rpi-docker-setup
Raspberry Pi Home Server with Docker
This repository documents my Raspberry Pi home server setup, including Docker Compose files, service configurations, backup scripts, and notes from my own deployment.
The goal of this project is to keep everything self-hosted, easy to rebuild, and simple to maintain.
Services Overview
Networking & Access
| Service | Purpose | Repo |
|---|---|---|
| Nginx Proxy Manager | Reverse proxy with SSL support | ↗︎ |
| WireGuard | Secure remote access to the LAN | ↗︎ |
| Gluetun | VPN routing for selected containers | ↗︎ |
| OpenSpeedTest | Local network speed testing | ↗︎ |
| UniFi Network Application | UniFi controller | ↗︎ |
Security & Privacy
| Service | Purpose | Repo |
|---|---|---|
| AdGuard Home | DNS-level ad and telemetry blocking | ↗︎ |
| Vaultwarden | Lightweight self-hosted password manager | ↗︎ |
Media Automation
| Service | Purpose | Repo |
|---|---|---|
| Overseerr | Media request management | ↗︎ |
| Radarr | Movie automation | ↗︎ |
| Sonarr | TV show automation | ↗︎ |
| Prowlarr | Indexer management | ↗︎ |
| Flaresolverr | Cloudflare challenge handling | ↗︎ |
| qBittorrent | Torrent client | ↗︎ |
Infrastructure & Management
| Service | Purpose | Repo |
|---|---|---|
| Portainer | Docker management UI | ↗︎ |
| Watchtower | Automatic container updates | ↗︎ |
| Filebrowser | Web-based file manager | ↗︎ |
| Homepage | Service dashboard | ↗︎ |
Productivity
| Service | Purpose | Repo |
|---|---|---|
| Obsidian LiveSync | Encrypted note syncing | ↗︎ |
Automation
| Script | Purpose |
|---|---|
| cpu_temp.sh | Sends Discord alerts if CPU temperature gets too high |
| backup-obsidian.sh | Backs up Obsidian LiveSync data to NAS |
| docker-backup.sh | Pushes Docker configs to GitHub |
| unattended-upgrades | Automated OS update |
| NAS Mount | Mount NAS on RPI startup |
Notes
- All services run inside Docker containers for portability and easier management.
- Most services are available internally through Nginx Proxy Manager.
- Privacy-sensitive services can be routed through Gluetun.
- Media services share the same storage structure to support hardlinking.
Prerequisites
- A Raspberry Pi with an installed and updated OS
- A static IP address recommended for easier access & configuration
I use Raspberry Pi OS 64-bit based on Debian, but most Linux distributions should work with small adjustments.
Installing Docker
Docker allows applications to run inside lightweight containers, making deployments easier to manage and rebuild.
Docker Compose lets you manage multiple containers using a single YAML file.
Installation steps vary depending on your OS. Refer to Docker’s official documentation for detailed instructions.
Docker on Debian
curl -sSl https://get.docker.com | sh
To avoid running Docker as root:
sudo usermod -aG docker ${USER}
Log out and back in for the group change to apply.
Verify Docker:
docker run hello-world
Install Docker Compose:
sudo apt install docker-compose-plugin
Verify Docker Compose:
docker compose version
Folder Structure
I keep each container or stack inside its own directory:
~/containers/nginx-proxy-manager
~/containers/adguard
~/containers/arr-stack
Each directory contains its own docker-compose.yml file.
To start a stack:
docker compose up -d
NGINX Proxy Manager
Nginx Proxy Manager makes it easy to manage reverse proxies and SSL certificates through a web UI.
Example:
Instead of opening services using IP addresses like:
http://192.168.1.10:3000
You can use internal domains such as:
portainer.lan
adguard.lan
I followed Wolfgang’s Channel on YouTube for the initial setup using deSEC DNS. video
services:
nginx_proxy_manager:
image: jc21/nginx-proxy-manager:latest
container_name: nginx_proxy_manager
ports:
- "80:80"
- "81:81"
- "443:443"
volumes:
- ./config.json:/app/config/production.json
- ./data:/data
- ./letsencrypt:/etc/letsencrypt
networks:
- proxy
restart: unless-stopped
networks:
proxy:
name: proxy
Access the web UI:
http://<raspberrypi-ip>:81
AdGuard Home
AdGuard Home acts as a DNS sinkhole, blocking ads, trackers, and telemetry requests across your network.
