Running other docker apps in Umbrel

I’m running other Docker apps side-by-side with my Umbrel node, and so far, it’s been working perfectly. I wanted to share this with the community, so people can take “advantage” of their PI’s for other purposes than just using Umbrel.

There’s a downside though: You’re expanding the attack vectors on your Umbrel node. Depending on what you run, and if you expose ports to the Internet or not, you’ll have a WAY BIGGER attack surface, which is NOT A GOOD IDEA. If you like living on the edge, proceed reading.

I’m just sharing my configuration so people can understand how this can be done, but always keep the warning above in mind. I would NEVER for example run an NGINX server with port 80 exposed to the internet, as any zero-day bug in NGINX can pose a serious threat to your umbrel wallet.

But, anyways, you can absolutely run other docker apps in your umbrel node. The “virtue” of Docker is that you can isolate your apps from the umbrel stack, so no network complexity!

I run pi-hole, visualizer, portainer, netstats, and the no-ip update client in the Pi.

The steps to do this are:

  1. Create a “docker-compose.yaml” (put it in your home directory, /home/umbrel). I even went for the sure one and created a specific sub-net.
    version: "3.8"

    services:

      pihole:
        container_name: pihole
        image: pihole/pihole:latest
        ports:
          - "53:53/tcp"
          - "53:53/udp"
          - "67:67/udp"
          - "7777:80/tcp"
        environment:
          TZ: 'America/Santiago'
          WEBPASSWORD: 'betazoide'
          PIHOLE_DNS_: '1.1.1.1;1.0.0.1'
          ServerIP: '192.168.1.147'  # replace with your umbrel.local IP. May work also if you comment this line out
    #      WEB_PORT: '7777'
        volumes:
          - './pihole/etc-pihole/:/etc/pihole/'
          - './pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/'
        cap_add:
          - NET_ADMIN
        restart: always
        hostname: pihole
        networks:
          containers:
            ipv4_address: 172.20.0.3

      portainer:
        container_name: portainer
        image: portainer/portainer-ce:latest
        restart: always
        ports:
          - 9000:9000
        volumes:
          - '/var/run/docker.sock:/var/run/docker.sock'
          - './portainer_data:/data'
        hostname: portainer
        environment:
          logo: 'https://www.docker.com/sites/all/themes/docker/assets/images/brand-full.svg'
        networks:
          containers:
            ipv4_address: 172.20.0.4

      no-ip:
        container_name: no-ip
        image: aanousakis/no-ip
        restart: always
        environment:
          USERNAME: 'YOUR_USERNAME@gmail.com'
          PASSWORD: 'YOUR_PASSWORD'
          DOMAINS: 'YOUR_DNS_NAME.ddns.net'
          INTERVAL: '5'
        hostname: noip
        networks:
          containers:
            ipv4_address: 172.20.0.5

      netdata:
        image: netdata/netdata:latest
        container_name: netdata
        ports:
          - 19999:19999
        volumes:
          - /home/umbrel/netdata:/etc/netdata
        restart: always
        hostname: netstat
        networks:
          containers:
            ipv4_address: 172.20.0.7

    networks:
      containers:
        ipam:
          config:
            - subnet: 172.20.0.0/24

After saving that file, create a service to start it up “AFTER” umbrel has booted up completely (because otherwise when umbrel starts its docker services it will kill yours).

  2. Create a file to start up your services. I called it “pihole.sh”, located in /home/umbrel

    cd /home/umbrel
    docker-compose up -d

  3. Create a file named /etc/systemd/system/pihole.service, with the following content:

    # PiHole Startup Service
    # Installed at /etc/systemd/system/pihole.service

    [Unit]
    Description=PiHole+Portainer Startup Service
    Wants=network-online.target
    After=network-online.target
    Wants=docker.service
    After=docker.service
    Requires=umbrel-startup.service
    After=umbrel-startup.service
    # This prevents us hitting restart rate limits and ensures we keep restarting indefinitely.
    # (systemd does not allow a comment on the same line as a setting.)
    StartLimitInterval=0

    [Service]
    WorkingDirectory=/home/umbrel
    Type=forking
    TimeoutStartSec=infinity
    TimeoutStopSec=16min
    ExecStart=/bin/bash /home/umbrel/pihole.sh
    ExecStop=docker-compose down
    User=root
    Group=root
    StandardOutput=syslog
    StandardError=syslog
    SyslogIdentifier=PiHole-Portainer startup
    RemainAfterExit=yes
    Restart=always
    RestartSec=10

    [Install]
    WantedBy=multi-user.target

Then “sudo systemctl enable pihole”.

That’s it! As you can see in the service startup, your docker services “depend” on the finishing of the startup of the umbrel-startup, so if you restart your PI, bear in mind that the pi-hole will take some time to be online, and you’ll lose DNS access momentarily if you’re routing everything through the Pi-hole for DNS resolution.

Now for example you can browse to: umbrel.local:19999 for netstats, umbrel.local:9000 for portainer, and umbrel.local:7777/admin (which is a redirect not to clash with umbrel’s port 80)

Let me know how it went!

6 Likes
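
An added example, not part of the original post: a small audit that lists the settings in a compose file that widen the node's attack surface, which is the risk the post warns about (ports published on every interface, the Docker socket mounted into a container, secrets written inline, unpinned images, extra capabilities). It takes the dict a YAML loader returns for docker-compose.yaml; the function names and finding labels are this example's own, and SAMPLE is constructed from the compose file above with placeholder secrets.

```python
# Added example: audit a parsed docker-compose file for attack-surface settings.
# SAMPLE is constructed from the compose file in the post (audited keys only).
WILDCARD = (None, "", "0.0.0.0", "[::]")
SECRET_WORDS = ("PASSWORD", "SECRET", "TOKEN")

def host_ip(port):
    """Host IP of a port mapping, or None when it binds every interface."""
    if isinstance(port, dict):                      # long syntax
        return port.get("host_ip")
    parts = str(port).split("/")[0].rsplit(":", 2)  # [ip, host_port, container_port]
    return parts[0] if len(parts) == 3 else None

def audit(compose):
    """Return (service, kind, detail) tuples for settings worth reviewing."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        for port in svc.get("ports", []):
            if host_ip(port) in WILDCARD:
                findings.append((name, "wildcard-port", str(port)))
        for vol in svc.get("volumes", []):
            if str(vol).split(":")[0].endswith("docker.sock"):
                findings.append((name, "docker-socket", str(vol)))
        env = svc.get("environment") or {}
        if isinstance(env, list):                   # "KEY=value" list form
            env = dict(e.split("=", 1) for e in env if "=" in e)
        for key in env:
            if any(w in key.upper() for w in SECRET_WORDS):
                findings.append((name, "inline-secret", key))
        tag = svc.get("image", "").rsplit("/", 1)[-1].partition(":")[2]
        if tag in ("", "latest"):                   # no tag means "latest"
            findings.append((name, "unpinned-image", svc.get("image", "")))
        for cap in svc.get("cap_add", []):
            findings.append((name, "added-capability", cap))
    return findings

SAMPLE = {"services": {
    "pihole": {"image": "pihole/pihole:latest", "cap_add": ["NET_ADMIN"],
               "ports": ["53:53/tcp", "53:53/udp", "67:67/udp", "7777:80/tcp"],
               "environment": {"TZ": "America/Santiago", "WEBPASSWORD": "example"}},
    "portainer": {"image": "portainer/portainer-ce:latest", "ports": ["9000:9000"],
                  "volumes": ["/var/run/docker.sock:/var/run/docker.sock",
                              "./portainer_data:/data"]},
    "no-ip": {"image": "aanousakis/no-ip",
              "environment": {"USERNAME": "user", "PASSWORD": "example"}},
    "netdata": {"image": "netdata/netdata:latest", "ports": ["19999:19999"],
                "volumes": ["/home/umbrel/netdata:/etc/netdata"]},
}}

if __name__ == "__main__":
    for service, kind, detail in audit(SAMPLE):
        print(f"{service:10} {kind:16} {detail}")
```

A mapping such as `127.0.0.1:9000:9000` is not reported, because it publishes the port on loopback only.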

I run Portainer with Umbrel so I can get this admin screen:

From that screen, I can log in directly to my Bitcoin or lnd node super easy.

1 Like

Note: this cannot be achieved by installing the Portainer plugin on Umbrel.