I’m running other Docker apps side-by-side with my Umbrel node, and so far, it’s been working perfectly. I wanted to share this with the community, so people can take “advantage” of their Pis for purposes other than just running Umbrel.
There’s a downside though: you’re expanding the attack vectors on your Umbrel node. Depending on what you run, and whether you expose ports to the Internet or not, you’ll have a WAY BIGGER attack surface, which is NOT A GOOD IDEA. If you like living on the edge, proceed reading.
I’m just sharing my configuration so people can understand how this can be done, but always keep the warning above in mind. I would NEVER for example run an NGINX server with port 80 exposed to the internet, as any zero-day bug in NGINX can pose a serious threat to your umbrel wallet.
But, anyways, you can absolutely run other docker apps in your umbrel node. The “virtue” of Docker is that you can isolate your apps from the umbrel stack, so no network complexity!
I run pi-hole, visualizer, portainer, netstats, and the no-ip update client in the Pi.
The steps to do this are:
- Create a “docker-compose.yaml” (put it in your home directory, /home/umbrel). I even went for the sure one and created a specific sub-net.
```yaml
version: "3.8"
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "67:67/udp"
      - "7777:80/tcp"
    environment:
      TZ: 'America/Santiago'
      WEBPASSWORD: 'betazoide' # sample value from this post; set your own admin password
      PIHOLE_DNS_: '1.1.1.1;1.0.0.1'
      ServerIP: '192.168.1.147' # replace with your umbrel.local IP. May work also if you comment this line out
      # WEB_PORT: '7777'
    volumes:
      - './pihole/etc-pihole/:/etc/pihole/'
      - './pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/'
    cap_add:
      - NET_ADMIN
    restart: always
    hostname: pihole
    networks:
      containers:
        ipv4_address: 172.20.0.3
  portainer:
    container_name: portainer
    image: portainer/portainer-ce:latest
    restart: always
    ports:
      - 9000:9000
    volumes:
      # Mounting the Docker socket gives Portainer control of the host's Docker daemon
      - '/var/run/docker.sock:/var/run/docker.sock'
      - './portainer_data:/data'
    hostname: portainer
    environment:
      logo: 'https://www.docker.com/sites/all/themes/docker/assets/images/brand-full.svg'
    networks:
      containers:
        ipv4_address: 172.20.0.4
  no-ip:
    container_name: no-ip
    image: aanousakis/no-ip
    restart: always
    environment:
      USERNAME: 'YOUR_USERNAME@gmail.com'
      PASSWORD: 'YOUR_PASSWORD'
      DOMAINS: 'YOUR_DNS_NAME.ddns.net'
      INTERVAL: '5'
    hostname: noip
    networks:
      containers:
        ipv4_address: 172.20.0.5
  netdata:
    image: netdata/netdata:latest
    container_name: netdata
    ports:
      - 19999:19999
    volumes:
      - /home/umbrel/netdata:/etc/netdata
    restart: always
    hostname: netstat
    networks:
      containers:
        ipv4_address: 172.20.0.7
networks:
  containers:
    ipam:
      config:
        - subnet: 172.20.0.0/24
```
After saving that file, create a service to start it up “AFTER” umbrel has booted up completely (because otherwise when umbrel starts its docker services it will kill yours).
- Create a file to start up your services. I called it “pihole.sh”, located in /home/umbrel
```bash
#!/bin/bash
# Start the extra containers defined in /home/umbrel/docker-compose.yaml
cd /home/umbrel
docker-compose up -d
```
- Create a file named /etc/systemd/system/pihole.service, with the following content:
```ini
# PiHole Startup Service
# Installed at /etc/systemd/system/pihole.service

[Unit]
Description=PiHole+Portainer Startup Service
Wants=network-online.target
After=network-online.target
Wants=docker.service
After=docker.service
Requires=umbrel-startup.service
After=umbrel-startup.service
# This prevents us hitting restart rate limits and ensures we keep restarting indefinitely.
StartLimitInterval=0

[Service]
WorkingDirectory=/home/umbrel
Type=forking
TimeoutStartSec=infinity
TimeoutStopSec=16min
ExecStart=/bin/bash /home/umbrel/pihole.sh
ExecStop=docker-compose down
User=root
Group=root
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=PiHole-Portainer startup
RemainAfterExit=yes
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
```
Then “sudo systemctl enable pihole”.
That’s it! As you can see in the service startup, your docker services “depend” on umbrel-startup finishing its startup, so if you restart your Pi, bear in mind that the pi-hole will take some time to be online, and you’ll lose DNS access momentarily if you’re routing everything through the Pi-hole for DNS resolution.
Now for example you can browse to: umbrel.local:19999 for netstats, umbrel.local:9000 for portainer, and umbrel.local:7777/admin (which is a redirect not to clash with umbrel’s port 80)
Let me know how it went!
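As an added example that is not part of the original post: a small shell audit that lists which port mappings in a compose file are published without a host IP (Docker binds those to every host interface) and whether any service mounts the Docker socket. The sample compose text is constructed from the port entries above, the `192.168.1.147:9000:9000` binding is an assumption added for contrast, and only the short `[HOST_IP:]HOST_PORT:CONTAINER_PORT[/proto]` syntax with IPv4 addresses is handled.

```shell
# Added example: flag compose port mappings published without a host IP,
# which Docker binds to every host interface (0.0.0.0).
# Constructed sample modelled on the post; the portainer host IP is assumed.
sample_compose() {
cat <<'EOF'
services:
  pihole:
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "67:67/udp"
      - "7777:80/tcp"
    volumes:
      - './pihole/etc-pihole/:/etc/pihole/'
  portainer:
    ports:
      - 192.168.1.147:9000:9000
    volumes:
      - '/var/run/docker.sock:/var/run/docker.sock'
  netdata:
    ports:
      - 19999:19999
EOF
}

# audit_ports FILE: print "BOUND <mapping>" or "ALL-INTERFACES <mapping>"
# for each short-syntax list item; volume entries do not match the pattern.
audit_ports() {
    grep -E "^[[:space:]]*-[[:space:]]*[\"']?([0-9]{1,3}(\.[0-9]{1,3}){3}:)?[0-9]+:[0-9]+(/(tcp|udp))?[\"']?[[:space:]]*(#.*)?$" "$1" |
    sed -E "s/^[[:space:]]*-[[:space:]]*//; s/[[:space:]]*#.*$//; s/[\"']//g; s/[[:space:]]*$//" |
    while IFS= read -r mapping; do
        case "$mapping" in
            *.*.*.*:*) echo "BOUND $mapping" ;;          # explicit host IPv4
            *)         echo "ALL-INTERFACES $mapping" ;; # no host IP given
        esac
    done
}

# count_exposed FILE: number of mappings reachable on every interface.
count_exposed() { audit_ports "$1" | grep -c '^ALL-INTERFACES' || true; }

# mounts_docker_sock FILE: succeeds if a service mounts the Docker socket,
# which gives that container control of the host's Docker daemon.
mounts_docker_sock() { grep -q '/var/run/docker\.sock:' "$1"; }

# Demo on the constructed sample.
tmp=$(mktemp); sample_compose > "$tmp"; audit_ports "$tmp"
mounts_docker_sock "$tmp" && echo "WARNING: docker.sock is mounted"
rm -f "$tmp"
```

To check a real file, source the functions and run `audit_ports /home/umbrel/docker-compose.yaml`.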