TrueNAS-Compose

Setting Up TrueNAS Before Using Docker Stacks

Before you use this Docker stacks, make sure you have completed the following steps to properly configure TrueNAS:

• Step 1: Install TrueNAS Community Edition - Follow the official instructions from the TrueNAS website to install it on your hardware.
• Step 2: Extend Session Timeout - Increase the session timeout duration to prevent TrueNAS from logging you out prematurely:
  1. Navigate to "System > Advanced Settings > Access" in the TrueNAS interface.
  2. Click "Configure".
  3. Change the "Session Timeout" default value from "300" to: # This increases the session timeout from '5 minutes' to 1 hour *

  3600

  * For extra security, revert the session timeout back to 300 seconds after completing the configuration process!

  4. Click "Save".
• Step 3: Configure Console - Ensure that access to your TrueNAS console requires a username and password:
  1. Navigate to "System > Advanced Settings > Console" in the TrueNAS interface.
  2. Click "Configure".
  3. Uncheck "Show Text Console without Password Prompt".
  4. Click "Save".
• Step 4: Configure Location - Ensure that your regional settings are properly configured:
  1. Navigate to "System > General Settings > Location" in the TrueNAS interface.
  2. Click "Settings".
  3. Change the default settings to match your regional settings and formats.
  4. Click "Save".
  5. If needed, change the date/time settings in your TrueNAS system's BIOS to match your local date/time. # Correct date/time is crucial for logs and network services to work properly
• Step 5: Configure Network - Ensure that your network settings are properly configured:
  1. Navigate to "Network > Interfaces" in the TrueNAS interface.
  2. Click on the "Edit" button of your network interface to access the interface settings.
  3. Uncheck "DHCP".
  4. Uncheck "Autoconfigure IPv6".
  5. Set the "MTU" to:

  1500

  6. Set your TrueNAS IP address in the "Aliases" section, in most cases:

  192.168.1.1/24

  7. Click "Save".
  8. Click on "Test Changes" and confirm.
  9. Access the IP address you set up for TrueNAS and login again to confirm the changes, in most cases:

  https://192.168.1.1

  10. Click on "Go To Network Settings", followed by "Save Changes" and "Save" to confirm.
  11. Navigate to "Network > Interfaces" in the TrueNAS interface.
  12. Click on the "Edit" button of your network interface to access the interface settings.
  13. Delete your TrueNAS IP address from the "Aliases" section.
  14. Click "Save". # Don't click on the 'Test Changes' button
  15. Click on the "Add" button to add a new network interface.
  16. Select "Bridge" from the "Type" dropdown menu to create a virtual Switch.
  17. Type "br0" in the "Name" field.
  18. Type "vSwitch" in the "Description" field.
  19. Uncheck "DHCP".
  20. Uncheck "Autoconfigure IPv6".
  21. Select your network interface (e.g.: eno1, eth0, etc...) from the "Bridge Members" dropdown menu.
  22. Check "Enable Learning".
  23. Set the "MTU" to:

  1500

  24. Set your TrueNAS IP address in the "Aliases" section, in most cases:

  192.168.1.1/24

  25. Click "Save".
  26. Click on "Test Changes" and confirm.
  27. Click on "Save Changes", followed by "Save" to confirm.
  28. Navigate to "Network > Global Configuration > Settings" in the TrueNAS interface.
  29. Replace "local" in the "Domain" field with your Top Level Domain name (e.g.: example.com) if you own one.
  30. Add the following nameservers to the "DNS Servers":

  1.1.1.2

  1.0.0.2

  31. Add your router's IP address to the "Default Gateway", in most cases:

  192.168.1.254

  32. Click "Save".
  33. Navigate to "System > General Settings > GUI > Settings" in the TrueNAS interface.
  34. Choose your TrueNAS IP address in "Web Interface IPv4 Address", in most cases:

  192.168.1.1

  35. Change your TrueNAS HTTP port in "Web Interface HTTP Port" from 80 to:

  81

  36. Change your TrueNAS HTTPS port in "Web Interface HTTPS Port" from 443 to:

  444

  37. Check "Web Interface HTTP -> HTTPS Redirect".
  38. Check "Show Console Messages".
  39. Uncheck "Usage collection".
  40. Click "Save".
  41. Navigate to "System > Advanced Settings > Sysctl" in the TrueNAS interface.
  42. Add the following "Variable=Value" pairs: # Don't copy the '=' sign in between the Variables and their Values

  net.ipv6.conf.all.disable_ipv6=1

  net.ipv4.ip_forward=1

  NOTE: Always select "SYSCTL" from the "Type" dropdown menu.

  43. Your Sysctl should look like this: # Variables and Values have different fields

  Var                                     Value          Enabled          Description
  net.ipv6.conf.all.disable_ipv6          1              Yes
  net.ipv4.ip_forward                     1              Yes

  44. Click "Save".
• Step 6: Create ZFS Pools - You'll need to create at least one ZFS pool to store your System/Apps data:
  1. Navigate to "Storage" in the TrueNAS interface.
  2. Click on the "Create Pool" button near the top right.
  3. Type "tank" on the "Name" field. # This is the default name used in ZFS documentation and in this guide
  4. Check "Encryption" (optional). # You'll need to download and securely store your encryption key, losing it may result in 'PERMANENT DATA LOSS' *

  Pool-level Encryption is Not Recommended
  
  TrueNAS 22.12.3 or later forces encryption for all child datasets and zvols within an encrypted root or parent dataset that are using the TrueNAS UI. However, datasets created outside of the UI, such as those created programmatically or manually via shell access, might not inherit encryption unless properly configured. For more granular control and awareness, we do not recommend users configure pool-level encryption of the root dataset. Instead, create an unencrypted pool and populate it with encrypted or unencrypted child datasets, as needed.
  
  Source: https://www.truenas.com/docs/scale/scaleuireference/storage/poolcreatewizardscreens/#pool-creation-wizard

  * To download your Encryption Keys: Navigate to 'Datasets' in the TrueNAS interface, select each encrypted pool and click the 'Export Key' button in the 'ZFS Encryption' section!

