Self host Meshcentral with docker, traefik and mongodb

One of my friends (a non-tech dude) has a signage side hustle where he has screens plus Android devices that show localized ads. He is trying to transition from a paid signage service that is eating too much of his revenue to other, preferably free, options. I've been impressed by how he has solved this so far: Google Drive for file delivery, Google Apps Script for logic and a free APK as signage software. But these Android boxes aren't necessarily the most reliable, so he needs a way to access the devices remotely. TeamViewer was used earlier, but that was still somewhat expensive.

After talking to him I offered to look for a free alternative and found MeshCentral, an open-source, multi-platform, self-hosted program for remote device management. Perfect.

The problem

I have a VPS running, so I told him I would try to set it up and just have it running there for him.

  1. Meshcentral needs to run in docker
  2. Meshcentral needs to be behind my existing Traefik reverse proxy
  3. Need to be able to connect to devices (obviously)

I will not go into detail, but just provide the solution. The only prerequisite is docker/docker-compose.

Traefik setup

I USE VERSION 2.0 BECAUSE THIS CONFIG IS A COUPLE YEARS OLD AND ICBA TO UPDATE IT TO THE NEWEST VERSION

This is a plain Traefik v2 docker-compose setup with an HTTP-to-HTTPS redirect and automatic certificate generation via Let's Encrypt. Two security-relevant details: the container mounts /var/run/docker.sock, which gives Traefik full control of the Docker daemon (root-equivalent on the host), so treat it as a privileged container and do not mount the socket into anything else; and the ACME store letsencrypt/acme.json holds the Let's Encrypt account key and the certificate private keys, so it must be mode 600 (Traefik's ACME resolver refuses to use a more permissive file).

```yaml
# docker-compose-traefik.yml
version: "3"
services:
  traefik:
    image: traefik:v2.0
    restart: always
    container_name: traefik
    ports:
      - "80:80"   # http
      - "443:443" # https
    command:
      ## Provider Settings - https://docs.traefik.io/providers/docker/#provider-configuration ##
      - --providers.docker=true                   # Set docker as the provider for traefik
      - --providers.docker.exposedbydefault=false # Only containers labelled traefik.enable=true are exposed
      - --providers.file.filename=/dynamic.yaml   # Referring to the https upgrade middleware file
      - --providers.docker.network=web            # Use the docker network web for communication between traefik and containers
      ## Entrypoints Settings - https://docs.traefik.io/routing/entrypoints/#configuration ##
      - --entrypoints.web.address=:80          # Define an entrypoint for port :80 named web (this can be whatever)
      - --entrypoints.web-secured.address=:443 # Define an entrypoint for https on port :443 named web-secured (this can be whatever)
      ## Certificate Settings (Let's Encrypt) - https://docs.traefik.io/https/acme/#configuration-examples ##
      - --certificatesresolvers.mytlschallenge.acme.tlschallenge=true
      - --certificatesresolvers.mytlschallenge.acme.email=YOUREMAILHERE # Your email
      - --certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json
    volumes:
      - ./letsencrypt:/letsencrypt                # Volume for certs (TLS); acme.json in here must be mode 600
      - /var/run/docker.sock:/var/run/docker.sock # Docker API access for container discovery (root-equivalent on the host)
      - ./dynamic.yaml:/dynamic.yaml              # Volume for the dynamic conf file referenced by --providers.file.filename above
    networks:
      - web # Tell the container that it has access to this network

networks:
  web:
    external: true
```
```yaml
# dynamic.yaml (the file name must match the volume mount and --providers.file.filename above)
# Middleware for redirect to https
http:
  middlewares:
    redirect:
      redirectScheme:
        scheme: https
```

To run Traefik in the background, run docker-compose -f docker-compose-traefik.yml up -d. The web network is declared as external, so create it once beforehand with docker network create web.

Meshcentral set up

Everything you need to set up MeshCentral in Docker is in the MeshCentral repo. If you follow that, you will have a running MeshCentral, but not behind a reverse proxy.

Since we are not auto-generating the config, this is the minimum folder structure we will create for MeshCentral:

| - meshcentral/        # this folder contains the persistent data
  | - data/config.json  # MeshCentral config file
| - docker-compose-meshcentral.yml # Compose file
| - .env

We do not really need the .env file, we could inline it in the compose file, but I like to separate the concerns. The only function of the .env file is to initialise the MongoDB root user. Two things to keep in mind: MONGO_INITDB_ROOT_USERNAME/PASSWORD are only applied when the mongodb_data directory is empty (the first start), so changing them later does not change the existing user; and the same credentials must go into the mongoDb URI in config.json.

```sh
# .env
NODE_ENV=production

# initial mongodb-variables (only applied on the first start, with an empty data directory)
# Change the password to something long and random; docker-compose env files do not support
# inline comments, so keep the values on their own lines.
MONGO_INITDB_ROOT_USERNAME=mongodbadmin
MONGO_INITDB_ROOT_PASSWORD=mongodbpasswd
```
```jsonc
// meshcentral/data/config.json
// The // annotations are for this post only: config.json must be plain JSON.
// Keys prefixed with _ are ignored by MeshCentral, which is how you disable a setting.
{
  "$schema": "http://info.meshcentral.com/downloads/meshcentral-config-schema.json",
  "settings": {
    "plugins": { "enabled": false },
    "mongoDb": "mongodb://USERNAME:PASSWORD@mongodb:27017", // <-- Change: same USERNAME/PASSWORD as MONGO_INITDB_ROOT_* in .env
    "_WANonly": true,
    "_LANonly": true,
    "_sessionKey": "WHATEVER PASSWORD",
    "SelfUpdate": false,
    "AllowFraming": false,
    "WebRTC": false,
    "Cert": "mesh.example.com", // <-- Change: the public hostname, the same one used in the Traefik Host() rule
    "Port": 4430,               // plain HTTP inside the container, because TLS ends at Traefik
    "AliasPort": 443,           // the port clients and agents see from the outside
    "RedirPort": 800,
    "_redirAliasPort": 80,
    // TLS is terminated by Traefik, so MeshCentral must not do TLS itself. A value of true only turns TLS off;
    // an IP string additionally tells MeshCentral which reverse-proxy address to trust for X-Forwarded-For,
    // so use the address Traefik connects from (its address on the web docker network, not necessarily the VPS public IP).
    "TlsOffload": "111.22.333.444" // <-- Change
  },
  "domains": {
    "": {
      "_title": "Title1",
      "_title2": "Title 2",
      "minify": true,
      "NewAccounts": true,            // lets anyone who reaches the site register; set to false once the first (admin) account exists
      "localSessionRecording": false,
      "_userNameIsEmail": true,
      "certUrl": "mesh.example.com",  // <-- Change, same as Cert in settings
      "agentConfig": ["webSocketMaskOverride=1"] // makes agents mask their WebSocket frames, which Traefik (like some other reverse proxies) requires; without it agents cannot connect through the proxy
    }
  }
}
```
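The .env file and the mongoDb URI in config.json have to carry the same credentials, and the placeholder password above is exactly the kind of thing that gets left in. The script below is an added example (not part of the original post or of MeshCentral): it generates a random MongoDB root password, writes .env with mode 0600, patches the URI in config.json to match and verifies that the two files agree. The paths and the username mongodbadmin are taken from the post; the function names and the hex-only secret format are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original post or of MeshCentral: generate a
# random MongoDB root password, write it to .env, and patch the same
# credentials into the mongoDb URI in meshcentral/data/config.json so the two
# files cannot drift apart. Paths and the username "mongodbadmin" are taken
# from the post; everything else here is an assumption of this example.
set -eu

# Hex output is limited to [0-9a-f], so the secret needs no percent-encoding
# in the mongodb:// URI and no quoting in .env.
gen_secret() {
    n=${1:-24}   # bytes of entropy -> 2n hex characters
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex "$n"
    else
        head -c "$n" /dev/urandom | od -An -tx1 | tr -d ' \n'
    fi
}

# Write .env with the root credentials MongoDB uses to initialise an EMPTY
# data directory. Created in a subshell with umask 077 so the file is 0600.
write_env() {
    env_file=$1; user=$2; pass=$3
    (
        umask 077
        cat > "$env_file" <<EOF
NODE_ENV=production

# initial mongodb-variables (only applied on first start with an empty data dir)
MONGO_INITDB_ROOT_USERNAME=$user
MONGO_INITDB_ROOT_PASSWORD=$pass
EOF
    )
}

# Replace whatever credentials are in the mongoDb URI with the generated ones.
# '|' is used as the sed delimiter because the URI contains '/'.
patch_config() {
    cfg=$1; user=$2; pass=$3
    sed -i.bak "s|mongodb://[^@]*@mongodb:27017|mongodb://${user}:${pass}@mongodb:27017|" "$cfg"
    rm -f "$cfg.bak"
}

# Return 0 only if the credentials in .env are the ones config.json points at.
verify_match() {
    env_file=$1; cfg=$2
    user=$(sed -n 's/^MONGO_INITDB_ROOT_USERNAME=//p' "$env_file")
    pass=$(sed -n 's/^MONGO_INITDB_ROOT_PASSWORD=//p' "$env_file")
    grep -q "mongodb://${user}:${pass}@mongodb:27017" "$cfg"
}

main() {
    env_file=$1; cfg=$2
    pass=$(gen_secret 24)
    write_env "$env_file" mongodbadmin "$pass"
    patch_config "$cfg" mongodbadmin "$pass"
    verify_match "$env_file" "$cfg"
    echo "wrote $env_file and updated $cfg"
}

# Usage: sh gen-mongo-secrets.sh .env meshcentral/data/config.json
if [ "$#" -eq 2 ]; then main "$@"; fi
```

Run it once before the first docker-compose up: because MongoDB only reads MONGO_INITDB_ROOT_* into an empty data directory, running it again after the database exists updates the files but not the user inside MongoDB.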
```yaml
# docker-compose-meshcentral.yml
version: "3"

networks:
  meshcentral-tier:
    driver: bridge
  web:
    external: true

services:
  mongodb:
    restart: always
    container_name: mongodb
    image: mongo:latest
    env_file:
      - .env
    volumes:
      # mongodb data-directory - A must for data persistence
      - ./meshcentral/mongodb_data:/data/db
    networks:
      - meshcentral-tier # Only reachable from meshcentral; no MongoDB port is published on the host

  meshcentral:
    restart: always
    container_name: meshcentral
    # use the official meshcentral container
    image: ghcr.io/ylianst/meshcentral:latest
    depends_on:
      - mongodb
    ports:
      # Traefik reaches MeshCentral over the web network, so this mapping is only for local debugging.
      # Keep it bound to loopback: a plain "8086:4430" would publish the TLS-offloaded (plain HTTP)
      # port on every host interface, bypassing Traefik entirely.
      - "127.0.0.1:8086:4430"
    volumes: # The volumes will be created automatically if they do not exist. The only directory that should exist when installing fresh is meshcentral/data
      # config.json and other important files live here. A must for data persistence
      - ./meshcentral/data:/opt/meshcentral/meshcentral-data
      # where file uploads for users live
      - ./meshcentral/user_files:/opt/meshcentral/meshcentral-files
      # location for the meshcentral-backups - this should be mounted to an external storage
      - ./meshcentral/backup:/opt/meshcentral/meshcentral-backup
      # location for site customization files
      - ./meshcentral/web:/opt/meshcentral/meshcentral-web
    labels:
      - "traefik.enable=true" # Tells Traefik to proxy this container
      - "traefik.http.routers.mesh-web.rule=Host(`mesh.kentare.no`)" # <-- Change: domain name for the http rule, same hostname as Cert/certUrl in config.json
      - "traefik.http.routers.mesh-web.entrypoints=web" # Define the entrypoint for http
      - "traefik.http.routers.mesh-web.middlewares=redirect@file" # This is the middleware to redirect to https
      - "traefik.http.routers.mesh-secured.rule=Host(`mesh.kentare.no`)" # <-- Change: domain name for the https rule, same as above
      - "traefik.http.routers.mesh-secured.entrypoints=web-secured" # Define the entrypoint for https
      - "traefik.http.routers.mesh-secured.service=mesh-secured" # Define a new service named mesh-secured on the route
      - "traefik.http.services.mesh-secured.loadbalancer.server.port=4430" # Tell traefik explicitly to use port 4430, traefik did not do this automatically in this case.
      - "traefik.http.routers.mesh-secured.tls.certresolver=mytlschallenge" # How to create certs

    networks:
      - meshcentral-tier
      - web
```

How to run

  1. Clone or fork this repo: https://github.com/kentare/meshcentral-mongodb-docker-traefik
  2. Edit in this order: .env, docker-compose-traefik.yml, docker-compose-meshcentral.yml, and meshcentral/data/config.json
  3. Run Traefik: docker-compose -f docker-compose-traefik.yml up -d
  4. Run MeshCentral: docker-compose -f docker-compose-meshcentral.yml up -d
  5. Go to mesh.example.com (replace with your URL) and create a user. The first user you create will have admin access. Once that account exists, set "NewAccounts": false in meshcentral/data/config.json and restart the container (docker-compose -f docker-compose-meshcentral.yml restart meshcentral) so that nobody else who finds the URL can register; further users can be created from the admin UI.
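The three things that most often go wrong with this layout are silent: a port mapping that publishes MeshCentral next to Traefik, an acme.json that Traefik refuses because it is world-readable, and a hostname in the Traefik labels that does not match Cert/certUrl in config.json. The script below is an added example (not part of the original post, Traefik or MeshCentral) that checks all three statically before step 3. It reads the two compose files and config.json from the post; the function names, the allowlist arguments and the deliberately simple parsing (the short "host:container" ports syntax used in the post) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post or of Traefik/MeshCentral:
# static pre-flight checks to run before docker-compose up. They fail when
#   - a host port is published on all interfaces without being allowlisted
#     (only Traefik's 80 and 443 should be; MeshCentral's 4430 must not be),
#   - letsencrypt/acme.json is not mode 600,
#   - the Host() rule in the Traefik labels differs from Cert/certUrl in config.json.
# The parsing assumes the short "host:container" ports syntax used in the post.
set -eu

# Print one "host:container" mapping per line from every ports: section,
# with quotes, dashes, spaces and trailing comments stripped.
list_published_ports() {
    awk '
        /^[ \t]*ports:[ \t]*$/ { inports = 1; next }
        inports && /^[ \t]*#/   { next }
        inports && /^[ \t]*-/   { sub(/#.*/, ""); gsub(/["'\'' \t-]/, ""); print; next }
        inports                 { inports = 0 }
    ' "$1"
}

# Usage: check_published_ports FILE [ALLOWED_HOST_PORT...]
# Loopback-bound mappings (127.0.0.1:H:C) are always fine; anything else must
# have its host port on the allowlist.
check_published_ports() {
    compose=$1; shift
    rc=0
    for m in $(list_published_ports "$compose"); do
        case "$m" in
            127.0.0.1:*) continue ;;
            0.0.0.0:*)   m=${m#0.0.0.0:} ;;
        esac
        host_port=${m%%:*}
        ok=0
        for a in "$@"; do
            if [ "$host_port" = "$a" ]; then ok=1; fi
        done
        if [ "$ok" -ne 1 ]; then
            echo "$compose: $m is published on all interfaces" >&2
            rc=1
        fi
    done
    return $rc
}

# acme.json holds the Let's Encrypt account key and certificate private keys:
# owner read/write only, nothing for group or others.
check_acme_perms() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    mode=$(ls -l "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "$f: mode is $mode, want -rw-------" >&2; return 1; }
}

# The Traefik router hostname and MeshCentral's Cert / certUrl must agree,
# otherwise Traefik obtains a certificate for a name MeshCentral does not expect.
check_hostname() {
    compose=$1; cfg=$2
    rule_host=$(grep -o 'Host(`[^`]*`)' "$compose" | sed 's/Host(`\(.*\)`)/\1/' | sort -u)
    cert_host=$(grep -o '"[Cc]ert":[ \t]*"[^"]*"' "$cfg" | sed 's/.*"\([^"]*\)"$/\1/')
    url_host=$(grep -o '"certUrl":[ \t]*"[^"]*"' "$cfg" | sed 's/.*"\([^"]*\)"$/\1/')
    if [ -z "$rule_host" ] || [ "$rule_host" != "$cert_host" ] || [ "$cert_host" != "$url_host" ]; then
        echo "hostname mismatch: Host()=[$rule_host] Cert=[$cert_host] certUrl=[$url_host]" >&2
        return 1
    fi
}

main() {
    check_published_ports docker-compose-traefik.yml 80 443
    check_published_ports docker-compose-meshcentral.yml
    check_acme_perms letsencrypt/acme.json
    check_hostname docker-compose-meshcentral.yml meshcentral/data/config.json
    echo "pre-flight checks passed"
}

# Usage: sh preflight.sh check   (from the directory holding the compose files)
if [ "${1:-}" = "check" ]; then main; fi
```

The port check is the one worth keeping around: every time the compose file is edited, anything that ends up published without a 127.0.0.1 prefix is reachable from the internet on the VPS, regardless of what Traefik does.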

If you need to know more about MeshCentral, you can download the user guide or visit the MeshCentral website.

Conclusion

I connected successfully to my laptop from my PC and the remote access is running smoothly. I will also set up a meshcentral server to use myself to help family members when they need IT support from me.

  1. Meshcentral needs to run in docker ✔️
  2. Meshcentral needs to be behind my existing Traefik reverse proxy ✔️
  3. Need to be able to connect to devices (obviously) ✔️