
Cloud VPS on Linode


DarkShadow93
Go to solution Solved by Luke,


DarkShadow93

I want to Install Emby on a Cloud Server as to not host it in my network due to my area's restrictions.

Edited by DarkShadow93
ReAdded Content

  • Solution

Hi, we don't have any linode specific instructions but you should be able to install one of our Linux packages depending on which distro you're running.


  • 4 months later...
On 14/10/2021 at 20:10, LiamThomso said:

it would be interesting to hear the opinion of people who have already tried this method

I host mine in the cloud with a European provider, never used Linode as to me they are overpriced for the resources you get, however i have a cloud instance with 4 Epyc Cores, 16gb Ram, NVME storage and 2.5G Network (peak), this is Ubuntu minimal with everything running in docker containers and it for the most part works like a dream. Obviously though if you plan on hardware decoding, then look for an intel based system with Quicksync capabilities.


To be fair there probably are many guides out there but I'll give you a summary

 

1 - Domain

Make life easier down the road by purchasing a domain name, i recommend OVH as they sell them dirt cheap.

2- VPS

Choose a decent vps provider, cheapest is not always best. but if in Europe a cheap option to test if it works for you is Hetzner. 

3- Choose Distro 

Once you have your distro selected (i recommend Debian 11 minimal) the VPS provider will give you an IP address, go back to the company you bought the domain name from and make sure you set the following records:

  • A - xx.xx.xx.xx (where xx's = your ip address from vps)
  • A - emby.xx.xx.xx.xx (these are subdomains which if you are using docker you will need as many as you like i.e 1 for portainer manager, 1 for issue logging, 1 for other clients)
  • Think of what you wish to use and do and create these subdomains up front as it can take a while to propagate through the dns servers

3 - Update the server

Using an SSH client (terminal on mac is built in, Powershell on windows works also), log in with the Uname and Password that was issued to you when setting up the vps.

ssh username@xx.xx.xx.xx

Then Run

sudo apt update && sudo apt upgrade

Confirm Yes.

Now if the vps is located in a different timezone to you you can adjust the default timezone, the format is Area/Location, so for UK you would type:

sudo timedatectl set-timezone Europe/London

Now things i like to make sure are installed as default before i do anything include:

  • Nano - Easy file editor
  • Zip - obvious
  • unzip - obvious
  • wget - obtain items from http links
  • curl - similar to above
  • vnstat - monitor BW usage in real time
  • ufw - uncomplicated firewall
  • fail2ban - Intrusion prevention system

This command will get you going

sudo apt install nano wget curl zip unzip vnstat ufw fail2ban

 

4 - Get docker Installed (debian 11)

This is the easy bit, they have separate guides for Debian and Ubuntu so as i use Debian the commands here will work if you choose Debian 11. If you choose Ubuntu do not select version above 20.04 (the 21v won't work with their ubuntu instruction unless you hack it up a bit)

Copy this whole block first into terminal and press enter, if asked a question answer yes (y)

sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg \
    lsb-release

Then

 curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

Then copy this whole block and paste and press enter

echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Then update

sudo apt-get update

And finally run the install

sudo apt-get install docker-ce docker-ce-cli containerd.io

 

Okay so so far you have docker running now lets add an easy webui to manage the docker front end.

I use Portainer as it is simple to use, to do this you will be visiting a site called Docker Hub, this is a good central point to find dockers that interest you and each docker usually has a setup guide, can seem daunting at first but after you have messed about with it its easy

Now there are various ways of creating a docker, i am old school so the following is the way i like to do it, however many will say Docker Compose is a better way, both work so learn which ever you want

So lets get portainer setup first time, below is an example i use however once i have setup SWAG Docker, i will recreate this first docker

Copy and paste this into your terminal ssh session

docker run -d \
 --name=portainer \
 --hostname=Portainer \
 -e TZ=Europe/London \
 --restart=always \
 -p 9000:9000 \
 -e PUID=0 \
 -e PGID=0 \
 -v /var/run/docker.sock:/var/run/docker.sock \
 -v portainer_data:/data \
 portainer/portainer-ce:latest
  • --name - This is the name of the docker and how it is referred to by the system but more importantly behind a proxy server for SSl
  • TZ - Timezone set this to your preferred location
  • -v - These are mounted volumes, the second one is where your persistent data is kept, so you can destroy and redeploy the container and your existing data is retained otherwise you would have to start setup of that container all again
  • PUID/PGID - this is the user applied to the docker = 0 is root user, and some dockers wont start correctly if set like this as a security measure, if you have a different username in your main server you can find these details by typing -
    id xxxxxxx 
    where xxxxxx is your username i.e admin/ubuntu/johndoe, normally if it is the first username the values will be 1000/1000
  • -p 9000:9000 this is called a port map. The first value is the port a person will type in the address bar, the second value relates to the port thats open in the portainer container itself, logic behind this is that you may have many dockers where the container port is 443. This way you could say make the first value 8443, 7443,6443 etc. This is only relevant if you choose not to get free ssl as the proxy will handle most of the traffic
  • The last line tells Docker which container to pull 

 

You should get a success message so time to see if it worked, so visit http://yourdomain.com:9000

As you have no SSL certs yet note the link is http and we add port 9000 you should be presented with portainer login page

  • Add a new admin account and password and click next
  • Select Attach local environment (not exact wording but usually the left most box) to connect portainer to your local docker environment

If all has gone well you will see the following:

[Screenshot]

 

Click on that big box with the docker logo to access your main config page

Then click on the Containers section

[Screenshot]

 

This page is where you manage all you containers, you can start stop delete or change settings

Anyways to make things easier we will now make a quick network change

5 - Docker Networks

  • In the left hand menu click Networks
  • Click Add Network
  • Enter a name for network i.e - My-Network
  • Driver = Bridge
  • Subnet = 172.20.0.0/16
  • Gateway = 172.20.0.1
  • Scroll to bottom and click add network

 

The reason for this is working with proxy's like Swag is a lot easier where you have all containers within a unique network, it reduces the amount of work later on, Swag will just direct traffic to the docker name and port and comes with pre-configured setups to go.

Okay so lets move portainer to the new network, so go back to the main container page (menu in left hand side) above and do the following:

  • Click on the blue portainer link next to the green running icon
  • Scroll to bottom
  • Click join a network
  • Select your network name you created in step 5
  • Select Join network
  • Wait a few seconds and it will appear underneath in both your network and bridge network
  • Now click Leave Network next to BRIDGE

Step 6 - Emby and Swag

Okay so lets install Emby docker

Visit docker hub again and type EMBY in the search box, there are many versions including EMBY's own version. Now i will be honest here i tend to stick to Linuxserver.io containers as they are rock solid, updated frequently and just never had an issues with them, i will use them as number 1 choice for a container and then if they do not have one i work down the list

Now below is a base config but you will need to change to suit your hardware

Full details are available here for configuration options - linuxserver/emby - Docker Image | Docker Hub

As an example here's mine (im running on AMD EPYC so there is no hardware passthrough config for IGPU (intel) or GPU but added the igpu flag back in)

 

docker run -d \
  --name=emby \
  --net=my-network \
  --ip=172.20.0.4 \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Europe/London \
  -p 8096:8096 \
  -p 8920:8920 \
  -v emby_data:/config \
  -v /Mount:/Rclone \
  --device /dev/dri:/dev/dri \
  --restart unless-stopped \
  ghcr.io/linuxserver/emby:version-4.6.7.0
  • Name - Obvious leave as is
  • net = enter your network name you created in previous step
  • ip= set a fix ip, just a tidy ocd thing this would follow the network you set up above with just the last section changing for each docker you create
  • ID = as above
  • tz = as above
  • Ports 8096 and 8920 are the ports required by emby
  • emby_data - persistent data storage (real location via ssh is /var/lib/docker/volumes/emby_data/_data)
  • v /Mount - This is where you store your media on the server and /Rclone is how it will appear in Emby when browsing for folders to add. Now if you are storing your media on the server in lets say /home/myusername/media you would change the first part to /home/myusername/media:

Now if you are storing your media remotely, say on Google Drive or OneDrive, you will need to install something like RCLONE and follow their guides (pretty simple to be fair but beyond the scope of this quick start guide)

  • --device - this is the passthrough of igpu in this example, they give you options for gpus in the link i posted above, this can be removed if your vps is running AMD non igpu cpu etc

Paste the block into ssh terminal and you should get success.

If you refresh your portainer CONTAINER page it should now show Emby as Started if all went well.

So visit yourdomainname.com:8096 and hopefully you will now have Emby setup page showing.

7 - Security

So far everything is running unsecured so heres a rough guide to securing the two containers, remember those subdomains you created at the beginning? Good because we need them now

So in this example you created these subdomains - manage.yourdomain.com and emby.yourdomain.com

Lets add a simple to use Proxy/Nginx/SSL container by Linuxserver.io - linuxserver/swag - Docker Image | Docker Hub

Now first off to avoid the LETSENCRYPT issue where the expired cert has nuked the app on certain TV's and devices we are going to use ZEROSSL which is also free for ACME ssl request

So first signup for an account at ZeroSSL. It's free and quick to create an account

 

docker run -d \
   --name=swag \
   --cap-add=NET_ADMIN \
   --net=my-network \
   --ip=172.20.0.5 \
   -e VALIDATION=http \
   -e PUID=1000 \
   -e PGID=1000 \
   -e TZ=Europe/London \
   -e URL=yourdomain.com \
   -e CERTPROVIDER=zerossl \
   -e SUBDOMAINS=manage,emby \
   -e EMAIL='zerosslaccount@whoever.com' \
   -e ONLY_SUBDOMAINS=true \
   -p 80:80 \
   -p 443:443 \
   -v swag_data:/data \
   -v /var/lib/docker/volumes/swag_data:/config \
   -v /var/lib/docker/volumes/emby_data/_data/logs:/config/log/emby:ro \
   -v /var/log:/config/log/server:ro \
   --restart unless-stopped \
   linuxserver/swag:version-1.27.0

Key points to note:

  • Net - Change to the network you created
  • Ip - give it a fixed IP as above thats not in use already (last section)
  • URl = is your main domain name you created in step 1
  • Certprovider = Makes sure the docker uses ZeroSSL not Letsencrypt
  • Validation http = this is how it will obtain the certs, at the moment you should have no firewall running so http will be fine. DNS is an option but that requires setting up API's so for now stay with http
  • Subdomains = add all the subdomains you created in step one, separated by a comma and without the main part of the domainname
  • Email = The email you used to signup and login to ZEROSSL
  • Only SUBDomains = If you are only going to use the subdomains set to true if you want the main domain included then set to false
  • Now the volumes are as before, the 3rd volume is used for fail2ban within this container as when setup it will monitor emby logs for bruteforce login attacks, the fourth volume i added in as i have Authelia also protecting my site and those logs are stored in the main servers log file, you can leave this for now or delete

Copy the above block once you have modified it with your details and paste again into SSH Terminal / Powershell and press enter

If all goes well you should see no errors

So go back to PORTAINER container page and refresh the page, the SWAG docker should now appear and be running. If you click the first icon to the right (piece of paper) you can see what logs are being written live. What you are looking for here is success notice and the last line is SERVER READY

If you have any errors then you need to check that your sub and domain names are correct, your zerossl email is correct etc

If you have made an error then you can just tick the box next to SWAG and click remove (do not click remove persistent volumes in next window)

And follow the steps above again

8 - Success - Lets set up Swag to secure your sites

Okay so your swag setup correctly and obtained the certs now a few tweaks to make

  • Once again visit the container page but this time click on the fourth icon >_
  • Click connect

This opens a ssh connection to inside the docker. Now lets get to the place we need to do all the work

cd /config/nginx/proxy-confs

Press Enter

ls

will list all the preset configs done for major apps, we are interested in 2 at this point - Portainer and Emby, at the moment they all show as sample as this means they are not active so lets create an active version, copy 1 line at a time and press enter after each one

cp emby.subdomain.conf.sample emby.subdomain.conf
cp portainer.subdomain.conf.sample portainer.subdomain.conf

Remember the network you created above for simplicity down the line? Well this is the reason why, we only need to edit one word in each file for a basic setup

This process is the same for all files

nano emby.subdomain.conf

The file will open so look for the following:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name emby.*;

Now the only piece you need to change is the bit before the full stop. Above it is set to emby. If you called your subdomain part as emby, there is nothing to change here. But lets say you wanted the link to your emby instance to be media.yourdomain.com you would change that block as follows:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name media.*;

 

Once you have checked and changed the domain name press the following to save

  • CTRL o - This writes the file
  • CTRL x - exits the editor

Do the same for Portainer - follow the steps above and change the name to match your subdomain so in our example change section portainer.*; to manage.*;

Now if you have done this correct:

  • Click CONTAINER in left hand menu
  • click the select box next to swag and click restart

If the container restarted fine now we can check if it worked so we will test with PORTAINER First

Open a new tab in your browser and enter manage.yourdomain.com the page should load without a port number and show it's secured with SSL.

 

9 - Success - Emby ssl Tweaks

Now Emby wont quite be setup right for emby connect so we need to make a change this is explained in the SWAG config file you edited in the above step

[Screenshot]

Make the changes as explained above in Emby and then you should be able to visit emby.yourdomain.com and receive the ssl cert and in dashboard WAN name and port should show as emby.yourdomain.com:443

10- Tidy Up

Now you have ssl setup and proxy is working, we need to make a cpl of changes to the existing dockers. If we no longer need the insecure public ports published then lets get rid of them

  • Go back to Containers main page in portainer LH menu
  • Do one at a time, so select the box to the left of portainer.
  • Click remove 
  • DO NOT tick remove persistent volumes

Portainer page will now throw an error as obviously it does not exist, copy the same text below into your main SSH terminal (with your amendments obviously)

docker run -d \
 --name=portainer \
 --hostname=Portainer \
 -e TZ=Europe/London \
 --restart=always \
 -e PUID=0 \
 -e PGID=0 \
 -v /var/run/docker.sock:/var/run/docker.sock \
 -v portainer_data:/data \
 portainer/portainer-ce:latest

We have only removed the -p 9000:9000 line as it's no longer needed as we are accessing via the proxy on port 443

You will notice when you copy this and hit enter in terminal it will be near instant as the image is already downloaded

Go back to our browser and type - manage.yourdomain.com and you should be greeted with the secure portainer page

 

Repeat this for the EMBY container and this time copy and paste the following (with your amendments obviously)

docker run -d \
  --name=emby \
  --net=my-network \
  --ip=172.20.0.4 \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Europe/London \
  -v emby_data:/config \
  -v /Mount:/Rclone \
  --device /dev/dri:/dev/dri \
  --restart unless-stopped \
  ghcr.io/linuxserver/emby:version-4.6.7.0

Emby can only be accessed via SSL now

In future if ya add more dockers you can go straight to leaving the ports out of the setup process if you have done the following

  • Created a subdomain at your domain name provider
  • Edited the relevant proxy-conf as per above with the subdomain updated
  • restarted swag

YOU DO NOT HAVE TO DO ANYTHING TO THE SWAG DOCKER - no need to redo this container

2022 Update

If you remove the ports for emby as mentioned above, and seem to suffer some buffering issues, add the ports back in. Some clients, even though they were connected via ssl and proxy, had horrendous buffering issues until these ports were reopened (don't ask me why as i don't understand the logic myself, but re-opening the ports the buffering instantly vanished). Obviously if you have applied firewall tweaks below then make sure the ports are reopened in UFW

11 - Firewalls & Fail2ban

In your main SSH Terminal at a minimum turn the firewall on. If all your dockers run through SWAG on port 443 then you only need to add a cpl of ports to the IN firewall

So you can follow these steps, press enter after each line

 

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow in 22/tcp
sudo ufw allow in 80/tcp
sudo ufw allow in 443/tcp
sudo ufw enable

confirm yes as you may be interrupted

Now, technically you could get away with port 22/tcp only which is your ssh port (i would change it from default but thats a different guide you can follow)

Reason i say that is as it stands Docker kind of bypasses your firewall when you publish a port (hence why we removed the direct access), now you can adjust UFW which i would do once you have a better idea of the system by following this guide here - ufw-docker/README.md at master · chaifeng/ufw-docker · GitHub as this secures the server a little bit more

However as you are not running web servers on your main server as they are in docker then no harm will come, but you can test with just port 22 as you should have no issues, if the Swag docker has an issue renewing the certs then add the 80 and 443 ports as a test

Now you can add any other docker you want to build up your arsenal of tools to maximise the use of the server

For info, this may not be the best way, but thats the great thing with Linux there are many ways to achieve the same thing, and i have deployed docker setups like this time and time again without any issues each time improving security and performance.

Ultimately just try it because its bloody good fun and can become quite addictive and enjoyable, and if it goes wrong, then just roll back, delete or reinstall your vps

 

Edited by CassTG
Updated Docker versions and Emby port info
Link to comment
Share on other sites
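
The point in step 11 that Docker bypasses UFW for published ports can be checked rather than assumed. The script below is an added example, not part of the post above: it reads `docker ps` output and lists every port published on a non-loopback address that is not on an allowlist (assumed here to be 80 and 443 for SWAG); the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Flags container ports that Docker
# publishes on non-loopback addresses and that are not meant to be public.
# Docker writes its own iptables rules for every -p mapping, so a ufw
# "default deny incoming" policy does not close them.

# Usage: docker ps --format '{{.Names}}\t{{.Ports}}' | audit_published_ports "80 443"
#   $1     space-separated host ports that are meant to be public (assumption)
#   stdin  one "name<TAB>ports" line per container
# Prints one "name host_ip:host_port" line per finding; exit status 1 if any.
audit_published_ports() (
  allowed=" $1 "
  found=0
  tab=$(printf '\t')
  while IFS="$tab" read -r name ports; do
    [ -n "$ports" ] || continue
    set -f          # no globbing while the ports column is split on commas
    IFS=','
    for entry in $ports; do
      entry=${entry# }
      # "8920/tcp" alone is only EXPOSEd; published ports contain "->".
      case "$entry" in *'->'*) ;; *) continue ;; esac
      host_side=${entry%%->*}        # e.g. 0.0.0.0:9000, :::9000, [::]:9000
      host_ip=${host_side%:*}
      host_port=${host_side##*:}
      # Loopback binds are reachable from the host only.
      case "$host_ip" in 127.*|::1|'[::1]') continue ;; esac
      # A port range is never on the allowlist; a single port may be.
      case "$host_port" in
        *-*) ;;
        *) case "$allowed" in *" $host_port "*) continue ;; esac ;;
      esac
      printf '%s %s:%s\n' "$name" "$host_ip" "$host_port"
      found=1
    done
  done
  exit "$found"
)

# Constructed sample of docker ps output for the three containers before the
# direct ports are removed in step 10 (not captured from a real host).
sample_ps_before() {
  printf 'portainer\t0.0.0.0:9000->9000/tcp, :::9000->9000/tcp, 8000/tcp\n'
  printf 'emby\t0.0.0.0:8096->8096/tcp, :::8096->8096/tcp, 0.0.0.0:8920->8920/tcp, :::8920->8920/tcp\n'
  printf 'swag\t0.0.0.0:443->443/tcp, :::443->443/tcp, 80/tcp\n'
}

# Demo run on the sample: lists the Portainer and Emby ports, not SWAG's 443.
sample_ps_before | audit_published_ports "80 443" || true
```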

Okay for some reason it duplicated the above and i can't edit it anymore, so scroll down to half way where it starts again lol


MODS - This is the second post today that immediately locks out any editing.

Are you able to tidy the post up by deleting the incomplete first part, It starts at Number 1) again half way through


1 hour ago, CassTG said:

MODS - This is the second post today that immediately locks out any editing.

Are you able to tidy the post up by deleting the incomplete first part, It starts at Number 1) again half way through

Please see this link:

https://emby.media/community/index.php?/topic/71552-folder-mis-identified-as-tv-series-how-to-undo/&do=findComment&comment=1080660

 