  5. If encryption is enabled, confirm that "Encryption is for users storing sensitive data" and click "I Understand".
  6. Click "Next".
  7. Select your pool "Layout". # Use at least a Mirror configuration and prioritize low-latency, high-performance storage (e.g.: Optane, NVMe) for your System/Apps pool
  8. Choose the appropriate "Disk Size".
  9. Check "Treat Disk Size as Minimun".
  10. Set the "Width". # Use at least two disks per VDEV to ensure redundancy
  11. Set the "Number of VDEVs". # More VDEVs result in higher IOPS, which are especially important for your System/Apps pool
  12. Click "Save And Go To Review".
  13. Click on the "Create Pool" button to create your System/Apps pool.
  14. Confirm that "The contents of all added disks will be erased" and click "Continue".
  15. If needed, refer to the official TrueNAS documentation for detailed guidance on pool creation and best practices. # Or watch this video: https://youtu.be/ykhaXo6m-04

  Sample Pool Setup (based on the reference system used for this guide):

  Boot
  
  Name: boot-pool
  Disks: 2 SSD
  Layout: 1 x Mirror

  System / Apps
  
  Name: tank
  Disks: 7 Optane
  Layout: 3 x Mirror + Spare

  Media / Downloads
  
  Name: morpheus
  Disks: 2 HDD + 2 NVMe
  Layout: 1 x Mirror + Metadata/Small Blocks (NVMe Mirror)

  Data / Games
  
  Name: trinity
  Disks: 4 SSD + 2 NVMe
  Layout: 1 x RAIDZ1 + Metadata/Small Blocks (NVMe Mirror)

  Backups
  
  Name: neo
  Disks: 8 SSD
  Layout: 1 x RAIDZ2

  NOTE: TrueNAS automatically creates a scheduled data integrity check (scrub) for each pool that runs, by default, every Sunday at 12:00 AM.

• Step 7: Configure Auto TRIM (optional) - Enable Auto TRIM on NVMe/SSD pools to optimize performance and extend the lifespan of your drives: # Optane and HDDs do not use the TRIM command
  1. Navigate to "Storage" in the TrueNAS interface.
  2. Click "Edit Auto TRIM" on the "ZFS Health" widget of your NVMe/SSD pool.
  3. Check "Auto TRIM".
  4. Click "Save".
  5. Repeat steps 2-4 for each NVMe/SSD pool in your system.

  WARNING: Some older or lower-quality SSD firmware may mishandle TRIM commands, potentially leading to data loss! # https://github.com/torvalds/linux/blob/master/drivers/ata/libata-core.c#L4288

• Step 8: Configure Apps' Pool - You'll need to configure your Apps' pool to store your Apps data:
  1. Navigate to "Apps > Configuration > Choose Pool" in the TrueNAS interface.
  2. Select your TrueNAS Apps' pool name from the list, in most cases:

  tank

  3. Click "Choose" to save.
• Step 9: Install NVIDIA Drivers (optional) - If you have a NVIDIA GPU make sure you install the NVIDIA drivers/runtime:
  1. Navigate to "Apps > Configuration > Settings" in the TrueNAS interface.
  2. Check "Install NVIDIA Drivers"
  3. Click "Save".
• Step 10: Configure S.M.A.R.T. Tests - Ensure that you create periodic S.M.A.R.T. tests of your Disks:
  1. Navigate to "Data Protection > Periodic S.M.A.R.T. Tests" in the TrueNAS interface.
  2. Click "Add".
  3. Check "All Disks".
  4. Select "SHORT" from the "Type" dropdown menu.
  5. Select "Weekly (0 0 * * sun) On Sundays at 00:00 (12:00 AM)" from the "Schedule" dropdown menu. # Or change it to meet your needs
  6. Click "Save".
• Step 11: Configure ZFS Snapshots - Ensure that you create periodic snapshots of your Apps' pool:
  1. Navigate to "Data Protection > Periodic Snapshot Tasks" in the TrueNAS interface.
  2. Click "Add".
  3. Select your TrueNAS Apps' pool name from the "Dataset" dropdown menu, in most cases:

  tank

  4. Check "Recursive".
  5. Uncheck "Allow Taking Empty Snapshots".
  6. Keep the "Schedule" settings at their default values. # Or change them to meet your needs
  7. Click "Save".
  8. In the future, configure periodic snapshot tasks on the datasets associated with your Docker volumes instead.

  WARNING: Deleting data from your pools won't free up space unless you also delete the associated ZFS snapshots!

• Step 12: Configure ZFS Replication (optional) - If you have more than one pool, you can back up your Apps' pool to a different pool:
  1. Navigate to "System > Shell" in the TrueNAS interface.
  2. Type "cli" and press Enter.
  3. Copy and paste the following command into the TrueNAS CLI: # Replace 'backups' with your Backups' pool name

  storage dataset create name=backups/tank share_type=APPS

  4. Type "exit" and press Enter.
  5. Navigate to "Data Protection > Replication Tasks" in the TrueNAS interface.
  6. Click "Add".
  7. Select your source location: # Replace 'tank' with your Apps' pool name

  Source Location: On this System

  Source: /mnt/tank

  8. Select your target location: # Replace 'backups' with your Backups' pool name

  Target Location: On this System

  Target: /mnt/backups/tank

  9. Check "Recursive".
  10. Type "tank_backup" in the "Task Name" field.
  11. Click "Next".
  12. Keep the "Schedule" settings at their default values. # Or change them to meet your needs
  13. Click "Save".
  14. Click on the "Edit" button of your new replication task.
  15. Search for "Destination Dataset Read-only Policy" and change it from "SET" to: # This will preserve your Apps' pool permissions

