DarkShadow93 - Posted May 26, 2021 (edited)

I want to install Emby on a cloud server so as not to host it in my network, due to my area's restrictions.

Edited May 26, 2021 by DarkShadow93: ReAdded Content

Luke - Posted May 26, 2021 (Solution)

Hi, we don't have any Linode-specific instructions, but you should be able to install one of our Linux packages depending on which distro you're running.

LiamThomso - Posted October 14, 2021

It would be interesting to hear the opinion of people who have already tried this method.

CassTG - Posted October 17, 2021

> On 14/10/2021 at 20:10, LiamThomso said:
> it would be interesting to hear the opinion of people who have already tried this method

I host mine in the cloud with a European provider. I have never used Linode, as to me they are overpriced for the resources you get. However, I have a cloud instance with 4 Epyc cores, 16 GB RAM, NVMe storage and a 2.5G network (peak). This is Ubuntu minimal with everything running in docker containers, and for the most part it works like a dream. Obviously though, if you plan on hardware decoding, then look for an Intel-based system with Quick Sync capabilities.

helendarack - Posted October 22, 2021

Do you have any links for me to be able to do this too?

CassTG - Posted October 22, 2021 (edited)

To be fair there are probably many guides out there, but I'll give you a summary.

1 - Domain

Make life easier down the road by purchasing a domain name. I recommend OVH as they sell them dirt cheap.

2 - VPS

Choose a decent VPS provider; cheapest is not always best. But if in Europe, a cheap option to test if it works for you is Hetzner.

3 - Choose Distro

Once you have your distro selected (I recommend Debian 11 minimal) the VPS provider will give you an IP address. Go back to the company you bought the domain name from and make sure you set the following records:

A - xx.xx.xx.xx (where xx's = your IP address from the VPS)
A - emby.xx.xx.xx.xx (these are subdomains, which if you are using docker you will need as many as you like, i.e. 1 for portainer manager, 1 for issue logging, 1 for other clients)

Think of what you wish to use and do, and create these subdomains up front as it can take a while to propagate through the DNS servers.

3 - Update the server

Using an SSH client (Terminal on Mac is built in, PowerShell on Windows works also), log in with the username and password that was issued to you when setting up the VPS.

    ssh username@xx.xx.xx.xx

Then run

    sudo apt update && sudo apt upgrade

Confirm Yes.

Now if the VPS is located in a different timezone to you, you can adjust the default timezone. The format is Area/Location, so for UK you would type:

    timedatectl set-timezone Europe/London

Now things I like to make sure are installed as default before I do anything include:

Nano - Easy file editor
Zip - obvious
unzip - obvious
wget - obtain items from http links
curl - similar to above
vnstat - monitor BW usage in real time
ufw - uncomplicated firewall
fail2ban - Intrusion prevention system

This command will get you going:

    sudo apt install nano wget curl zip unzip vnstat ufw fail2ban

4 - Get docker installed (Debian 11)

This is the easy bit. They have separate guides for Debian and Ubuntu, so as I use Debian the commands here will work if you choose Debian 11. If you choose Ubuntu do not select a version above 20.04 (the 21v won't work with their Ubuntu instructions unless you hack it up a bit).

Copy this whole block first into terminal and press enter; if asked a question answer yes (y)

    sudo apt-get install \
        apt-transport-https \
        ca-certificates \
        curl \
        gnupg \
        lsb-release

Then

    curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

Then copy this whole block and paste and press enter

    echo \
      "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian \
      $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Then update

    sudo apt-get update

And finally run the install

    sudo apt-get install docker-ce docker-ce-cli containerd.io

Okay, so far you have docker running; now let's add an easy web UI to manage the docker front end.

I use Portainer as it is simple to use. To do this you will be visiting a site called Docker Hub; this is a good central point to find dockers that interest you, and each docker usually has a setup guide. It can seem daunting at first, but after you have messed about with it, it's easy.

Now there are various ways of creating a docker. I am old school so the following is the way I like to do it; however many will say Docker Compose is a better way. Both work, so learn whichever you want.

So let's get portainer set up first time. Below is an example I use; however once I have set up the SWAG docker, I will recreate this first docker.

Copy and paste this into your terminal SSH session

    docker run -d \
      --name=portainer \
      --hostname=Portainer \
      -e TZ=Europe/London \
      --restart=always \
      -p 9000:9000 \
      -e PUID=0 \
      -e PGID=0 \
      -v /var/run/docker.sock:/var/run/docker.sock \
      -v portainer_data:/data \
      portainer/portainer-ce:latest

--name - This is the name of the docker and how it is referred to by the system, but more importantly behind a proxy server for SSL
TZ - Timezone, set this to your preferred location
-v - These are mounted volumes; the second one is where your persistent data is kept, so you can destroy and redeploy the container and your existing data is retained, otherwise you would have to start setup of that container all over again
PUID/PGID - this is the user applied to the docker. 0 is the root user, and some dockers won't start correctly if set like this as a security measure. If you have a different username in your main server you can find these details by typing - id xxxxxxx where xxxxxx is your username, i.e. admin/ubuntu/johndoe; normally if it is the first username the values will be 1000/1000
-p 9000:9000 - this is called a port map. The first value is the port a person will type in the address bar, the second value relates to the port that's open in the portainer container itself. The logic behind this is that you may have many dockers where the container port is 443. This way you could, say, make the first value 8443, 7443, 6443 etc. This is only relevant if you choose not to get free SSL, as the proxy will handle most of the traffic

The last line tells Docker which container to pull.

You should get a success message, so time to see if it worked. Visit http://yourdomain.com:9000

As you have no SSL certs yet, note the link is http and we add port 9000. You should be presented with the portainer login page.

Add a new admin account and password and click next
Select Attach local environment (not exact wording but usually the left most box) to connect portainer to your local docker environment

If all has gone well you will see the following:

Click on that big box with the docker logo to access your main config page
Then click on the Containers section

This page is where you manage all your containers; you can start, stop, delete or change settings.

Anyways, to make things easier we will now make a quick network change.

5 - Docker Networks

In the left hand menu click Networks
Click Add Network
Enter a name for network, i.e. My-Network
Driver = Bridge
Subnet = 172.20.0.0/16
Gateway = 172.20.0.1
Scroll to bottom and click add network

The reason for this is that working with proxies like Swag is a lot easier where you have all containers within a unique network. It reduces the amount of work later on; Swag will just direct traffic to the docker name and port, and comes with pre-configured setups to go.

Okay, so let's move portainer to the new network. Go back to the main container page (menu in left hand side) above and do the following:

Click on the blue portainer link next to the green running icon
Scroll to bottom
Click join a network
Select your network name you created in step 5
Select Join network
Wait a few seconds and it will appear underneath in both your network and bridge network
Now click Leave Network next to BRIDGE

Step 6 - Emby and Swag

Okay, so let's install the Emby docker.

Visit Docker Hub again and type EMBY in the search box; there are many versions including EMBY's own version. Now I will be honest here, I tend to stick to Linuxserver.io containers as they are rock solid, updated frequently and I have just never had any issues with them. I will use them as number 1 choice for a container and then if they do not have one I work down the list.

Now below is a base config but you will need to change it to suit your hardware.

Full details are available here for configuration options - linuxserver/emby - Docker Image | Docker Hub

As an example here's mine (I'm running on AMD EPYC so there is no hardware passthrough config for IGPU (Intel) or GPU, but added the igpu flag back in)

    docker run -d \
      --name=emby \
      --net=my-network \
      --ip=172.20.0.4 \
      -e PUID=1000 \
      -e PGID=1000 \
      -e TZ=Europe/London \
      -p 8096:8096 \
      -p 8920:8920 \
      -v emby_data:/config \
      -v /Mount:/Rclone \
      --device /dev/dri:/dev/dri \
      --restart unless-stopped \
      ghcr.io/linuxserver/emby:version-4.6.7.0

Name - Obvious, leave as is
net = enter your network name you created in the previous step
ip = set a fixed IP, just a tidy OCD thing; this would follow the network you set up above with just the last section changing for each docker you create
ID = as above
tz = as above
Ports 8096 and 8920 are the ports required by emby
emby_data - persistent data storage (real location via ssh is /var/lib/docker/volumes/emby-data/_data)
-v /Mount - This is where you store your media on the server, and /Rclone is how it will appear in Emby when browsing for folders to add. Now if you are storing your media on the server in, let's say, /home/myusername/media you would change the first part to /home/myusername/media:
Now if you are storing your media remotely, say on Google Drive or OneDrive, you will need to install something like RCLONE and follow their guides (pretty simple to be fair but beyond the scope of this quick start guide)
--device - this is the passthrough of igpu in this example; they give you options for GPUs in the link I posted above. This can be removed if your VPS is running an AMD non-igpu CPU etc

Paste the block into the SSH terminal and you should get success.

If you refresh your portainer CONTAINER page it should now show Emby as Started if all went well.

So visit yourdomainname.com:8096 and hopefully you will now have the Emby setup page showing.

7 - Security

So far everything is running unsecured, so here's a rough guide to securing the two containers. Remember those subdomains you created at the beginning? Good, because we need them now.

So in this example you created these subdomains - manage.yourdomain.com and emby.yourdomain.com

Let's add a simple to use Proxy/Nginx/SSL container by Linuxserver.io - linuxserver/swag - Docker Image | Docker Hub

Now first off, to avoid the LETSENCRYPT issue where the expired cert has nuked the app on certain TVs and devices, we are going to use ZEROSSL, which is also free for ACME SSL requests.

So first sign up for an account at ZeroSSL. It's free and quick to create an account.

    docker run -d \
      --name=swag \
      --cap-add=NET_ADMIN \
      --net=my-network \
      --ip=172.20.0.5 \
      -e VALIDATION=http \
      -e PUID=1000 \
      -e PGID=1000 \
      -e TZ=Europe/London \
      -e URL=yourdomain.com \
      -e CERTPROVIDER=zerossl \
      -e SUBDOMAINS=manage,emby \
      -e EMAIL='zerosslaccount@whoever.com' \
      -e ONLY_SUBDOMAINS=true \
      -p 443:443 \
      -v swag_data:/data \
      -v /var/lib/docker/volumes/swag_data:/config \
      -v /var/lib/docker/volumes/emby_data/_data/logs:/config/log/emby:ro \
      -v /var/log:/config/log/server:ro \
      --restart unless-stopped \
      linuxserver/swag:version-1.27.0

Key points to note:

Net - Change to the network you created
Ip - give it a fixed IP as above that's not in use already (last section)
URL = is your main domain name you created in step 1
Certprovider = Makes sure the docker uses ZeroSSL not Letsencrypt
Validation http = this is how it will obtain the certs; at the moment you should have no firewall running so http will be fine. DNS is an option but that requires setting up APIs, so for now stay with http
Subdomains = add all the subdomains you created in step one, separated by a comma and without the main part of the domain name
Email = The email you used to sign up and log in to ZEROSSL
Only Subdomains = If you are only going to use the subdomains set to true; if you want the main domain included then set to false

Now the volumes are as before. The 3rd volume is used for fail2ban within this container, as when set up it will monitor emby logs for bruteforce login attacks. The fourth volume I added in as I have Authelia also protecting my site and those logs are stored in the main server's log file; you can leave this for now or delete it.

Copy the above block once you have modified it with your details, paste again into SSH Terminal / PowerShell and press enter.

If all goes well you should see no errors.

So go back to the PORTAINER container page and refresh the page. The SWAG docker should now appear and be running. If you click the first icon to the right (piece of paper) you can see what logs are being written live.

What you are looking for here is a success notice, and the last line is SERVER READY

If you have any errors then you need to check that your sub and domain names are correct, your zerossl email is correct etc

If you have made an error then you can just tick the box next to SWAG and click remove (do not click remove persistent volumes in the next window) and follow the steps above again.

8 - Success - Let's set up Swag to secure your sites

Okay, so your swag set up correctly and obtained the certs; now a few tweaks to make.

Once again visit the container page but this time click on the fourth icon >_
Click connect

This opens an SSH connection to inside the docker.

Now let's get to the place we need to do all the work

    cd /config/nginx/proxy-confs

Press Enter

    ls

will list all the preset configs done for major apps. We are interested in 2 at this point - Portainer and Emby. At the moment they all show as sample, as this means they are not active, so let's create an active version. Copy 1 line at a time and press enter after each one

    cp emby.subdomain.conf.sample emby.subdomain.conf
    cp portainer.subdomain.conf.sample portainer.subdomain.conf

Remember the network you created above for simplicity down the line? Well this is the reason why; we only need to edit one word in each file for a basic setup.

This process is the same for all files

    nano emby.subdomain.conf

The file will open, so look for the following:

    server {
        listen 443 ssl;
        listen [::]:443 ssl;

        server_name emby.*;

Now the only piece you need to change is the bit before the full stop. Above it is set to emby. If you called your subdomain part emby, there is nothing to change here. But let's say you wanted the link to your emby instance to be media.yourdomain.com, you would change that block as follows:

    server {
        listen 443 ssl;
        listen [::]:443 ssl;

        server_name media.*;

Once you have checked and changed the domain name press the following to save

CTRL o - This writes the file
CTRL x - exits the editor

Do the same for Portainer - follow the steps above and change the name to match your subdomain, so in our example change section portainer.*; to manage.*;

Now if you have done this correctly:

Click CONTAINER in the left hand menu
Click the select box next to swag and click restart

If the container restarted fine, now we can check if it worked, so we will test with PORTAINER first.

Open a new tab in your browser and enter manage.yourdomain.com. The page should load without a port number and show it's secured with SSL.

9 - Success - Emby SSL Tweaks

Now Emby won't quite be set up right for emby connect, so we need to make a change; this is explained in the SWAG config file you edited in the above step.

Make the changes as explained above in Emby and then you should be able to visit emby.yourdomain.com and receive the SSL cert, and in the dashboard WAN name and port should show as emby.yourdomain.com:443

10 - Tidy Up

Now you have SSL set up and the proxy is working, we need to make a cpl of changes to the existing dockers.

If we no longer need the insecure public ports published then let's get rid of them.

Go back to the Containers main page in the portainer LH menu

Do one at a time, so select the box to the left of portainer.

Click remove
DO NOT tick remove persistent volumes

The Portainer page will now throw an error as obviously it does not exist. Copy the same text below into your main SSH terminal (with your amendments obviously)

    docker run -d \
      --name=portainer \
      --hostname=Portainer \
      -e TZ=Europe/London \
      --restart=always \
      -e PUID=0 \
      -e PGID=0 \
      -v /var/run/docker.sock:/var/run/docker.sock \
      -v portainer_data:/data \
      portainer/portainer-ce:latest

We have only removed the -p 9000:9000 line, as it's no longer needed as we are accessing via the proxy on port 443.

You will notice when you copy this and hit enter in the terminal it will be near instant, as the image is already downloaded.

Go back to your browser and type - manage.yourdomain.com and you should be greeted with the secure portainer page.

Repeat this for the EMBY container and this time copy and paste the following (with your amendments obviously)

    docker run -d \
      --name=emby \
      --net=my-network \
      --ip=172.20.0.4 \
      -e PUID=1000 \
      -e PGID=1000 \
      -e TZ=Europe/London \
      -v emby_data:/config \
      -v /Mount:/Rclone \
      --device /dev/dri:/dev/dri \
      --restart unless-stopped \
      ghcr.io/linuxserver/emby:version-4.6.7.0

Emby can only be accessed via SSL now.

In future if ya add more dockers you can go straight to leaving the ports out of the setup process if you have done the following:

Created a subdomain at your domain name provider
Edited the relevant proxy-conf as per above with the subdomain updated
Restarted swag

YOU DO NOT HAVE TO DO ANYTHING TO THE SWAG DOCKER - no need to redo this container

2022 Update

If you remove the ports for emby as mentioned above, and seem to suffer some buffering issues, add the ports back in. Some clients, even though they were connected via SSL and proxy, had horrendous buffering issues until these ports were reopened. Don't ask me why as I don't understand the logic myself, but on re-opening the ports the buffering instantly vanished.

Obviously if you have applied the firewall tweaks below then make sure the ports are reopened in UFW.

11 - Firewalls & Fail2ban

In your main SSH terminal, at a minimum turn the firewall on.

If all your dockers run through SWAG on port 443 then you only need to add a cpl of ports to the IN firewall.

So you can follow these steps; press enter after each line

    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    sudo ufw allow in 22/tcp
    sudo ufw allow in 80/tcp
    sudo ufw allow in 443/tcp
    sudo ufw enable

Confirm yes, as you may be interrupted.

Now, technically you could get away with port 22/tcp only, which is your SSH port (I would change it from default but that's a different guide you can follow).

The reason I say that is, as it stands, Docker kind of bypasses your firewall when you publish a port (hence why we removed the direct access). Now you can adjust UFW, which I would do once you have a better idea of the system, by following this guide here - ufw-docker/README.md at master · chaifeng/ufw-docker · GitHub, as this secures the server a little bit more.

However, as you are not running web servers on your main server, as they are in docker, then no harm will come. But you can test with just port 22 as you should have no issues; if the Swag docker has an issue renewing the certs then add the 80 and 443 ports as a test.

Now you can add any other docker you want to build up your arsenal of tools to maximise the use of the server.

For info, this may not be the best way, but that's the great thing with Linux: there are many ways to achieve the same thing, and I have deployed docker setups like this time and time again without any issues, each time improving security and performance.

Ultimately just try it because it's bloody good fun and can become quite addictive and enjoyable, and if it goes wrong, then just roll back, delete or reinstall your VPS.

Edited May 9, 2022 by CassTG: Updated Docker versions and Emby port info
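
Added example, not part of CassTG's post: a check for the point made in step 11, that a port published with -p is reachable even when UFW has no rule for it. It parses `docker ps` and `ufw status` output and marks published ports that have no UFW allow rule; the two sample outputs are constructed from the guide's containers and rules, and the "internal" container is hypothetical.

```shell
#!/bin/sh
# Added example (not from the forum post): list ports Docker has published on
# all interfaces and mark those with no matching UFW allow rule. Docker adds its
# own iptables rules for published ports, so UFW's "deny incoming" does not
# cover them.

# Constructed `docker ps --format '{{.Names}}\t{{.Ports}}'` output, modelled on
# the guide's containers before the tidy-up step. "internal" is hypothetical.
sample_docker_ps() {
  printf 'portainer\t0.0.0.0:9000->9000/tcp, :::9000->9000/tcp, 8000/tcp\n'
  printf 'emby\t0.0.0.0:8096->8096/tcp, 0.0.0.0:8920->8920/tcp\n'
  printf 'swag\t0.0.0.0:443->443/tcp, 80/tcp\n'
  printf 'internal\t127.0.0.1:8080->80/tcp\n'
}

# Constructed `ufw status` output matching the rules from step 11.
sample_ufw_status() {
  printf '%s\n' 'Status: active' '' \
    'To                         Action      From' \
    '--                         ------      ----' \
    '22/tcp                     ALLOW       Anywhere' \
    '80/tcp                     ALLOW       Anywhere' \
    '443/tcp                    ALLOW       Anywhere'
}

# stdin: docker ps lines. stdout: "<container> <hostport>/<proto>" for every
# mapping bound to a non-loopback address (IPv4/IPv6 duplicates collapsed).
published_ports() {
  awk -F'\t' '{
    n = split($2, maps, /, */)
    for (i = 1; i <= n; i++) {
      if (maps[i] !~ /->/) continue            # exposed only, not published
      split(maps[i], side, "->")
      host = side[1]
      if (host ~ /^127\./ || host ~ /^\[?::1\]?:/) continue   # loopback only
      port = host;     sub(/^.*:/, "", port)   # drop the bind address
      proto = side[2]; sub(/^.*\//, "", proto) # keep tcp or udp
      key = $1 " " port "/" proto
      if (!(key in seen)) { seen[key] = 1; print key }
    }
  }'
}

# stdin: ufw status text. stdout: "<port>/<proto>" for each ALLOW rule.
ufw_allowed() {
  awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "ALLOW" { print $1 }'
}

# $1 = docker ps text, $2 = ufw status text.
audit() {
  allowed=$(printf '%s\n' "$2" | ufw_allowed)
  printf '%s\n' "$1" | published_ports | while read -r name port; do
    if printf '%s\n' "$allowed" | grep -qxF -- "$port"; then
      echo "ok       $name $port"
    else
      echo "EXPOSED  $name $port (published by Docker, no UFW allow rule)"
    fi
  done
}

# On a live host, pass real output instead of the samples:
#   audit "$(docker ps --format '{{.Names}}\t{{.Ports}}')" "$(sudo ufw status)"
audit "$(sample_docker_ps)" "$(sample_ufw_status)"
```

With the sample input, ports 9000, 8096 and 8920 are reported as EXPOSED and 443 as ok, which is the state the tidy-up in step 10 is meant to remove.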

CassTG - Posted October 22, 2021

Okay, for some reason it duplicated the above and I can't edit it anymore, so scroll down to half way where it starts again lol

CassTG - Posted October 22, 2021

MODS - This is the second post today that immediately locks out any editing. Are you able to tidy the post up by deleting the incomplete first part? It starts at Number 1) again half way through.

Luke - Posted October 22, 2021

@Abobader

Abobader - Posted October 22, 2021

> 1 hour ago, CassTG said:
> MODS - This is the second post today that immediately locks out any editing. Are you able to tidy the post up by deleting the incomplete first part, It starts at Number 1) again half way through

Please see this link: https://emby.media/community/index.php?/topic/71552-folder-mis-identified-as-tv-series-how-to-undo/&do=findComment&comment=1080660