Need help with Server install via docker on a Raspberry Pi

[doobes]

So, I've gone through the process defined here: https://github.com/zadam/trilium/wiki/Apache-proxy-setup (which could be a lot more helpful BTW) (Used this as a "guide" for the "missing" parts https://discourse.joplinapp.org/t/guide-for-joplin-server-on-raspberry-pi/14702.

I get to the end and when I enter:

sudo systemctl enable trilium.service

I get this:

Unit /lib/systemd/system/trilium.service is added as a dependency to a non-existent unit local.target.

This is my trilium.service file:

`[Unit]
Description=Trilium Server
Requires=docker.service
After=docker.service

[Service]
Restart=always
ExecStart=/usr/bin/docker start -a trilium
ExecStop=/usr/bin/docker stop -t 2 trilium

[Install]
WantedBy=local.target

my /etc/apache2/sites-available/mywebsitehere.com.conf looks like

<VirtualHost *:80>
    ServerName http://mywebsitehere.com
    RewriteEngine on
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
<VirtualHost *:443>
    ServerName https://mywebsitehere.com
    RewriteEngine On
    RewriteCond %{HTTP:Connection} Upgrade [NC]
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteRule /(.*) ws://localhost:8080/$1 [P,L]
    AllowEncodedSlashes NoDecode
    ProxyPass / http://localhost:8080/ nocanon
    ProxyPassReverse / http://localhost:8080/
    SSLCertificateFile /etc/letsencrypt/live/mywebsitehere.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mywebsitehere.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

`
And of course noting works.

I managed to get the server working without the Apache part, but I want to access this from outside my home network.

Any guidance would be greatly appreciated.

chris

[doobes]

IS ANYONE HOME?

I've gone through this about 5 times. There are a myriad of "typos" in the instructions.

Is there a succinct (and complete) directive on how to set the server up with Apache, with certs, etc, etc?

https://github.com/zadam/trilium/wiki/Apache-proxy-setup is NOT it.....

[meichthys]

Tbh, I think the vast majority of folks are using docker which greatly simplifies running the server. For this reason the manual setup instructions have likely been neglected.

[doobes]

I'm attempting to use the Docker install.

Still looking for better documentation

[zerebos]

I have some alternate Docker docs here but nothing specific to RPi or Apache

[sigaloid]

Would highly recommend Caddy, I use it to deploy Trilium at a large scale and it works great (I have never once thought about certificates).

I'll drop my own personal config:

site.com {
	reverse_proxy localhost:8080
}

Yep, it's that easy. As long as the Caddy service runs as root and the DNS A records point to the machine's IP, caddy will handle certificate renewals. I've ran trilium.cc for two and a half years using Caddy and retrieved over 4000 certificates (96% renewals/staging, 4% customers) with Caddy and it handled them all perfectly without me doing a single thing.

[doobes]

Ok,

I'm game for anything at this juncture.

Sequence?

Docker first with Caddy deployed as a Docker container?

Then how is Trilium installed?

cheers

[sigaloid]

Set up Caddy before or after, just make sure it's running as a systemd service. Then, you run the docker container just like the wiki has you do it, but you can also use a custom docker-compose from there if you'd like. Then start it and have it listen at 127.0.0.1:8080.

[doobes]

Well,

I've gone through the entire process again for the umteenth time.

The Apache stuff works now. I can go to my website and see the Apache Default page.

I've created the container via:

sudo docker pull zadam/trilium:latest

sudo docker create --name trilium -t -p 127.0.0.1:8080:8080 -v /mnt/trilium:/home/node/trilium-data zadam/trilium:latest

/lib/systemd/system/trilium.service is:

`
[Unit]
Description=Trilium Server
Requires=docker.service
After=docker.service

[Service]
Restart=always
ExecStart=/usr/bin/docker start -a trilium
ExecStop=/usr/bin/docker stop -t 2 trilium

[Install]
WantedBy=local.target
`
I run:

sudo systemctl daemon-reload

then

sudo systemctl enable trilium.service

I get:

Unit /lib/systemd/system/trilium.service is added as a dependency to a non-existent unit local.target.

Any suggestions would be appreciated.