  IGNORE

  16. Click "Save".
  17. In the future, configure replication tasks on the datasets associated with your Docker volumes instead.
• Step 13: Create ZFS Datasets - You'll need to create datasets within your ZFS pools to organize and manage your data:
  1. Navigate to "System > Shell" in the TrueNAS interface.
  2. Type "cli" and press Enter.
  3. Copy and paste the following commands into the TrueNAS CLI: # Replace 'tank' with your Apps' pool name

  storage dataset create name=tank/docker share_type=APPS

  storage dataset create name=tank/docker/dockge share_type=APPS

  storage dataset create name=tank/docker/dockge/stacks share_type=APPS

  storage dataset create name=tank/docker/dockge/data share_type=APPS

  storage dataset create name=tank/docker/notifications share_type=APPS

  storage dataset create name=tank/docker/notifications/diun share_type=APPS

  storage dataset create name=tank/docker/notifications/gotify share_type=APPS

  storage dataset create name=tank/kvm share_type=GENERIC

  4. Copy and paste the following commands into the TrueNAS CLI: # Replace 'tank' with your Media/Downloads' pool name (it can be your Apps' pool)

  storage dataset create name=tank/downloads share_type=APPS

  storage dataset create name=tank/media share_type=APPS

  storage dataset create name=tank/media/audiobooks share_type=APPS

  storage dataset create name=tank/media/books share_type=APPS

  storage dataset create name=tank/media/movies share_type=APPS

  storage dataset create name=tank/media/music share_type=APPS

  storage dataset create name=tank/media/podcasts share_type=APPS

  storage dataset create name=tank/media/tvseries share_type=APPS

  5. Copy and paste the following commands into the TrueNAS CLI: # Replace 'tank' with your Data/Games' pool name (it can be your Apps' pool)

  storage dataset create name=tank/data share_type=APPS

  storage dataset create name=tank/games share_type=APPS

  storage dataset create name=tank/games/eggs share_type=APPS

  storage dataset create name=tank/games/installers share_type=APPS

  storage dataset create name=tank/games/roms share_type=APPS

  storage dataset create name=tank/users share_type=SMB

  6. Type "exit" and press Enter.
• Step 14: Configure ZFS Record Sizes - Ensure that the record sizes are optimized for each dataset based on its specific workload: # Adjusting the 'recordsize' helps improve performance
  1. Navigate to "System > Shell" in the TrueNAS interface.
  2. Copy and paste the following commands into the TrueNAS shell: # Replace 'tank' with your Apps' pool name

  sudo zfs set recordsize=16K tank/docker

  sudo zfs set recordsize=16K tank/kvm

  3. Copy and paste the following commands into the TrueNAS shell: # Replace 'tank' with your Media/Downloads' pool name

  sudo zfs set recordsize=16K tank/downloads

  sudo zfs set recordsize=1M tank/media

  4. Copy and paste the following commands into the TrueNAS shell: # Replace 'tank' with your Data/Games' pool name

  sudo zfs set recordsize=1M tank/data

  sudo zfs set recordsize=1M tank/games

  sudo zfs set recordsize=1M tank/users

  5. If needed, refer to the official OpenZFS documentation for detailed guidance on workload tuning. # https://openzfs.github.io/openzfs-docs/Performance%20and%20Tuning/Workload%20Tuning.html
• Step 15: Configure Permissions - Ensure that the permissions are configured to grant access to your ZFS datasets:
  1. Navigate to "Datasets" in the TrueNAS interface.
  2. Expand your Apps' pool tree and click on the "docker" dataset to select it.
  3. Navigate to "Permissions > Edit" to access the ACL Editor.
  4. Set the following "Access Control List": # This is the default ACL for Apps (which is applied when you set 'share_type=APPS' during dataset creation)

  owner@ - root                               Allow | Full Control
  group@ - root                               Allow | Modify
  Group - builtin_users                       Allow | Modify
  Group - builtin_administrators              Allow | Full Control
  User - apps                                 Allow | Modify

  5. Check "Apply permissions recursively" and confirm.
  6. Check "Apply permissions to child datasets".
  7. Click "Save Access Control List".
  8. Repeat steps 1-7 for the "media" and "downloads" datasets (instead of the "docker" dataset), which are located at the root of your Media/Downloads' pool.
  9. Repeat steps 1-7 for the "data" and "games" datasets (instead of the "docker" dataset), which are located at the root of your Data/Games' pool.
• Step 16: Configure Users - You'll need to create a user account to access and manage your TrueNAS system:
  1. Copy and paste the following command into your terminal (on your local computer): # Ed25519 is a public-key signature system, more secure than RSA

  ssh-keygen -t ed25519

  2. Press "Enter" to accept the default location:

  %USERPROFILE%\.ssh\id_ed25519 (Windows)

  ~/.ssh/id_ed25519 (macOS/Linux)

  3. Enter a passphrase for extra security. # This will secure your private key
  4. Re-enter the same passphrase to confirm.
  5. Navigate to "Credentials > Users" in the TrueNAS web interface.
  6. Click on the "Add" button.
  7. Type your username on the "Full Name" and "Username" fields.
  8. Type your secure password on the "Password" and "Confirm Password" fields.
  9. Type your valid email address on the "Email" field. # It will be used to send you alerts
  10. Type "builtin_administrators" on the "Auxiliary Groups" field.
  11. Type "/mnt/tank/users" on the "Home Directory" field. # Replace 'tank' with your Data/Games' pool name
  12. Check "Create Home Directory".
  13. Under "Upload SSH Key", click "Choose File" and select your public key file: # id_ed25519.pub

  %USERPROFILE%\.ssh\id_ed25519.pub (Windows)

  ~/.ssh/id_ed25519.pub (macOS/Linux)

  14. Select "bash" from the "Shell" dropdown menu.
  15. Check "Allow all sudo commands".
  16. Check "SMB User".
  17. Click "Save".
  18. Log out, then log back in using your new "Username" and "Password".
  19. Select your "truenas_admin" account.
  20. Click on the "Edit" button.
  21. Check "Lock User".
  22. Click "Save".
  23. Navigate to "System > General Settings > Email" in the TrueNAS interface.
  24. Click on the "Settings" button.
  25. Select "GMail OAuth" from the "Send Mail Method" options. # Or choose another method ('Outlook OAuth' for Microsoft accounts or 'SMTP' for other email providers) and ignore steps 26-27

  NOTE: To configure SMTP with your preferred email provider, refer to their official documentation for setup instructions.

