๐Ÿ’พ Archived View for m0yng.uk โ€บ 2020 โ€บ 08 โ€บ Owntracks-in-Docker captured on 2021-12-03 at 14:04:38. Gemini links have been rewritten to link to archived content

View Raw

More Information

โžก๏ธ Next capture (2022-01-08)

-=-=-=-=-=-=-

Owntracks in Docker - M0YNG.uk

Created 2020-08-03

Modified 2021-01-05

Tagged

For a while I've used Traccar[1] for friendly stalking of things, and it works well. But it is very feature rich, which isn't always what you want.

1: https://www.traccar.org/

I'd heard good things about Owntracks[2], and it seemed to have a good balance of features and performance.

2: https://owntracks.org/

However, the documentation is as far as I can tell mostly a list of things you can do, rather than details of how to actually set anything up, and the project appears to be a collection of technologies rather than one coherent offering.

I have got the thing working, but it was a pain, so I've tried to write it down here, so I can try and do it again later.

What we're going to do

I've used a โ‚ฌ2 VPS running Debian 10 for this, but it should work on other similar setups.

At the end of the day we should have:

We'll need to setup;

I assume you can / have already:

nginx + reverse proxy + basic auth + certificates

There isn't much to getting certificates, just use certbot to get the certificate for your domain.

3: https://certbot.eff.org/lets-encrypt/debianbuster-nginx

I use nginx to reverse proxy the docker containers, but also provide some security because the owncloud services don't have any concept of what a user is (MQTT does), so we'll use basic auth to stop anyone we don't want seeing our location. Some guides put this just on the API, but I want it on the entire domain. This also gives us `https`, which we'd not get otherwise.

All of this config was put in the default site, at `/etc/nginx/sites-available/default`

server {
  auth_basic              "OwnTracks";
  auth_basic_user_file    /usr/local/etc/nginx/owntracks.htpasswd;

To create the first user run

htpasswd -c /usr/local/etc/nginx/owntracks.htpasswd christopher

To add more users, drop `-c` so:

htpasswd /usr/local/etc/nginx/owntracks.htpasswd anotheruser

You may need to `apt install apache2-utils` to get the `htpasswd` command.

The following configuration was tweaked from elsewhere, but I can't remember *which* guide now (I went through a lot!)

location /owntracks/ws {
    rewrite ^/owntracks/(.*)    /$1 break;
    proxy_pass      http://127.0.0.1:8083;
    proxy_http_version  1.1;
    proxy_set_header    Upgrade $http_upgrade;
    proxy_set_header    Connection "upgrade";
    proxy_set_header    Host $host;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
}

location / {
    proxy_pass http://127.0.0.1:8080/;

    proxy_http_version  1.1;
    proxy_set_header    Host $host;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header    X-Real-IP $remote_addr;
}

location /owntracks/ {
    proxy_pass      http://127.0.0.1:8083/;
    proxy_http_version  1.1;
    proxy_set_header    Host $host;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header    X-Real-IP $remote_addr;
}

# OwnTracks Recorder Views
location /owntracks/view/ {
      proxy_buffering         off;            # Chrome
      proxy_pass              http://127.0.0.1:8083/view/;
      proxy_http_version      1.1;
      proxy_set_header        Host $host;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Real-IP $remote_addr;
}
location /owntracks/static/ {
      proxy_pass              http://127.0.0.1:8083/static/;
      proxy_http_version      1.1;
      proxy_set_header        Host $host;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Real-IP $remote_addr;
}
# HTTP Mode
location /owntracks/pub {
    proxy_pass              http://127.0.0.1:8083/pub;
    proxy_http_version      1.1;
    proxy_set_header        Host $host;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Real-IP $remote_addr;

    # Optionally force Recorder to use username from Basic
    # authentication user. Whether or not client sets
    # X-Limit-U and/or uses ?u= parameter, the user will
    # be set to $remote_user.
    proxy_set_header        X-Limit-U $remote_user;
}

Dock some containers

Awesome, let's get the actual stuff running.

Owntracks is a bit of a veneer, mostly the work is done by MQTT which handles all the location data, and passes it between clients, etc.

I'd suggest creating a directory for all of this, and then make a few directories to put stuff into;

mkdir recorder-data ui-data mosquitto-data

Then we'll need a `docker-compose.yml` file has three containers, one for the recorder (which records locations), one for mosquitto (which is MQTT and gets and shares locations), and one for the fancy UI (which has more features that the recorder UI);

version: "3"

services:
  otrecorder:
    image: owntracks/recorder
    ports:
      - 127.0.0.1:8083:8083 # only expose the unencrypted connection locally (so we can proxy it)
    volumes:
      - ./recorder-data/config:/config
      - ./recorder-data/store:/store
    restart: unless-stopped

  mosquitto:
    image: eclipse-mosquitto
    ports:
      - 8883:8883 # expose the TLS port to the world
    volumes:
      - ./mosquitto-data/data:/mosquitto/data
      - ./mosquitto-data/logs:/mosquitto/logs
      - ./mosquitto-data/conf:/mosquitto/config
      - /etc/letsencrypt:/mosquitto/certs #this lets us use the let's encrypt certs directly
    restart: unless-stopped

  owntracks-ui:
    image: owntracks/frontend
    ports:
      - 127.0.0.1:8080:80 # only expose the unencrypted connection locally (so we can proxy it)
    volumes:
      - ./ui-data/config.js:/usr/share/nginx/html/config/config.js
    environment:
      - SERVER_HOST=otrecorder # the UI needs to know where the recorder is
      - SERVER_PORT=8083
    restart: unless-stopped

We'll need to create some configs to get us going too;

recorder-data/confg/recorder.conf

#(@)ot-recorder.default
#
# Specify global configuration options for the OwnTracks Recorder
# and its associated utilities to override compiled-in defaults.

