefly
    volumes: 
      - firefly_iii_db:/var/lib/postgresql/data
  
  firefly_iii_cron:
    image: alpine
    command: sh -c "echo \"0 3 * * * wget https://your_domain/cron/run/token\" | crontab - && crond -f -L /dev/stdout"
version: "3.2"

volumes: 
  firefly_iii_db: ~
  firefly_iii_export: ~
  firefly_iii_upload: ~

Reference: official documentation about Firefly III in docker and cron.

Please replace:

pass with a strong password,

your_domain with your domain and

token with your token (see the link to the cron docs above).

  6. Create a .env file and edit it according to your setup. Please check the official .env file
vim .env
.env
VIRTUAL_HOST=your_domain
LETSENCRYPT_HOST=your_domain
LETSENCRYPT_EMAIL=info@your_domain

# You can leave this on "local". If you change it to production most console commands will ask for extra confirmation.
# Never set it to "testing".
APP_ENV=local

# Set to true if you want to see debug information in error screens.
APP_DEBUG=false

# This should be your email address
SITE_OWNER=info@your_domain

# The encryption key for your sessions. Keep this very secure.
# If you generate a new one existing data must be considered LOST.
# Change it to a string of exactly 32 chars or use command `php artisan key:generate` to generate it
APP_KEY=some32chars


# Change this value to your preferred time zone.
# Example: Europe/Amsterdam
TZ=Europe/Amsterdam

# This variable must match your installation's external address but keep in mind that
# it's only used on the command line as a fallback value.
APP_URL=your_domain

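# TRUSTED_PROXIES is a useful variable when using Docker and/or a reverse proxy.
# Set it to ** and reverse proxies work just fine.
# ** makes the app trust forwarded headers from any source, so keep the app container
# reachable only through the proxy (the compose file above uses expose, not ports).
TRUSTED_PROXIES=**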

# The log channel defines where your log entries go to.
# 'daily' is the default logging mode giving you 5 daily rotated log files in /storage/logs/.
# Several other options exist. You can use 'single' for one big fat error log (not recommended).
# Also available are 'syslog', 'errorlog' and 'stdout' which will log to the system itself.
LOG_CHANNEL=daily

# Log level. You can set this from least severe to most severe:
# debug, info, notice, warning, error, critical, alert, emergency
# If you set it to debug your logs will grow large, and fast. If you set it to emergency probably
# nothing will get logged, ever.
APP_LOG_LEVEL=notice

# Database credentials. Make sure the database exists. I recommend a dedicated user for Firefly III
# For other database types, please see the FAQ: http://firefly-iii.readthedocs.io/en/latest/support/faq.html
DB_CONNECTION=pgsql
#FF_DB_CONNECTION=pgsql
# If you use DOCKER COMPOSE, change this variable to "firefly_iii_db"
DB_HOST=firefly_iii_db
DB_PORT=5432
DB_DATABASE=homestead
DB_USERNAME=firefly
DB_PASSWORD=pass

# PostgreSQL supports SSL. You can configure it here.
PGSQL_SSL_MODE=prefer
PGSQL_SSL_ROOT_CERT=null
PGSQL_SSL_CERT=null
PGSQL_SSL_KEY=null
PGSQL_SSL_CRL_FILE=null

# If you're looking for performance improvements, you could install memcached.
CACHE_DRIVER=file
SESSION_DRIVER=file

# You can configure another file storage backend if you cannot use the local storage option.
# To set this up, fill in the following variables. The upload path is used to store uploaded
# files and the export path is to store exported data (before download).
SFTP_HOST=
SFTP_PORT=
SFTP_UPLOAD_PATH=
SFTP_EXPORT_PATH=

# SFTP uses either the username/password combination or the private key to authenticate.
SFTP_USERNAME=
SFTP_PASSWORD=
SFTP_PRIV_KEY=

# Cookie settings. Should not be necessary to change these.
COOKIE_PATH="/"
COOKIE_DOMAIN=
COOKIE_SECURE=false

# If you want Firefly III to mail you, update these settings
# For instructions, see: https://firefly-iii.readthedocs.io/en/latest/installation/mail.html
MAIL_DRIVER=log
MAIL_HOST=smtp.mailtrap.io
MAIL_PORT=2525
MAIL_FROM=changeme@example.com
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null

# Other mail drivers:
MAILGUN_DOMAIN=
MAILGUN_SECRET=
MANDRILL_SECRET=
SPARKPOST_SECRET=

# Firefly III can send you the following messages
SEND_REGISTRATION_MAIL=true
SEND_ERROR_MESSAGE=true

# These messages contain (sensitive) transaction information:
SEND_REPORT_JOURNALS=true

# Set a Mapbox API key here (see mapbox.com) so there might be a map available at various places.
MAPBOX_API_KEY=

# Firefly III currently supports two providers for live Currency Exchange Rates:
# "fixer", and "ratesapi".
# RatesApi.IO (see https://ratesapi.io) is a FREE and OPEN SOURCE live currency exchange rates,
# built compatible with Fixer.IO, based on data published by European Central Bank, and doesn't require API key.
CER_PROVIDER=ratesapi

# If you have selected "fixer" as the default currency exchange rates provider,
# set a Fixer IO API key here (see https://fixer.io) to enable live currency exchange rates.
# Please note that this WILL ONLY WORK FOR PAID fixer.io accounts because they severely limited
# the free API up to the point where you might as well offer nothing.
FIXER_API_KEY=

# If you wish to track your own behavior over Firefly III, set a valid analytics tracker ID here.
ANALYTICS_ID=

# Firefly III has two options for user authentication. "eloquent" is the default,
# and "ldap" for LDAP servers.
# For full instructions on these settings please visit:
# https://firefly-iii.readthedocs.io/en/latest/installation/authentication.html
LOGIN_PROVIDER=eloquent

# LDAP connection configuration
# OpenLDAP, FreeIPA or ActiveDirectory
ADLDAP_CONNECTION_SCHEME=OpenLDAP
ADLDAP_AUTO_CONNECT=true

# LDAP connection settings
ADLDAP_CONTROLLERS=
ADLDAP_PORT=389
ADLDAP_TIMEOUT=5
ADLDAP_BASEDN=""
ADLDAP_FOLLOW_REFFERALS=false
ADLDAP_USE_SSL=false
ADLDAP_USE_TLS=false

ADLDAP_ADMIN_USERNAME=
ADLDAP_ADMIN_PASSWORD=

ADLDAP_ACCOUNT_PREFIX=
ADLDAP_ACCOUNT_SUFFIX=

# LDAP authentication settings.
ADLDAP_PASSWORD_SYNC=false
ADLDAP_LOGIN_FALLBACK=false

ADLDAP_DISCOVER_FIELD=distinguishedname
ADLDAP_AUTH_FIELD=distinguishedname

# Will allow SSO if your server provides an AUTH_USER field.
WINDOWS_SSO_DISCOVER=samaccountname
WINDOWS_SSO_KEY=AUTH_USER

# field to sync as local username.
ADLDAP_SYNC_FIELD=userprincipalname

# You can disable the X-Frame-Options header if it interferes with tools like
# Organizr. This is at your own risk.
DISABLE_FRAME_HEADER=false

# Leave the following configuration vars as is.
# Unless you like to tinker and know what you're doing.
APP_NAME=FireflyIII
ADLDAP_CONNECTION=default
BROADCAST_DRIVER=log
QUEUE_DRIVER=sync
REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379
CACHE_PREFIX=firefly
SEARCH_RESULT_LIMIT=50
PUSHER_KEY=
PUSHER_SECRET=
PUSHER_ID=
DEMO_USERNAME=
DEMO_PASSWORD=
IS_DOCKER=false
USE_ENCRYPTION=false
IS_SANDSTORM=false
IS_HEROKU=false
BUNQ_USE_SANDBOX=false
FFIII_LAYOUT=v1

Please note that these environment variables

VIRTUAL_HOST=your_domain
LETSENCRYPT_HOST=your_domain
LETSENCRYPT_EMAIL=info@your_domain

are required by jwilder.

firefly-iii and jwilder will run in the same Docker network.

In order to proxy firefly-iii, jwilder needs to see these three variables.

The other variables are required by Firefly III itself.

Change pass to the password you set in the firefly-iii docker-compose.yml.

Change your_domain to your domain.

Change Europe/Amsterdam to your time zone.

Change some32chars to 32 random characters; don't ask, just do it.

Reference: official .env example
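
The replacements listed above can be checked before the first start. The shell functions below are an added example, not part of the original gist: `gen_app_key`, `env_get` and `check_config` are hypothetical helper names, the placeholder strings are the ones this guide uses, and the compose check assumes the list-style `- POSTGRES_PASSWORD=...` entry shown above.

```shell
#!/bin/sh
# Added example (not from the gist): pre-flight check for the two files this
# guide creates in ~/firefly-iii. Placeholder strings are the guide's own.

# Print a random 32-character alphanumeric string for APP_KEY.
gen_app_key() {
    head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 32
}

# Value of KEY in a KEY=value file; the last assignment wins.
env_get() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# check_config ENV_FILE COMPOSE_FILE
# Prints one FAIL line per finding and returns 1 if there was any.
check_config() {
    env_file=$1; compose_file=$2; bad=0
    fail() { echo "FAIL: $*"; bad=1; }

    key=$(env_get APP_KEY "$env_file")
    [ "${#key}" -eq 32 ] || fail "APP_KEY has ${#key} chars, needs exactly 32"

    db_pw=$(env_get DB_PASSWORD "$env_file")
    pg_pw=$(sed -n 's/^[[:space:]]*-[[:space:]]*POSTGRES_PASSWORD=//p' "$compose_file")
    case $db_pw in
        ''|pass) fail "DB_PASSWORD is empty or still the placeholder 'pass'" ;;
    esac
    [ "$db_pw" = "$pg_pw" ] || fail "DB_PASSWORD differs from POSTGRES_PASSWORD"

    vhost=$(env_get VIRTUAL_HOST "$env_file")
    le_host=$(env_get LETSENCRYPT_HOST "$env_file")
    [ -n "$vhost" ] && [ "$vhost" = "$le_host" ] ||
        fail "VIRTUAL_HOST and LETSENCRYPT_HOST must be set to the same name"

    if grep -q 'your_domain' "$env_file" "$compose_file"; then
        fail "placeholder 'your_domain' is still present"
    fi

    # .env holds APP_KEY and the database password: no read bit for "other".
    [ -z "$(find "$env_file" -perm -004)" ] || fail "$env_file is world-readable"

    [ "$bad" -eq 0 ]
}

# Usage, inside ~/firefly-iii:  check_config .env docker-compose.yml
```

The cron token is not checked here because it only exists after Firefly III has been started once and the /profile page is reachable.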

  7. You can now start your Firefly III instance
docker-compose up -d

Right after this command, jwilder will proxy the Firefly III instance under your domain and automatically issue an SSL certificate for you. It will also check the expiration date of the SSL certificate and auto-renew it when necessary.

BONUS

  1. Update to the latest version of Firefly III in one command!

This command will connect to your VPS via SSH, update your Firefly III and delete unused docker images.

ssh YOUR_SERVER_USER@YOUR_SERVER_IP "cd firefly-iii && docker-compose stop firefly_iii_app && docker-compose rm && docker-compose pull firefly_iii_app && docker-compose up -d && docker images | grep '<none>' | awk '{print \$3}' | xargs docker rmi"

  2. Backup Firefly-III database script

adrianviegas commented Dec 6, 2019

While starting the docker for nginx-proxy, I get the following error:

ERROR: Network nginx-proxy declared as external, but could not be found. Please create the network manually using docker network create nginx-proxy and try again.

I tried running the command given and it started; but after starting firefly I get 503 errors.

After some searching, this was in my /etc/nginx/conf.d/default.conf

server {
    server_name _; # This is just an invalid value which will never trigger
    listen 80;
    access_log /var/log/nginx/access.log vhost;
    return 503;
}

Owner Author

optimistic5 commented Dec 6, 2019

@adrianviegas

  1. cd to your nginx-proxy folder and check the logs
    docker-compose logs or docker-compose logs -f or docker-compose logs --tail=200
    Check the logs of both the nginx-proxy and letsencrypt services.
  2. Make sure your domain resolves to your public IP.
    dig YOUR_DOMAIN
  3. Make sure your 80 and 443 ports are open to the internet.
    nmap -p 80,443 YOUR_IP
  4. Check the status and logs of Firefly; maybe it is down or restarting.
  5. Find out the name of your nginx container and check the full nginx.conf
    docker exec -it nginx-proxy_nginx-proxy_1 nginx -T
    Note the private IP of the Firefly container.
  6. Try to reach your Firefly with the local IP from one of the Docker containers; you can use curl
    docker exec -it nginx-proxy_nginx-proxy_1 apk add curl
    docker exec -it nginx-proxy_nginx-proxy_1 curl PRIVATE_IP_OF_FIREFLY_CONTAINER:80

AgentPurpleLord commented Feb 12, 2020

Any reason I would be getting a 503 Service Temporarily Unavailable?


optimistic5 commented Feb 12, 2020

> Any reason I would be getting a 503 Service Temporarily Unavailable?

Basically, the suggestions are the same.
Please check my answer above.


nmosto commented Feb 16, 2020

Hi,
Would you explain what the token is for the docker-compose.yml file? The link you posted no longer works. I am not sure what to do at this step. Thank you for your time.


optimistic5 commented Feb 18, 2020

> Hi,
> Would you explain what the token is for the docker-compose.yml file? The link you posted no longer works. I am not sure what to do at this step. Thank you for your time.

I updated the links to the official documentation, please check it.


nmosto commented Feb 18, 2020

Thank you for the reply. I found the documentation but still do not understand. I am not familiar with /profile or where this command line token header is. Could you walk me through this step? Thank you.

> Of course you must replace the URL with the URL of your own Firefly III installation. The value can be found on your /profile under the "Command line token" header. This will prevent others from spamming your cron job URL.


optimistic5 commented Feb 19, 2020

> Thank you for the reply. I found the documentation but still do not understand. I am not familiar with /profile or where this command line token header is. Could you walk me through this step? Thank you.
>
> > Of course you must replace the URL with the URL of your own Firefly III installation. The value can be found on your /profile under the "Command line token" header. This will prevent others from spamming your cron job URL.

Just go to your firefly url and add /profile
your-firefly-url.com/profile


marceldejongnl commented May 26, 2020

> Just go to your firefly url and add /profile
> your-firefly-url.com/profile

But in the stage where you have to put the Token, the FireflyIII is not yet available


optimistic5 commented May 27, 2020

> > Just go to your firefly url and add /profile
> > your-firefly-url.com/profile
>
> But in the stage where you have to put the Token, the FireflyIII is not yet available

Ok 😃
Start FireFly and then configure token.
