๐พ Archived View for m0yng.uk โบ 2020 โบ 08 โบ Owntracks-in-Docker captured on 2022-03-01 at 15:05:08. Gemini links have been rewritten to link to archived content
โฌ ๏ธ Previous capture (2022-01-08)
โก๏ธ Next capture (2022-04-28)
-=-=-=-=-=-=-
Created 2020-08-03
Modified 2021-01-05
For a while I've used Traccar[1] for friendly stalking of things, and it works well. But it is very feature rich, which isn't always what you want.
I'd heard good things about Owntracks[2], and it seemed to have a good balance of features and performance.
However, the documentation is as far as I can tell mostly a list of things you can do, rather than details of how to actually set anything up, and the project appears to be a collection of technologies rather than one coherent offering.
I have got the thing working, but it was a pain, so I've tried to write it down here, so I can try and do it again later.
I've used a โฌ2 VPS running Debian 10 for this, but it should work on other similar setups.
At the end of the day we should have:
We'll need to setup;
I assume you can / have already:
3: https://certbot.eff.org/lets-encrypt/debianbuster-nginx
There isn't much to getting certificates, just use certbot to get the certificate for your domain.
I use nginx to reverse proxy the docker containers, but also provide some security because the owncloud services don't have any concept of what a user is (MQTT does), so we'll use basic auth to stop anyone we don't want seeing our location. Some guides put this just on the API, but I want it on the entire domain. This also gives us `https`, which we'd not get otherwise.
All of this config was put in the default site, at `/etc/nginx/sites-available/default`
server { auth_basic "OwnTracks"; auth_basic_user_file /usr/local/etc/nginx/owntracks.htpasswd;
To create the first user run
htpasswd -c /usr/local/etc/nginx/owntracks.htpasswd christopher
To add more users, drop `-c` so:
htpasswd /usr/local/etc/nginx/owntracks.htpasswd anotheruser
You may need to `apt install apache2-utils` to get the `htpasswd` command.
The following configuration was tweaked from elsewhere, but I can't remember *which* guide now (I went through a lot!)
location /owntracks/ws { rewrite ^/owntracks/(.*) /$1 break; proxy_pass http://127.0.0.1:8083; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location / { proxy_pass http://127.0.0.1:8080/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $remote_addr; } location /owntracks/ { proxy_pass http://127.0.0.1:8083/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $remote_addr; } # OwnTracks Recorder Views location /owntracks/view/ { proxy_buffering off; # Chrome proxy_pass http://127.0.0.1:8083/view/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $remote_addr; } location /owntracks/static/ { proxy_pass http://127.0.0.1:8083/static/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $remote_addr; } # HTTP Mode location /owntracks/pub { proxy_pass http://127.0.0.1:8083/pub; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $remote_addr; # Optionally force Recorder to use username from Basic # authentication user. Whether or not client sets # X-Limit-U and/or uses ?u= parameter, the user will # be set to $remote_user. proxy_set_header X-Limit-U $remote_user; }
Awesome, let's get the actual stuff running.
Owntracks is a bit of a veneer, mostly the work is done by MQTT which handles all the location data, and passes it between clients, etc.
I'd suggest creating a directory for all of this, and then make a few directories to put stuff into;
mkdir recorder-data ui-data mosquitto-data
Then we'll need a `docker-compose.yml` file has three containers, one for the recorder (which records locations), one for mosquitto (which is MQTT and gets and shares locations), and one for the fancy UI (which has more features that the recorder UI);
version: "3" services: otrecorder: image: owntracks/recorder ports: - 127.0.0.1:8083:8083 # only expose the unencrypted connection locally (so we can proxy it) volumes: - ./recorder-data/config:/config - ./recorder-data/store:/store restart: unless-stopped mosquitto: image: eclipse-mosquitto ports: - 8883:8883 # expose the TLS port to the world volumes: - ./mosquitto-data/data:/mosquitto/data - ./mosquitto-data/logs:/mosquitto/logs - ./mosquitto-data/conf:/mosquitto/config - /etc/letsencrypt:/mosquitto/certs #this lets us use the let's encrypt certs directly restart: unless-stopped owntracks-ui: image: owntracks/frontend ports: - 127.0.0.1:8080:80 # only expose the unencrypted connection locally (so we can proxy it) volumes: - ./ui-data/config.js:/usr/share/nginx/html/config/config.js environment: - SERVER_HOST=otrecorder # the UI needs to know where the recorder is - SERVER_PORT=8083 restart: unless-stopped
We'll need to create some configs to get us going too;
#(@)ot-recorder.default # # Specify global configuration options for the OwnTracks Recorder # and its associated utilities to override compiled-in defaults. OTR_TOPICS = "owntracks/#" OTR_HTTPHOST = "0.0.0.0" # ideally this would be IPv6 too... OTR_HOST = "your.domain.here" OTR_PORT = 8883 OTR_USER = "recorder" # the user for connecting to mosquitto OTR_PASS = "password" # the password for that user OTR_CAPATH = "/etc/ssl/certs/" # where can it find a root certificate to connect using TLS?