  26. Click "Log in to Gmail".
  27. Proceed to set up your Oauth credentials.
  28. Click "Send Test Mail" to test the connection. # It will generate a test message on your email inbox
  29. Click "Save".
• Step 17: Configure SSH (optional) - Configure SSH access for your user account:
  1. Navigate to "System > Services" in the TrueNAS web interface.
  2. Click on the "Edit" button of the "SSH" service.
  3. Uncheck "Allow Password Authentication".
  4. Click on the "Advaced Settings" button.
  5. Select "br0" from the "Bind Interfaces" dropdown menu.
  6. Uncheck "None" and "AES128-CBC" from the "Weak Ciphers" dropdown menu.
  7. Click "Save".
  8. Toggle the "SSH" service to "ON".
  9. Toggle the "Start Automatically" option to "ON" to run SSH at every boot.
  10. Copy and paste the following command into your terminal (on your local computer): # Replace 'user' with your username and '192.168.1.1' with your TrueNAS IP address

  ssh [email protected]

• Step 18: Create Docker Networks - You'll need to create the "dns", "proxy" and "home" networks to easily access your Docker services:
  1. Navigate to "System > Shell" in the TrueNAS interface.
  2. Copy and paste the following commands into the TrueNAS shell:

  sudo docker network create --driver=bridge --subnet=172.17.0.0/24 --ip-range=172.17.0.0/24 --gateway=172.17.0.1 dns

  sudo docker network create --driver=bridge --subnet=172.18.0.0/24 --ip-range=172.18.0.0/24 --gateway=172.18.0.1 proxy

  sudo docker network create --driver=macvlan --subnet=192.168.1.0/24 --ip-range=192.168.1.48/28 --aux-address 'host=192.168.1.63' --gateway=192.168.1.254 -o parent=br0 home

  3. If needed, replace the "home" network's subnet, ip-range, aux-address and gateway to match your TrueNAS network's settings. # You'll need to keep the CIDR '/28' for a total of 16 hosts (e.g.: 192.168.1.48 - 192.168.1.63)
• Step 19: Create Host Macvlan Network - You'll need to create the "home-shim" network to allow access to your "home" network from your host:
  1. Navigate to "System > Advanced Settings > Init/Shutdown Scripts" in the TrueNAS interface.
  2. Click "Add" to create a script that sets the "home-shim" network.
  3. Type "Host Macvlan" in the "Description" field.
  4. Select "Command" from the "Type" dropdown menu.
  5. Copy and paste the following command into the "Command" field:

  ip link add home-shim link br0 type macvlan mode bridge; ip addr add 192.168.1.63/32 dev home-shim; ip link set home-shim up; ip route add 192.168.1.48/28 dev home-shim

  6. If needed, replace "192.168.1.48/28" with the ip-range of your "home" network and "192.168.1.63/32" with the aux-address for your host macvlan bridge.
  7. Select "Pre Init" from the "When" dropdown menu.
  8. Click "Save".
• Step 20: Install Dockge - Use Dockge to manage all your Docker stacks. To install it:
  1. Navigate to "Apps > Discover Apps" in the TrueNAS interface.
  2. Search for "dockge" and click to install.
  3. Navigate to "Network Configuration" in the installation interface.
  4. Keep the default "WebUI Port":

  31014

  5. Change the "Certificate" to:

  'truenas_default' Certificate

  6. Navigate to "Storage Configuration" in the installation interface.
  7. Choose the following type in "Dockge Stacks Storage":

  Host Path (Path that already exists on the system)

  8. Insert the following path in "Host Path": # Replace 'tank' with your Apps' pool name

  /mnt/tank/docker/dockge/stacks

  9. Choose the following type in "Dockge Data Storage":

  Host Path (Path that already exists on the system)

  10. Insert the following path in "Host Path": # Replace 'tank' with your Apps' pool name

  /mnt/tank/docker/dockge/data

  11. Navigate to "Labels Configuration" in the installation interface.
  12. Add the following "Key=Value" pairs: # Don't copy the '=' sign in between the Keys and their Values

  diun.enable=true

  tsdproxy.enable=true

  tsdproxy.name=dockge

  13. Make sure to set "dockge" in the "Containers" section of each label.
  14. Click "Install" and wait for the green "Running" status indicator.
  15. Click on the "Web UI" button in the "Application Info" section to open Dockge.
  16. Change the URL to "https://" and press Enter. # Add this page to your browser's bookmark bar
  17. Set your "Username" and "Password". # Confirm password
  18. Click "Create".
• Step 21: Install Gotify and DIUN - Use Gotify and DIUN to manage your notifications. To install them:
  1. Click on the "+ Compose" button on Dockge Web interface and type "notifications" on the "Stack Name" field.
  2. Click "Delete" on the "nginx" container.
  3. Copy the notifications stack Docker Compose: Copy

  ####################################################################################################
  # name: NOTIFICATIONS
  ####################################################################################################
  
  services:
  
  ####################################################################################################
  # GOTIFY | URL: https://gotify.net
  ####################################################################################################
  
    gotify:
      container_name: gotify
      image: gotify/server:latest
      environment:
        - TZ=${TZ:-Europe/Lisbon}
      volumes:
        - /mnt/${APPS_POOL:-tank}/docker/notifications/gotify:/app/data
      networks:
        proxy:
          ipv4_address: 172.18.0.5
        dns:
          ipv4_address: 172.17.0.5
      ports:
        - 31015:80
      dns:
        - 172.17.0.2
      labels:
        - diun.enable=true
        - tsdproxy.enable=true
        - tsdproxy.name=gotify
        - traefik.enable=true
        - traefik.docker.network=proxy
        - traefik.http.routers.gotify.entrypoints=websecure
        - traefik.http.routers.gotify.rule=Host(`gotify.${DOMAIN:-home.arpa}`) || Host(`gotify.ts.${DOMAIN:-home.arpa}`)
        - traefik.http.routers.gotify.tls=true
        - traefik.http.services.gotify.loadbalancer.server.port=80
        #- traefik.http.routers.gotify.middlewares=tinyauth
        #- traefik.http.routers.gotify_ext.entrypoints=cloudflared
        #- traefik.http.routers.gotify_ext.rule=Host(`gotify.${DOMAIN:-home.arpa}`)
        #- traefik.http.routers.gotify_ext.tls=true
        #- traefik.http.services.gotify_ext.loadbalancer.server.port=80
        #- traefik.http.routers.gotify_ext.middlewares=tinyauth
      restart: unless-stopped
  