Thanks

[doobes]

This is the entire process (other that OS setup and drive mapping) that I'm on right now.

sudo apt-get update
sudo apt-get upgrade -y

sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

sudo apt-get install apache2 -y

sudo apt-get install snapd -y
sudo snap install core
sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo certbot --apache

sudo docker pull zadam/trilium:latest
 
sudo docker create --name trilium -t -p 127.0.0.1:8080:8080 -v /mnt/trilium:/home/node/trilium-data zadam/trilium:latest

sudo certbot --apache

a2enmod ssl
a2enmod proxy
a2enmod proxy_http
a2enmod proxy_wstunnel

sudo nano /etc/apache2/sites-available/www.mytrilium.com.conf

<VirtualHost *:80>
    ServerName www.mytrilium.com
	RewriteEngine on
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
<VirtualHost *:443>
    ServerName https://www.mytrilium.com
    RewriteEngine On
	RewriteCond %{HTTP:Connection} Upgrade [NC]
	RewriteCond %{HTTP:Upgrade} websocket [NC]
	RewriteRule /(.*) ws://localhost:8080/$1 [P,L]
    AllowEncodedSlashes NoDecode
    ProxyPass / http://localhost:8080/ nocanon
    ProxyPassReverse / http://localhost:8080/
    SSLCertificateFile /etc/letsencrypt/live/www.mytrilium.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.mytrilium.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

sudo a2ensite www.mytrilium.com.conf
sudo systemctl reload apache2

sudo nano /lib/systemd/system/trilium.service

[Unit]
Description=Trilium Server
Requires=docker.service
After=docker.service

[Service]
Restart=always
ExecStart=/usr/bin/docker start -a trilium
ExecStop=/usr/bin/docker stop -t 2 trilium
	
[Install]
WantedBy=local.target

sudo systemctl daemon-reload
sudo systemctl enable trilium.service
sudo systemctl start trilium.service

[Br0kenSilos]

I'm a little behind on the conversation here and I do not run on a Pi. Instead I run an Ubuntu 22.04 server in a vm for my docker box. I may be way off base at the end of this overly long day. But one thing I am trying to understand looking at your config.. Why are you setting up Apache and using the Trilium docker container. With the container you should not need Apache on the host.

Also, where are you wanting to access the install from? LAN only, or LAN + WAN?

This is my entire docker-compose.yml file

#version: '3.3'
services:
trilium:
ports:
- '8290:8080'
volumes:
- ./trilium-data:/home/node/trilium-data
container_name: trilium
image: 'zadam/trilium:latest'
restart: unless-stopped

[doobes]

Ok,

Thanks for responding.

I want to be able to sync from LAN and WAN.

I just tested this.

OS setup, drive mapping, etc

Install docker

Then

sudo docker pull zadam/trilium:latest

sudo docker create --name trilium -t -p 127.0.0.1:8080:8080 -v ~/trilium-data:/home/node/trilium-data zadam/trilium:latest

and then:

sudo a2enmod ssl

This is the entire sequence:

What am I missing?

Does exactly the same thing if I use a docker-compose.yml file.

The server is working locally though, so that's a plus.

cheers,

[Br0kenSilos]

I'm still trying to understand the need for Apache. I do not have Apache installed on my host. Just the docker container using the config I posted above. The host VM runs on a machine behind my firewall and is accessible via IP address.

For example: http://192.168.1.25:8290

This is where I would start if I were in your shoes. See if you can get to it just at the IP address. Dont worry about the certs, or the fqdn or any of that. At first just try to get to it via plain old http and the address and port you used.

Beyond that, things get a bit more complex. And I am not saying I am doing this the best way and this is one of those things that there many different ways to go about it. But it works well for me. For instance I have a fully qualified domain. Lets call it notes.example.com. I run run a pfSense firewall and use Acme certificates and HAPROXY within the pfSense firewall. I use Acme to get certificates from LetsEncrypt for the fqdn of notes.example.com. Then, also in my pfsense box, I use HAPROXY to serve up the https://notes.example.com site. My internal DNS pointer points notes.example.com to the pfSense firewall LAN address. This allows LAN access to the server using the fqdn.

For WAN access to Trilium, I use a CloudFlare tunnel. This allows access to the machine without the need to poke a hole in the firewall itself. Cloudflare handles the DNS for WAN access to my machine via their tunnel. This has the added effect of providing a little extra protection from attack. To further it, I lock down WAN access to my notes.example.com to only being allowed from certain IP address (work, family houses etc) using Cloudflare access rules. IF I am somewhere else other than those allowed IP addresses, I can get access to my site using Cloudflare's email authentication.

This took a while to get setup and tested as you might imagine. And I am not saying you need to do all of this. Only trying to show you some of what is possible.

I also meant to point out that.. Normally I just use the webUI. HOWEVER, Using an fqdn the way I do, allows the desktop app on my laptop to sync up regardless of if I am on the LAN or the WAN. Obviously the DNS entries for the notes.example.com domain point to different IP addresses depending on if it the internal LAN DNS server or the WAN DNS server.