services:
adguardhome:
image: adguard/adguardhome:latest
container_name: adguard
ports:
- "53:53/tcp"
- "53:53/udp"
# - "67:67/udp"
# - "68:68/udp"
- "3003:3000/tcp"
- "8062:80/tcp"
- "445:443"
- "853:853/tcp"
- "5443:5443"
volumes:
- ./work:/opt/adguardhome/work
- ./conf:/opt/adguardhome/conf
restart: unless-stopped
networks:
- adguard
- proxy
networks:
adguard:
name: adguard
proxy:
external: true
Initial setup:
http://<raspberrypi-ip>:3003
Main interface after setup:
http://<raspberrypi-ip>:8062
I use DNS rewrites to point local domains such as *.lan to my reverse proxy.
Portainer
Portainer provides a simple web UI for managing Docker containers, images, networks, and volumes.
services:
portainer:
image: portainer/portainer-ce:latest
container_name: portainer
volumes:
- data:/data
- /var/run/docker.sock:/var/run/docker.sock
ports:
- "9443:9443"
networks:
- portainer
- proxy
restart: unless-stopped
volumes:
data:
networks:
portainer:
name: portainer
proxy:
external: true
Access:
https://<raspberrypi-ip>:9443
Vaultwarden
Vaultwarden is a lightweight self-hosted password manager, compatible with the Bitwarden apps and browser extensions.
services:
vaultwarden:
image: vaultwarden/server:latest
container_name: bitwarden
environment:
- WEBSOCKET_ENABLED=true
volumes:
- ./data:/data
ports:
- "8085:80"
restart: unless-stopped
networks:
- bitwarden
- proxy
networks:
bitwarden:
name: bitwarden
internal: true
proxy:
external: true
Vaultwarden should be exposed through HTTPS, otherwise some Bitwarden features may not work correctly.
I handle this using Nginx Proxy Manager.
WireGuard VPN
WireGuard gives secure remote access to my LAN and internal services while away from home.
services:
wireguard:
image: linuxserver/wireguard
container_name: wireguard
cap_add:
- NET_ADMIN
- SYS_MODULE
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Stockholm
- SERVERURL=auto
- SERVERPORT=51820
- PEERS=3
- PEERDNS=192.168.1.10
- INTERNAL_SUBNET=10.13.13.0
- ALLOWEDIPS=0.0.0.0/0
volumes:
- ./config:/config
- /lib/modules:/lib/modules
ports:
- "51820:51820/udp"
sysctls:
- net.ipv4.conf.all.src_valid_mark=1
- net.ipv4.ip_forward=1
restart: unless-stopped
networks:
- wireguard
networks:
wireguard:
name: wireguard
After setup, generate a client QR code with:
docker exec -it wireguard /app/show-peer <peer-name>
You can scan the QR code directly in the WireGuard mobile app.
Watchtower
Watchtower automatically checks for updated container images and redeploys containers.
services:
watchtower:
image: nickfedor/watchtower:latest
container_name: watchtower
environment:
TZ: Europe/Stockholm
WATCHTOWER_SCHEDULE: "0 0 0 * * 0"
WATCHTOWER_CLEANUP: "true"
WATCHTOWER_INCLUDE_RESTARTING: "true"
WATCHTOWER_DISABLE_CONTAINERS: watchtower,gluetun
ports:
- "86:8080"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
networks:
- watchtower
restart: unless-stopped
networks:
watchtower:
name: watchtower
I had issues letting watchtower update itself or gluetun so watchtower ignores those two containers.
The docker compose above runs updates weekly.
Filebrowser
Filebrowser is a lightweight web-based file manager.
services:
filebrowser:
image: hurlenko/filebrowser
container_name: filebrowser
environment:
- FB_BASE_URL=/filebrowser
volumes:
- ./DATA_DIR:/data
- ./CONFIG_DIR:/config
ports:
- "444:8080"
networks:
- filebrowser
- proxy
restart: unless-stopped
networks:
filebrowser:
name: filebrowser
proxy:
external: true
If a default password is generated, you can view it with:
docker logs -f filebrowser
Obsidian LiveSync
Obsidian LiveSync allows encrypted syncing between devices using CouchDB for obsidian note taking.
services:
couchdb-obsidian-livesync:
image: couchdb:latest
container_name: obsidian-livesync
environment:
- TZ=Europe/Stockholm
- COUCHDB_USER=admin
- COUCHDB_PASSWORD=/run/secrets/couchdb_password
secrets:
- couchdb_password
volumes:
- ./data:/opt/couchdb/data
- ./etc:/opt/couchdb/etc/local.d
ports:
- "5984:5984"
networks:
- obsidian
restart: unless-stopped
networks:
obsidian:
name: obsidian
secrets:
couchdb_password:
file: ./secrets/couchdb_password.txt
I recommend following the dedicated setup guide for configuring the plugin and database made by Timely_Anteater_9330. Guide
Gluetun
Gluetun routes selected containers through a VPN tunnel.