  ####################################################################################################
  # TRUENAS GOTIFY ADAPTER | URL: https://github.com/ZTube/truenas-gotify-adapter
  ####################################################################################################
  
    gotify-truenas-adapter:
      container_name: gotify-truenas-adapter
      image: ghcr.io/ztube/truenas-gotify-adapter:main
      environment:
        - GOTIFY_URL=http://172.17.0.5
        - GOTIFY_TOKEN=${TRUENAS_TOKEN}
      network_mode: host
      labels:
        - diun.enable=true
        - tsdproxy.enable=false
        - traefik.enable=false
      restart: unless-stopped
      depends_on:
        gotify:
          condition: service_healthy
  
  ####################################################################################################
  # DOCKER IMAGE UPDATE NOTIFIER | URL: https://crazymax.dev/diun
  ####################################################################################################
  
    diun:
      container_name: diun
      image: crazymax/diun:latest
      command: serve
      environment:
        - TZ=${TZ:-Europe/Lisbon}
        - LOG_LEVEL=info
        - DIUN_WATCH_WORKERS=20
        - DIUN_WATCH_SCHEDULE=0 */6 * * *
        - DIUN_WATCH_JITTER=30s
        - DIUN_WATCH_RUNONSTARTUP=true
        - DIUN_PROVIDERS_DOCKER=true
        - DIUN_PROVIDERS_DOCKER_WATCHBYDEFAULT=true
        - DIUN_NOTIF_GOTIFY_ENDPOINT=http://172.17.0.5
        - DIUN_NOTIF_GOTIFY_TOKEN=${DIUN_TOKEN}
        - DIUN_NOTIF_GOTIFY_PRIORITY=1
        - DIUN_NOTIF_GOTIFY_TIMEOUT=10s
      volumes:
        - /var/run/docker.sock:/var/run/docker.sock
        - /mnt/${APPS_POOL:-tank}/docker/notifications/diun:/data
      network_mode: host
      labels:
        - diun.enable=true
        - tsdproxy.enable=false
        - traefik.enable=false
      restart: unless-stopped
      depends_on:
        gotify:
          condition: service_healthy
  
  ####################################################################################################
  # NETWORKS
  ####################################################################################################
  
  networks:
    home:
      external: true
    proxy:
      external: true
    dns:
      external: true
  
  ####################################################################################################
  # EOF - TrueNAS-Compose - URL: https://www.truenas-compose.com
  ####################################################################################################

  4. Paste the notifications stack Docker Compose where it says: # Replacing the default

  version: "3.8"
  services: {}
  networks: {}

  5. Copy the notifications stack .env file: Copy

  ####################################################################################################
  # .env - NOTIFICATIONS
  ####################################################################################################
  
  # GLOBAL:
  
  APPS_POOL=tank # Replace 'tank' with your Apps' pool name
  
  MEDIA_POOL=tank # Replace 'tank' with your Media/Downloads' pool name
  
  DATA_POOL=tank # Replace 'tank' with your Data/Games' pool name
  
  DOMAIN=home.arpa # Replace 'home.arpa' with your Top Level Domain name (e.g.: example.com)
  
  TZ=Europe/Lisbon # Replace 'Europe/Lisbon' with your local time zone
  
  PUID=568 # Default: 568 (Apps)
  
  PGID=568 # Default: 568 (Apps)
  
  ####################################################################################################
  
  # GOTIFY:
  
  TRUENAS_TOKEN=truenas_token # Replace 'truenas_token' with your TrueNAS token
  
  DIUN_TOKEN=diun_token # Replace 'diun_token' with your DIUN token
  
  ####################################################################################################
  # EOF - TrueNAS-Compose - URL: https://www.truenas-compose.com
  ####################################################################################################

  6. Paste the notifications stack .env file where it says: # Replacing the default

  # VARIABLE=value #comment

  7. Edit the .env file to meet your TrueNAS set up if needed. # Ignore "TRUENAS_TOKEN" and "DIUN_TOKEN" for now
  8. Click "Deploy" to install.
  9. Click on the port "31015" in the "gotify" container to access Gotify.
  10. Type "admin" in "Username" and "Password" fields and click "Login". # Default
  11. Navigate to "ADMIN" in Gotify's Web interface, type a "New Password" for the default user and click on "CHANGE".
  12. Navigate to "APPS" in Gotify's Web interface and click on "CREATE APPLICATION" to add TrueNAS as an App.
  13. Type "TrueNAS" in the "Name" field and click "CREATE".
  14. Click on the button to show the token and copy the generated token.
  15. Go back to Dockge's interface and click "Edit" on the notifications stack.
  16. Paste the generated token into the .env file where it says:

  TRUENAS_TOKEN=truenas_token

  17. Go back to "APPS" in Gotify's Web interface and click on "CREATE APPLICATION" to add DIUN as an App.
  18. Type "DIUN" in the "Name" field and click "CREATE".
  19. Click on the button to show the token and copy the generated token.
  20. Go back to Dockge's interface and paste the generated token into the .env file where it says:

