Developer Tools Azure

Dashy on Ubuntu 24.04 on Azure User Guide

| Product: Dashy on Ubuntu 24.04 LTS on Azure

Overview

This guide covers the deployment and configuration of Dashy on Ubuntu 24.04 on Azure using cloudimg Azure Marketplace images. Dashy is an open source, self hosted dashboard for your homelab, servers and applications. It brings all of your links, apps and bookmarks together on one customizable start page, organised into sections with icons, themes, search, keyboard shortcuts, live status checks and a built in visual editor for changing the layout directly from the browser.

The image builds the pinned stable Dashy 4.4.5 release from source with Node.js 22 LTS (recorded in /opt/dashy/VERSION) and runs it under systemd as the unprivileged dashy system user, bound to loopback only (127.0.0.1:4000). nginx is the sole network facing surface: it terminates TLS on port 443, enforces HTTP basic authentication on every request and reverse proxies to Dashy. Port 80 redirects to HTTPS.

Secure by default. Dashy's own built in login is a client side gate that is turned off by default, which would leave an unprotected deployment open to anyone who can reach it. This image does not rely on it. Dashy is bound to loopback and fronted by nginx basic authentication, and a unique administrator credential is generated on each virtual machine's first boot. Only a one way bcrypt hash of the password is written to the server; the plain password is placed in a root only file for the administrator to read. There are no shared or default credentials, and nothing usable is baked into the image. Because Dashy is loopback only behind the basic auth gate, its built in config save endpoint is protected too.

What is included:

  • Dashy 4.4.5 built from source on Node.js 22 LTS and run under systemd as the unprivileged dashy system user

  • Dashy bound to loopback only (127.0.0.1:4000); it is never network exposed directly

  • nginx terminating TLS on :443, enforcing HTTP basic authentication and reverse proxying to Dashy, with HSTS and sensible security headers

  • Port :80 returns a 301 redirect to HTTPS for every path except an unauthenticated /healthz endpoint (HTTP 200) for load balancer probes

  • A unique admin credential generated per VM on first boot; only the one way bcrypt hash is stored, the plain password lands in a root only file

  • A self signed TLS certificate regenerated per VM on first boot (its Subject Alternative Names include the VM public IP, hostname and 127.0.0.1); replace it with your own CA signed certificate for production

  • A starter cloudimg dashboard preloaded so the interface is populated the moment you sign in

  • A built in self test at /usr/local/bin/dashy-selftest that proves the authenticated dashboard and config load end to end over TLS

  • Ubuntu 24.04 LTS base with the latest security patches applied at build time

  • Azure Linux Agent for seamless cloud integration and SSH key injection

  • 24/7 cloudimg support with a guaranteed 24 hour response SLA

Prerequisites

  • An Azure subscription with permission to deploy virtual machines

  • An SSH key pair for administrative access to the VM as the azureuser account

  • A Network Security Group allowing inbound TCP 443 (HTTPS) and 80 (redirect) from the networks that should reach the service, and 22 (SSH) from your management network only

  • A recommended size of Standard_B2s or larger

Step 1: Deploy from the Azure Portal

  1. Locate the Dashy on Ubuntu 24.04 LTS image in the Azure Marketplace and select Create.

  2. Choose your subscription, resource group and region.

  3. Select a VM size (Standard_B2s or larger) and provide your SSH public key for the azureuser account.

  4. On the Networking tab, allow inbound 443 and 80 from your users, and restrict 22 to your management network.

  5. Review and create. When the VM is running, browse to https://<your-public-ip>/.

Step 2: Deploy from the Azure CLI

Deploy the image from the command line, restricting SSH to your management network. Replace the placeholder values with your own before running:

az vm create \
  --resource-group my-resource-group \
  --name dashy \
  --image <marketplace-image-urn> \
  --size Standard_B2s \
  --admin-username azureuser \
  --ssh-key-values ~/.ssh/id_rsa.pub \
  --public-ip-sku Standard

# Allow the web UI from your users and SSH from your management network only
az vm open-port --resource-group my-resource-group --name dashy --port 443 --priority 1001
az network nsg rule create --resource-group my-resource-group --nsg-name dashyNSG \
  --name allow-ssh --priority 1002 --destination-port-ranges 22 \
  --source-address-prefixes <your-mgmt-cidr> --access Allow --protocol Tcp

When the VM is running, browse to https://<public-ip>/.

Step 3: Retrieve your per instance admin credential

Access is protected by HTTP basic authentication. Each VM generates its own admin username and password on first boot, written to a root only file. Read it over SSH:

ssh azureuser@<vm-ip> 'sudo cat /root/dashy-credentials.txt'

The file contains the DASHY_USER, DASHY_PASS and DASHY_URL for this specific VM. Keep it secret. The server only ever stores a one way bcrypt hash of the password, never the plain text.

Step 4: Sign in to your dashboard

Browse to https://<vm-ip>/. Because the certificate is self signed per VM, your browser will show a certificate warning the first time; accept it to proceed (or install the per VM certificate, or place a CA signed certificate in front, as covered in Step 9). Your browser then prompts for the basic authentication username and password from Step 3.

Dashy opens on your dashboard. The image ships a starter cloudimg layout so the interface is populated immediately: sections group your items into cards, each with an icon, and a search bar sits along the top.

The Dashy dashboard after signing in, titled cloudimg Dashy, showing a Getting Started section with cloudimg Deployment Guide, Dashy Documentation and cloudimg Support items and an Example Services section, with a search bar and settings icon along the top

Step 5: Customize the layout, theme and item size

Click the settings icon in the top right corner to open the Options panel. From here you can switch the theme, change the layout and item size, toggle edit mode, and open the config editor. Changes preview live, so you can try a look before keeping it.

