
Deployment Overview of TeamSpeak on Server

Prerequisites and Basic Requirements

To deploy the TeamSpeak server and its associated management interface, the following system requirements must be met:

  • Operating System: Ubuntu (compatible with Docker Engine).
  • Privileges: Root access or sudo privileges are required to install Docker, manage containers, and configure the firewall.
  • Domain: A valid domain name (final_domain) is required for the reverse proxy and SSL certificate generation.
  • Ports: The following ports must be available and open on the host server:
      • 9987/udp: TeamSpeak voice traffic.
      • 10011: TeamSpeak query port.
      • 10022: TeamSpeak file transfer port.
      • 30033: TeamSpeak server instance port.
      • 41144: TeamSpeak server instance port (secondary).
      • 8080: TS3-Manager web interface (internal).
      • 80 and 443: HTTP and HTTPS traffic for the Nginx reverse proxy.

File and Directory Structure

The deployment utilizes specific directories on the host system to store application data, configurations, and certificates:

  • /opt/teamspeak: Stores the persistent data for the TeamSpeak server container.
  • /opt/tsi-web: Stores the persistent data for the TS3-Manager web interface container.
  • /root/nginx: Contains the Docker Compose configuration for the Nginx proxy.
  • /data/nginx/user_conf.d: Stores the Nginx server block configuration files.
  • /data/nginx/nginx-certbot.env: Environment file for the Nginx-Certbot container.
  • /etc/letsencrypt: Mount point for SSL certificates managed by Certbot within the Nginx container.

Application Installation Process

The application is deployed using Docker containers. The installation involves running two primary containers for the core services and a third container for the reverse proxy.

TeamSpeak Server Container

The TeamSpeak server is deployed using the teamspeak:latest image. The container is configured with the following parameters:

  • Name: teamspeak
  • License: Automatically accepts the license agreement via the TS3SERVER_LICENSE environment variable.
  • Health Check: Monitors the 10022 port using telnet every 30 seconds with a 10-second timeout.
  • Restart Policy: unless-stopped.

TS3-Manager Web Interface Container

The management interface is deployed using the joni1802/ts3-manager:v2.2.3 image. The container is configured with:

  • Name: ts3-manager
  • Port: Exposes port 8080 on the host.
  • Security: A random 32-character hexadecimal JWT_SECRET is generated and passed as an environment variable to secure the session.
  • Restart Policy: unless-stopped.

Nginx Reverse Proxy Container

The reverse proxy is deployed using Docker Compose with the jonasal/nginx-certbot:latest image.

  • Name: nginx-certbot
  • Network Mode: Host.
  • Environment: Configured with the administrator email for Let's Encrypt (CERTBOT_EMAIL).
  • Volumes: Mounts the external nginx_secrets volume for SSL certificates and the host directory for custom configurations.

Access Rights and Security

Security is enforced through container isolation, firewall rules, and SSL encryption.

  • Firewall: The host firewall must allow incoming traffic on the specific ports listed in the Prerequisites section.
  • SSL/TLS: All web traffic to the TS3-Manager interface is encrypted using SSL certificates obtained via Let's Encrypt.
  • JWT Authentication: The TS3-Manager interface uses a generated JWT_SECRET to secure user sessions.
  • Network Isolation: The teamspeak and ts3-manager containers run on the bridge network, isolating them from the host network stack except for explicitly mapped ports. The nginx-certbot container uses host network mode.
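
An added example (not part of the original deployment files) for checking that the explicitly mapped ports match the intent above: it reads `docker ps --format '{{.Names}}\t{{.Ports}}'` output and reports any port treated as internal, here 8080, that is published on a non-loopback address. The function names and sample lines are constructed for illustration; a loopback binding such as `-p 127.0.0.1:8080:8080` is the form the check accepts.

```shell
#!/bin/sh
# Added example: flag "internal" ports that Docker publishes beyond loopback.
# Input: one line per container, "<name><TAB><ports column>", as printed by
#   docker ps --format '{{.Names}}\t{{.Ports}}'

# audit_internal_ports "<space-separated ports>"
# Prints "<container> <host_ip>:<host_port>" for each exposed internal port.
audit_internal_ports() (
  internal=" $1 "
  tab="$(printf '\t')"
  IFS=','; set -f                       # split the ports column on commas, no globbing
  while IFS="$tab" read -r name ports; do
    for entry in $ports; do
      entry="${entry# }"                # drop the space that follows each comma
      case "$entry" in *'->'*) ;; *) continue ;; esac   # not published on the host
      bind="${entry%%->*}"              # e.g. 0.0.0.0:8080 or [::]:8080
      host_ip="${bind%:*}"
      host_port="${bind##*:}"
      case "$internal" in *" $host_port "*) ;; *) continue ;; esac
      case "$host_ip" in
        127.*|'[::1]'|::1) ;;           # loopback only: reachable by the local proxy
        *) printf '%s %s\n' "$name" "$bind" ;;
      esac
    done
  done
)

# Constructed sample: the port mappings as written in this guide.
sample_ps() {
  printf 'teamspeak\t0.0.0.0:9987->9987/udp, 0.0.0.0:10011->10011/tcp\n'
  printf 'ts3-manager\t0.0.0.0:8080->8080/tcp, [::]:8080->8080/tcp\n'
}

# Constructed sample: the web interface bound to loopback only.
sample_ps_hardened() {
  printf 'ts3-manager\t127.0.0.1:8080->8080/tcp\n'
}

sample_ps | audit_internal_ports "8080"
```

On a live host, pipe the real `docker ps` output into `audit_internal_ports "8080"` instead of the sample.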

Docker Containers and Their Deployment

The deployment relies on Docker Engine. The containers are managed individually for the core services and via Docker Compose for the proxy.

TeamSpeak and TS3-Manager Deployment

These containers are started directly using the Docker API or CLI commands equivalent to the configuration provided:

docker run -d \
  --name teamspeak \
  --restart unless-stopped \
  -p 9987:9987/udp \
  -p 10011:10011 \
  -p 10022:10022 \
  -p 30033:30033 \
  -p 41144:41144 \
  -v /opt/teamspeak:/data \
  -e TS3SERVER_LICENSE=accept \
  --network bridge \
  --health-cmd "telnet localhost 10022" \
  --health-interval 30s \
  --health-timeout 10s \
  --health-retries 3 \
  teamspeak:latest

docker run -d \
  --name ts3-manager \
  --restart unless-stopped \
  -p 8080:8080 \
  -v /opt/tsi-web:/app/data \
  -e PORT=8080 \
  -e JWT_SECRET=<generated_secret> \
  --network bridge \
  joni1802/ts3-manager:v2.2.3

Nginx Proxy Deployment

The Nginx proxy is deployed using a docker compose file located at /root/nginx/compose.yml. The deployment process involves:

  1. Navigating to the configuration directory:
    cd /root/nginx
    
  2. Starting the services:
    docker compose up -d
    

The compose.yml file defines the nginx-certbot service, which handles SSL certificate generation and renewal.

Proxy Servers

The Nginx reverse proxy manages external access to the TS3-Manager web interface.

  • Configuration Location: /data/nginx/user_conf.d/{final_domain}.conf
  • HTTP Redirect: Port 80 traffic is automatically redirected to HTTPS (port 443).
  • SSL Configuration:
      • Certificate: /etc/letsencrypt/live/{final_domain}/fullchain.pem
      • Private Key: /etc/letsencrypt/live/{final_domain}/privkey.pem
      • Chain: /etc/letsencrypt/live/{final_domain}/chain.pem
  • Proxy Settings:
      • The proxy forwards requests to the internal TS3-Manager container at http://127.0.0.1:8080.
      • Headers Host, X-Real-IP, X-Forwarded-For, and X-Forwarded-Proto are preserved to ensure correct application behavior.
  • Certificate Management: Certificates are obtained and renewed using Certbot within the nginx-certbot container via the webroot method at /var/www/letsencrypt.

Permission Settings

The following file and directory permissions are applied to ensure proper operation and security:

  • /opt/teamspeak: Owned by root:root with mode 0755.
  • /opt/tsi-web: Owned by root:root with mode 0755.
  • /root/nginx: Owned by root:root with mode 0755.
  • /data/nginx/user_conf.d: Owned by root:root with mode 0755.
  • Nginx configuration files ({final_domain}.conf): Owned by root:root with mode 0644.
  • Docker Compose file (compose.yml): Owned by root:root with mode 0644.

Starting, Stopping, and Updating

The services are managed using standard Docker commands.

Managing TeamSpeak and TS3-Manager

  • Start:
    docker start teamspeak
    docker start ts3-manager
    
  • Stop:
    docker stop teamspeak
    docker stop ts3-manager
    
  • Restart:
    docker restart teamspeak
    docker restart ts3-manager
    
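  • Update Image:
    docker pull teamspeak:latest
    docker pull joni1802/ts3-manager:v2.2.3
    # docker restart keeps running the old image; remove the containers and recreate them
    docker rm -f teamspeak ts3-manager
    # then re-run the two docker run commands from "TeamSpeak and TS3-Manager Deployment"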
    

Managing Nginx Proxy

  • Start:
    cd /root/nginx
    docker compose up -d
    
  • Stop:
    cd /root/nginx
    docker compose down
    
  • Restart:
    cd /root/nginx
    docker compose restart
    
  • Update Image:
    cd /root/nginx
    docker compose pull
    docker compose up -d
    

SSL Certificate Renewal

To manually trigger an SSL certificate renewal:

docker exec nginx-certbot certbot certonly --webroot -w /var/www/letsencrypt -d {final_domain} --email {admin_email} --agree-tos --non-interactive --keep
docker restart nginx-certbot