persistence true persistence_location /mosquitto/data/ log_dest file /mosquitto/log/mosquitto.log allow_anonymous false # require the user to log in password_file /mosquitto/config/passwd # where to find the users/passwords listener 8883 # set the listener on the default TLS port cafile /mosquitto/certs/live/tracks.your.domain/chain.pem certfile /mosquitto/certs/live/tracks.your.domain/cert.pem keyfile /mosquitto/certs/live/tracks.your.domain/privkey.pem
(I don't use this, but you might want to)
// Here you can overwite the default configuration values window.owntracks = window.owntracks || {}; window.owntracks.config = {};
The first run will probably fail, because we haven't created our `recorder` user in mosquitto yet.
There are two ways to do that, both are a pain.
1. Run the mosquitto container, and then `exec` into it, and create the user there
2. Install required software outside the container, and create the user outside
Let's create some users so we can record and read locations, we'll do this inside the mosquitto container, so run:
docker-compose exec mosquitto sh
Then we can create our first user with:
mosquitto_passwd -c /mosquitto/config/passwd recorder
Like with `htpasswd` we need to use `-c` to create the file the first time, then drop it for more users
mosquitto_passwd /mosquitto/config/passwd christopher
To be sure, I'd suggest grabbing a copy of the generated file just in case docker doesn't magic it outside the container correctly, just run this and copy and paste the output somewhere.
cat /mosquitto/config/passwd
Be sure to put the new password for the `recorder` user in the config file.
You will need to completely restart the containers when config files are changed, I do that with this incantation:
docker-compose down && docker-compose up -d && docker-compose logs -f
Which means I can be sure everything shuts down, then starts up fresh (as a daemon with `-d`), but I can still see the logs. Crucially I can **stop** seeing the logs without stopping the containers.
If we want the users to be able to use the UI we'll also need to create accounts for nginx, so don't forget to do that if you haven't already.
It's not obvious how to configure your client apps to connect, so for quick reference:
1. Install and open the "Owntracks" app
2. Open the menu in the left
3. Select "Preferences"
4. Select "Connection"
5. Set "Mode" to "MQTT"
6. Set "Host" to 1. host: your full domain 2. port `8883` 3. do not use websockets
7. Set "Identification" to 1. username and password as you configured for mosquitto 2. "device ID" something like "phone" (it will become the full `user/id` e.g. `christopher/phone`) 3. "tracker ID" whatever you like, maybe an initial and number, e.g. "c1"
8. Set "Security" to TLS, but leave the rest blank (our phone should trust Let's Encrypt certificates)
9. Leave "Parameters" empty
10. Tap the `i` icon to see any status / error messages
In theory, at this point we should be able to see locations on the UI, and on the app. But it won't be pretty, just `c1` or similar.
However, we can create "cards" that represent our users in a nicer way. We'll want an image, and the `image2card` script:
wget https://github.com/owntracks/recorder/raw/master/contrib/faces/image2card.sh ./image-card.sh user-image.png UserName > username-card.json mosquitto_pub -t owntracks/user/phone -f username-card.json -r -p 8883 --capath /etc/ssl/certs -h yourtracker.url -u recorder -P recorderpassword
Hopefully you should now have the ability to see where you are, and where other people are too. Yay!
If not, sorry. Maybe I missed something, maybe I screwed up an instruction. I've not actually tested this guide, just extracted what I have that does work.
-+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+-
๐ค Black Lives Matter
๐๐ค๐ Trans Rights are Human Rights
โค๏ธ๐งก๐๐๐๐ Love is Love
Copyright ยฉ 2022 Christopher M0YNG
Code snippets are licenced under the Hippocratic License 3.0 (or later.)
Page generated 2022-02-27 by Complex 19