Self host Meshcentral with docker, traefik and mongodb
One of my friends (non-tech dude) have a signage side hustle where he have screens + android devices that shows localized ads. He is trying to transition from a paid signage service that is eating too much of his revenue to use other, preferable free options. I've been impressed by how has solved this problem so far by using google drive as file delivery, google apps script for logic and a free apk as signage software. But these android boxes aren't necessarily the most reliable, so he need a way to remotely access these devices. TeamViewer was used earlier, but that was still somewhat expensive.
After talking to him I offered to look for a free alternative and found Meshcentral, an open source, multi-platform, self-hosted program for remote device management. Perfect.
The problem
I have a VPS running so I told him will try to set it up and just have it running there for him.
- Meshcentral needs to run in docker
- Meshcentral needs to be behind my existing Traefik reverse proxy
- Need to be able to connect to devices (obviously)
I will not go into detail, but just provide the solution. The only preq is docker/docker-compose.
Taefik setup
I USE VERSION 2.0 BECAUSE THIS CONFIG IS A COUPLE YEARS OLD AND ICBA TO UPDATE IT TO THE NEWEST VERSION
This is a plain Traefik config with docker-compose with https upgrade and automatic certification generation via letsencrypt.
1# docker-compose-traefik.yml 2version: "3" 3services: 4 traefik: 5 image: traefik:v2.0 6 restart: always 7 container_name: traefik 8 ports: 9 - "80:80" # http 10 - "443:443" # https 11 command: 12 ## Provider Settings - https://docs.traefik.io/providers/docker/#provider-configuration ## 13 - --providers.docker=true # Set docker as the provider for traefik 14 - --providers.docker.exposedbydefault=false # You need to whitelist containers that will be exposed to traefik 15 - --providers.file.filename=/dynamic.yaml # Referring to the https upgrade middleware file 16 - --providers.docker.network=web # Use the docker network web for communication between traefik and containser 17 ## Entrypoints Settings - https://docs.traefik.io/routing/entrypoints/#configuration ## 18 - --entrypoints.web.address=:80 # Define an entrypoint for port :80 named web (this can be whatever) 19 - --entrypoints.web-secured.address=:443 # Define an entrypoint for https on port :443 named web-secured (this can be whatever) 20 ## Certificate Settings (Let's Encrypt) - https://docs.traefik.io/https/acme/#configuration-examples ## 21 - --certificatesresolvers.mytlschallenge.acme.tlschallenge=true 22 - --certificatesresolvers.mytlschallenge.acme.email=YOUREMAILHERE # Your email 23 - --certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json 24 volumes: 25 - ./letsencrypt:/letsencrypt # Volume for certs (TLS) 26 - /var/run/docker.sock:/var/run/docker.sock # Volume for docker admin 27 - ./dynamic.yaml:/dynamic.yaml # Volume for dynamic conf file, **ref: line 14 28 networks: 29 - web # Tell the container that it has access to this network 30 31networks: 32 web: 33 external: true
1# dynamic.yml 2# Middleware for redirect to https 3http: 4 middlewares: 5 redirect: 6 redirectScheme: 7 scheme: https
To run traefik in the background run the command docker-compose -f docker-compose-traefik.yml up -d
Meshcentral set up
Everything you need to set up meshcentral in docker is in this MeshCentral repo. If you follow this, you will have a running meshcentral, but not behind a reverse proxy.
Since we are not autogenerating the config, this is what we will create the minimum folder structure we need for meshcentral.
| - meshcentral/ # this folder contains the persistent data
| - data/config.json # MeshCentral config file
| - docker-compose-meshcentral.yml # Compose file
| - .env
We do not really need the .env file, we can inline it inside the compose file. But I like to seperate the concerns. The only function the .env file is to initiate the database.