  DIUN_TOKEN=diun_token

  21. Click "Deploy" to redeploy the notifications stack.
• Step 22: Install Gotify APP (Android only) - You'll need to install the Gotify app to get notifications:
  1. Download and install the latest Gotify app. # https://play.google.com/store/apps/details?id=com.github.gotify
  2. Type your "Gotify URL", in most cases: # Replace '192.168.1.1' with your TrueNAS IP address

  http://192.168.1.1:31015

  3. Click "Check URL".
  4. Ignore the warning saying "Using HTTP is insecure" and click "I Understand".
  5. Type "admin" in the "Username" field and your new password in the "Password" field.
  6. Click "Login".
  7. Choose a name for your session and click "Create".
  8. Enable notifications on your Android device.
• Step 23: Configure Alerts - You'll need to configure Gotify alerts to warn you of any issues with your TrueNAS system:
  1. Navigate to "System > Alert Settings" in the TrueNAS interface.
  2. Click on the "Add" button to add a new alert.
  3. Type "Gotify" in the "Name" field.
  4. Select "Slack" from the "Type" dropdown menu.
  5. Select "Info" from the "Level" dropdown menu. # This will show you all syslog alerts, adjust the level as needed
  6. Copy and paste the following URL into the "Webhook URL" field:

  http://localhost:31662

  7. Click "Send Test Alert" to test the connection. # It will generate a test alert on your Gotify's dashboard (and a notification on your Android device)
  8. Click "Save" to confirm.
• Step 24: Disable CPU Power Savings (optional) - Ensure that your CPU latency is minimal: # Reduces latency but increases power consumption
  1. Navigate to "System > Advanced Settings > Init/Shutdown Scripts" in the TrueNAS interface.
  2. Click "Add" to create a script that sets the CPU governor to "performance".
  3. Type "CPU governor" in the "Description" field.
  4. Select "Command" from the "Type" dropdown menu.
  5. Copy and paste the following command into the "Command" field:

  cpupower frequency-set -g performance

  6. Select "Post Init" from the "When" dropdown menu.
  7. Click "Save".
  8. Click "Add" again to create a second script to disable the "C2" idle state.
  9. Type "CPU idle-states" in the "Description" field.
  10. Select "Command" from the "Type" dropdown menu.
  11. Copy and paste the following command into the "Command" field:

  cpupower -c all idle-set -d 2

  12. Select "Post Init" from the "When" dropdown menu.
  13. Click "Save".
• Step 25: Disable PCIe Power Savings (optional) - Ensure that your high-performance storage (e.g.: Optane, NVMe) latency is minimal: # Reduces latency but increases power consumption
  1. Navigate to "System > Shell" in the TrueNAS interface.
  2. Copy and paste the following command into the TrueNAS SHELL:

  midclt call system.advanced.update '{"kernel_extra_options": "nvme_core.default_ps_max_latency_us=0 pcie_aspm=off pci=noaer"}'

• Step 26: Offload RCU Callbacks (optional) - Offload RCU (Read-Copy-Update) callbacks from CPU cores to kernel threads: # Reduces latency and improves performance, especially on high-core-count systems
  1. Navigate to "System > Shell" in the TrueNAS interface.
  2. Copy and paste the following command into the TrueNAS SHELL: # Replace '63' with the number of logical CPU cores in your system minus 1 (e.g.: 64 threads - 1 = 63)

  midclt call system.advanced.update '{"kernel_extra_options": "rcu_nocbs=0-63"}'

  WARNING: If you previously configured Step 24, combine those options with these in a single command to avoid overwriting settings!

  3. If needed, copy and paste the following command into the TrueNAS SHELL to find the number of logical CPU cores in your system:

  lscpu | grep '^CPU(s):'

• Step 27: Tune NVMe Driver (optional) - Ensure that the NVMe driver is optimized for your high-performance storage (e.g.: Optane, NVMe): # Improves NVMe performance by optimizing queue usage
  1. Navigate to "System > Shell" in the TrueNAS interface.
  2. Copy and paste the following command into the TrueNAS SHELL: # Choose only the configuration that matches your NVMe hardware layout
     • Optane-only

     midclt call system.advanced.update '{"kernel_extra_options": "nvme.poll_queues=2 nvme.write_queues=2 nvme.io_queue_depth=16 nvme.use_threaded_interrupts=1 nvme.max_host_mem_size_mb=512"}'

     • Optane + NAND

     midclt call system.advanced.update '{"kernel_extra_options": "nvme.poll_queues=2 nvme.write_queues=2 nvme.io_queue_depth=64 nvme.use_threaded_interrupts=1 nvme.max_host_mem_size_mb=512"}'

     • NAND-only # Replace '8' with the number of physical CPU cores in your system divided by 4 (e.g.: 32 cores / 4 = 8) in 'nvme.poll_queues' and 'nvme.write_queues'

     midclt call system.advanced.update '{"kernel_extra_options": "nvme.poll_queues=8 nvme.write_queues=8 nvme.io_queue_depth=256 nvme.use_threaded_interrupts=1 nvme.max_host_mem_size_mb=512"}'

  WARNING: If you previously configured Step 24 and/or Step 25, combine those options with these in a single command to avoid overwriting settings!

  3. If needed, copy and paste the following command into the TrueNAS SHELL to find the number of physical CPU cores in your system:

  lscpu | grep 'Core(s) per socket'

• Step 28: Tune ZFS Module Parameters (optional) - Ensure that ZFS is optimized for your high-performance storage (e.g.: Optane, NVMe): # Maximizes IOPS and reduces I/O bottlenecks
  1. Navigate to "System > Shell" in the TrueNAS interface.
  2. Copy and paste the following command into the TrueNAS SHELL: # Choose only the configuration that matches your storage pool layout
     • NVMe-only pools # Work in progress... please be patient! :)

     midclt call system.advanced.update '{"kernel_extra_options": "zfs.metaslab_lba_weighting_enabled=0"}'

     • NVMe pools + SSD pools # Work in progress... please be patient! :)

     midclt call system.advanced.update '{"kernel_extra_options": "zfs.metaslab_lba_weighting_enabled=0"}'

     • NVMe pools + SSD pools + HDD pools # Work in progress... please be patient! :)

     midclt call system.advanced.update '{"kernel_extra_options": ""}'

     • NVMe pools + HDD pools # Work in progress... please be patient! :)

     midclt call system.advanced.update '{"kernel_extra_options": ""}'

  WARNING: If you previously configured Step 24 and/or Step 25 and/or Step 26, combine those options with these in a single command to avoid overwriting settings!