I mainly use it for torrent-related containers.
services:
gluetun:
image: qmcgaw/gluetun:latest
container_name: gluetun
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun:/dev/net/tun
secrets:
- vpn_user
- vpn_password
volumes:
- ./data:/gluetun
environment:
- TZ=Europe/Stockholm
- VPN_SERVICE_PROVIDER=
- VPN_TYPE=
- OPENVPN_USER_FILE=/run/secrets/vpn_user
- OPENVPN_PASSWORD_FILE=/run/secrets/vpn_password
- SERVER_REGIONS=Switzerland
- FIREWALL_OUTBOUND_SUBNETS=192.168.1.0/24
ports:
- "8081:8081"
- "6881:6881"
- "6881:6881/udp"
- "9696:9696"
- "8191:8191"
- "8000:8000"
restart: unless-stopped
networks:
- gluetun
networks:
gluetun:
name: gluetun
secrets:
vpn_user:
file: ./secrets/vpn_user.txt
vpn_password:
file: ./secrets/vpn_password.txt
Containers using:
network_mode: "container:gluetun"
share the same VPN connection.
arr Stack
The *arr stack automates downloading, organizing, and managing media.
My setup uses:
- Radarr
- Sonarr
- Prowlarr
- qBittorrent
- Overseerr
- FlareSolverr
I run these in a single Docker Compose stack because they depend heavily on each other.
Hardlinks & Storage Layout
All containers reference the same root mount (/mnt/nas) so hardlinking works correctly.
Example structure:
nas
├── downloads
│ ├── radarr
│ └── tv-sonarr
├── movies
└── tv-shows
Hardlinks let media managers move files instantly without duplicating storage usage.
You can verify hardlinks with:
ls -l
or compare inode numbers:
stat filename.mkv
If both files share the same inode, hardlinking works correctly.
services:
radarr:
image: lscr.io/linuxserver/radarr:latest
container_name: radarr
environment:
- PUID=1000
- PGID=1000
- UMASK=022
- TZ=Europe/Stockholm
volumes:
- radarr_config:/config
- /mnt/nas:/nas
ports:
- "7878:7878"
networks:
- arr
- proxy
restart: unless-stopped
sonarr:
image: lscr.io/linuxserver/sonarr:latest
container_name: sonarr
environment:
- PUID=1000
- PGID=1000
- UMASK=022
- TZ=Europe/Stockholm
volumes:
- sonarr_config:/config
- /mnt/nas:/nas
ports:
- "8989:8989"
networks:
- arr
- proxy
restart: unless-stopped
qbittorrent:
image: lscr.io/linuxserver/qbittorrent:latest
container_name: qbittorrent
environment:
- PUID=1000
- PGID=1000
- UMASK=022
- TZ=Europe/Stockholm
- WEBUI_PORT=8081
- TORRENTING_PORT=6881
volumes:
- qbittorrent_config:/config
- /mnt/nas/downloads:/nas/downloads
network_mode: "container:gluetun"
restart: always
seerr:
image: ghcr.io/seerr-team/seerr:latest
container_name: seerr
environment:
- LOG_LEVEL=debug
- TZ=Europe/Stockholm
volumes:
- seerr_config:/app/config
ports:
- "5055:5055"
dns:
- 1.1.1.1
- 8.8.8.8
networks:
- arr
- proxy
restart: unless-stopped
prowlarr:
image: lscr.io/linuxserver/prowlarr:latest
container_name: prowlarr
environment:
- PUID=1000
- PGID=1000
- UMASK=022
- TZ=Europe/Stockholm
volumes:
- prowlarr_config:/config
