Firefly III Docker

Self-hosted financial manager.

This setup will focus on creating a docker-based reverse proxy, enforcing SSL for all connections to docker containers using Let’s Encrypt.

See Firefly Docker and Documentation.

Ports

Files

Docker Creation

Firefly runs a frontend web service with a backend PostgreSQL database. Local storage should be locked down to prevent sensitive data from leaking.

Docker Compose
firefly:
  image: jc5x/firefly-iii
  restart: unless-stopped
  environment:
    # Must match the database service name (firefly_db) defined below.
    - FF_DB_HOST=firefly_db
    - FF_DB_NAME=firefly
    - FF_DB_USER={DB USER}
    - FF_DB_PASSWORD={DB PASS}
    - FF_APP_KEY={32 CHAR APP KEY WITHOUT %*#$&}
    - FF_APP_ENV=local
    - FF_DB_CONNECTION=pgsql
    - TZ=America/Los_Angeles
    - APP_URL=https://firefly.{DOMAIN}
    - TRUSTED_PROXIES={PROXY IP ADDRESS}
    - APP_LOG_LEVEL=debug
  volumes:
    - /data/services/firefly/export:/var/www/firefly-iii/storage/export
    - /data/services/firefly/upload:/var/www/firefly-iii/storage/upload
    - /etc/localtime:/etc/localtime:ro

firefly_db:
  image: postgres:10
  restart: unless-stopped
  environment:
    - POSTGRES_PASSWORD={DB PASS}
    - POSTGRES_USER={DB USER}
    - TZ=America/Los_Angeles
  volumes:
    - /data/services/firefly/db:/var/lib/postgresql/data
    - /etc/localtime:/etc/localtime:ro
  • The Docker containers should be run in an isolated network given the sensitive nature of the data.

  • TRUSTED_PROXIES should be set to the known proxy IP address so all other connections are denied by default. Setting it to ** will enable all connections (insecure).

  • Additional environment settings here.
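
One way to lay out the isolated network and fixed proxy address that the notes above call for, as an added example rather than configuration from the original page. The `proxy` service, the network names `firefly_front` and `firefly_back`, and the 172.30.0.0/24 subnet with proxy address 172.30.0.2 are assumptions; volumes stay as in the definitions above.

```yaml
# Added example: names, subnet and addresses below are constructed for illustration.
version: "2.4"

services:
  proxy:                          # hypothetical NGINX reverse-proxy service
    image: nginx
    restart: unless-stopped
    ports:
      - "443:443"                 # the only port published on the host
    networks:
      firefly_front:
        ipv4_address: 172.30.0.2  # value for proxy_bind and TRUSTED_PROXIES

  firefly:
    image: jc5x/firefly-iii
    restart: unless-stopped
    environment:
      - FF_DB_HOST=firefly_db     # resolves only on firefly_back
      - FF_DB_NAME=firefly
      - FF_DB_USER={DB USER}
      - FF_DB_PASSWORD={DB PASS}
      - FF_DB_CONNECTION=pgsql
      - FF_APP_KEY={32 CHAR APP KEY WITHOUT %*#$&}
      - APP_URL=https://firefly.{DOMAIN}
      - TRUSTED_PROXIES=172.30.0.2
    networks:                     # no ports: section, so reachable only via proxy
      - firefly_front
      - firefly_back

  firefly_db:
    image: postgres:10
    restart: unless-stopped
    environment:
      - POSTGRES_PASSWORD={DB PASS}
      - POSTGRES_USER={DB USER}
    networks:
      - firefly_back              # database is never attached to the proxy network

networks:
  firefly_front:                  # proxy <-> firefly only
    ipam:
      config:
        - subnet: 172.30.0.0/24
  firefly_back:                   # firefly <-> database only
    internal: true                # no route to or from outside this network
```

Running `docker network inspect` on each network after startup shows which containers are attached, which confirms that the database sits only on the internal network.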

Reverse Proxy Setup

A reverse proxy allows you to isolate your containers as well as wrap connections in SSL. See NGINX for more details. See Setup Base Proxy Control for basic proxy configuration.

Using Subdomains

0644 root root nginx/conf.d/reverse-proxy.conf
server {
  listen                               443 ssl http2;
  server_name                          firefly.{DOMAIN} firefly;

  location / {
    proxy_bind                         {PROXY IP ON FIREFLY NETWORK};
    proxy_pass                         http://firefly/;
    proxy_set_header Host              $http_host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_buffering                    off;
  }
}

See subdomain reference.

Postgres Backend

If using an external Postgres backend, include the external network and remove the DB Docker definition. Use the external DB credentials in the Firefly DB config section.

Docker Compose Add Postgres Network.
networks:
  db:
    external: True
firefly:
  image: jc5x/firefly-iii
  networks:
    - db

Initial Setup

Start Firefly and set up the initial database. This only needs to be done on initial container creation.

Initialize the DB.
docker-compose up -d
docker-compose exec firefly php artisan migrate --seed
docker-compose exec firefly php artisan firefly:upgrade-database
docker-compose exec firefly php artisan firefly:verify
docker-compose exec firefly php artisan cache:clear

Log in to the site; the first user created is an administrator.

Note

Verifying password security checks that the password used is not in known password dumps. See linked documentation for more details.

Firefly Gotchas

Attachment Disappears

There is a hard 2MB limit from Laravel. A larger attachment will be displayed as uploading successfully but will be silently dropped.