  3. If needed, refer to the official OpenZFS documentation for detailed guidance on module parameters. # https://openzfs.github.io/openzfs-docs/Performance%20and%20Tuning/Module%20Parameters.html
• Step 29: Save Configuration - Ensure that you back up your TrueNAS configuration file: # Do this periodically
  1. Navigate to "System > General Settings" in the TrueNAS interface.
  2. Click on the "Manage Configuration" dropdown menu and select "Download File".
  3. Check "Export Password Secret Seed".
  4. Click "Save" to confirm.
• Step 30: Reboot - If everything went well, reboot your TrueNAS system.

  NOTE: After reboot, access the IP address and HTTPS port you set up for TrueNAS and login again, in most cases:

  https://192.168.1.1:444

• Step 31: Install OPNsense (optional) - If you have more than one network interface, you can install OPNsense firewall on a Virtual Machine: [ Click to Expand ]

  ####################################################################################################
  # install - OPNsense
  ####################################################################################################
  
  1 - Download and extract the latest OPNsense "dvd" image. # https://opnsense.org/download
  
  2 - Set up your ISP router in "bridge" mode (usually on port number 4). # RTFM
  
  3 - Navigate to "Network > Interfaces" in the TrueNAS interface.
  
  4 - Click on the "Edit" button of the network interface you'll use to connect to the internet (WAN).
  
  5 - Uncheck "DHCP".
  
  6 - Uncheck "Autoconfigure IPv6".
  
  7 - Set the "MTU" to "1500".
  
  8 - Click "Save". # Don't click on the 'Test Changes' button
  
  9 - Click on the "Add" button to add a new network interface.
  
  10 - Select "Bridge" from the "Type" dropdown menu to create a virtual Switch.
  
  11 - Type "br1" in the "Name" field.
  
  12 - Type "vSwitch" in the "Description" field.
  
  13 - Uncheck "DHCP".
  
  14 - Uncheck "Autoconfigure IPv6".
  
  15 - Select your network interface (e.g.: eno2, eth1, etc...) from the "Bridge Members" dropdown menu.
  
  16 - Check "Enable Learning".
  
  17 - Set the "MTU" to "1500".
  
  18 - Click "Save".
  
  19 - Click on "Test Changes" and confirm.
  
  20 - Click on "Save Changes", followed by "Save" to confirm.
  
  21 - Navigate to "Instances" in the TrueNAS interface.
  
  22 - Select "Global Settings" from the "Configuration" dropdown menu.
  
  23 - Select "tank" from the "Pool" dropdown menu. # Replace 'tank' with your Apps' pool name
  
  24 - Select "br0" from the "Bridge" dropdown menu.
  
  25 - Click "Save".
  
  26 - Click "Create New Instance".
  
  27 - Type "opnsense" in the "Name" field.
  
  28 - Choose "VM" from the "Virtualization Method" menu.
  
  29 - Choose "Upload ISO, import a zvol or use another volume" from the "VM Image Options".
  
  30 - Click "Select Volume", followed by "Upload ISO" and select OPNsense ISO image.
  
  31 - Wait for the download to finish and click "Select".
  
  32 - Type "4" in the "CPU Configuration" field. # Or set it to your preference
  
  33 - Type "8 GiB" in the "Memory Size" field. # Or set it to your preference
  
  34 - Click "Add" in the "Disks" section.
  
  35 - Click "Select Volume", followed by "Create Volume".
  
  36 - Type "opnsense" in the "Name" field.
  
  37 - Type "40 GiB" in the "Size" field. # Or set it to your preference
  
  38 - Click "Create"
  
  39 - Click "Select" on the new "opnsense" volume.
  
  40 - Uncheck "Use default network settings".
  
  41 - Check "br0" and "br1" from the "Bridged NICs" section.
  
  42 - Check "Enable VNC".
  
  43 - Click "Create".
  
  44 - Open your VNC client and access: # Replace '192.168.1.1' with your TrueNAS IP address
  
  192.168.1.1:5900
  
  45 - Login using the user "installer" and password "opnsense".
  
  46 - Select your "keymap" (keyboard layout).
  
  47 - Select "Install (UFS)" and click "OK".
  
  48 - Select "nda1 <QEMU NVMe Ctrl 7215 incusdisk0> (40GB)" and click "OK".
  
  49 - Click "Yes" to create a recommended SWAP partition of 8GB.
  
  50 - Click "Yes" to confirm that you're sure you want to destroy the current contents of the disk and wait for the installation to finish.
  
  51 - Select "Complete Install" and click "OK". # Don't change the root password just yet
  
  52 - Select "Halt now" and click "OK".
  
  53 - Navigate to "Instances > opnsense > Disks" in the TrueNAS interface. # You may need to refresh the page to see the VM status as 'Stopped'
  
  54 - Delete "OPNsense-25.1-dvd-amd64.iso (Virtio-SCSI)" and confirm to continue.
  
  55 - Click on the "play" button to restart the VM.
  
  56 - Reopen your VNC client and connect again to: # Replace '192.168.1.1' with your TrueNAS IP address
  
  192.168.1.1:5900
  
  57 - Login using the user "root" and password "opnsense". # Default
  
  58 - Enter "2" to "Set interface IP address".
  
  59 - Enter "1" to select the "LAN" interface.
  
  60 - Enter "n" to disable DHCP.
  
  61 - Type your OPNsense Web interface IP address, in most cases: # Replace '192.168.1.253' with OPNsense's IP address on your local network
  
  192.168.1.253
  
  62 - Type "24" as the subnet mask (255.255.255.0).
  
  63 - Press "ENTER" to leave the gateway empty.
  
  64 - Enter "n" to disable IPv6 via WAN tracking.
  
  65 - Enter "n" to disable DHCP for IPv6.
  
  66 - Press "ENTER" to leave IPv6 empty/disabled.
  
  67 - Enter "n" to skip enabling the DHCP server.
  
  68 - Enter "n" to keep the default web GUI protocol (HTTPS).
  
  69 - Enter "n" to skip generating new certificates.
  
  70 - Enter "n" to skip restoring default web GUI access.
  
  71 - Open OPNsense's Web interface, in most cases:
  
  https://192.168.1.253
  
  72 - Login using the user "root" and password "opnsense".
  
  73 - Click "Next" to start the Wizard.
  