1# .env 2NODE_ENV=production 3 4# initial mongodb-variables 5MONGO_INITDB_ROOT_USERNAME=mongodbadmin 6MONGO_INITDB_ROOT_PASSWORD=mongodbpasswd
1// meshcentral/data/config.json 2{ 3 "$schema": "http://info.meshcentral.com/downloads/meshcentral-config-schema.json", 4 "settings": { 5 "plugins": { "enabled": false }, 6 "mongoDb": "mongodb://USERNAME:PASSWORD@mongodb:27017", 7 "_WANonly": true, 8 "_LANonly": true, 9 "_sessionKey": "WHATEVER PASSORD", 10 "TLSOffload": true, // Since we are generating cert with traefik we tell meshcentral to not se TLS 11 "SelfUpdate": false, 12 "AllowFraming": false, 13 "WebRTC": false, 14 "Cert": "mesh.example.com", // <-- Change: This is the same as the hostname for 15 "Port": 4430, 16 "AliasPort": 443, 17 "RedirPort": 800, 18 "_redirAliasPort": 80, 19 "TlsOffload": "111.22.333.444" // <-- Change: IP of your server / VPS 20 }, 21 "domains": { 22 "": { 23 "_title": "Title1", 24 "_title2": "Title 2", 25 "minify": true, 26 "NewAccounts": true, 27 "localSessionRecording": false, 28 "_userNameIsEmail": true, 29 "certUrl": "mesh.example.com", // <-- Change, same as Cert in settings 30 "agentConfig": ["webSocketMaskOverride=1"] // This is what enables websockets for remote access 31 } 32 } 33}
1# docker-compose-meshcentral.yml 2version: "3" 3 4networks: 5 meshcentral-tier: 6 driver: bridge 7 web: 8 external: true 9 10services: 11 mongodb: 12 restart: always 13 container_name: mongodb 14 image: mongo:latest 15 env_file: 16 - .env 17 volumes: 18 # mongodb data-directory - A must for data persistence 19 - ./meshcentral/mongodb_data:/data/db 20 networks: 21 - meshcentral-tier 22 23 meshcentral: 24 restart: always 25 container_name: meshcentral 26 # use the official meshcentral container 27 image: ghcr.io/ylianst/meshcentral:latest 28 depends_on: 29 - mongodb 30 ports: 31 - 8086:4430 32 volumes: # The volumes will be created automaticly if they do not exists. The only directory that should exist when installing fresh is is meshcentral/data 33 # config.json and other important files live here. A must for data persistence 34 - ./meshcentral/data:/opt/meshcentral/meshcentral-data 35 # where file uploads for users live 36 - ./meshcentral/user_files:/opt/meshcentral/meshcentral-files 37 # location for the meshcentral-backups - this should be mounted to an external storage 38 - ./meshcentral/backup:/opt/meshcentral/meshcentral-backup 39 # location for site customization files 40 - ./meshcentral/web:/opt/meshcentral/meshcentral-web 41 labels: 42 - "traefik.enable=true" # Tells Traefik to proxy this container 43 - "traefik.http.routers.mesh-web.rule=Host(`mesh.kentare.no`)" # Domain name for http rule 44 - "traefik.http.routers.mesh-web.entrypoints=web" # Define the entrypoint for http 45 - "traefik.http.routers.mesh-web.middlewares=redirect@file" # This is the middleware to redirect to https 46 - "traefik.http.routers.mesh-secured.rule=Host(`mesh.kentare.no`)" # Domain name for https rule 47 - "traefik.http.routers.mesh-secured.entrypoints=web-secured" # Define the entrypoint for https 48 - "traefik.http.routers.mesh-secured.service=mesh-secured" # Define new service named mesh secured on the route 49 - "traefik.http.services.mesh-secured.loadbalancer.server.port=4430" # Tell traefik explicitly to use port 4430, traefik did not do this automatically in this case. 50 - "traefik.http.routers.mesh-secured.tls.certresolver=mytlschallenge" # How to create certs 51 52 networks: 53 - meshcentral-tier 54 - web
How to run
- Clone or fork this repo: https://github.com/kentare/meshcentral-mongodb-docker-traefik
- Edit in this order:
.env
,docker-compose-traefik.yml
,docker-compose-meshcentral.yml
, andmeshcentral/data/config.json
- Run traefik
docker-compose -f docker-compose-traefik.yml up -d
- Run MeshCentral
docker-compose -f docker-compose-meshcentral up -d
- Go to
mesh.example.com
(replace with your url) and create a user. The first user you create will have admin access.
Do you need to know more about Meshcentral you can download the user guide or you can visit the MeshCentral website.
Conclusion
I connected successfully to my laptop from my PC and the remote access is running smoothly. I will also set up a meshcentral server to use myself to help family members when they need IT support from me.
- Meshcentral needs to run in docker ✔️
- Meshcentral needs to be behind my existing Traefik reverse proxy ✔️
- Need to be able to connect to devices (obviously) ✔️