network_mode: "container:gluetun"
restart: always
flaresolverr:
image: flaresolverr/flaresolverr:latest
container_name: flaresolverr
environment:
- LOG_LEVEL=${LOG_LEVEL:-info}
- LOG_HTML=${LOG_HTML:-false}
- CAPTCHA_SOLVER=${CAPTCHA_SOLVER:-none}
- TZ=Europe/Stockholm
volumes:
- flaresolverr_config:/config
network_mode: "container:gluetun"
restart: always
networks:
arr:
name: arr
proxy:
external: true
volumes:
radarr_config:
sonarr_config:
seerr_config:
prowlarr_config:
flaresolverr_config:
qbittorrent_config:
OpenSpeedTest
services:
speedtest:
image: openspeedtest/latest
container_name: openspeedtest
restart: unless-stopped
ports:
- "3002:3002"
- "3001:3001"
networks:
- proxy
networks:
proxy:
external: true
UniFi Network Application
services:
unifi-db:
image: mongo:4.4.18
container_name: unifi-db
network_mode: host
environment:
- MONGO_INITDB_ROOT_USERNAME=${MONGO_INITDB_ROOT_USERNAME}
- MONGO_INITDB_ROOT_PASSWORD=${MONGO_INITDB_ROOT_PASSWORD}
- MONGO_USER=${MONGO_USER}
- MONGO_PASS=${MONGO_PASS}
- MONGO_DBNAME=${MONGO_DBNAME}
- MONGO_AUTHSOURCE=${MONGO_AUTHSOURCE}
volumes:
- ./mongo/data:/data/db
- ./init-mongo.sh:/docker-entrypoint-initdb.d/init-mongo.sh:ro
restart: unless-stopped
unifi-network-application:
image: lscr.io/linuxserver/unifi-network-application:latest
container_name: unifi
network_mode: host
depends_on:
- unifi-db
environment:
- PUID=${PUID}
- PGID=${PGID}
- TZ=${TZ}
- MONGO_USER=${MONGO_USER}
- MONGO_PASS=${MONGO_PASS}
- MONGO_HOST=127.0.0.1
- MONGO_PORT=27017
- MONGO_DBNAME=${MONGO_DBNAME}
- MONGO_AUTHSOURCE=${MONGO_AUTHSOURCE}
volumes:
- ./unifi:/config
restart: unless-stopped
init-mongo.sh
#!/bin/bash
if which mongosh > /dev/null 2>&1; then
mongo_init_bin='mongosh'
else
mongo_init_bin='mongo'
fi
"${mongo_init_bin}" <<EOF
use ${MONGO_AUTHSOURCE}
db.auth("${MONGO_INITDB_ROOT_USERNAME}", "${MONGO_INITDB_ROOT_PASSWORD}")
db.createUser({
user: "${MONGO_USER}",
pwd: "${MONGO_PASS}",
roles: [
"clusterMonitor",
{ db: "${MONGO_DBNAME}", role: "dbOwner" },
{ db: "${MONGO_DBNAME}_stat", role: "dbOwner" },
{ db: "${MONGO_DBNAME}_audit", role: "dbOwner" },
{ db: "${MONGO_DBNAME}_restore", role: "dbOwner" }
]
})
EOF
.env
# ===== System =====
PUID=1000
PGID=1000
TZ=TZ
# ===== MongoDB root =====
MONGO_INITDB_ROOT_USERNAME=root
MONGO_INITDB_ROOT_PASSWORD=<strong password>
# ===== UniFi Mongo user =====
MONGO_USER=unifi
MONGO_PASS=<strong password>
MONGO_DBNAME=unifi
MONGO_AUTHSOURCE=admin
# ===== Mongo connection =====
MONGO_HOST=unifi-db
MONGO_PORT=27017
.env
CPU Temperature Alerts
I use a simple yaml script with Discord webhooks to notify me if the Raspberry Pi overheats.
The script:
- Sends an initial alert when the CPU exceeds a threshold
- Sends additional alerts every 5°C increase
- Resets automatically once temperatures drop
I run the script using a systemd timer every 10 minutes.