[doobes]

Ok

LAN server works.

WAN does not:

I've got a URL from afraiddns that points to my UDM SE.

On the UDM I've setup a port forwards for 443, 80 and 8080

Why did you map 8290 to 8080 BTW?

If I goto https://MYURL I get the Apache Default page:

If I go to my https://MYURL:8080, I get bupkis.

Yes, I've set up the config.ini file to point at the certs

If I try to load https://MYURL:8080 in Palemoon (an old browser) I'm told:

SSL received a record that exceeded the maximum permissible length. (Error code: SSL_ERROR_RX_RECORD_TOO_LONG)

And, the Trilium service doesn't restart when the pi is rebooted. I have to manually start it.

Cheers

[Br0kenSilos]

I see. Well, I have virtually no experience with Caddy at this point. I can try to recreate your environment to try to figure out the exact steps but with my current schedule that may have to wait until the weekend.. Caddy is on my todo list of things to learn/play with though.

I used port 8290 because I have a few docker things running on that VM and 8080 was already in use and sometimes I get a little contrary with ports. ;-). It works fine to change the port so long as you only change the port number on the left side of the :

I am going to avoid Caddy for the moment. Lets see if we can just get Trilium itself working.

So I am going to just focus on Trilium for the moment.. To be fair, I am doing a lot of this from memory and could be missing a step. If this doesnt work I will try to spin an instance up from scratch tomorrow (as time allows) and document the steps.

I first install docker and docker compose. Here are my steps for that.

#==== Update the host and install docker and docker compose====
sudo su -
apt update && apt upgrade -y
apt install apt-transport-https ca-certificates curl gnupg software-properties-common
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg

echo
"deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu
"$(. /etc/os-release && echo "$UBUNTU_CODENAME")" stable" |
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

apt update
apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin docker-compose

#Modify your non-root user and add them to the docker group
usermod -aG docker dockerman #dockerman should be changed to the user name of your non-root user

#==== Install Trilium ====

Switch to your non-root user. For reference mine is named dockerman in the steps below

cd ~

Create the folder structure

mkdir -p ~/trilium/trilium-data/{backup,log,sessions}

Create a docker-compose.yml file then close and save it.

nano ~/trilium/docker-compose.yml

#== Begin Contents of the docker-compose.yml file ==
#version: '3.3'
services:
trilium:
ports:
- '8080:8080'
volumes:
- ./trilium-data:/home/node/trilium-data
container_name: trilium
image: 'zadam/trilium:latest'
restart: unless-stopped
#== End Contents of the docker-compose.yml file ==

== Start the Trilium container ==

cd ~/trilium
docker compose up -d

At this point if all went well and you dont have any services competing for port 8080 on your host, your Trilium instance should be accessible at http://IPADDRESS:8080

Also FWIW, I dont like managing docker networks form the command line and I usually cheat and install Portainer for that. But that is a whole other story and I do not think you will need it for this build.

[doobes]

Thanks for the info.

I've got a VPN into my home network, and I can access the server from outside through the VPN, which is ultimately what I wanted to do.

Let's consider this closed.

Thanks again.

[doobes]

LOL.

I got the WAN stuff working.

For completeness in reference to the sequence described above:

Stopped Apache2

Deleted /etc/apache2/sites-available/www.mytrilium.com.conf

Deleted /etc/apache2/sites-enabled/www.mytrilium.com.conf

sudo nano /etc/apache2/sites-enabled/000-default-le-ssl.conf

Added the following between <VirtualHost *:443> and :

ProxyPreserveHost On
ProxyPass "/" http://localhost:8080 nocanon
ProxyPassReverse "/" http://localhost:8080

sudo apachectl -k graceful

And voila! It works.

[doobes]

More goodness.

The server was not restarting on reboot.

So I changed:

ExecStart=/usr/bin/docker start -a trilium

to:

ExecStart=/usr/bin/docker run --name %n trilium

and Voila!

It restarts.

cheers

[doobes]

Things have been going well for my server install. It works on all my portable devices and with all three of my desktop boxes.

However I noticed the dates on the files in the mounted folder are still a month ago.

So I went looking around, and unfortunately it's saving files locally even though I specifically called out the mounted folder in the config.

A little bit of spelunking around the web indicates I need to mount the folder from "within" the docker stratosphere, but I can't find a straightforward way of doing that.

Can someone more knowledgeable of docker than I please chime in?

Thanks!