The Dashy Options panel open on the right of the dashboard, showing Edit Mode and Config buttons, a Theme selector set to Colorful, layout icons, and Item Size options of Default, Minimal and Workspace

Step 6: Edit your dashboard configuration

Your whole dashboard is described by a single configuration file. From the Options panel, click Config to open the built in interactive editor. It shows the live configuration with syntax highlighting and validation, and you can edit sections and items directly. Save to Disk writes the change back to the server so it persists; Save Locally keeps it only in your browser.

The Dashy interactive configuration editor open, showing the cloudimg conf.yml with appConfig, pageInfo and sections, a green Config is Valid indicator, and Reset, Preview Changes, Save Locally and Save to Disk buttons

You can also edit the configuration file directly on the VM at /opt/dashy/user-data/conf.yml and restart the service. Both approaches are equivalent, because Save to Disk writes to that same file:

# Edit the dashboard configuration, then apply the change.
# Browse back to https://<vm-ip>/ afterwards.
sudo nano /opt/dashy/user-data/conf.yml
sudo systemctl restart dashy

Step 7: Find items fast with instant search

Start typing in the search bar to filter your items live. It is the quickest way to jump to a service on a large dashboard, and pressing Enter can hand the query off to a configured web search. Keyboard shortcuts let you open items without touching the mouse.

The Dashy search bar with cloudimg typed in, filtering the dashboard down to the cloudimg Deployment Guide and cloudimg Support items, with a hint that pressing enter searches the web

Step 8: Verify the deployment

SSH to the VM as azureuser and confirm the services are running and Dashy is bound to loopback only:

systemctl is-active dashy nginx
sudo ss -tlnp | grep 4000

All services report active, and Dashy listens on 127.0.0.1:4000 only. nginx is the only component exposed on :80 and :443.

systemctl reports dashy, nginx and dashy-firstboot all active, and ss shows the node process bound to 127.0.0.1:4000 loopback only with nginx listening on 0.0.0.0:80 and 0.0.0.0:443

Run the built in self test. It reads this VM's credential and proves the full path over TLS: the health probe answers, an unauthenticated request is refused, the config save endpoint is protected, and an authenticated request loads the dashboard and a known configuration item:

sudo /usr/local/bin/dashy-selftest

The dashy-selftest output reporting OK: healthz 200, unauthenticated request 401, unauthenticated config save 401, authenticated dashboard 200 and a known config item loaded over TLS

Step 9: TLS, redirect and the authentication gate

nginx terminates TLS on port 443 and redirects plain HTTP on port 80 to HTTPS. Confirm the redirect, the unauthenticated health probe, and that the dashboard and its config save endpoint both require the per VM credential:

curl -s -o /dev/null -w 'port 80 -> HTTP %{http_code}\n' http://127.0.0.1/
curl -sk -o /dev/null -w 'healthz -> HTTP %{http_code}\n' https://127.0.0.1/healthz
curl -sk -o /dev/null -w 'no creds -> HTTP %{http_code}\n' https://127.0.0.1/

Port 80 returns 301 and the health endpoint returns 200. An unauthenticated request to the dashboard, and to the config save endpoint, is refused with 401, while a request carrying this VM's credential succeeds with 200. The self signed certificate is regenerated per VM on first boot, with the VM IP and hostname in its Subject Alternative Names:

curl showing port 80 returning a 301 redirect, healthz returning 200, the dashboard and the config save endpoint each returning 401 without credentials, and the dashboard returning 200 with the per VM credential

Step 10: Replace the certificate for production

The per VM certificate is self signed, so browsers warn on first use. For a public deployment, put a real certificate in front. The simplest path is to point a DNS name at the VM and obtain a free certificate with Certbot:

# Point https://<your-domain> at this VM first, then:
sudo apt-get install -y certbot python3-certbot-nginx
sudo certbot --nginx -d <your-domain>

Alternatively, terminate TLS at an Azure Application Gateway or a load balancer in front of the VM and forward to port 443.

Step 11: Baked version and per instance credential

The baked Dashy and Node.js versions are recorded on the VM, alongside this instance's credential summary. The password line is redacted below; read the full value from the root only file in Step 3:

cat /opt/dashy/VERSION
sudo cat /root/dashy-credentials.txt

The /opt/dashy/VERSION file showing the baked Dashy 4.4.5 and Node.js versions, and the per VM dashy-credentials.txt showing the admin username and URL with the password redacted

Security notes

  • No default login. Access is protected by nginx HTTP basic authentication and a unique admin credential is generated on each VM's first boot. Only a one way bcrypt hash is stored; the plain password lives in the root only /root/dashy-credentials.txt.

  • Loopback only application. Dashy binds to 127.0.0.1:4000 and is only reachable through the nginx TLS reverse proxy on :443. Keep it that way and let nginx (or a load balancer) be the sole network facing surface.

  • Protected configuration. Because every path is behind the basic auth gate, Dashy's config save endpoint cannot be reached without the per VM credential. Only sign in over HTTPS.

  • Restrict access. Allow 443 only from the networks that need it, keep 22 restricted to your management network, and replace the self signed certificate with a CA signed one for production.

  • Rotate the credential by regenerating the nginx htpasswd entry (sudo htpasswd -B /etc/nginx/dashy.htpasswd admin) and reloading nginx, or by placing your own identity aware proxy in front.

Support

This image is backed by 24/7 cloudimg support with a guaranteed 24 hour response SLA. Contact support@cloudimg.co.uk for assistance. Dashy is open source software distributed under the MIT License and is free; the cloudimg charge covers packaging, hardening, security patching, image maintenance and support.