#!/bin/yaml
BASE_TEMP=60
STEP=5
STATE_FILE="/tmp/pi_temp_alert.state"
# get CPU temperature in Celsius (rounded down)
pi_temp=$(vcgencmd measure_temp | awk -F "[=.'']" '{print int($2)}')
this_pi=$(hostname)
discord_pi_webhook=
# If below base temp → reset state
if [[ "$pi_temp" -lt "$BASE_TEMP" ]]; then
rm -f "$STATE_FILE"
exit 0
fi
# First alert at or above BASE_TEMP
if [[ ! -f "$STATE_FILE" ]]; then
echo "$pi_temp" > "$STATE_FILE"
curl -H "Content-Type: application/json" -X POST \
-d "{\"content\":\"🚨 ALERT! ${this_pi} CPU temp reached ${pi_temp}°C\"}" \
"$discord_pi_webhook"
exit 0
fi
last_alert_temp=$(cat "$STATE_FILE")
temp_diff=$((pi_temp - last_alert_temp))
# Alert only if temp increased by STEP
if [[ "$temp_diff" -ge "$STEP" ]]; then
echo "$pi_temp" > "$STATE_FILE"
curl -H "Content-Type: application/json" -X POST \
-d "{\"content\":\"⚠️ UPDATE! ${this_pi} CPU temp increased to ${pi_temp}°C\"}" \
"$discord_pi_webhook"
fi
Obsidian Backup Script
This script:
- Stops the container
- Creates a timestamped backup using
rsync - Restarts the container
- Removes old backups automatically
Backups are stored on my NAS.
#!/bin/yaml
# ── Config ────────────────────────────────────────────────────────────────────
COMPOSE_DIR="/home/admin/containers/obsidian-livesync"
BACKUP_ROOT="/mnt/nas/backups/obsidian-livesync"
RETENTION_DAYS=30
LOG_FILE="/var/log/obsidian-backup.log"
# ─────────────────────────────────────────────────────────────────────────────
TIMESTAMP=$(date +"%Y-%m-%d_%H-%M")
BACKUP_DIR="$BACKUP_ROOT/$TIMESTAMP"
log() {
echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE"
}
log "──────────────────────────────────────────"
log "Starting obsidian-livesync backup"
# Stop the container
log "Stopping container..."
docker compose -f "$COMPOSE_DIR/docker-compose.yml" stop
if [ $? -ne 0 ]; then
log "ERROR: Failed to stop container. Aborting backup."
exit 1
fi
# Sync data and config
log "Rsyncing to $BACKUP_DIR ..."
mkdir -p "$BACKUP_DIR/data" "$BACKUP_DIR/etc"
rsync -a --delete "$COMPOSE_DIR/data/" "$BACKUP_DIR/data/"
DATA_STATUS=$?
rsync -a --delete "$COMPOSE_DIR/etc/" "$BACKUP_DIR/etc/"
ETC_STATUS=$?
RSYNC_STATUS=$(( DATA_STATUS + ETC_STATUS ))
# Always restart the container, even if rsync failed
log "Restarting container..."
docker compose -f "$COMPOSE_DIR/docker-compose.yml" start
if [ $RSYNC_STATUS -ne 0 ]; then
log "ERROR: rsync failed with exit code $RSYNC_STATUS."
exit 1
fi
log "Backup complete → $BACKUP_DIR"
# Prune backups older than retention period
log "Pruning backups older than $RETENTION_DAYS days..."
find "$BACKUP_ROOT" -maxdepth 1 -type d -mtime +$RETENTION_DAYS -exec rm -rf {} +
log "Done."
Docker Git Backup Script
I use GitHub as an off-site backup for my Docker Compose files.
The script:
- Adds changed files
- Creates a commit automatically
- Pushes updates to GitHub
Sensitive files are excluded using .gitignore.
#!/bin/yaml
cd ~/containers
git add -A
git diff --cached --quiet && echo "No changes, skipping commit." && exit 0
git commit -m "Auto backup $(date '+%Y-%m-%d %H:%M')"
git push origin main
Example .gitignore
# Ignore everything by default
*
# Allow folders
!*/
# Allow Docker Compose files
!*/docker-compose.yml
!*/docker-compose.yaml
# Ignore secrets and environment files
*.env
*.txt
# Ignore persistent application data
*/letsencrypt/*
*/DATA_DIR/*
*/data
*/work
# Ignore additional YAML configs
*.yaml
# Keep root files
!.gitignore
Unattended-upgrades
sudo apt install unattended-upgrades
Se for more info: https://wiki.debian.org/PeriodicUpdates
NAS Mount
Example /etc/fstab entry for mounting a Synology NAS using NFS:
192.168.1.50:/volume1/nas /mnt/nas nfs defaults,nofail,_netdev,x-systemd.automount,x-systemd.device-timeout=30 0 0
Final Notes
This setup has changed a lot over time and will probably continue evolving.
The repository mainly exists as:
- Documentation for my own rebuilds
- A backup of working configurations
- A reference for anyone building something similar
Feel free to adapt any part of it for your own setup.