orches example deployment
Feel free to fork this repository, or use the minimal rootless template, or the rootful template to get started quickly.
To run this example deployment with orches, execute the following commands:
loginctl enable-linger $(whoami)
mkdir -p ~/.config/orches ~/.config/containers/systemd
podman run --rm -it --userns=keep-id --pid=host --pull=newer \
--mount \
type=bind,source=/run/user/$(id -u)/systemd,destination=/run/user/$(id -u)/systemd \
-v ~/.config/orches:/var/lib/orches \
-v ~/.config/containers/systemd:/etc/containers/systemd \
--env XDG_RUNTIME_DIR=/run/user/$(id -u) \
ghcr.io/orches-team/orches init \
https://github.com/orches-team/example.git
This will initialize orches with the contents of this repository and start all defined services as user units.
The following services are installed and managed by default:
Self-hosted Git service
Ports: web: 8080, ssh: 2222
Analytics and monitoring dashboard
Port: 8081
Simple and customizable homepage for your server
Port: 7575
Open-source home automation platform
Port: 8123
Media server for streaming movies, TV, music, and more
Port: 8096
Continuous file synchronization
Ports: web: 8384, sync: 22000/tcp+udp, discovery: 21027/udp
Self-hosted monitoring tool
Port: 3001
You can customize this deployment by editing or adding unit files in this repository. For more information, see the orches documentation.
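An added example (not part of the orches repository): a shell check that lists the host ports which enabled Quadlet `.container` units publish on all interfaces, useful before adding or enabling units. It assumes the unit files declare ports with Quadlet's `PublishPort=` key; the sample units, image names and function names are constructed for illustration.

```shell
#!/bin/sh
# Report PublishPort= entries in *.container units that bind every interface.
# Entries with an explicit host address (e.g. 127.0.0.1:8384:8384) are skipped.
audit_publish_ports() {
    dir=$1
    for unit in "$dir"/*.container; do      # *.container.disabled is not matched
        [ -f "$unit" ] || continue
        awk -v unit="$(basename "$unit")" '
            /^[ \t]*PublishPort[ \t]*=/ {
                val = $0
                sub(/^[^=]*=[ \t]*/, "", val)
                sub(/[ \t]+$/, "", val)
                proto = "tcp"                          # podman default protocol
                if (match(val, /\/[a-z]+$/)) {
                    proto = substr(val, RSTART + 1)
                    val = substr(val, 1, RSTART - 1)
                }
                if (val ~ /^\[::\]:/)                  # IPv6 wildcard: normalise
                    sub(/^\[::\]:/, "0.0.0.0:", val)
                else if (val ~ /^\[/)                  # explicit IPv6 host address
                    next
                n = split(val, f, ":")
                if (n >= 3 && f[1] != "" && f[1] != "0.0.0.0")
                    next                               # explicit IPv4 host address
                host = (n >= 2) ? f[n - 1] : "random"  # bare containerPort
                if (host == "") host = "random"
                print unit, host "/" proto
            }' "$unit"
    done
}

# Constructed sample units (not the real files from the example repository).
make_sample_units() {
    d=$(mktemp -d)
    printf '[Container]\nImage=example.invalid/git\nPublishPort=8080:3000\nPublishPort=2222:22\n' > "$d/git.container"
    printf '[Container]\nImage=example.invalid/sync\nPublishPort=127.0.0.1:8384:8384\nPublishPort=22000:22000/udp\n' > "$d/sync.container"
    printf '[Container]\nImage=example.invalid/dns\nPublishPort=53:53/udp\n' > "$d/dns.container.disabled"
    echo "$d"
}

sample=$(make_sample_units)
audit_publish_ports "$sample"
rm -rf "$sample"
```

Against a real deployment, point it at the unit directory created above: `audit_publish_ports ~/.config/containers/systemd`.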
Some services are included but disabled by default. To enable them:
- Fork this repository to your own GitHub account.
- Clone your fork locally and make the desired changes (such as adding or modifying configuration files for the extra services).
- Push your changes to your forked repository.
- On your orches host, switch orches to use your fork by running:
podman exec systemd-orches orches switch <YOUR_FORK_URL>
- orches will automatically apply the changes and start the newly enabled services.
For more details, see the orches documentation.
- vaultwarden – Self-hosted password manager
- pi-hole – Network-wide ad blocker
To enable vaultwarden with HTTPS using Caddy, enable the required unit files:
mv caddy.container.disabled caddy.container
mv main.network.disabled main.network
mv vaultwarden.container.disabled vaultwarden.container
- Edit the Caddyfile and replace {YOUR_IP_ADDRESS} with your node's actual IP address.
Note: Using a domain name is recommended for production, but this quick start uses your IP for simplicity.
Example diff for Caddyfile:
{
- default_sni {YOUR_IP_ADDRESS}
+ default_sni 192.168.1.42
}
-https://{YOUR_IP_ADDRESS} {
+https://192.168.1.42 {
reverse_proxy systemd-vaultwarden:80
}
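Review bot: The site address on the "+https://192.168.1.42 {" line is a bare IP, and the README does not say that Caddy serves IP addresses with a certificate from its internal CA rather than a publicly trusted one. Since this block fronts a password manager, add a sentence telling readers that clients must trust Caddy's root certificate, otherwise they will be trained to click through certificate warnings. A short comment next to "default_sni" explaining that it is needed because clients connecting by IP send no SNI would also help.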
- Sync orches to apply the changes:
podman exec systemd-orches orches sync
You can now access vaultwarden at https://<YOUR_IP_ADDRESS>:4443/.
To enable pi-hole (which requires binding to port 53):
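- Allow unprivileged users to bind to port 53 (required for rootless Podman). The following lowers the first unprivileged port to 53, so non-root users can bind to port 53 and above. The setting is system-wide and applies to every local user, not only the one running Podman: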
echo "net.ipv4.ip_unprivileged_port_start=53" | sudo tee /etc/sysctl.d/50-unprivileged-ports.conf
sudo sysctl --system
- Remove the .disabled suffix from the following file: pihole.container.disabled → pihole.container
- Sync orches to apply the changes:
podman exec systemd-orches orches sync
Pi-hole should now be running and accessible on your server. The dashboard is available at http://<YOUR_IP_ADDRESS>:8082/.