Dockge + NPM with NetBird
This guide describes a complete Docker setup with Dockge as the stack manager, Nginx Proxy Manager (NPM) as the reverse proxy and NetBird as a secure tunnel between the VPS and the home server. Dockge provides a modern web UI for managing all Docker Compose stacks.
Values to adapt in this guide:
- luna → your username
- 226 → your SSH port
- 100.64.0.1 → NetBird IP of the home server
- 100.64.0.2 → NetBird IP of the VPS
- deine-domain.de → your domain
Overview: What is Dockge?
Dockge is a modern, self-hosted Docker Compose stack manager with a web UI, developed by the author of Uptime Kuma.
| Feature | Dockge | Portainer |
|---|---|---|
| Focus | Docker Compose stacks | Everything (Swarm, K8s, etc.) |
| Complexity | Simple | Complex |
| Resources | Lightweight | Heavier |
| Editing compose.yaml | Directly in the UI | More cumbersome |
| Files on the host | Yes, normal directory structure | In the Portainer DB |
Architecture
```
┌─────────────────────────────────────────────────────────────────────────────┐
│                                  INTERNET                                   │
│                                      │                                      │
│                                      ▼                                      │
│                            ┌───────────────────┐                            │
│                            │        VPS        │                            │
│                            │                   │                            │
│                            │  ┌─────────────┐  │                            │
│                            │  │   Dockge    │──┼── :5001 (SSH tunnel)       │
│                            │  └──────┬──────┘  │                            │
│                            │         │ manages │                            │
│                            │  ┌──────▼──────┐  │                            │
│            Port 80/443 ────┼──│     NPM     │  │                            │
│                            │  └──────┬──────┘  │                            │
│                            │         │         │                            │
│                            │  ┌──────▼──────┐  │                            │
│                            │  │   NetBird   │  │                            │
│                            │  │ 100.64.0.2  │  │                            │
│                            │  └──────┬──────┘  │                            │
│                            └─────────┼─────────┘                            │
│                                      │                                      │
│                        ══════════════╪══════════════                        │
│                          Encrypted NetBird tunnel                           │
│                        ══════════════╪══════════════                        │
│                                      │                                      │
│  ┌───────────────────────────────────┼───────────────────────────────────┐  │
│  │ HOME NETWORK                      │                                   │  │
│  │                                   │                                   │  │
│  │                        ┌──────────▼──────────┐                        │  │
│  │                        │     Home server     │                        │  │
│  │                        │                     │                        │  │
│  │                        │   ┌─────────────┐   │                        │  │
│  │                        │   │   NetBird   │   │                        │  │
│  │                        │   │ 100.64.0.1  │   │                        │  │
│  │                        │   └──────┬──────┘   │                        │  │
│  │                        │          │          │                        │  │
│  │                        │   ┌──────▼──────┐   │                        │  │
│  │                        │   │   Dockge    │───┼── :5001 (local)        │  │
│  │                        │   └──────┬──────┘   │                        │  │
│  │                        │          │ manages  │                        │  │
│  │                        │   ┌──────▼──────┐   │                        │  │
│  │                        │   │ Stacks:     │   │                        │  │
│  │                        │   │ - Wiki      │   │                        │  │
│  │                        │   │ - Vault     │   │                        │  │
│  │                        │   │ - Gitea     │   │                        │  │
│  │                        │   │ - etc.      │   │                        │  │
│  │                        │   └─────────────┘   │                        │  │
│  │                        └─────────────────────┘                        │  │
│  └───────────────────────────────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────────────────────────────┘
```
Part 1: Base installation
Install Docker (both systems)
```bash
# Install Docker
curl -fsSL https://get.docker.com | sudo sh
# Add the user to the docker group
sudo usermod -aG docker "$USER"
# Log out and back in, then test:
docker run hello-world
```
Install NetBird (both systems)
```bash
# Install NetBird
curl -fsSL https://pkgs.netbird.io/install.sh | sudo sh
# Connect (setup key from the NetBird dashboard)
sudo netbird up --setup-key DEIN-SETUP-KEY
# Check the status
sudo netbird status
```
Part 2: Home server setup
Install Dockge
```bash
# Create the directories
sudo mkdir -p /opt/stacks /opt/dockge
cd /opt/dockge
# Create compose.yaml
sudo nano compose.yaml
```
```yaml
version: "3.8"
services:
  dockge:
    image: louislam/dockge:1
    container_name: dockge
    restart: unless-stopped
    ports:
      - "127.0.0.1:5001:5001"   # localhost only
      - "100.64.0.1:5001:5001"  # NetBird IP for remote access
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data:/app/data
      - /opt/stacks:/opt/stacks  # all stacks live here
    environment:
      - DOCKGE_STACKS_DIR=/opt/stacks
      - TZ=Europe/Berlin
```
```bash
# Start
sudo docker compose up -d
# Check the logs
sudo docker compose logs -f
```
First access: http://localhost:5001 or http://LOKALE-IP:5001
On the first visit, set a username and password.
Create the NPM stack (via Dockge or manually)
```bash
# Directory for the NPM stack
sudo mkdir -p /opt/stacks/nginx-proxy-manager
sudo nano /opt/stacks/nginx-proxy-manager/compose.yaml
```
```yaml
version: "3.8"
services:
  npm:
    image: jc21/nginx-proxy-manager:latest
    container_name: npm
    restart: unless-stopped
    ports:
      - "100.64.0.1:80:80"    # HTTP on the NetBird IP
      - "100.64.0.1:443:443"  # HTTPS on the NetBird IP
      - "127.0.0.1:81:81"     # admin UI, local only
      - "192.168.1.50:81:81"  # admin UI on the LAN (adjust the IP!)
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
    environment:
      - TZ=Europe/Berlin
    networks:
      - proxy
networks:
  proxy:
    name: proxy
    driver: bridge
```
```bash
# Start (or use the Dockge UI)
cd /opt/stacks/nginx-proxy-manager
sudo docker compose up -d
```
Create the service stacks
BookStack Wiki
```bash
sudo mkdir -p /opt/stacks/bookstack
sudo nano /opt/stacks/bookstack/compose.yaml
```
```yaml
version: "3.8"
services:
  bookstack:
    image: lscr.io/linuxserver/bookstack:latest
    container_name: bookstack
    restart: unless-stopped
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Berlin
      - APP_URL=https://wiki.deine-domain.de  # ← adjust
      - DB_HOST=bookstack-db
      - DB_USER=bookstack
      - DB_PASS=geheimes-db-passwort  # ← adjust
      - DB_DATABASE=bookstack
    volumes:
      - ./config:/config
    ports:
      - "100.64.0.1:3000:80"  # NetBird only
    depends_on:
      - bookstack-db
    networks:
      - internal
      - proxy
  bookstack-db:
    image: mariadb:10
    container_name: bookstack-db
    restart: unless-stopped
    environment:
      - MYSQL_ROOT_PASSWORD=root-passwort  # ← adjust
      - MYSQL_DATABASE=bookstack
      - MYSQL_USER=bookstack
      - MYSQL_PASSWORD=geheimes-db-passwort  # ← adjust
    volumes:
      - ./db:/var/lib/mysql
    networks:
      - internal
networks:
  internal:
  proxy:
    external: true
```
Vaultwarden
```bash
sudo mkdir -p /opt/stacks/vaultwarden
sudo nano /opt/stacks/vaultwarden/compose.yaml
```
```yaml
version: "3.8"
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      - TZ=Europe/Berlin
      - DOMAIN=https://vault.deine-domain.de  # ← adjust
      - SIGNUPS_ALLOWED=false
      - ADMIN_TOKEN=langer-geheimer-token  # ← generate with: openssl rand -base64 48
      - WEBSOCKET_ENABLED=true
    volumes:
      - ./data:/data
    ports:
      - "100.64.0.1:8080:80"  # NetBird only
    networks:
      - proxy
networks:
  proxy:
    external: true
```
Gitea
```bash
sudo mkdir -p /opt/stacks/gitea
sudo nano /opt/stacks/gitea/compose.yaml
```
```yaml
version: "3.8"
services:
  gitea:
    image: gitea/gitea:latest
    container_name: gitea
    restart: unless-stopped
    environment:
      - USER_UID=1000
      - USER_GID=1000
      - GITEA__server__DOMAIN=git.deine-domain.de
      - GITEA__server__ROOT_URL=https://git.deine-domain.de/
      - GITEA__server__SSH_DOMAIN=git.deine-domain.de
    volumes:
      - ./data:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "100.64.0.1:3001:3000"  # web on NetBird
      - "100.64.0.1:2222:22"    # SSH on NetBird
    networks:
      - proxy
networks:
  proxy:
    external: true
```
Uptime Kuma (monitoring)
```bash
sudo mkdir -p /opt/stacks/uptime-kuma
sudo nano /opt/stacks/uptime-kuma/compose.yaml
```
```yaml
version: "3.8"
services:
  uptime-kuma:
    image: louislam/uptime-kuma:1
    container_name: uptime-kuma
    restart: unless-stopped
    volumes:
      - ./data:/app/data
    ports:
      - "100.64.0.1:3002:3001"  # NetBird only
    networks:
      - proxy
networks:
  proxy:
    external: true
```
Start all stacks
```bash
# Manually via the CLI:
for stack in /opt/stacks/*/; do
  echo "Starting $stack..."
  cd "$stack" && sudo docker compose up -d
done
# Or simply start all stacks in the Dockge UI
```
Part 3: VPS setup
Install Dockge on the VPS
```bash
# Create the directories
sudo mkdir -p /opt/stacks /opt/dockge
cd /opt/dockge
sudo nano compose.yaml
```
```yaml
version: "3.8"
services:
  dockge:
    image: louislam/dockge:1
    container_name: dockge
    restart: unless-stopped
    ports:
      - "127.0.0.1:5001:5001"  # reachable only via SSH tunnel
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data:/app/data
      - /opt/stacks:/opt/stacks
    environment:
      - DOCKGE_STACKS_DIR=/opt/stacks
      - TZ=Europe/Berlin
```
```bash
sudo docker compose up -d
```
Access via SSH tunnel:
```bash
ssh -L 5001:127.0.0.1:5001 luna@VPS-IP -p 226
# Then in the browser: http://localhost:5001
```
NPM stack on the VPS
```bash
sudo mkdir -p /opt/stacks/nginx-proxy-manager
sudo nano /opt/stacks/nginx-proxy-manager/compose.yaml
```
```yaml
version: "3.8"
services:
  npm:
    image: jc21/nginx-proxy-manager:latest
    container_name: npm
    restart: unless-stopped
    ports:
      - "80:80"            # HTTP, public
      - "443:443"          # HTTPS, public
      - "127.0.0.1:81:81"  # admin only via SSH tunnel
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
    environment:
      - TZ=Europe/Berlin
    extra_hosts:
      - "heimserver:100.64.0.1"  # ← home server NetBird IP
    networks:
      - proxy
networks:
  proxy:
    name: proxy
    driver: bridge
```
```bash
cd /opt/stacks/nginx-proxy-manager
sudo docker compose up -d
```
Firewall on the VPS
```bash
# Configure UFW
sudo ufw allow 80/tcp comment 'HTTP'
sudo ufw allow 443/tcp comment 'HTTPS'
sudo ufw allow 226/tcp comment 'SSH'
# Do NOT open: 5001 (Dockge), 81 (NPM admin)
sudo ufw enable
```
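Docker publishes container ports through its own iptables rules, which are evaluated ahead of UFW's, so the bind address in each compose.yaml is what actually keeps 5001 and 81 off the internet. The following Python check is an added example, not part of the original guide: it classifies every `ports:` entry by where it is reachable from and flags admin ports that are published publicly. The sample input is constructed, and `ADMIN_PORTS`, `OVERLAY`, `scope` and `audit` are names chosen here.

```python
import ipaddress
import re

# Constructed sample: the VPS NPM stack from this guide plus one deliberately
# unsafe line (Dockge published without a host IP) to show a finding.
SAMPLE_COMPOSE = """
services:
  npm:
    ports:
      - "80:80"
      - "443:443"
      - "127.0.0.1:81:81"
  dockge:
    ports:
      - "5001:5001"
      - "100.64.0.2:5001:5001"
"""

ADMIN_PORTS = {81, 5001}  # NPM admin UI and Dockge, as used in this guide
# Assumption: the NetBird IPs (100.64.0.x here) come from the CGNAT range.
OVERLAY = ipaddress.ip_network("100.64.0.0/10")
# Matches '- "[IPv4:]HOST:CONTAINER"'; simplification: no check for the ports: key.
PORT_LINE = re.compile(r'^\s*-\s*"?(?:(\d{1,3}(?:\.\d{1,3}){3}):)?(\d+):(\d+)')

def scope(host_ip):
    """Classify where a published port is reachable from."""
    if host_ip is None:
        return "public"  # no host IP: Docker binds 0.0.0.0
    ip = ipaddress.ip_address(host_ip)
    if ip.is_loopback:
        return "loopback"
    if ip in OVERLAY:
        return "overlay"
    return "lan" if ip.is_private and not ip.is_unspecified else "public"

def audit(compose_text):
    """Return (host_port, scope, is_finding) for each IPv4 port mapping."""
    results = []
    for line in compose_text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            host_port, where = int(m.group(2)), scope(m.group(1))
            results.append((host_port, where, where == "public" and host_port in ADMIN_PORTS))
    return results

if __name__ == "__main__":
    for port, where, bad in audit(SAMPLE_COMPOSE):
        print(f"{port:>5}  {where:<8}  {'EXPOSED ADMIN PORT' if bad else 'ok'}")
```

To check real stacks, pass the contents of each compose.yaml under /opt/stacks and /opt/dockge to `audit()`.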
Part 4: Configure the NPM proxy hosts
Access to the NPM admin UI
```bash
# SSH tunnel to the VPS
ssh -L 8181:127.0.0.1:81 luna@VPS-IP -p 226
# Open in the browser: http://localhost:8181
# Default login: admin@example.com / changeme
```
Create the proxy hosts
Wiki (BookStack)
| Field | Value |
|---|---|
| Domain Names | wiki.deine-domain.de |
| Scheme | http |
| Forward Hostname/IP | 100.64.0.1 |
| Forward Port | 3000 |
| Block Common Exploits | ☑ |
| Websockets Support | ☑ |

SSL tab:
- Request a new SSL Certificate
- ☑ Force SSL
- ☑ HTTP/2 Support
- ☑ HSTS Enabled

Vaultwarden
| Field | Value |
|---|---|
| Domain Names | vault.deine-domain.de |
| Forward Hostname/IP | 100.64.0.1 |
| Forward Port | 8080 |
| Websockets Support | ☑ (important!) |

Gitea
| Field | Value |
|---|---|
| Domain Names | git.deine-domain.de |
| Forward Hostname/IP | 100.64.0.1 |
| Forward Port | 3001 |

Uptime Kuma
| Field | Value |
|---|---|
| Domain Names | status.deine-domain.de |
| Forward Hostname/IP | 100.64.0.1 |
| Forward Port | 3002 |
| Websockets Support | ☑ |

Dockge (home server): optionally reachable via the VPS
| Field | Value |
|---|---|
| Domain Names | dockge.deine-domain.de |
| Forward Hostname/IP | 100.64.0.1 |
| Forward Port | 5001 |
| Websockets Support | ☑ |

Security: if Dockge is reachable over the internet, protect it with an Access List (IP whitelist) or HTTP Basic Auth!
Part 5: Configure DNS
At your DNS provider, point the A/AAAA records at the VPS IP:
| Type | Name | Value |
|---|---|---|
| A | wiki | VPS-IPv4 |
| A | vault | VPS-IPv4 |
| A | git | VPS-IPv4 |
| A | status | VPS-IPv4 |
| A | dockge | VPS-IPv4 |
| AAAA | wiki | VPS-IPv6 |
| ... | ... | ... |
Part 6: Complete example, all compose files
Directory structure
```
# Home server
/opt/
├── dockge/
│   └── compose.yaml
└── stacks/
    ├── nginx-proxy-manager/
    │   └── compose.yaml
    ├── bookstack/
    │   └── compose.yaml
    ├── vaultwarden/
    │   └── compose.yaml
    ├── gitea/
    │   └── compose.yaml
    └── uptime-kuma/
        └── compose.yaml
# VPS
/opt/
├── dockge/
│   └── compose.yaml
└── stacks/
    └── nginx-proxy-manager/
        └── compose.yaml
```
Home server: complete compose.yaml collection
/opt/dockge/compose.yaml
```yaml
version: "3.8"
services:
  dockge:
    image: louislam/dockge:1
    container_name: dockge
    restart: unless-stopped
    ports:
      - "127.0.0.1:5001:5001"
      - "100.64.0.1:5001:5001"    # ← adjust NetBird IP
      - "192.168.1.50:5001:5001"  # ← adjust LAN IP
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data:/app/data
      - /opt/stacks:/opt/stacks
    environment:
      - DOCKGE_STACKS_DIR=/opt/stacks
      - TZ=Europe/Berlin
```
/opt/stacks/nginx-proxy-manager/compose.yaml
```yaml
version: "3.8"
services:
  npm:
    image: jc21/nginx-proxy-manager:latest
    container_name: npm
    restart: unless-stopped
    ports:
      - "100.64.0.1:80:80"    # ← adjust NetBird IP
      - "100.64.0.1:443:443"
      - "192.168.1.50:81:81"  # ← adjust LAN IP
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
    environment:
      - TZ=Europe/Berlin
    networks:
      - proxy
networks:
  proxy:
    name: proxy
    driver: bridge
```
/opt/stacks/bookstack/compose.yaml
```yaml
version: "3.8"
services:
  bookstack:
    image: lscr.io/linuxserver/bookstack:latest
    container_name: bookstack
    restart: unless-stopped
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Berlin
      - APP_URL=https://wiki.deine-domain.de
      - DB_HOST=bookstack-db
      - DB_USER=bookstack
      - DB_PASS=super-sicheres-passwort-123
      - DB_DATABASE=bookstack
    volumes:
      - ./config:/config
    ports:
      - "100.64.0.1:3000:80"
    depends_on:
      - bookstack-db
    networks:
      - internal
      - proxy
  bookstack-db:
    image: mariadb:10
    container_name: bookstack-db
    restart: unless-stopped
    environment:
      - MYSQL_ROOT_PASSWORD=root-passwort-456
      - MYSQL_DATABASE=bookstack
      - MYSQL_USER=bookstack
      - MYSQL_PASSWORD=super-sicheres-passwort-123
    volumes:
      - ./db:/var/lib/mysql
    networks:
      - internal
networks:
  internal:
  proxy:
    external: true
```
/opt/stacks/vaultwarden/compose.yaml
```yaml
version: "3.8"
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      - TZ=Europe/Berlin
      - DOMAIN=https://vault.deine-domain.de
      - SIGNUPS_ALLOWED=false
      - ADMIN_TOKEN=generiere-mit-openssl-rand-base64-48
      - WEBSOCKET_ENABLED=true
      - SENDS_ALLOWED=true
      - EMERGENCY_ACCESS_ALLOWED=true
    volumes:
      - ./data:/data
    ports:
      - "100.64.0.1:8080:80"
    networks:
      - proxy
networks:
  proxy:
    external: true
```
/opt/stacks/gitea/compose.yaml
```yaml
version: "3.8"
services:
  gitea:
    image: gitea/gitea:latest
    container_name: gitea
    restart: unless-stopped
    environment:
      - USER_UID=1000
      - USER_GID=1000
      - GITEA__server__DOMAIN=git.deine-domain.de
      - GITEA__server__ROOT_URL=https://git.deine-domain.de/
      - GITEA__server__SSH_DOMAIN=git.deine-domain.de
      - GITEA__server__SSH_PORT=2222
    volumes:
      - ./data:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "100.64.0.1:3001:3000"
      - "100.64.0.1:2222:22"
    networks:
      - proxy
networks:
  proxy:
    external: true
```
/opt/stacks/uptime-kuma/compose.yaml
```yaml
version: "3.8"
services:
  uptime-kuma:
    image: louislam/uptime-kuma:1
    container_name: uptime-kuma
    restart: unless-stopped
    volumes:
      - ./data:/app/data
    ports:
      - "100.64.0.1:3002:3001"
    networks:
      - proxy
networks:
  proxy:
    external: true
```
VPS: complete compose.yaml collection
/opt/dockge/compose.yaml
```yaml
version: "3.8"
services:
  dockge:
    image: louislam/dockge:1
    container_name: dockge
    restart: unless-stopped
    ports:
      - "127.0.0.1:5001:5001"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data:/app/data
      - /opt/stacks:/opt/stacks
    environment:
      - DOCKGE_STACKS_DIR=/opt/stacks
      - TZ=Europe/Berlin
```
/opt/stacks/nginx-proxy-manager/compose.yaml
```yaml
version: "3.8"
services:
  npm:
    image: jc21/nginx-proxy-manager:latest
    container_name: npm
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      - "127.0.0.1:81:81"
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
    environment:
      - TZ=Europe/Berlin
    extra_hosts:
      - "heimserver:100.64.0.1"  # ← adjust NetBird IP
    networks:
      - proxy
networks:
  proxy:
    name: proxy
    driver: bridge
```
Part 7: Maintenance and tips
Updating stacks
In the Dockge UI: select the stack → "Update" button
Or via the CLI:
```bash
cd /opt/stacks/STACK-NAME
docker compose pull
docker compose up -d
```
Backup
```bash
# Back up all stacks
sudo tar -czvf stacks-backup-$(date +%Y%m%d).tar.gz /opt/stacks /opt/dockge
```
Checking logs
```bash
# In the Dockge UI: Stack → Logs tab
# Or via the CLI:
docker logs -f CONTAINER-NAME
```
Checking the network
```bash
# NetBird connection
sudo netbird status
# Ping the home server
ping 100.64.0.1
# Test a service from the VPS
curl http://100.64.0.1:3000
```
Summary: port overview
| Service | Container port | Host binding (home server) | External via NPM |
|---|---|---|---|
| Dockge | 5001 | 100.64.0.1:5001, 192.168.1.50:5001 | dockge.domain.de (optional) |
| NPM (home server) | 80, 443, 81 | 100.64.0.1:80/443, LAN:81 | – |
| BookStack | 80 | 100.64.0.1:3000 | wiki.domain.de |
| Vaultwarden | 80 | 100.64.0.1:8080 | vault.domain.de |
| Gitea | 3000, 22 | 100.64.0.1:3001, :2222 | git.domain.de |
| Uptime Kuma | 3001 | 100.64.0.1:3002 | status.domain.de |

Last updated: 2025