OTR_TOPICS = "owntracks/#"
OTR_HTTPHOST = "0.0.0.0" # ideally this would be IPv6 too...
OTR_HOST = "your.domain.here"
OTR_PORT = 8883
OTR_USER = "recorder" # the user for connecting to mosquitto
OTR_PASS = "password" # the password for that user
OTR_CAPATH = "/etc/ssl/certs/" # where can it find a root certificate to connect using TLS?

mosquitto-data/conf/mosquitto.conf

persistence true
persistence_location /mosquitto/data/
log_dest file /mosquitto/log/mosquitto.log

allow_anonymous false # require the user to log in
password_file /mosquitto/config/passwd # where to find the users/passwords

listener 8883 # set the listener on the default TLS port
cafile /mosquitto/certs/live/tracks.your.domain/chain.pem
certfile /mosquitto/certs/live/tracks.your.domain/cert.pem
keyfile /mosquitto/certs/live/tracks.your.domain/privkey.pem

ui-data/config.js

(I don't use this, but you might want to)

// Here you can overwite the default configuration values
window.owntracks = window.owntracks || {};
window.owntracks.config = {};

The first run will probably fail, because we haven't created our `recorder` user in mosquitto yet.

There are two ways to do that, both are a pain.

1. Run the mosquitto container, and then `exec` into it, and create the user there

2. Install required software outside the container, and create the user outside

Create Users

Let's create some users so we can record and read locations, we'll do this inside the mosquitto container, so run:

docker-compose exec mosquitto sh

Then we can create our first user with:

mosquitto_passwd -c /mosquitto/config/passwd recorder

Like with `htpasswd` we need to use `-c` to create the file the first time, then drop it for more users

mosquitto_passwd /mosquitto/config/passwd christopher

To be sure, I'd suggest grabbing a copy of the generated file just in case docker doesn't magic it outside the container correctly, just run this and copy and paste the output somewhere.

cat /mosquitto/config/passwd

Be sure to put the new password for the `recorder` user in the config file.

You will need to completely restart the containers when config files are changed, I do that with this incantation:

docker-compose down && docker-compose up -d && docker-compose logs -f

Which means I can be sure everything shuts down, then starts up fresh (as a daemon with `-d`), but I can still see the logs. Crucially I can **stop** seeing the logs without stopping the containers.

If we want the users to be able to use the UI we'll also need to create accounts for nginx, so don't forget to do that if you haven't already.

Setup Android clients

It's not obvious how to configure your client apps to connect, so for quick reference:

1. Install and open the "Owntracks" app

2. Open the menu in the left

3. Select "Preferences"

4. Select "Connection"

5. Set "Mode" to "MQTT"

6. Set "Host" to 1. host: your full domain 2. port `8883` 3. do not use websockets

7. Set "Identification" to 1. username and password as you configured for mosquitto 2. "device ID" something like "phone" (it will become the full `user/id` e.g. `christopher/phone`) 3. "tracker ID" whatever you like, maybe an initial and number, e.g. "c1"

8. Set "Security" to TLS, but leave the rest blank (our phone should trust Let's Encrypt certificates)

9. Leave "Parameters" empty

10. Tap the `i` icon to see any status / error messages

Make users look nice

In theory, at this point we should be able to see locations on the UI, and on the app. But it won't be pretty, just `c1` or similar.

However, we can create "cards" that represent our users in a nicer way. We'll want an image, and the `image2card` script:

wget https://github.com/owntracks/recorder/raw/master/contrib/faces/image2card.sh
./image-card.sh user-image.png UserName > username-card.json
mosquitto_pub -t owntracks/user/phone -f username-card.json -r -p 8883 --capath /etc/ssl/certs -h yourtracker.url -u recorder -P recorderpassword

The end bit

Hopefully you should now have the ability to see where you are, and where other people are too. Yay!

If not, sorry. Maybe I missed something, maybe I screwed up an instruction. I've not actually tested this guide, just extracted what I have that does work.

-+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+-

๐Ÿ–ค Black Lives Matter

๐Ÿ’™๐Ÿค๐Ÿ’œ Trans Rights are Human Rights

โค๏ธ๐Ÿงก๐Ÿ’›๐Ÿ’š๐Ÿ’™๐Ÿ’œ Love is Love

Copyright ยฉ 2021 Christopher M0YNG

Code snippets are licenced under the Hippocratic License 3.0 (or later.)

Page generated 2021-11-02 by Complex 19