  74 - Fill out the "General Information" section: # Replace 'home.arpa' with your Top Level Domain name (e.g.: example.com)
  
  Hostname: opnsense
  
  Domain: home.arpa
  
  Primary DNS Server: 1.1.1.2
  
  Secondary DNS Server: 1.0.0.2
  
  75 - Uncheck "Override DNS".
  
  76 - Uncheck "Enable Resolver".
  
  77 - Click "Next".
  
  78 - Select you "Timezone".
  
  79 - Click "Next".
  
  80 - Ignore the "Configure WAN Interface" section and click "Next".
  
  81 - Ignore the "Configure LAN Interface" section and click "Next".
  
  82 - Change your "Root Password".
  
  83 - Click "Next".
  
  84 - Click "Reload" to apply the changes.
  
  85 - Navigate to "System > Firmware > Status" in the OPNsense interface.
  
  86 - Click "Check for updates". # Do this periodically
  
  87 - Click "Close".
  
  88 - Click "Update" to apply the updates and reboot.
  
  89 - Login using the user "root" and the new password from step 81.
  
  90 - Navigate to "Interfaces > LAN" in the OPNsense interface.
  
  91 - Check "Lock" to prevent interface removal.
  
  92 - Click "Save", followed by "Apply changes".
  
  93 - Navigate to "Interfaces > WAN" in the OPNsense interface.
  
  94 - Check "Lock" to prevent interface removal.
  
  95 - Select "DHCP" from the "IPv4 Configuration Type" dropdown menu.
  
  96 - Select "None" from the "IPv6 Configuration Type" dropdown menu.
  
  97 - Click "Save", followed by "Apply changes".
  
  98 - Navigate to "Interfaces > Settings" in the OPNsense interface.
  
  99 - Uncheck "Allow IPv6".
  
  100 - Click "Save".
  
  101 - Navigate to "System > Settings > Administration" in the OPNsense interface.
  
  102 - Select "LAN" from the "Listen Interfaces" and click "I know what I am doing" to confirm.
  
  103 - Click "Save".
  
  104 - Navigate to "System > Settings > General" in the OPNsense interface.
  
  105 - Check "Prefer IPv4 over IPv6".
  
  106 - Change the DNS servers "Use gateway" option from "None" to: # For both '1.1.1.2' and '1.0.0.2'
  
  WAN_GW - wan -
  
  107 - Type "." in the "DNS search domain" field.
  
  108 - Click "Save".
  
  109 - Navigate to "System > Firmware > Plugins" in the OPNsense interface.
  
  110 - Add the following plugins:
  
  os-clamav
  
  os-crowdsec
  
  os-tailscale
  
  111 - Navigate to "Power > Reboot" in the OPNsense interface.
  
  112 - Click "Yes" to reboot.
  
  113 - Login using the user "root" and the new password from step 81.
  
  114 - Navigate to "Lobby > Dashboard" in the OPNsense interface.
  
  115 - Copy your "WAN_GW" IP address from the "Gateways" widget. 
  
  116 - Navigate to "Services > Intrusion Detection > Administration" in the OPNsense interface.
  
  117 - Toggle the "advanced mode" option to "ON".
  
  118 - Check "Enabled".
  
  119 - Check "IPS mode".
  
  120 - Check "Promiscuous mode".
  
  121 - Select "Hyperscan" from the "Pattern matcher" dropdown menu.
  
  122 - Paste the "WAN_GW" IP address from step 114 into the "Home networks" field. 
  
  WARNING: You'll need to update this field everytime your public IP address changes!
  
  123 - Click "Apply".
  
  124 - Switch to the "Download" tab and select the following "Rulesets": # https://docs.opnsense.org/manual/ips.html#available-rulesets
  
  abuse.ch/Feodo Tracker
  abuse.ch/SSL Fingerprint Blacklist
  abuse.ch/SSL IP Blacklist
  abuse.ch/ThreatFox
  abuse.ch/URLhaus
  
  125 - You may also select the "ET Open" ruleset (optional). # For guidance, visit the Emerging Threats Community at: https://community.emergingthreats.net
  
  126 - Click "Enable selected".
  
  127 - Click "Download & Update Rules".
  
  128 - Navigate to "Services > ClamAV > Configuration" in the OPNsense interface.
  
  129 - Check "Enable clamd service".
  
  130 - Check "Enable freshclam service".
  
  131 - Click "Save".
  
  132 - Click "Download signatures" (on the top right corner of the page).
  
  133 - Navigate to "System > Configuration > Backups" in the OPNsense interface.
  
  134 - Click "Download Configuration". # Do this periodically
  
  135 - Navigate to "System > Shell" in the TrueNAS interface.
  
  136 - Copy and paste the following commands into the TrueNAS shell:
  
  sudo docker network rm home
  sudo docker network create --driver=macvlan --subnet=192.168.1.0/24 --ip-range=192.168.1.0/24 --gateway=192.168.1.253 -o parent=br0 home
  
  NOTE: If needed, replace the "home" network's subnet, ip-range and gateway (OPNsense) to match your TrueNAS network's settings!
  
  137 - Navigate to "Network > Global Configuration > Settings" in the TrueNAS interface.
  
  138 - Replace your router's IP address with your OPNsense IP address in the "Default Gateway" field, in most cases:
  
  192.168.1.253
  
  139 - Click "Save".
  
  140 - Navigate to "System > General Settings" in the TrueNAS interface.
  
  141 - Click on the "Manage Configuration" dropdown menu and select "Download File".
  
  142 - Check "Export Password Secret Seed".
  
  143 - Click "Save" to confirm.
  
  144 - If everything went well, reboot your TrueNAS system.
  
  Congratulations on successfully installing OPNsense in TrueNAS! :)
  
  ####################################################################################################
  # EOF - TrueNAS-Compose - URL: https://www.truenas-compose.com
  ####################################################################################################

Once these steps are completed, you'll be ready to use this Docker stacks on your TrueNAS CE (Scale).

Choose a Docker Stack from the dropdown below to get the Docker Compose and .env File configurations, along with Installation Instructions for TrueNAS CE (Scale).